Content Analysis Licensing

Article ID: 172097

Products

Content Analysis Software - CA

Issue/Introduction

Antivirus scanning services cannot begin without a valid license from a supported AV vendor installed on the Content Analysis System. There are multiple ways to retrieve the Antivirus vendor license, depending on whether or not your Content Analysis has direct access to the Internet.

To activate the license, you must obtain the License Key File from the Entitlement Portal using your Symantec account credentials. If you have direct access to the Internet, you can activate the license and automatically download the License Key File to the Content Analysis System; otherwise you must add the License Key File manually. (For example, in a closed network deployment, the license key file is first downloaded to a local system or stored on a dedicated server, and then the content is manually added on the Content Analysis System.)

Resolution

Retrieving a Vendor License File at Initial Startup:
This procedure must be done on a fresh appliance that meets the following prerequisites:

- There is no previous subscription number or license key file on the appliance.
- You have not previously declined the EULA.


If you do not have a Symantec account, you can choose to retrieve a vendor license file after initial startup by clicking Later in the Content Analysis System Automatic Registration dialog that displays at initial startup.

To retrieve a vendor license file at initial startup:
1. Enter your Symantec account credentials and your Activation Code or Subscription Number.
2. Click Register Content Analysis System.

- If you entered an activation code, the EULA displays. Select Accept.
- If you entered a subscription number, a EULA does not display.

3. Click Continue. If you receive an error, check to be sure that you have entered the correct Symantec credentials and activation code or subscription number.

Retrieving an Antivirus License File After Initial Startup:
If you opted not to retrieve a vendor license file at initial startup, Symantec recommends that you retrieve one automatically using the Content Analysis System Automatic Registration page. However, if your appliance does not have direct access to the Internet, you can register it using a Web browser and the Symantec Enterprise Security Portal Entitlements page.

To retrieve a vendor license file automatically:
1. In the Management Console, select Licensing.
2. Under License Administration, click Register appliance automatically (recommended).  The Automatic Registration page displays.
3. Enter your Symantec account credentials and your activation code or subscription number.
4. Click Register Content Analysis System.

- If you entered an activation code, the EULA displays. Select Accept.
- If you entered a subscription number, a EULA does not display.

5. Click Continue.

The registration status displays on the Content Analysis System Automatic Registration page. If you receive an error, check to be sure that you have entered the correct Symantec account credentials and activation code or subscription number.

NOTE: If outgoing Content Analysis System connections go through the ProxySG, make sure that SSL intercept is not enabled for communication with https://services.es.bluecoat.com. If SSL intercept is enabled for entitlement communications, automatic registration could fail. We recommend using the list of ports and URLs when building exceptions for the Content Analysis System, as the system requires Internet access. We do not support offline licensing at this time.

Retrieving an Antivirus License Using the Network Protection Licensing Portal:
When you use the Entitlement Portal, all you need is a Web browser and an Internet connection.
The Content Analysis does need to have Internet access for subscriptions and the associated updates. For additional information, please see the list of ports and URLs.
 
To retrieve an antivirus license using the Entitlement Portal:
1. In a Web browser, enter the following URL: https://support.broadcom.com/security
2. Click My Entitlements.
3. Log in.
4. Locate your device and click the license icon to the right of the device description.
5. Click Generate Key.
6. In the Content Analysis Web UI, under System > Licensing, click Upload License File.
          - Browse to the license file and click Open.

7. The Content Analysis will provide a success message upon completion. Some components may take some time (up to 20 minutes) to show as available; please be patient.

8. On the left-hand side (Activation column), tick the licenses that you would like to have in use.

9. Press Save Changes to place the selected licenses into effect.
 

Content Analysis Licensing Troubleshooting:
 
There are two options to apply the licenses for Content Analysis:

  1. Download License from Symantec
  2. Upload License File

The first step is activation of the licenses. The license will grant you Base and Sandbox availability. If you have not activated the licenses via https://support.broadcom.com/security, in My Entitlements, then the licenses will fail to associate with the device and will not be available to download. For Content Analysis to function properly, the device needs Internet communication that does not involve SSL inspection, because the Content Analysis platform uses mutual authentication in the transaction to gain access to entitlements.

Activating (also referred to as associating) the subscription is performed through the My Entitlements section of the support portal, https://support.broadcom.com/security. Selecting the license icon, then Software Add Ons, and then clicking the Add on button displays the available entitlements that can be associated with the device.

The URLs in use during the normal transactions of acquiring the birth-certificate, subscriptions, and updates are as follows (Note: For an up-to-date list of URLs, please refer to the guide.):
contentanalysis.es.bluecoat.com – File Reputation
subscription.es.bluecoat.com – Engine and pattern updates
services.es.bluecoat.com – License updates
device-services.es.bluecoat.com – Birth Certificate
bto-services.es.bluecoat.com – Software Downloads
liveupdate.symantec.com – Symantec AV/AML updates

Uploading the License File will still require an Internet connection to download the Engines and Signatures for the Anti-Virus as well as the Static Analysis Engine and pattern components. Manual installation of the Content Analysis base and sandbox licenses only includes the elements necessary to operate and, if one is configured, to send data to a sandboxing service. Antivirus products are managed with a subscription-based license that requires that your Content Analysis appliance is connected to the Internet to retrieve and use.

Content Analysis systems check the cloud for AV updates several times a minute. During that probe, the license, engine, and pattern files for each AV product you have purchased are checked and verified.

For Downloading
If the Content Analysis is behind a Symantec ProxySG in an explicit deployment, the following CPL policy will allow proper communication. It is normally recommended to place this in the local policy file, which is located on the ProxySG under Configuration > Policy > Policy Files > Local Policy File.

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.168.21.10 detect_protocol.ssl(no) ALLOW

For explicit communication through a ProxySG, be sure to check the proxy configuration in the Content Analysis Web UI under Settings > Proxy. For these settings to be functional, ensure that you tick the “Enable” checkbox and enter the authentication credentials for Proxy Authentication. (These steps still require the above policy to be in place on the ProxySG.)

If you do not have a set of Proxy Authentication credentials for Content Analysis to use, the policy on the ProxySG will need to be adjusted to disable authentication:

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.168.21.10 authenticate(no) detect_protocol.ssl(no) ALLOW

For transparent communication from Content Analysis through a ProxySG, there are two options the ProxySG has to allow the communication to occur:

  1. Create a TCP Tunnel service for the source IP of the Content Analysis
  2. Create a Static Bypass entry for the source IP of the Content Analysis
    (There is no option with transparent to disable protocol detection on the SSL Proxy listener)

If you decide to use the TCP Tunnel service, you will still need to include the following policy:

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.168.21.10 authenticate(no) ALLOW

If the download is still failing after all of the previous steps have been taken, we recommend running a packet capture from the Content Analysis to verify that the birth certificate is properly provided.
The certificate appears in a response to the server: it is the certificate from the Content Analysis, with the Serial Number of the device as the Common Name. In addition, it will be signed by abrca.bluecoat.com.
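
One way to run this check on a certificate exported from the capture as PEM, as an added example that is not part of the original article. It compares the subject and issuer Common Names only and assumes that "signed by abrca.bluecoat.com" means the issuer CN is that name; the sample CA, device certificate and serial number are constructed test data.

```shell
#!/bin/sh
# Added example: name checks on a PEM certificate exported from the capture.
# This compares Common Names only; it does not validate the signature chain.
EXPECTED_ISSUER_CN="abrca.bluecoat.com"   # issuer named in the article

# cert_cn FILE subject|issuer -> prints the CN of that name, empty on error.
cert_cn() {
    openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" 2>/dev/null |
        sed -e "s/^$2= *//" | tr ',' '\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# check_birth_cert FILE SERIAL -> returns 0 if both properties hold, else 1.
check_birth_cert() {
    subject_cn=$(cert_cn "$1" subject)
    issuer_cn=$(cert_cn "$1" issuer)
    rc=0
    if [ "$subject_cn" != "$2" ]; then
        echo "FAIL: subject CN '$subject_cn' is not the serial number '$2'"
        rc=1
    fi
    if [ "$issuer_cn" != "$EXPECTED_ISSUER_CN" ]; then
        echo "FAIL: issuer CN '$issuer_cn' is not '$EXPECTED_ISSUER_CN'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: CN=$subject_cn, issued by $issuer_cn"
    fi
    return "$rc"
}

# make_sample DIR ISSUER_CN SERIAL -> writes DIR/dev.pem (constructed data:
# a throwaway CA and device certificate, not real appliance material).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$3" \
        -keyout "$1/dev.key" -out "$1/dev.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/dev.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/dev.pem" 2>/dev/null
}

tmp=$(mktemp -d)
make_sample "$tmp" "$EXPECTED_ISSUER_CN" "1234567890"   # made-up serial
check_birth_cert "$tmp/dev.pem" "1234567890"
rm -rf "$tmp"
```

A certificate exported in DER form needs converting first with `openssl x509 -inform der -in cert.der -out cert.pem`.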



If, for any reason, this is not the case, please run the following command from enabled mode in the CLI (hardware only):
acquire-factory-certificate or request-appliance-certificate (based on the version of Content Analysis you are currently using)

Subscription Updates:
If you have recently updated or renewed the subscriptions, and the CAS has not reflected the update over the course of 30 minutes to one hour, you can address this by refreshing the antivirus and engine signatures. This option is found under Utilities > Services. This action will request the update without checking for modifications (full download).

Common error codes seen when access is restricted or modified upstream include (but are not limited to) the following, which are recorded in the clp_services log:

Peer Not Authenticated
Invalid Server Certificate
Read Timed Out
Request Timed Out
Connect to URL Timed Out
Connection to URL Refused
Proxy Authentication Required

If you experience any of these issues, please refer to the guide to enable outbound and return communications for the necessary ports and URLs.