Introduction
This document answers frequently asked questions (FAQ) about the Cisco Hybrid Web Appliance.
What is the First Customer Shipment (FCS) version for Hybrid Web Appliance?
AsyncOS 9.2.0 for Web build 075.
What are the steps to deploy Cisco Hybrid Web Appliance?
https://youtu.be/b23MBYyPiis
What are the steps to perform AsyncOS Upgrade on Cisco Hybrid Web Appliance (Physical - Virtual)?
https://youtu.be/Mpr8rmwR3a8
How do you configure Cisco Hybrid Web Appliance & ScanCenter - Active Directory Group Base Authentication?
https://youtu.be/CyvN7wI_BJs
Does each Web Security Appliance (WSA) need its own token when registering with ScanCenter Portal?
Yes, each token is for one-time use only, for a single WSA.
How long is the registration token valid for registering the Web Appliance with the ScanCenter Portal?
60 minutes or one hour.
How often does a policy get pulled from ScanCenter on WSA?
120 seconds or two minutes.
What is the purpose/goal of Hybrid Web Solution?
Hybrid Web Security mode provides unified cloud and on-premise policy enforcement and threat defense. The policies are defined in Cisco ScanCenter, the administrative portal to Cloud Web Security (CWS), and are automatically downloaded to the Web Security appliance.
Does a WSA in Hybrid Web send traffic to CWS?
No, it’s direct access to the Internet.
What feature keys are required to set up the WSA in Hybrid Web mode?
The feature key set is the same as for a WSA deployed in Proxy mode.
What WSA version supports Hybrid Web mode?
AsyncOS 9.2.0 for Web build 075 and higher.
What license is needed for Hybrid Web Appliance Physical Appliance?
The feature key set is the same as for a WSA deployed in Proxy mode.
What license is needed for Hybrid Web Appliance Virtual Appliance?
The feature key set is the same as for a WSA deployed in Proxy mode.
What information is needed to open service requests with Technical Assistance Center (TAC) for Physical Hybrid Appliance?
Cisco Contract number, Serial number of the Appliance, and CWS contract ID.
What information is needed to open service requests with TAC for Virtual Hybrid Appliance?
Cisco Contract number, VLN#, and CWS contract ID.
I do not see Access Policy under Web Security Manager?
This functionality moved to the Scan Center portal, which is part of the Cloud Management Portal.
What is the AsyncOS update release cycle for the Hybrid Web Appliance builds?
Current schedule is every two weeks.
I do not see the revert command on the command line. How do I perform revert?
The revert command is not supported with the Hybrid Web Appliance.
How do I perform revert with Cisco Hybrid Web Appliance?
Revert must be performed as an upgrade and requires provisioning from Cisco TAC. Please open a support case.
Where do I find the Cisco CWS Scan Center Administrator Guide?
https://tools.cisco.com/squish/B4cff
Where do I find the release notes for the Version 9.2.x release?
https://tools.cisco.com/squish/1D334
Where do I find the User-Guide for the Version 9.2.x release?
https://www.cisco.com/c/en/us/support/security/web-security-appliance/products-user-guide-list.html
Where is the download link for Hybrid Web Virtual Appliance?
https://tools.cisco.com/squish/0B343
I do not see the Upgrade command on the command line. How do I perform Upgrade?
The Upgrade command is not supported with the Hybrid Web Appliance. For more information, see https://youtu.be/Mpr8rmwR3a8.
What are the use cases for deploying Cisco Hybrid Web Appliance in the real world?
- Customer does not want to send traffic to the cloud, or wants to keep their logs within their network
- Customer has a decentralized network with breakout points in locations where there is no CWS presence
- Unified Policy Management
- Unified reporting
What is the target customer base for Cisco Hybrid Web Appliance?
- Already a CWS customer
- New customers who require the Hybrid Web offering
- Existing WSA customers
Is there local reporting on Cisco Hybrid Web Appliance?
No, only the System Capacity reporting page is supported. It requires the Cisco Advanced Web Security Reporting Application.
What are the licensing requirements for Cisco Hybrid Web Appliance?
Make sure customers understand they need both CWS and WSA accounts/licenses to use this solution.
What are the steps to deploy Cisco Advanced Web Security Reporting Application with Cisco Hybrid Web Appliance?
https://tools.cisco.com/squish/9982D
What are the new logs and how can we view communication logs between the Web Appliance and Scan Center?
The new log is hybridd_logs. You can grep or tail hybridd_logs for the details. User Interface (UI) improvements are coming in later versions.
Do I need to modify the policy download interval from the default value?
Currently, the default policy download interval is 120 seconds, and this value cannot be modified.
How can I re-register Hybrid Web Appliance with the Scan Center without running Setup Wizard again?
From the Appliance GUI, navigate to Support and Help > Web Policy Connectivity > change registration.
How can we verify that Hybrid Web Appliance is registered successfully with the Scan Center?
From the Appliance GUI, navigate to Reporting > System Status > Cloud Policy Communication.
What are the new logs added to the Cisco Hybrid Web Appliance?
hybridd_logs, which provide communication details between the Web Appliance and Scan Center.
Which port does the Hybrid Web Appliance use to communicate with the Cisco policy server, registration server, and upgrade server?
TCP port 443 must be open through the firewall.
What are the features that must be configured on Cisco Hybrid Web Appliance directly?
Networking, interface, routes, Web and HTTPS proxy, Authentication Realm(s), EUN page, email alerts, Global setting, Transparent re-direction and Proxy bypass.
Is there a way to disable the automatic upgrade?
No, and it’s not recommended.
Why is the automatic upgrade necessary?
In order to keep Cisco Hybrid Web Appliance up to date with the latest build and to keep the appliance in sync with the cloud.
How do we deal with environments that require a scheduled change window to complete the upgrade?
Administrators can update the Upgrade and Update Setting from the GUI: navigate to System Administration > Upgrade and Update Setting > Edit Time Windows.
What happens if a customer has two different AD realms configured and there are groups with matching names?
As long as the Active Directory Domain names are unique, that is not an issue.
What happens if a customer upgrades to a non-Hybrid version? Is this possible?
The only way this can be achieved is to run the setup wizard again and change the deployment mode.
For unsupported features, what is the timeline at this time?
Please reach out to Cisco TAC for the timeline.
Is Layer 4 traffic monitoring supported with Cisco Hybrid Web Appliance?
Not at this time.
What other protocols/features are currently not supported with the Cisco Hybrid Web Appliance?
Native FTP, SOCKS, SaaS, DLP, SNMP trap, and setting threshold of WBRS service are not supported at this time.
How does the Identification Profile on WSA interact with the Access Policies converted from ScanCenter Portal?
For the most part, we use advanced membership criteria in access policies to differentiate traffic hitting the particular policy. For authentication, we expect a specific Identification Profile to be created with authentication realms and subnet.
Is it possible to push unique configurations from Scan Center to each WSA (where multiple Hybrid Web Appliances are deployed)?
Yes, these are the options:
- You can register all of your WSAs under the same CWS account and the same policy is synced with all of them.
- You need separate CWS accounts if you want a different set of policies for each WSA.
Are there caveats on what types of configurations cannot be converted from CWS to Hybrid Web Appliance (WSA) and vice versa?
There is a list of exceptions in the user guide; please review it.
How can we determine if a policy conversion has failed between WSA to CWS?
Grep or tail hybridd_logs for real-time information on communication updates between the WSA and the CWS portal.
If one part of the policy fails to convert, does any part of the config apply?
We skip the failed part of the policy and convert the rest of the policy if there are no errors.
What is the SmartNet requirement for Cisco Hybrid Web Appliance?
https://www.cisco.com/site/us/en/products/security/secure-web-appliance/index.html