
Configure database downloads from an internal server on the Edge SWG (ProxySG) or Advanced Secure Gateway appliance


Article ID: 173115


Products

ProxySG Software - SGOS

Issue/Introduction

You can download databases for subscription services from internal servers (see the reference at the end of this article for a list of supported services). Provided you have a valid subscription, you can transfer the database to an HTTP/S server inside your organization's firewall and configure the URL on the Edge SWG (ProxySG)/Advanced Secure Gateway appliance. The server must be accessible by the appliance.

Edge SWG (ProxySG) and Advanced Secure Gateway allow you to configure subscription service database downloads from an internal server. 

Resolution

Step 1: Complete Prerequisites

Complete the following before setting up the appliance:

  • Obtain the database file and put it on the server.
  • Note the URL of the database file, for example, "http://<IP_address>:<port>/Databases/app-attributes.tar".
  • Make sure that appropriate SSL protocols and ciphers are enabled on the server.

 

Step 2: Set up Authentication Between the Internal Server and the Appliance

Perform the following steps as needed for your deployment.

Basic Authentication

If the server requires username and password authentication, make note of the username and password. You will need this information to configure the appliance in Step 3.

Mutual Authentication 

To secure connections between the server and the appliance, set up mutual authentication. Two methods are provided below: using the Management Console (on the Advanced Secure Gateway appliance, click the Proxy tab before navigating) and through the ProxySG command line interface (CLI). For details, refer to:

  • SGOS Administration Guide, "Managing X.509 Certificates" chapter
  • Command Line Interface Reference, "Privileged Mode Configure Commands" chapter

1. Export the appliance CA certificate.

Using Management Console:

  1. Select Configuration > SSL > CA Certificates > CA Certificates; select the keyring and click View Certificate.
  2. Copy and paste the contents into a text file and import the certificate to the server.

Using CLI Commands:

#(config ssl) view ca-certificate ca_certificate_name

Copy and paste the output into a text file and import the certificate to the server.

2. Export the server's CA certificate to a system where you can access the appliance.

3. Import the server certificate to the appliance.

Using Management Console:

  1. Select Configuration > SSL > Keyrings > Keyrings.
  2. Browse to the certificate and click Import.

Using CLI Commands:

#(config ssl)inline ca-certificate ca_certificate_name eof

4. Determine which SSL device profile the appliance will use to connect to the server, and then add the CA certificate to the CCL that is associated with the SSL device profile.

Using Management Console:

  1. Select Configuration > SSL > CA Certificates > CA Certificate List.
  2. Edit a CCL and add the CA certificate to it.

Using CLI Commands:

#(config ssl)edit ccl ccl_name

#(config ssl ccl ccl_name)add ca_certificate_name

5. Configure the SSL device profile.

Using Management Console:

  1. Select Configuration > SSL > Device Profiles; select the device profile and click Edit.
  2. Make sure that at least one of the selected SSL protocols is supported by the server.
  3. Confirm that the CCL including the server certificate is selected.
  4. Make sure that the Selected Ciphers list includes at least one cipher suite supported by the server.

Using CLI Commands:

#(config ssl)edit ssl-device-profile profile_name

#(config device-profile profile_name)protocol {tlsv1 | tlsv1.1 | tlsv1.2}

#(config device-profile profile_name)ccl ccl_name

#(config device-profile profile_name)cipher-suite cipher_suite

Server Authentication Only

If the server does not perform client authentication, only the server needs to be authenticated. The appliance sends the configured HTTPS certificate during the connection and validates the server certificate. By default, the configured HTTPS certificate is a self-signed certificate generated by the appliance.

To set up server certificate validation, perform steps 2 through 5 in the procedure for mutual authentication.
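
Before pointing the appliance at the server, the protocol, cipher and CA choices made above can be checked from an administrator workstation. The script below is an added example, not part of the original article or the vendor documentation; it assumes OpenSSL and curl are installed, and the function names, arguments and sample output are illustrative.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the internal database server, run from an
# admin workstation rather than the appliance. All names below are placeholders.

# Reduce `openssl s_client` output to what the SSL device profile depends on:
# negotiated protocol, negotiated cipher and the chain verification result.
summarize_handshake() {
  awk -F': *' '
    /^ *Protocol *:/         { proto  = $2 }
    /^ *Cipher *:/           { cipher = $2 }
    /^ *Verify return code:/ { verify = $2 }
    END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify }'
}

# Succeed only if the chain verified and the negotiated protocol is the one
# the device profile will be set to (for example "TLSv1.2").
handshake_ok() {
  case $1 in
    *"protocol=$2 "*"verify=0 (ok)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live probe: verify the server against the CA file destined for the CCL.
# -tls1_2 corresponds to "protocol tlsv1.2" in the device profile.
probe_server() {  # usage: probe_server <host> <port> <ca_file>
  openssl s_client -connect "$1:$2" -CAfile "$3" -tls1_2 \
    </dev/null 2>/dev/null | summarize_handshake
}

# Confirm the database URL answers with the Basic credentials; curl prompts
# for the password, which keeps it out of shell history and process lists.
check_download() {  # usage: check_download <url> <ca_file> <username>
  curl --fail --silent --show-error --head --cacert "$2" --user "$3" \
    --output /dev/null --write-out '%{http_code}\n' "$1"
}

# Constructed s_client excerpt so the parser can be exercised offline.
SAMPLE_OUTPUT='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'

SAMPLE_SUMMARY=$(printf '%s\n' "$SAMPLE_OUTPUT" | summarize_handshake)
```

A verify result other than "0 (ok)" from probe_server means the CA file does not validate the server's certificate chain, so the same CA in the appliance's CCL would not validate it either.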

 

Step 3: Configure the Database Download on the ProxySG/Advanced Secure Gateway Appliance

You can configure the database using the Management Console (on the Advanced Secure Gateway appliance, click the Proxy tab before navigating) or the ProxySG CLI. For more detailed steps, refer to:

  • the appropriate chapter for the subscription service in the SGOS Administration Guide
  • Command Line Interface Reference, "Privileged Mode Configure Commands" chapter

This procedure uses Application Attributes as an example, but it applies to all subscription services that support downloading databases from internal servers. See the reference at the end of this article for the supported services, as well as navigation in the ProxySG/Advanced Secure Gateway Management Console and CLI commands.

1. Specify the download URL and optional authentication parameters. If configuring authentication, you will need the SSL device profile you configured in Step 2 and the username/password you noted when completing prerequisites.

Using Management Console:

  1. Select Configuration > Application Classification > Attributes > Download.
  2. Select URL to host the database on a local server and enter the URL. By default, Direct is selected (to download from Symantec).
  3. From the Profile menu, select the SSL device profile.
  4. In the Username field, enter the username.
  5. Click Change Password. In the Change Password dialog, enter and confirm the password.
  6. Click OK to return to the tab.

Using CLI Commands:

#(config application-attributes)download url url

#(config application-attributes)download profile ssl_device_profile_name

#(config application-attributes)download username username

#(config application-attributes)download password password

2. Enable the service to initiate the database download.

Using Management Console:

  1. Select Configuration > Application Classification > Attributes > Attributes.
  2. Click Enable. The appliance downloads the database for the first time.

Using CLI Commands:

#(config application-attributes)enable

 

Reference: Subscription Service and Database Configuration Path/Commands

Application Attributes

  • Admin Console Path: Administration > Data & Cloud Services > Application Classification > Application Attributes > Download Application Attributes
  • Management Console Path: Configuration > Application Classification > Application Attributes > Download
  • CLI Mode: #(config application-attributes)

Application Classification (Intelligence Services data source only)

  • Admin Console Path: Administration > Data & Cloud Services > Application Classification > Application Attributes > Download Application Classification
  • Management Console Path: Configuration > Application Classification > General > Download
  • CLI Mode: #(config application-classification)

Application Protection

  • Admin Console Path: N/A
  • Management Console Path: Configuration > Threat Protection > Application Protection > Application Protection
  • CLI Mode: #(config application-protection)

CachePulse

  • Admin Console Path: N/A
  • Management Console Path: Configuration > Proxy Settings > General > General
  • CLI Mode: #(config cachepulse)

Content Filtering (Intelligence Services data source only)

  • Admin Console Path: Administration > Data & Cloud Services > Content Filtering > Blue Coat > Download
  • Management Console Path: Configuration > Content Filtering > Blue Coat > Blue Coat
  • CLI Mode: #(config bluecoat)

Geolocation

  • Admin Console Path: Administration > Data & Cloud Services > Geolocation > Download Database
  • Management Console Path: Configuration > Geolocation > General > Download
  • CLI Mode: #(config geolocation)

IP Reputation

  • Admin Console Path: N/A
  • Management Console Path: Configuration > Threat Protection > IP Reputation > IP Reputation
  • CLI Mode: #(config ip-reputation)

Threat Risk Levels

  • Admin Console Path: Administration > Data & Cloud Services > Threat Protection > Threat Risk Levels > License and Download Status
  • Management Console Path: Configuration > Threat Protection > Threat Risk Levels > Download
  • CLI Mode: #(config threat-risk)