Content Analysis Licensing

Article ID: 172097

Products

Content Analysis Software - CA

Issue/Introduction

Content Analysis must be licensed before it can scan and protect your network. Licenses are broken down into the following types:
  • The Base license is included with all Content Analysis systems and allows the appliance to scan traffic, accept firmware updates, and use optional external sandboxing services.
  • Subscription-based licenses enable additional services on your Content Analysis system. Subscriptions are available for File Inspection, Malware Analysis, on-box sandboxing, and Cloud Sandboxing.
  • Enterprise licenses allow you to use a single license ID for multiple Content Analysis applications, appliances, and virtual appliances. For example, you could simultaneously use the same license ID for a Content Analysis application on ISG and a Content Analysis VA running on AWS. Each Content Analysis instance or appliance using the license can be a different size. You purchase this license by the number of cores that you will use across all instances and appliances.
These services require that your appliance is connected to the Internet and can reach several Symantec domains.

Access to the Internet is required to operate Content Analysis services. To see the URLs and ports Content Analysis communicates with, see Required Ports, Protocols, and Services.

Resolution


NOTE: If outgoing Content Analysis System connections go through the ProxySG, make sure that SSL intercept is not enabled for this communication. If SSL intercept is enabled for entitlement communications, they will likely fail. We recommend using the following list of ports, protocols, and URLs when building exceptions for the Content Analysis System, as the system requires Internet access. We do not support offline licensing at this time.

Retrieving an Antivirus License Using the Network Protection Licensing Portal:
When you use the entitlement portal, all you need is a Web browser and an Internet connection.
Content Analysis does require Internet access for subscriptions and the associated updates. For additional information, see the list of ports, protocols, and URLs and Licensing Content Analysis.

Make sure that your organization's outbound firewall allows Content Analysis to access the list of ports, protocols, and URLs. If your Content Analysis System is deployed behind an explicitly deployed proxy, or if proxy authentication is required, see Proxy Connections Through a Gateway Device.

Some components may take a while to show as available after the system is updated; please be patient.

Content Analysis Licensing Troubleshooting:

There are two options for applying the licenses for Content Analysis:

  1. Download License from Symantec
  2. Upload License File

The first step is activating the licenses. Activation grants Base and Sandbox availability (where applicable). If you have not activated the licenses under My Entitlements at https://support.broadcom.com/security, the licenses will fail to associate with the device and will not be available to download. For Content Analysis to function properly, the device needs Internet communication that does not involve SSL inspection, because the Content Analysis platform uses mutual authentication in the transaction that gains access to entitlements.

Activating (also referred to as associating) the subscription add-on is performed through the My Entitlements section of the support portal, https://support.broadcom.com/group/ecx/products. Select the license icon, then Software Add Ons, and click the Add on button to display the available entitlements that can be associated with the device.

The URLs in use during the normal transactions of acquiring the birth certificate, subscriptions, and updates are as follows (Note: for an up-to-date list of URLs, refer to the guide):
  • contentanalysis.es.bluecoat.com – File Reputation
  • subscription.es.bluecoat.com – Engine and pattern updates
  • services.es.bluecoat.com – License updates
  • device-services.es.bluecoat.com – Birth Certificate
  • bto-services.es.bluecoat.com – Software Downloads
  • liveupdate.symantec.com – Symantec AV/AML updates

Uploading the license file still requires an Internet connection to validate the license and to download the engines and signatures for the antivirus, as well as the Static Analysis Engine and pattern components. Manual installation of the Content Analysis base license (on hardware devices) includes only the elements necessary to operate and, if one is configured, to send data to a sandboxing service. Antivirus products are managed with a subscription-based license, which requires that your Content Analysis appliance is connected to the Internet to retrieve and use them. All virtual platforms require Internet access even for the base license.

Content Analysis systems check the cloud for AV updates several times a minute. During that probe, the license, engine, and pattern files for each AV product you have purchased are checked and verified.

For Downloading
If Content Analysis is behind a Symantec ProxySG in explicit mode, the following CPL policy allows proper communication. It is normally recommended to place this in the local policy file, which is found on the ProxySG under Configuration > Policy > Policy Files > Local Policy File.

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.0.2.1 detect_protocol.ssl(no) ALLOW

For explicit communication through a ProxySG, also check the proxy settings in the Content Analysis Web UI under Settings > Proxy. For these settings to be functional, tick the “Enable” checkbox and enter the credentials for Proxy Authentication. (These steps still require the above policy to be in place on the ProxySG.)
If you do not have a set of proxy authentication credentials for Content Analysis to use, the policy on the ProxySG needs to be adjusted to disable authentication:

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.0.2.1 authenticate(no) detect_protocol.ssl(no) ALLOW

For transparent communication from Content Analysis through a ProxySG, there are two options the ProxySG has to allow the communication to occur:

  1. Create a TCP Tunnel service for the source IP of the Content Analysis
  2. Create a Static Bypass entry for the source IP of the Content Analysis
    (There is no option with transparent to disable protocol detection on the SSL Proxy listener)

If you decide to use the TCP Tunnel service, you still need to include the following policy:

;Note: Ensure that you use the proper IP address assigned to your Content Analysis in the below rule
<Proxy>
client.address=192.0.2.1 authenticate(no) ALLOW

If the download is still failing after all of the previous steps have been taken, we recommend running a packet capture from Content Analysis to verify that the birth certificate is properly provided.
The certificate appears in the response Content Analysis sends to the server (its client certificate): its Common Name is the serial number of the device, and it is signed by abrca.bluecoat.com.

If, for any reason, this is not the case, run the following command from enabled mode in the CLI (hardware only):
acquire-factory-certificate or request-appliance-certificate (depending on the version of Content Analysis you are using)
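The two checks this troubleshooting relies on, the mutual authentication of the entitlement transaction and the Common Name and issuer of the birth certificate seen in the capture, can be reproduced offline. The Go program below is an added example written for this article, not Broadcom or Symantec code. It builds a constructed mini-PKI (a stand-in service CA, a CA named abrca.bluecoat.com, an SSL-interception CA, and the placeholder serial SERIAL-PLACEHOLDER-0000, all assumptions) and runs a mutually authenticated TLS handshake on loopback three ways: direct, through an intercepting proxy, and without the birth certificate. CheckBirthCertificate is the test described above for the client certificate; Scenario uses only the Go standard library and needs loopback networking.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host and issuer names are from the article; keys, CAs and the serial are constructed.
const (
	entitlementHost = "device-services.es.bluecoat.com" // Birth Certificate service
	birthCertIssuer = "abrca.bluecoat.com"              // issuer CN to expect in the capture
	applianceSerial = "SERIAL-PLACEHOLDER-0000"         // hypothetical appliance serial number
)

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// Leaf certificates also carry cn as a DNS SAN so the appliance's host-name check can pass.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.DNSNames = []string{cn}
	}
	parentCert, parentKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		parentCert, parentKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		panic(err) // fixture bug, not a scenario outcome
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// CheckBirthCertificate applies the article's test to the client certificate seen in the capture.
func CheckBirthCertificate(cert *x509.Certificate, serial string) error {
	if cert.Subject.CommonName != serial || cert.Issuer.CommonName != birthCertIssuer {
		return fmt.Errorf("got CN %q issued by %q; expected CN %q issued by %q",
			cert.Subject.CommonName, cert.Issuer.CommonName, serial, birthCertIssuer)
	}
	return nil
}

// Scenario runs one mutually authenticated handshake against a loopback stand-in for the
// entitlement server. intercepted re-signs the server cert with an SSL-interception CA the
// appliance does not trust; withBirthCert controls whether the appliance offers its client cert.
func Scenario(intercepted, withBirthCert bool) error {
	serviceCA := issue("Entitlement Service Root (constructed)", true, nil)
	birthCA := issue(birthCertIssuer, true, nil)
	serverSigner := &serviceCA
	if intercepted {
		proxyCA := issue("SSL Intercept Proxy CA (constructed)", true, nil)
		serverSigner = &proxyCA
	}
	server := issue(entitlementHost, false, serverSigner)
	birth := issue(applianceSerial, false, &birthCA)
	clientPool, serverPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(birthCA.Leaf)   // server accepts only abrca-issued client certs
	serverPool.AddCert(serviceCA.Leaf) // appliance trusts only the genuine service CA
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientPool,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	serverResult := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		serverResult <- err
	}()
	cfg := &tls.Config{RootCAs: serverPool, ServerName: entitlementHost}
	if withBirthCert {
		cfg.Certificates = []tls.Certificate{birth}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { // e.g. "x509: certificate signed by unknown authority" when intercepted
		return fmt.Errorf("appliance side: %w", err)
	}
	defer conn.Close()
	return <-serverResult // nil on success; "client didn't provide a certificate" without birth cert
}
```

Scenario(false, true) returns nil; Scenario(true, true) fails on the appliance side before any birth certificate is sent, which is the failure an SSL-intercepting ProxySG produces; Scenario(false, false) fails on the server side, showing why a proxy that originates the connection itself cannot satisfy the mutual authentication either. Against a real capture, feed the client certificate from the handshake to CheckBirthCertificate with the appliance's actual serial number.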

Subscription Updates:
If you have recently updated or renewed the subscriptions and the CAS has not reflected the update within 30 minutes to one hour, you can force a refresh of the antivirus and engine signatures. This option is found under Utilities > Services. This action requests the update without checking for modifications (a full download).

Some common error codes seen when upstream access is restricted or modified include (but are not limited to) the following (the clp_services log will record them):

Peer Not Authenticated
Invalid Server Certificate
Read Timed Out
Request Timed Out
Connect to URL Timed Out
Connection to URL Refused
Proxy Authentication Required

If you experience any of these issues, refer to the guide to enable outbound and return communications for the necessary ports, protocols, and URLs.