You can download databases for subscription services from internal servers (see the reference at the end of this article for a list of supported services). Provided you have a valid subscription, you can transfer the database to an HTTP/S server inside your organization's firewall and configure the URL on the Edge SWG (ProxySG)/Advanced Secure Gateway appliance. The server must be accessible by the appliance.
Edge SWG (ProxySG) and Advanced Secure Gateway allow you to configure subscription service database downloads from an internal server.
Complete the following before setting up the appliance:
Perform the following steps as needed for your deployment.
If the server requires username and password authentication, make note of the username and password. You will need this information to configure the appliance in Step 3.
To secure connections between the server and the appliance, set up mutual authentication. Two methods are provided below: using the Management Console (on the Advanced Secure Gateway appliance, click the Proxy tab before navigating) and through the ProxySG command line interface (CLI). For details, refer to:
Using Management Console | Using CLI Commands |
---|---|
1. Export the appliance CA certificate. |
|
|
Copy and paste the output into a text file and import the certificate to the server. |
2. Export the server's CA certificate to a system where you can access the appliance. |
|
3. Import the server certificate to the appliance. |
|
|
#(config ssl)inline ca-certificate ca_certificate_name eof |
4. Determine which SSL device profile the appliance will use to connect to the server, and then add the CA certificate to the CCL that is associated with the SSL device profile. | |
|
|
5. Configure the SSL device profile. |
|
|
#(config ssl)edit ssl-device-profile profile_name |
#(config device-profile profile_name)protocol {tlsv1 | tlsv1.1 | tlsv1.2} |
#(config device-profile profile_name)ccl ccl_name |
#(config device-profile profile_name)cipher-suite cipher_suite |
If the server does not perform client authentication, only the server needs to be authenticated. The appliance sends the configured HTTPS certificate during the connection and validates the server certificate. By default, the configured HTTPS certificate is a self-signed certificate generated by the appliance.
To set up server certificate validation, perform steps 2 through 5 in the procedure for mutual authentication.
You can configure the database using the Management Console (on the Advanced Secure Gateway appliance, click the Proxy tab before navigating) or the ProxySG CLI. For more detailed steps, refer to:
This procedure uses Application Attributes as an example, but it applies to all subscription services that support downloading databases from internal servers. See the reference at the end of this article for the supported services, as well as navigation in the ProxySG/Advanced Secure Gateway Management Console and CLI commands.
Using Management Console | Using CLI Commands |
---|---|
1. Specify the download URL and optional authentication parameters. If configuring authentication, you will need the SSL device profile you configured in Step 2 and the username/password you noted when completing prerequisites. |
|
|
#(config application-attributes)download url url |
#(config application-attributes)download profile ssl_device_profile_name |
#(config application-attributes)download username username |
#(config application-attributes)download password password |
2. Enable the service to initiate the database download. | |
|
#(config application-attributes)enable |
Subscription Service | Admin Console Path | Management Console Path | CLI Mode |
---|---|---|---|
Application Attributes | Administration > Data & Cloud Services > Application Classification > Application Attributes > Download Application Attributes | Configuration > Application Classification > Application Attributes > Download | #(config application-attributes) |
Application Classification (Intelligence Services data source only) | Administration > Data & Cloud Services > Application Classification > Application Attributes > Download Application Classification | Configuration > Application Classification > General > Download | #(config application-classification) |
Application Protection | N/A | Configuration > Threat Protection > Application Protection > Application Protection | #(config application-protection) |
CachePulse | N/A | Configuration > Proxy Settings > General > General | #(config cachepulse) |
Content Filtering (Intelligence Services data source only) | Administration > Data & Cloud Services > Content Filtering > Blue Coat > Download | Configuration > Content Filtering > Blue Coat > Blue Coat | |
Geolocation | Administration > Data & Cloud Services > Geolocation > Download Database | Configuration > Geolocation > General > Download | #(config geolocation) |
IP Reputation | N/A | Configuration > Threat Protection > IP Reputation > IP Reputation | #(config ip-reputation) |
Threat Risk Levels | Administration > Data & Cloud Services > Threat Protection > Threat Risk Levels > License and Download Status | Configuration > Threat Protection > Threat Risk Levels > Download | #(config threat-risk) |
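
A review check for the settings entered in the two procedures above, added here as an example and not taken from the vendor documentation: it reads a pasted CLI transcript in the prompt format shown on this page, for any service mode in the table, and flags deprecated TLS versions on the SSL device profile and download credentials paired with a plain HTTP URL. The function name `audit`, the profile and CCL names, and the URLs in the sample transcript are assumptions made up for the example.

```python
import re

# Prompt-prefixed line as printed on this page: "#(config <mode>)<command>"
LINE = re.compile(r"^#\(config ([^\s)][^)]*?)\s*\)\s*(.+)$")
WEAK = {"tlsv1", "tlsv1.1"}  # both deprecated by RFC 8996

def audit(transcript):
    """Return a list of findings for a pasted CLI transcript."""
    profiles, services = {}, {}
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        mode, words = m.group(1).split(), m.group(2).split()
        if mode[0] == "device-profile" and len(mode) == 2 and len(words) > 1:
            profiles.setdefault(mode[1], {})[words[0]] = words[1:]
        elif words[0] == "download" and len(words) > 2:
            services.setdefault(mode[0], {})[words[1]] = words[2]
    findings = []
    for name, cfg in sorted(profiles.items()):
        for proto in sorted(WEAK & set(cfg.get("protocol", []))):
            findings.append(f"profile {name}: {proto} is deprecated, use tlsv1.2")
        if "ccl" not in cfg:
            findings.append(f"profile {name}: no ccl line, confirm which CCL holds the server CA")
    for svc, cfg in sorted(services.items()):
        url = cfg.get("url", "").lower()
        if url.startswith("http://") and ("username" in cfg or "password" in cfg):
            findings.append(f"{svc}: download credentials configured for a cleartext http:// URL")
        if url.startswith("https://"):
            prof = cfg.get("profile")
            if prof is None:
                findings.append(f"{svc}: https URL but no download profile line")
            elif prof not in profiles:
                findings.append(f"{svc}: profile {prof} is not defined in this transcript")
    return findings

# Constructed sample transcript (names and URLs are made up for the example).
SAMPLE = """\
#(config ssl)edit ssl-device-profile dbfetch
#(config device-profile dbfetch)protocol tlsv1
#(config device-profile dbfetch)ccl internal-ccl
#(config application-attributes)download url https://updates.example.internal/appattr.db
#(config application-attributes)download profile dbfetch
#(config geolocation )download url http://updates.example.internal/geo.db
#(config geolocation )download username svc-download
#(config geolocation )download password <redacted>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check only sees what is in the pasted transcript, so a profile or CCL configured earlier on the appliance is reported as not seen rather than as missing.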