Management Guide
Management Center Configuration & Management
TOC
Management Center Overview 23
Web Console Overview 25
Dashboard 26
Network 26
Configuration 27
Jobs 27
Reports 27
Administration 28
Example 29
Log in to the Web Console 31
Navigate the Web Console 32
Required Ports, Protocols, and Services 33
Verify Web Console Access 35
Move Items 36
Encrypt Sensitive System Data 38
Potential Data Loss 38
How Do I? 39
Add and Monitor Devices 39
Create and Manage Jobs 40
Upload Files to Management Center 41
Add Users and Grant Permissions 45
Monitor Device Health 47
Manage Dashboards 50
Notes 51
Integrate Reporter into Management Center 53
View Consolidated Reports 53
Migrate Device Metadata in Director as Management Center Scripts 55
Determine Your Next Step 60
View Audit Log 61
Regularly Back Up a Group of Devices 62
Manage Devices 64
Add a Device 65
Determine Your Next Step 67
Add a Device Group 68
Set the Device Polling Interval 68
Add Multiple Devices at Once 70
Import Devices Using a CSV File 70
Determine Your Next Step 71
Edit a Device 72
Procedure 72
View Effective Policy for Each Slot on the Device 72
Determine Your Next Step 73
Edit a Device Group 74
Launch a Device Console 75
Upgrade System Images on Managed Devices 75
Troubleshooting 77
Back Up Device Configurations 78
Next Steps 80
Use Device Information for Backup Job Image Metadata 81
View Device Backups 83
Restore Device Backups 84
Export Device Backups 85
Restore Device Backups 87
Set the Number of Backup Slots 88
SSL Visibility Appliance - What is Backed up and Synchronized? 88
Policy 88
PKI 88
Users 88
Platform 88
Alerts 89
Remote authentication 89
Monitor Device Health and Statistics 90
Stop Managing a Device 95
About Pre-Deployed and Deactivated Devices 96
Restart a Device 96
Synchronize Devices 97
Prerequisites 97
Device Sync Details 97
Support for SSL Visibility Appliance 97
Support for Content Analysis 97
Support for Malware Analysis Appliance (MA) 98
Perform Device Synchronization 98
Configure Hierarchy for Devices and Device Groups 100
Hierarchical Configurations 100
Edit a Hierarchy 102
Delete a Hierarchy 102
Search for Managed Devices 103
Search by Name or IP Address 103
Browse the Hierarchy 103
Perform an Operation on a Managed Device 104
Ensure Devices Belong to Device Groups 105
Monitor Device Health 106
Verify Device Details 110
Device Overview Tab 110
View System Metrics 112
The System Metrics Tab 112
The Health Checks Tab 112
The Backup Tab 113
Determine Your Next Step 113
RMA a Device 114
Put Device in Monitor-Only Mode 115
Use WAF Policy To Protect Servers From Attacks 119
Requirements 120
Solution Steps 120
About WAF Policy 121
About the Default Tenant 121
About Tenant Determination 122
Reference: Conditions and Examples 122
Manage Tenants 124
WAF Policy Use 124
Specify Tenant Determination Rules 126
WAF Policy Use 126
Configure WAF Security Rules 130
WAF Policy Use 130
Configure WAF Application Objects 133
WAF Policy Use 133
Analyze and Refine WAF Policy (Mitigate False Positives) 139
WAF Policy Use 139
Analyze and Refine WAF Policy Workflow 139
Manage WAF Security Policy 140
WAF Policy Use 140
Distribute Configurations to Devices 144
Create and Distribute Configurations Using Scripts 145
Compare Versions of the Script 148
Customize Object Filters 149
Execute a Script 150
Example 150
To Execute a Script 150
Filter by Attributes and Keyword Search 151
Search by Keyword 151
Procedure 152
Can quotes be used in a search? 152
How do you search for whole words? 152
How do you search for partial words? 152
Example Searches 152
IPv4 127.0.0.1 152
IPv6 0:0:0:0:0:1 152
Hostnames 152
What if the search finds no match? 152
What if the search succeeds in finding matches? 152
How do you clear the search results? 152
Import Script from a Device 153
Determine Your Next Step 154
Manage Attributes 155
View and Sort the Following Attributes Lists 155
Restore a Version of Script 156
View Script Information 157
Use Substitution Variables in Policies and Scripts 158
Syntax 158
Examples 159
Supported Variables 159
Specify a Default Substitution Value 160
Syntax 161
Example 161
Create and Distribute Policy 162
Use Content Policy Language (CPL) to Create Policy 165
Working with CPL Policy Fragments 165
Determine Your Next Step 166
Create a CPL Policy Object 167
Determine Your Next Step 168
Add or Edit CPL Policy Sections 169
Refine Existing CPL Policy 171
Work with CPL Policy Sections 172
Navigate sections 172
Collapse a section 172
Collapse all sections 172
Move sections 172
Find a Policy Section 173
If the search finds no match 173
If the search finds matches 173
Clear the search results 173
Manage Attributes 174
View and Sort the Following Attributes Lists 174
Change the Order in which Policy Rules are Evaluated 175
Use Substitution Variables in Policies and Scripts 176
Syntax 176
Examples 176
Supported Variables 177
Specify a Default Substitution Value 178
Syntax 178
Example 179
Launch Visual Policy Manager 180
Set Up and Enable Java in Your Browser 182
Launch Visual Policy Manager 183
Select Reference Device for VPM Policy 185
Determine Your Next Step 186
View VPM Policy Source 186
Create Shared Objects 187
Create a CPL Policy Fragment 188
Create URL List (URL Policy Exceptions) 189
Enabling and Disabling URLs 190
URL List Example 191
Step One - Create the URL List Object 191
Step Two - Add Allowed URLs 191
Step Three - Add the URL List to the ASUP Policy 192
Create Category Lists 193
Category List Example 196
Step One - Create the Category List Object 197
Step Two - Select Categories that Should be Denied 197
Step Three - Add the Category List to the ASUP Policy 198
Use Category List Templates 200
Include a Policy Fragment 204
Deploy Tenant Policy 207
Manage Tenants 209
WAF Policy Use 209
Create a VPM Tenant Policy Object 212
Determine Your Next Step 212
Import VPM Tenant Policy from Source Device 213
Determine Your Next Step 215
Deploy Tenant Policy 217
Configure Policy 219
Add or Remove Devices Associated with Policy 220
Determine Your Next Step 221
Check Consistency between Policy and Devices 222
Determine Your Next Step 223
Compare Different Versions of the Same Policy 224
Compare the Device Policy Version with Current Policy Version 225
Determine Your Next Step 226
Export Policy or Shared Objects to Local Disk 226
Install Policy 227
Policy Installation Methods 227
Install... 227
Install to All... 230
Install to Device 230
Install Multiple Policies 231
Import Policy or Shared Objects 232
Determine Your Next Step 237
Import External Policy 238
Prerequisites 238
Procedure 238
Manage CPL Policies 239
View Policy Versions 239
Restore a Version of Policy 242
View Existing Policy Information 243
View Deployed Policy for each Device Slot 246
View Devices Associated with Policy 247
Use Specific Attribute Values to Control Access to Policy 247
Procedure 247
Permissions Reference 249
Reference: Permissions Interdependencies 250
Reference: Permissions Filters Object and Attributes 259
Reference: Understanding Job Permissions 261
User runs a job immediately after configuring it or manually using Run Now 261
User configures a job scheduled in the future 261
Configure Users, Roles, and Attributes 262
Manage Management Center Users 263
Add Local Users 264
Add Users from an Existing Directory or Service 266
Authenticate Users Against LDAP or LDAPS 267
Authenticate Users Against Active Directory LDAP 270
Authenticate Users Against RADIUS 272
Authenticate Users with SSL Mutual Authentication 273
Note 276
Edit a Local or Imported User 277
Delete a User 277
Change and Reset Passwords 278
Change Your Password 279
Reset Password 280
Automate Password Reset Process 281
Manually Reset a User's Web Console Password 282
Reset or Restore Admin Account Passwords 283
Manage User Groups 284
Add User Groups 284
Edit a User Group 286
Delete a User Group 286
Manage User Sessions 287
Define Roles 288
About Roles 288
Procedure 288
Duplicate an Existing Role 290
Edit an Existing Role 290
Grant Permissions 291
Update Access When a User's Job Changes 293
Update a User's Roles 293
Filter Devices or Device Groups in a Permission 294
Restrict Access to Reporter Reports 294
Procedure 294
Users Associated With Multiple Roles 296
Manage Attributes 297
View and Sort the Following Attributes Lists 297
Add Attributes 298
Mandatory Attributes 300
Edit Attributes 301
Set User-Defined Device Attributes for Access Control 302
Filter and Keyword Search 303
Procedure 303
Search by Keyword 303
Can quotes be used in a search? 304
How do you search for whole words? 304
How do you search for partial words? 304
Example Searches 304
IPv4 127.0.0.1 304
IPv6 0:0:0:0:0:1 304
Hostnames 304
Search 304
What if the search finds no match? 304
What if the search succeeds in finding matches? 304
How do you clear the search results? 304
Preview or Download Logs 305
Available Logs 305
Log Types 305
Manage User Sessions 306
Receive Error Notifications 307
Manage Alerts 307
Configure SMTP Alerts 318
Configure SNMP Alerts 319
Customize the Audit Log 321
Create and Manage Jobs 323
Add a Job 324
Job Operations 325
Job Scheduling Options 328
Monitor Jobs 330
Edit a Job 331
View Current Jobs 332
Cancel a Currently Running Job 333
View Job History 334
View Job Progress 334
Management Center Reports 336
Statistics Monitoring Reports 336
Reporter Reports 336
Integrate Reporter into Management Center 337
Add Reporter as a Managed Device 338
View a Reporter Report 339
Customize Reporter Report Options 343
Add Report Filters 343
Examples 346
Change the Report Summary 346
Set Time Zone for Reporter Reports 348
Reference: Report Descriptions 351
Search for Specific Report Data (Search and Forensic Report) 360
Reporter Graph Types and Views 364
Set Time Zone for Reporter Reports 365
Determine Why A Reporter Database Does Not Display 368
View Statistics Monitoring Reports 368
Reference: Statistics Monitoring Reports in Management Center 369
Modify Options for Statistics Monitoring Reports 372
Change the Scope of a Statistics Monitoring Report 374
Filter on Devices or Device Groups 375
Zoom In and Out on Reports 375
Statistics Monitoring Graph Types 375
Display a Full Report 376
Determine Your Next Step 376
View Statistics Monitoring Reports 376
Reference: Statistics Monitoring Reports in Management Center 377
Modify Options for Statistics Monitoring Reports 380
Change the Scope of a Statistics Monitoring Report 382
Filter on Devices or Device Groups 383
Zoom In and Out on Reports 383
Display a Full Report 383
Determine Your Next Step 384
Statistics Monitoring Graph Types 384
Work with Reports 384
Customize Report Widgets 386
Collapse Report Widgets 386
Move Report Widgets 386
Remove Report Widgets 386
Add Reports 386
Close a Report 386
Close the Active Report 386
Close a Report on Another Widget 386
Modify Display of Table Data 386
View Raw Report Data 389
Manage Dashboards 390
Notes 390
Dashboards and Widgets 393
Add a Widget to the Current Dashboard 393
Add the Bookmarked Devices Widget 394
Edit or Duplicate Dashboards 395
Home 396
Statistics Monitoring Dashboard 396
Change the Dashboard Layout 396
Administrate Management Center 397
Configure General System Settings 397
Set Bandwidth Cost for Reports 399
Set the Device Polling Interval 399
Set the Number of Backup Slots 399
Specify Explicit Proxy Settings 400
Synchronize the System Clock using NTP 400
Configure Diagnostics Logging 401
Configure Housekeeping Settings 402
Configure Mail Settings 402
Configure the SNMP Agent Password 403
Configure Consent Banner 403
Procedure 404
Configure Hardware Monitor Settings 405
Upgrade/Downgrade System Images 406
Back Up the Management Center Configuration 408
Backup Requirements 408
Back Up Management Center 408
Back Up Management Center Using the CLI 409
Encrypt Sensitive System Data 409
Potential Data Loss 409
Restore a Management Center Backup Configuration 410
Restore Management Center Backup 410
Configure Management Center Failover 411
Configuration Limitations 412
Failover Prerequisites 412
Configure Failover 412
Switch to Secondary When the Primary is Unresponsive 414
Disable Failover 415
Update the Management Center License 417
Verify License Components from the Web Console 418
Troubleshoot and Resolve Issues 419
Audit Transactions 420
Understand Transaction Types 422
Customize the Audit Log 423
Configure Housekeeping Settings 425
Configure Diagnostics Logging 425
Required Ports, Protocols, and Services 427
Determine Which Version You are Using 428
Build Information Fields 429
Automate Password Reset Process 429
Prevent Licensing Issues on a Virtual Appliance 431
Duplicate Serial Numbers 431
Expiring Licenses 431
Restart Services 431
Test Network Connectivity 432
Upload System Diagnostics 433
View Hardware Diagnostics and Memory Resources 433
Problems and Errors 435
Read Alerts 436
"Could not enable statistics collection due to unexpected server failure" when activating a device 436
"Import batch contains duplicate device name violation" when importing multiple devices 436
"Local Changes Detected" error when installing policy 437
User has "access denied" error when running a job 437
"Multi-tenant policy support is not enabled for this device" when installing policy 437
CLI Command Reference 438
Access the Management Center CLI 439
CLI URL Syntax 440
Notes 440
Standard Mode Commands 441
>enable 441
Syntax 441
Example 441
>exit 441
Syntax 441
Example 441
>help 442
Syntax 442
Example 442
>ping 442
Syntax 442
Example 443
>show 443
Syntax 443
Subcommands 443
Example 444
>tracepath 445
Syntax 445
Example 445
Privileged Mode Commands 446
#backup 446
Syntax 447
Subcommands 447
Transfer Configuration and Data to Another Appliance 447
Example 448
#diagnostic-systems 448
Syntax 448
Subcommands 448
#disable 449
Syntax 449
Example 449
#exit 449
Syntax 449
Example 449
#failover 449
Syntax 450
Subcommands 450
Example 450
#help 450
Syntax 450
Example 450
#http-proxy 451
Syntax 451
Subcommands 451
Example 451
#installed-systems 452
Syntax 452
Subcommands 452
Example of canceled image download: 453
Example 453
#license 453
Syntax 454
Subcommands 454
Example 454
#pcap 455
Syntax 455
Subcommands 455
Example 456
#ping 456
Syntax 456
Example 456
#restart 456
Syntax 456
Subcommands 457
Example 457
#restore-defaults 457
Syntax 457
Subcommands 457
Example 458
#rsyslog-output 458
Syntax 458
Subcommands 458
Examples 458
#security 459
Syntax 459
Subcommands 459
Example 462
#service 462
View Disk Usage 462
Syntax 462
Perform Disk Maintenance 463
Syntax 463
Enable Verbose Logging 463
Syntax 463
Upload Diagnostics Data 463
Syntax 463
Subcommands 463
Purge VPM Cache 464
Syntax 464
#show 464
Syntax 464
Subcommands 464
Example 465
#shutdown 466
Syntax 466
Example 466
#snmp 466
Syntax 466
Subcommands 466
Example 466
statistics-monitoring 466
Syntax 467
Subcommands 467
Example 467
#subscriptions 467
Syntax 467
Subcommands 467
Example 468
#tracepath 468
Syntax 468
Example 468
#verify-hardware 469
Syntax 469
Example 469
Third Party Copyright Notices
2016 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.
BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Americas:
Blue Coat Systems, Inc.
384 Santa Trinita Avenue
Sunnyvale, CA 94085
Rest of the World:
Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland
Management Center Overview
Blue Coat Management Center centrally manages and monitors the Blue Coat devices in your organization. You can organize devices into hierarchical groups, monitor device health, install policies to ProxySG devices, back up device configurations, and produce consolidated reports. In addition, you can control access to Management Center and devices by adding system users manually or authenticating through an existing directory or service, such as RADIUS.
The following table summarizes some of the features and benefits of using Management Center.

Feature: Management Center provides centralized management for up to 500 devices.
Benefit: Eliminate the need to manage each remote device manually, reducing management costs.

Feature: Groups devices based on location, department, purpose, and other attributes that you specify.
Benefit: Delegate administrative duties and deploy policies for specific groups. Enables administrators to assign attributes for managed devices that have different purposes within their network.

Feature: Roles have greater flexibility, enabling user groups with the same permissions to access and manage policies and devices within their specific organization.
Benefit: User Groups with the same permissions access, manage, and can report on devices within their management area without overlapping job duties and wasting time and resources. Apply roles to user groups that you need to have homogenous results (for example user groups that are in specific locations or have a specific job function).

Feature: Manages internal and external user accounts for Management Center.
Benefit: Users only access the functional areas and perform tasks required for their jobs.

Feature: Facilitates creating and deploying policy to multiple devices simultaneously. Includes Visual Policy Manager and consistency checking between policies and devices
Benefit: Ensure consistency amongst devices that have the same purpose or require standardized policy. Administrators can manage policy using the Visual Policy Manager on managed devices from within the Management Center web console.

Feature: Manage attributes for devices, device groups, policy and device scripts
Benefit: Use attributes to define custom metadata for devices, device groups, policy and device scripts. Filter on attributes to refine searches for all objects.

Feature: Create, edit and execute scripts. Includes the ability to compare script versions and to import a script from a managed device
Benefit: Administrators can create and edit scripts as well as execute scripts on managed devices. Variable replacement is supported, as well as the ability to check versions of a saved script and to import a script from a device.

Feature: Audit log records user and system event history
Benefit: Be aware of all user actions in the system and support organizational accountability.

Feature: Default Reporting (Reports on device performance)
Benefit: Management Center provides centralized reporting for managed devices. Statistics Monitoring reports are included by default and include:
- Devices
- WAN Optimization Reports

Feature: Advanced Reporting (Reporter 10.x integration)
Benefit: For advanced reporting features, you can add a Reporter Enterprise Server as a managed device. After adding Reporter, four groups of reports are available for viewing data:
- Security reports
- Web Application reports
- User Behavior reports
- Bandwidth Usage reports
Web Console Overview
The web console is Management Center's browser user interface, as shown below.
Depending on a user's permissions, not all of the tabs may be visible to a particular user. See "Reference: Permissions Interdependencies" on page 250 for information on user permissions in Management Center.
Banner
The banner is the area at the top of the Management Center web console; look for the title Blue Coat Management Center. The banner is visible regardless of which tab or menu item you select. It provides you with a view of device health status and alert messages, access to your profile, global settings, and more. The following are options in the banner, from left to right (excluding the title):
- Task Tabs are where you perform device management operations.
- Device Status Totals indicate the number of devices and colors indicate device health. See the table below for web console color details.
- Messages display when you or other users complete certain tasks in Management Center. See "Read Alerts" on page 436.
- System Menu contains the following options:
  - Management Center links
  - Profile displays your user profile in Management Center. See Update Your Web Console Profile, Password and Security Question.
  - Logout logs you out of the system.
  - Support links to https://bto.bluecoat.com/.
  - Documentation links to the Management Center documentation on BTO.
  - About displays the Management Center version and links to legal notices, including the EULA.
Tabs
Management Center divides functionality into tabs.
Dashboard
When you log in to Management Center, the web console displays the Home dashboard by default. From here, you can "Manage Dashboards" on page 390 and customize the data that you want to monitor for managed devices. See "Change the Dashboard Layout" on page 396, "Dashboards and Widgets" on page 393, and "Add the Bookmarked Devices Widget" on page 394.
Network
Network displays all managed devices in your hierarchy. For each device, you can view device overview information (such as platform, OS and serial number), device health, system metrics, and the backups for each device.
Configuration
ProxySG configurations can be updated using Policy or Scripts. To create and manage policy or create and execute scripts, see "Distribute Configurations to Devices" on page 144.
Jobs
The Jobs tab enables you to create and run jobs, view the progress of any currently running job, and schedule recurring jobs. You can also see the entire job history for each device. See "Create and Manage Jobs" on page 323.
Reports
Management Center provides centralized reporting for managed devices. Statistics Monitoring includes reports on the following categories:
- Devices
- WAN Optimization (requires a Proxy or MACH5 Edition license)
For advanced reporting features, you can add a Reporter Enterprise Server as a managed device. After adding Reporter, four groups of reports are available for viewing data about ProxySG devices:
- Security reports
- Web Application reports
- User Behavior reports
- Bandwidth Usage reports
Administration
These settings enable you to add users, assign roles, and perform other administrative tasks. The tabs include Auditing, Settings, Users, Groups, Roles, Attributes, Hardware Diagnostics, Logs, User Session, and License.
About Color-Coded Status Indicators
Colors represent the status of significant events in several areas in the web console:
- Alert colors
  In alerts that pop up in the web console and are listed in the Messages list, colors indicate the severity level of the event. If you have unread alerts, the Messages label in the banner displays the status of the message with the highest severity level. For example, if you have an unread Message-level alert and an unread Error alert, the Messages label displays a red Error status. See "Read Alerts" on page 436 for more information.
- Banner
  On the web console banner, the Device Status Totals icons represent not only health status but also the number of devices with each status. Click a number to view the devices in the Network tab.
- Dashboard
  Colors in the Device Health and Top Problem widgets indicate a device's health status. Select any part of the display color in the Device Health widget to display the devices in the Network tab.
- Example
- Network
  From the Network tab, a device's color indicates its health status. The colors of groups and hierarchies indicate the health status of the devices with the highest-severity status. See "Monitor Device Health" on page 106.
- Jobs
  When viewing a currently running job, the status of the job is displayed. If you are viewing the Job History, all jobs are displayed with the completed job status. See "View Current Jobs" on page 332.
The following table lists the statuses in Management Center, the colors associated with them, and descriptions of each status.
Log in to the Web Console
Log in to Management Center web console using a supported browser. For a list of supported browsers, refer to the Management Center Release Notes.
TLS 1.0 is disabled on Management Center. To securely connect to the Management Center web interface using Internet Explorer 10 or later, you must enable TLS 1.1 and 1.2 on the browser. In the browser, select Internet Options > Advanced, and enable Use TLS 1.1 and Use TLS 1.2.
1. In the web browser, enter one of the following URLs:
   - http://IP_address:8080
   - https://IP_address:8082
   The browser displays the login screen.
   When enabled, the consent banner page displays before the login screen. If the user recognizes both the text and image, the user confirms that the system will be used for the purpose shown, by clicking Accept. See "Configure Consent Banner" on page 403.
2. Enter your username and password, and click login.
   The default username/password is admin/admin. To restore the default admin password, see "Reset or Restore Admin Account Passwords" on page 283.
3. You can request a password reset. Click Reset Password. For more information, see "Reset Password" on page 280. For added access control, administrators should enable password reset settings for users with the correct permissions. See "Automate Password Reset Process" on page 429.
4. Upon successful login, Management Center displays the main Dashboard.
See "Web Console Overview" on page 25 and "Dashboards and Widgets" on page 393.
Navigate the Web Console
Refer to the following for an overview of navigational tools in the web console interface.
Tabs
The web console organizes information on tabs in two key areas at the top of the screen. The functional grouping of tabs, which includes the Dashboards, Network, Configuration, Jobs, Reports, and Administration tabs, is organized for managing devices from Management Center.
- Functional areas in the web console are divided into tabs at the top of the screen, under the banner. Click a tab label to perform specific tasks. For example, click Network to manage your devices.
- In Dashboards, you can see the Home and Statistics Monitoring dashboards. To close a report, click the X on the tab.
The Administration tab has numerous sections that are specific to managing Management Center itself:
- Auditing
- Settings
- Users
- Groups
- Roles
- Hardware Attributes
- Logs
- Users Sessions
- License
Split Screens
In some areas of the web console, split bars divide screens into panes:
- From the Network tab, you can manage all devices in your network. The screens are divided into a left pane and a right pane with a filters pane on the right. The top pane displays the filters and a search field if the Details drop-down list has Details (rather than Tiles) selected.
If a split bar has an arrow on it, you can click the arrow to collapse or expand the split screen.
You can also move a split bar to resize panes: hover over the split bar until the pointer changes to a divider. Then, drag the bar to a new location.
Information on Multiple Pages
In the following areas of the web console, items display on multiple pages if more than 50 items exist:
- Logs in Auditing
- Policy and Script Objects in Configuration
- Device search results in Network
Use the following features of the navigation bar at the bottom of a page to navigate pages:
- Click < > to move back or forward one page at a time.
- Click << >> to go to the first page or the last page of results.
- Enter a page number in the Page field.
The right side of the navigation bar indicates which items are displayed and the total number of items in the list:
Required Ports, Protocols, and Services
Management Center uses the following ports while operating. Ensure that you allow these ports when setting up Management Center.
Management Center | 22 TCP | Management Center | Management Center communication with failover partner
Management Center | 22 TCP | User's Client | Management Center CLI
Management Center | 8080, 8082 TCP | User's Client | Management Center's UI (web console)
Ensure connectivity to the following URLs.
Verify Web Console Access
After you install a new license or update an existing license, verify that you can access the web console. Refer to the Release Notes for a list of supported browsers.
TLS 1.0 is disabled on Management Center. To securely connect to the Management Center web interface using Internet Explorer 10 or later, you must enable TLS 1.1 and 1.2 on the browser. In the browser, select Internet Options > Advanced, and enable Use TLS 1.1 and Use TLS 1.2.
1. Open a web browser.
2. In the address bar, enter the URL.
   https://ip_address:8082
   You cannot change the port number.
The web browser displays the login screen.
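The same verification can be scripted from an administrator's workstation. The following is an added example, not part of the Blue Coat guide or product: it probes the ports listed under Required Ports, Protocols, and Services and checks the guide's statement that TLS 1.0 is disabled while TLS 1.1 and 1.2 work on port 8082. The function names (tcp_open, tls_accepts, evaluate, audit) are hypothetical, and the host is whatever address you pass in.

```python
import socket
import ssl
import sys
import warnings

# Ports from the guide's "Required Ports, Protocols, and Services" table.
SSH_PORT, HTTP_PORT, HTTPS_PORT = 22, 8080, 8082

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_accepts(host, port, version_name, timeout=3.0):
    """Attempt a handshake pinned to exactly one TLS version.

    Returns True (accepted), False (refused or unreachable), or None when
    the local ssl build cannot offer that version at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Protocol probe only: the certificate is not validated here.
    # Assumption: the appliance may present a self-signed certificate.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            if version_name != "TLSv1.2":
                # Recent OpenSSL refuses to offer TLS 1.0/1.1 above level 0.
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = VERSIONS[version_name]
            ctx.maximum_version = VERSIONS[version_name]
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return tls.version() == version_name
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        return False


def evaluate(probe):
    """Compare probe results with what the guide states; return findings."""
    findings = []
    tcp, tls = probe["tcp"], probe["tls"]
    if not tcp.get(SSH_PORT):
        findings.append("22/tcp closed: CLI and failover partner traffic will fail")
    if not tcp.get(HTTPS_PORT):
        findings.append("8082/tcp closed: HTTPS web console is unreachable")
    else:
        if tls.get("TLSv1") is True:
            findings.append("TLS 1.0 accepted on 8082, but the guide says it is disabled")
        elif tls.get("TLSv1") is None:
            findings.append("TLS 1.0 could not be tested with the local ssl build")
        if not (tls.get("TLSv1.1") or tls.get("TLSv1.2")):
            findings.append("neither TLS 1.1 nor TLS 1.2 accepted on 8082")
    if tcp.get(HTTP_PORT):
        findings.append("8080/tcp open: console reachable over plain HTTP; use https on 8082")
    return findings


def audit(host, timeout=3.0):
    """Probe one host and return (raw probe results, findings)."""
    probe = {
        "tcp": {p: tcp_open(host, p, timeout)
                for p in (SSH_PORT, HTTP_PORT, HTTPS_PORT)},
        "tls": {},
    }
    if probe["tcp"][HTTPS_PORT]:
        probe["tls"] = {name: tls_accepts(host, HTTPS_PORT, name, timeout)
                        for name in VERSIONS}
    return probe, evaluate(probe)


if __name__ == "__main__" and len(sys.argv) == 2:
    results, issues = audit(sys.argv[1])
    print(results)
    for issue in issues:
        print("FINDING:", issue)
```

Run it with the appliance address as the only argument; an empty findings list means the host matches what the guide describes with port 8080 closed.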
Move Items
To complete some tasks in the web console, you move items from one area or container to another. For example, you move items to add devices to groups, associate devices with policy, remove users from groups, and remove roles from users.
The following example shows the Edit User dialog, where you can add or remove roles to a user:
If the list of items is long, you can scroll down to locate the item to move. You can also search using the search field above it.
The web console allows several ways to move items:
- Drag an item from one area to another.
  How to drag items
  For example, to add a role to a user, select the role under Available Roles. Click and hold; the pointer changes. Drag the role to Assigned Roles. The dialog displays a green line under Assigned Roles and the pointer changes again, indicating that the role can be moved there.
  Let go of the mouse button to move the role.
- Drag a selected device to a device group.
  Associate Devices with Device Groups
  1. Click the Network tab. In the left pane, click Unassigned Devices. Unassigned devices display on the right pane. See "Ensure Devices Belong to Device Groups" on page 105.
  2. Select the saved device.
  3. To assign the device to a group, select the device and drag it into the device group in the tree on the left.
  4. Drop the device into the device group. Confirm the move. Click OK.
Encrypt Sensitive System Data
In Management Center 1.6 and later, each device has a unique encryption key that is used to encrypt data in the system. The administrator generates this key in the Administration > Data Protection page. When the key is generated, a recovery key is also generated in case you later need to restore the encryption key. Make sure to save the recovery key in a safe place.
Potential Data Loss
- As part of this process, you should keep the recovery key in a safe place in the event that you need to restore the encryption key later. DO NOT LOSE THE KEY. If you lose the key, you will not be able to recover your encrypted data.
- You should not recover a key unless you are certain that you need to. If you use the Restore previous key feature and the current data in the database was not encrypted with that key, that data will not be able to be decrypted and you will have to reenter all of the device passwords.
New Management Center Appliance Recommendations
Upon receiving a new appliance, you should do the following:
1. Select Administration > Data Protection.
2. Click Generate Key.
   A new encryption key is created and a recovery key is displayed.
3. Record the recovery key and secure it in a safe location.
4. Click Restart System.
5. Configure the appliance.
6. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.
This process ensures that you can restore your configuration as necessary.
Upgrade Recommendations
If you are upgrading Management Center, Blue Coat recommends regenerating a new key and then taking a new backup. Doing so will ensure that you have the latest protection schemes and a valid backup that can be restored to the device if necessary.
1. Select Administration > Data Protection.
2. Click Generate Key.
   A new encryption key is created and a recovery key is displayed.
3. Record the recovery key and secure it in a safe location.
4. Click Restart System.
5. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.
This process ensures that you will be able to restore the previous configuration if the upgrade has issues.
How Do I?
What do you want to do in Management Center? See the following topics for assistance.
Manage Dashboards 50
Add and Monitor Devices
The Network dashboard presents data about managed devices and enables you to perform operations on them. Before you can view appliance data, you must add the device to Management Center. To import multiple devices, see "Add Multiple Devices at Once" on page 70 or "Migrate Device Metadata in Director as Management Center Scripts" on page 55.
To run operations on managed devices, see "Perform an Operation on a Managed Device" on page 104.
You can manage up to 500 devices in Management Center.
Create Hierarchy and Group Views
You require a way to administer and monitor devices in your network, which might comprise a complex organizational or geographical scheme. In Management Center, you can manage the devices in your network within a hierarchical structure.
Management Center comes with a predefined structure for device management, as follows:
- Location (Hierarchy)
  - World (Group)
    - France, Canada, Germany, and others (Subgroups)
- Organization (Hierarchy)
  - Company (Group)
    - Finance, Sales, Legal, and others (Subgroups)
You can use these predefined hierarchies and groups, but if you must organize the devices in your network using different criteria, you can create your own hierarchies and groups. Then, create device groups and subgroups to logically represent the structure of your network.
Create and Manage Jobs
Management Center allows you to create jobs for running a variety of operations on a defined schedule. For example, you can create jobs for backing up Management Center each day, installing policy on a group of ProxySG appliances immediately, or executing a ProxySG script on a monthly basis. Jobs don't necessarily need a precise schedule, though; if you don't define a schedule for a job, you can run the job manually. In addition, you may override the defined schedule for a job and run it immediately.
Scheduling a job and running an operation require different permissions. See "Reference: Understanding Job Permissions" on page 261.
1. Plan the job:
   • Determine which operation you want to create a job for. See "Job Operations" on page 325.
   • Which devices do you want to perform the operation on? These will be the targets of the job.
   • Decide how often the job should run. This will be the job schedule. See "Job Scheduling Options" on page 328.
2. Create the job. See "Add a Job" on page 324.
3. Monitor scheduled jobs, and run unscheduled jobs as needed. See "Monitor Jobs" on page 330.
4. Monitor jobs as they are running. See "View Current Jobs" on page 332.
5. View job history. See Job History.
Upload Files to Management Center
Use the Configuration > Files page to add files to Management Center. These files can be used for various operations, including upgrading Management Center.
All file types except .exe can be uploaded. If you upload a file with one of these extensions: .bcl, .bcsi, .nru, .nsu, .pac, .patch, .si, .txt; the file is automatically associated with the proper file type (config, image, license, or text). If the file type is not one of the preceding, Management Center labels it as unknown.
You can limit the actions users are allowed to perform on this page by adding the File permission to a new or existing role.
Management Center replaces special characters in file names.
Upload Files
1. Select Configuration > Files.
2. Add the file using one of the following methods:
   • By browsing:
      a. Click Add File.
      b. Click Select File and browse to the file(s).
      c. Select the file.
      d. Click Open.
      e. Click Upload.
   • By dragging and dropping one or more files:
      a. Click Add File.
      b. Drag and drop the files into the Upload Files window.
      c. Click Upload.
3. Management Center indicates the progress of the upload, as shown below.
   If a file with the same name already exists, the system prompts you to choose whether to upload and replace the existing file, skip the download, or to keep both and upload the file with a new name. If the upload will exceed the available space on disk, you are prompted to delete files to make room for the new file.
   You can cancel the upload after it begins by clicking or the X icon as shown below.
Transfer Files
Click Transfer File to retrieve files from a URL.
1. Click Transfer File. The system displays the File Transfer window.
2. Enter the URL into the Server URL field.
3. Select the File Type.
4. Select the behavior to occur if the file already exists.
5. Click Run Now to start the job immediately or create a scheduled job.
Associate File with Device Type
If you upload an image file with the intention of upgrading one of your managed devices, you must associate the file with a device type.
1. Select the file.
2. Right-click the Device Type field in that row and click Edit.
   The system displays the Edit File window.
3. Select the device type from the Device Type drop-down.
4. Click Save.
Edit Uploaded Files
To edit a file, select the file and click Edit. The system displays the Edit File dialog. Here, you can edit the following:
• Display Name
• File Type
• Device Type
• Description
Sort, Group, and Modify Uploaded File Data
Click the arrow to the right of the column headings to sort and group uploaded files.
Hover over Columns to change the displayed columns. Select Group by this field to group the table data in accordance with that column heading. Deselect Show in groups to put data into a plain list.
Delete Uploaded Files
To delete a file, select the file and click Delete.
Copy File URL
To copy the file's URL, click Copy URL. The URL opens in a small sub-window. You can then right-click the URL and select Copy or enter CTRL-C to copy the URL. You can then paste the URL into Management Center CLI commands (for example, installing a new image), and other options or operations that accept URLs.
Add Users and Grant Permissions
Management Center employs a role-based security model for access control, which consists of defining roles and then adding users to roles rather than granting explicit rights to features and functions.
You should create a role structure that ensures:
• Users have enough access and no more to perform their day-to-day jobs.
• Only authorized users can access sensitive features and data.
• The permissions that a defined role requires.
• Enforcement of your organization's access control policies.
To configure access control in Management Center, create a role structure that meets your technical and business requirements. As your organization changes, you may need to change role definitions and assignments to be certain that users continue to have appropriate access.
• Users (based on their role) should only manage specific devices, including reports on those devices.
• User roles control the actions that individuals within an organization should perform on devices for which they have access.
• User roles should be organized into a hierarchical control model to conform to an organization's IT structure.
Define Roles and Users
To control access to Management Center, you should first create each role to allow access to specific areas and the operations that users can perform there; then, you can assign these roles in accordance with users' functions and responsibilities.
1. Define roles to provide access to different areas and functions in the Management Center.
   • To create a new role, see "Define Roles" on page 288.
   • To duplicate an existing role, see "Duplicate an Existing Role" on page 290.
   • (Optional) "Edit an Existing Role" on page 290.
2. "Add Local Users" on page 264 after you have created a role structure and defined roles.
   (Optional) "Add User Groups" on page 284. If multiple users require the same type of access to Management Center, user groups make it easy to apply roles and permissions to a large number of users at one time. User groups contain users that control access to Management Center; you should first create each role to allow access to specific areas and the operations that users can perform there; then, you can assign roles in accordance with users' functions and responsibilities.
Grant Permissions
To grant permissions to Management Center that a role requires, you should understand how permissions work with roles. Grant permissions to users based on the actions you need them to perform on specific objects. See "Reference: Permissions Interdependencies" on page 250.
• "Grant Permissions" on page 291 to users. See "Reference: Permissions Filters Object and Attributes" on page 259.
• (Optional) Grant job permissions to users. See "Reference: Understanding Job Permissions" on page 261.
(Optional) Filter Devices in Permissions
(Optional) Filter devices or device groups in permissions. Some permissions allow access at the device and device group levels.
• To specify devices or device groups in specific permissions, see "Filter Devices or Device Groups in a Permission" on page 294.
• To specify object filters, see "Reference: Permissions Filters Object and Attributes" on page 259.
(Optional) Add Users from External Directory Services
To authenticate users using RADIUS, LDAP or Active Directory services, see Add Users from an Existing Directory Service. Available directory services to which you can authenticate users include:
• "Authenticate Users Against Active Directory LDAP" on page 270
• "Authenticate Users Against LDAP or LDAPS" on page 267
• "Authenticate Users Against RADIUS" on page 272
Monitor Device Health
Management Center collects health status information on device components including system resources, license validity, and user-defined health checks, and displays the aggregate health status in several areas.
Device health is always represented by status colors: Error (red), Warning (yellow), and OK (green). A device's health status is determined by system-defined thresholds on the device: if a service or other monitored component exceeds a threshold, the device goes into a Warning or Error state.
If you cannot get the device out of the Error state, regardless of what you try, you may need to RMA the device. See "Perform an Operation on a Managed Device" on page 104.
A gray status color indicates an absence of health status and represents an Inactive device. Some jobs and operations cannot occur on inactive or pre-deployed devices.
See "About Color-Coded Status Indicators" on page 28 for more information on status colors in various areas of the web console.
For more information on monitoring health status on the ProxySG appliance, refer to the SGOS Administration Guide.
View Device Health Status on the Dashboard
The Dashboard displays overall health status information in widgets. Two widgets display by default, but you can close them by clicking the X in the top right corner.
The Device Health widget gives an overall picture of the health of monitored devices in a circle graph.
Click a status icon below the chart to see the devices that have that status.
The Top Problem Devices widget lists the devices that are consistently displaying with errors or warnings.
For example, if you click on San Clemente, the Device Overview displays Yellow with the specific warnings for each device value.
If you have removed a widget from the Dashboard, you can display it again. See "Change the Dashboard Layout" on page 396 for instructions.
View Health Status in the Banner
In the web console banner, look for the device status icons.
Click a status icon to see the devices that have that status. These totals are the same as the device status totals that display under the Device Health widget on the Dashboard; because these are in the banner, they are visible to you no matter which tab you are working on.
View Device Health Status
1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and Backup tabs display at the bottom of the screen.
3. Click Health Checks. The web console displays information about the system resources. Scroll to the bottom of the screen to view the following:
View Device Dashboards
A dynamically generated dashboard is available for device monitoring. CAS and MA are currently supported.
1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and Backup tabs display at the bottom of the screen.
3. Click Dashboard. The web console displays system status metrics. The content available will vary with the device:
   ProxySG/Advanced Secure Gateway Dashboard
   MA Dashboard
   CAS Dashboard
The metrics may be displayed in one of several different ways:
• Counters: Displays a count for a specific time period.
   Examples: Object Count, Total Scan.
• State: Displays a text value.
   Examples: Condition - Green/Yellow/Red condition indicator.
• Series: Displays values over a period; this presentation may be in an area display, a bar, a column, a pie chart, or a donut chart.
   Examples: CPU, ICAP Scan.
Resolve Device Errors
To resolve device errors, see Resolve Device Errors.
Manage Dashboards
Dashboards allow you to quickly view important device data. This data is represented by widgets. Widgets represent data from managed devices. Dashboards are highly customizable and can help you quickly view the information you deem important.
To monitor devices from a single screen, add dashboards and add widgets to those dashboards using the options on the Dashboards > Manage Dashboards page.
The columns on the Manage Dashboards page show the following, from left to right:
• 1, 2, 3, etc. The order is displayed from left to right on the dashboard tab beginning with 1 on the left.
• The name of the dashboard as it appears on the Dashboard tab.
• Reporter - displays only Reporter widgets on the dashboard.
   WAF Reporter - displays only WAF widgets on the dashboard.
   Mixed - Can display data from all widgets on the dashboard.
   Statistics Monitoring - displays only Statistics Monitoring widgets on the dashboard.
• Each dashboard can display multiple widgets. For a quick reference of what is displayed on each dashboard, view the widget count for each dashboard.
• The description helps to differentiate the dashboard type, and the widgets within the dashboard.
Notes
• Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
• Dashboards are dependent on the reports that you can generate for each managed device. To generate advanced reports and view advanced real-time data within dashboards, see "Add Reporter as a Managed Device" on page 338.
Add a Dashboard
To accommodate your screen size or personal preference, you can change the number of dashboards that display, as well as define the layout of the dashboards. You must also define the dashboard type. Layouts arrange widgets in one to four columns of equal width, with the columns expanding to fit the width of the screen. When you select a layout, your change persists (beyond the current session) until you change the layout again.
Although you can add multiple dashboards, remember that dashboards display data from databases that may not be the only database available. For example, a Reporter Enterprise Server can provide data from multiple databases. When adding Reporter widgets to dashboards, you can choose from the available databases.
1. From Dashboards > Manage Dashboards, click Add Dashboard. A red asterisk (*) denotes fields that are mandatory.
2. Enter a descriptive Dashboard Name and Description.
3. Choose a Type:
   • Mixed - A dashboard that displays both ProxySG appliance and Reporter widgets.
   • Reporter - A dashboard that displays Reporter widgets.
      If you select Reporter as the dashboard Type, from the Template drop-down list, select from the following templates to pre-populate widgets:
      • Web Application Usage
      • Threat Detection
      • Content Filtering
   • WAF Reporter - A dashboard that displays Reporter Web Application Firewall (WAF) widgets.
      If you select Reporter WAF as the dashboard Type, select Web Application Firewall from the Template drop-down list.
   • Statistics Monitoring - A dashboard that displays ProxySG appliance widgets.
4. Select the Layout for the dashboard.
5. Click Save. The saved dashboard is displayed in the Dashboard drop-down with the name that you gave it.
After you have created a dashboard, you cannot edit the type.
Reorder Dashboard List
When you add a new dashboard, the most recently added dashboard is appended to the end of the list. For example, if you have three dashboards and add one, the new dashboard becomes the fourth dashboard on the list and will appear to the right of the previously added dashboards. To change the order in which dashboards are displayed:
1. From Dashboards > Manage Dashboards, select the dashboard you want to move.
2. Click Move Up or Move Down to change the order.
Duplicate a Dashboard
To use a dashboard as a template for a dashboard that you may want to clone (and perhaps edit later), you can duplicate a dashboard that already exists. You are unable to change the type of dashboard when you duplicate.
1. From Dashboards > Manage Dashboards, click Duplicate.
2. From the Duplicate Dashboard dialog, give the dashboard a unique name.
3. Click Duplicate. The duplicated dashboard is displayed under Manage Dashboards.
Integrate Reporter into Management Center
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
Prerequisites
• Obtain or verify administrator access to Reporter Enterprise Server 10.1.x or later.
• Verify that Reporter Enterprise Server is deployed inline with ProxySG appliances within your network.
• Ensure that you have access to a Reporter Enterprise Server (username and password).
• To be able to view Reporter reports on managed devices, you will need to add a Reporter Enterprise Server from the Network tab.
Procedure
To integrate Reporter so that you can view Reporter reports in the Management Center web console:
1. Verify prerequisites above.
2. Add Reporter as a managed device in Management Center.
3. "View a Reporter Report" on page 339.
View Consolidated Reports
When using Management Center to manage and monitor ProxySG devices, you can produce reports that consolidate the data from all these devices or a group of devices, allowing you to get a complete picture of activity on your network. For example, you can view the bandwidth savings for all MACH5 appliances or get a list of the top web applications seen on the networks your ProxySG appliances are connected to.
Device Reports
To view reports about the network traffic seen by a group of ProxySG devices, or by all ProxySG devices managed in Management Center:
1. (Optional) Create device groups for the ProxySG devices you want to report on. See "Add a Device Group" on page 68.
2. Decide which Devices report to view (such as Traffic Mix or Traffic Statistics). For descriptions of each report, see "Devices Reports" on page 377.
3. Select Reports > Statistics Monitoring and choose the report from the Devices panel. By default, the report displays data from all ProxySG devices managed in Management Center.
4. (Optional) To narrow down the consolidated report to a group of devices:
   a. Click Device Filter: All Devices or click the Options button. The Filters dialog displays.
   b. From the Filter drop-down, select Device Group.
   c. Click and select the device group.
   d. Click Save.
WAN Optimization Reports
To display consolidated reports for ProxySG appliances with Proxy or MACH5 Edition licenses:
1. (Optional) Create device groups for the ProxySG devices you want to report on. See "Add a Device Group" on page 68.
2. Decide which WAN Optimization report to view. For descriptions of each report, see "WAN Optimization Reports" on page 379.
3. Select Reports > Statistics Monitoring and choose the report from the WAN Optimization panel. By default, the report displays data from all ProxySG devices with a Proxy or MACH5 Edition license that are being managed in Management Center.
4. (Optional) To narrow down the consolidated report to a group of devices:
   a. Click Device Filter: All Devices or Options. The Filters dialog displays.
   b. From the Filter drop-down, select Device Group.
   c. Click and select the device group.
   d. Click Save.
Reporter Reports
If you have integrated Blue Coat Reporter into Management Center, the following additional categories of reports are available: Security, Web Applications, User Behavior, Log Detail, and Bandwidth Usage. The Reporter reports consolidate data from all ProxySG appliances in the selected Reporter database.
1. Make sure you have added Reporter as a managed device in Management Center. See "Integrate Reporter into Management Center" on page 337.
2. Select Reports > Reporter > Database and select the database from which you want to produce a consolidated report.
3. Decide which Reporter report to view. For descriptions of each report, see "Reference: Report Descriptions" on page 351.
4. View the report. See "View a Reporter Report" on page 339.
Migrate Device Metadata in Director as Management Center Scripts
To migrate a Blue Coat Director device hierarchy (including overlays) into Management Center, you need to export the device metadata from Director, placing the migration file in a location that Management Center can access.
Prerequisites:
• Obtain or verify access to the Blue Coat Director CLI.
• Obtain or verify access to an HTTP, SCP, or FTP server, and ensure that you have access privileges to upload data to it.
• Obtain or verify access to the Management Center web console.
Export Metadata from Director as an Encrypted File
1. Log in to the Director CLI and go into config mode.
2. Type the following command to generate the migration file:
   (config)# mc-migration generate
   The CLI prompts you to enter a passphrase. You will be required to enter this passphrase to generate the metadata and import it in the Management Center application.
3. Enter a passphrase consisting of at least four characters and press Enter.
   The CLI generates the device metadata. The metadata is encrypted and compressed in a Gnu Privacy Guard (GPG) encrypted (*.tgz.gpg) file. For example: SGME-Director-to-MC-Migration-2015.03.13-154907.tgz.gpg.
   Make note of the filename.
4. Upload the compressed and secured file to an external HTTP, SCP, or FTP server. Enter the command:
   (config)# mc-migration upload file server
   where:
   file is the filename you recorded in the previous step.
   server is the hostname or IP address of an external server:
   http://hostname_or_address[:port]/path_and_filename
   ftp://hostname_or_address/path_and_filename
   scp://hostname_or_address//path_and_filename
   If necessary, copy or move the file to a location that Management Center can access.
Export Metadata from Director as an Unencrypted File
1. Log in to the Management Center web console.
2. Click the Network tab.
3. Select Operations > Import from File. The web console displays the Import from File dialog.
4. On the Import from File dialog, select Download JSON Schema to download the schema to which the JSON file must conform.
5. Log in to Director and prepare the JSON file. To help you understand the schema, refer to the example bccm-data-sample.json found in the download.
   Blue Coat recommends that you familiarize yourself with the JSON Schema as defined by the IETF in draft 4 (see http://tools.ietf.org/html/draft-zyp-json-schema-04). This will help you understand Blue Coat's JSON schema for import. Blue Coat is not yet strictly conforming to this standard, nor is the customer's JSON file validated against this schema. However, the intention is that Management Center strictly conforms when the IETF draft becomes a standard. In the meantime, should they exist in the JSON document, Management Center returns helpful errors to indicate problem areas and errors.
6. After your JSON document is prepared, compress it in *.tar.gz or *.tgz format.
7. (Optional) Secure your compressed file.
   a. To secure your compressed file with Gnu Privacy Guard (GPG) encryption (*.gpg format), use config mode in Director.
      The CLI prompts you to enter a passphrase. You will be required to enter this passphrase to generate the metadata and import it in Management Center.
   b. Enter a passphrase consisting of at least four characters and press Enter.
      The CLI generates the device metadata into an encrypted and compressed file (*.tgz.gpg). For example, SGME-Director-to-MC-Migration-2015.03.13-154907.tgz.gpg.
8. Make note of the filename.
9. Upload the compressed file to an external HTTP, SCP, or FTP server. Enter the command:
   (config)# mc-migration upload file server
   where:
   file is the filename you recorded in the previous step.
   server is the hostname or IP address of an external server:
   http://hostname_or_address[:port]/path_and_filename
   ftp://hostname_or_address/path_and_filename
   scp://hostname_or_address//path_and_filename
   If necessary, copy or move the file to a location that Management Center can access.
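A pre-flight check for a hand-prepared migration file before it is uploaded, as an added example that is not part of the original guide or Blue Coat's tooling. Because the guide notes that the JSON file is not validated against the schema, the check confirms the accepted extension, that an unencrypted archive is a readable gzip tar with safe member paths, and that its JSON parses; the member name devices.json and its contents are constructed samples, not the real schema.

```python
import io
import json
import tarfile
import zlib
from pathlib import PurePosixPath

# Extensions the import wizard accepts, per this guide.
ENCRYPTED_EXT = (".gpg",)          # GPG-encrypted compressed file
PLAIN_EXT = (".tar.gz", ".tgz")    # unencrypted compressed files


def classify(filename):
    """Return 'encrypted', 'plain' or None for a migration file name."""
    name = filename.lower()
    if name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    if name.endswith(PLAIN_EXT):
        return "plain"
    return None


def check_archive(filename, data):
    """Run pre-flight checks on a migration file; return a list of problems."""
    kind = classify(filename)
    if kind is None:
        return ["extension must be .gpg, .tar.gz or .tgz"]
    if kind == "encrypted":
        return []  # contents cannot be inspected without the passphrase
    problems = []
    json_seen = False
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
            for member in tar.getmembers():
                path = PurePosixPath(member.name)
                # Absolute paths or ".." would escape the extraction directory.
                if path.is_absolute() or ".." in path.parts:
                    problems.append(f"unsafe member path: {member.name}")
                # Links, devices and FIFOs have no place in a metadata export.
                if not (member.isfile() or member.isdir()):
                    problems.append(f"not a regular file: {member.name}")
                    continue
                if member.isfile() and member.name.lower().endswith(".json"):
                    json_seen = True
                    try:
                        json.loads(tar.extractfile(member).read())
                    except ValueError as exc:  # bad JSON or bad encoding
                        problems.append(f"not valid JSON: {member.name}: {exc}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        return [f"not a readable gzip-compressed tar: {exc}"]
    if not json_seen:
        problems.append("archive contains no .json document")
    return problems


def make_tgz(files):
    """Build an in-memory .tgz from {member_name: bytes} for the samples below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed samples (the JSON body is a placeholder, not the real schema).
GOOD = make_tgz({"devices.json": b'{"devices": []}'})
BAD_JSON = make_tgz({"devices.json": b'{"devices": ['})
TRAVERSAL = make_tgz({"../devices.json": b"{}"})

if __name__ == "__main__":
    for label, name, blob in [
        ("good", "export.tgz", GOOD),
        ("truncated JSON", "export.tgz", BAD_JSON),
        ("path traversal", "export.tar.gz", TRAVERSAL),
        ("wrong extension", "export.zip", GOOD),
    ]:
        print(label, "->", check_archive(name, blob) or "OK")
```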
Import Director Metadata as Scripts into Management Center
From the Management Center web console, import the device metadata file that is currently saved on an external server.
1. Log in to the Management Center web console.
2. Click the Network tab.
3. Select Operations > Import from File. The web console displays the Import from File dialog.
4. Select the Import from file exported from an external system check box, then click Launch Import Wizard.
5. On the Import from File: Select File dialog, select the file that you want to import. The GPG encrypted file check box is selected by default for (*.gpg) files. Clear the check box if your file is not encrypted (*.tar.gz or *.tgz format).
   Files must have the extensions *.gpg (Gnu Privacy Guard [GPG] encrypted compressed file), *.tar.gz, or *.tgz (unencrypted compressed files).
6. If necessary, enter the passphrase that you specified when generating an encrypted file, then click Next. A red asterisk (*) denotes fields that are mandatory.
7. Select devices and device groups to import from a hierarchy. If any device is not a member of a hierarchy, a pseudo-hierarchy is available, named Unassigned. If any errors or warnings exist for any device, the status is shown on the right. To select all devices in all hierarchies, select All Hierarchies.
   A device can only exist in one group for a given, distinct hierarchy. Devices can be members of different hierarchies.
8. The available scripts show on the Import from File: Select Scripts dialog. By default, all scripts are selected. Clear the check box for any script you do not want to import. When finished selecting scripts, click Import.
   Any ProxySG appliances that are running SGOS 5.x are imported in a deactivated (pre-deployment) status.
9. The Import from File wizard displays the Device Import Status dialog. The Overlays Summary and list of imported overlays show at the bottom. When finished viewing the import status, click Close.
10. View the successfully migrated devices, device groups, and hierarchies in the Management Center Network tab.
11. View imported overlays by selecting Configuration > Scripts.
(Optional) Delete Migration File in Director
After you have successfully imported devices from Director, you can delete the migration metadata file from Director.
1. Log in to the Director CLI.
2. Type the following command:
   (config)# mc-migration delete file
   where file is the name of the migration file.
   After the file is deleted, the CLI displays the (config)# prompt again.
Determine Your Next Step
What do you want to do next? | Refer to this topic
Ensure that all devices belong to a hierarchy and group | "Ensure Devices Belong to Device Groups" on page 105
View Audit Log
You can view the history of all transactions in Management Center in the Audit Log. The log is a chronological record of changes made by users of the system.
Audit Log records are:
• Comprehensive. Records are created automatically and cannot be deleted.
• Centralized. Multiple levels of transactions are logged and displayed on one screen.
• Security-oriented. The operating user for each transaction is logged.
Audit Log records can give you insight into daily activities at a high level as well as help you diagnose and troubleshoot issues. For example, if a number of devices experience policy-related issues, you could check the log for policy-related transactions within a selected date range. You can also examine records in the Audit Log to ensure process integrity.
The audit log displays system, web-access and web logs, if configured. To access remote system logs, from the CLI enter "# rsyslog-output" on page 458.
Audit Log records can be printed in a user-friendly format. Before printing, check the bottom of the page of the Audit Log Viewer to see how many pages of records will print.
1. Learn about the types of transactions recorded in the Audit Log. See "Understanding Transaction Types" below.
2. Inspect the data recorded for transactions. See "Audit Transactions" on page 420.
3. (Optional) "Customize the Audit Log" on page 423 to focus on specific transaction data.
You can export the information in the audit log from Network > Export Data. You will be prompted to name the .csv file that you are exporting. Click OK.
Understanding Transaction Types
The Audit Log records two levels of transactions:
• EVENT: High-level transactions that occur as a result of a user action, such as adding or deleting a device
• AUDIT: Low-level internal system actions, such as deleting connection information
Each record contains the target of the operation, the operation detected, the user who executed the operation, and additional data depending upon transaction type.
In the previous example, the Object Type is Role and the AUDIT transactions are changes at the system and admin levels. Filters were applied to the record type. You might find that in most cases, EVENT records provide enough detail about transactions and their effects on the system.
Regularly Back Up a Group of Devices
To be able to restore or roll back a configuration in case it gets corrupted, you need to back up your configurations on a regular basis. In this example, we will back up a device group on a weekly basis, during a time when the network is less busy (such as a weekend).
Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.
1. Create a device group for the devices you want to back up on a schedule. See "Add a Device Group" on page 68.
2. Create a Backup Devices job. Select the device group you created in step 1, and schedule the job to run on a Periodic basis, every 7 days starting on a weekend day. See "Back Up Device Configurations" on page 78.
3. Verify the backups are being created for each device in the group. See "View Device Backups" on page 83.
4. Restore a backup when necessary. See "Restore Device Backups" on page 87.
Manage Devices
Refer to the following topics for assistance.
"Add a Device" on the facing page
"Add a Device Group" on page 68
"Add Multiple Devices at Once" on page 70
"Edit a Device" on page 72
"Edit a Device Group" on page 74
"Launch a Device Console" on page 75
"Back Up Device Configurations" on page 78
"Use Device Information for Backup Job Image Metadata" on page 81
"View Device Backups" on page 83
"Restore Device Backups" on page 87
"Export Device Backups" on page 85
Import Device Backups
"Set the Number of Backup Slots" on page 399
"Monitor Device Health and Statistics" on page 90
"Stop Managing a Device" on page 95
"About Pre-Deployed and Deactivated Devices" on page 96
"Restart a Device" on page 96
"Synchronize Devices" on page 97
"Configure Hierarchy for Devices and Device Groups" on page 100
"Search for Managed Devices" on page 103
"Perform an Operation on a Managed Device" on page 104
"Ensure Devices Belong to Device Groups" on page 105
"Monitor Device Health" on page 106
Verify Device Details
"View System Metrics" on page 112
"RMA a Device" on page 114
"Put Device in Monitor-Only Mode" on page 115
Add Device Group Attributes
Add a Device
Before you can manage and monitor your devices, you must add them to Management Center. Devices that can be added to and managed by Management Center include the following:
• Content Analysis Appliances
• Malware Analysis Appliances
• PacketShapers
• ProxySG Appliances
• Advanced Secure Gateways
• Reporter
• SSL Visibility Appliances
To add a device that has not arrived in your organization yet or is not set up, select Unavailable (pre-deployment) for the deployment status in step 4 in the following procedure.
1. Select the Network tab. (Optional) Browse to the hierarchy and folders/subfolders where you want to add the device.
   Configure how often devices are polled. See "Set the Device Polling Interval" on page 399.
2. Click Add Device. The web console displays the Add Device wizard. A red asterisk (*) denotes fields that are mandatory.
3. Specify the following Connection Parameters:
   • In the Deployment Status drop-down list, select Existing device if the device is already installed, or Unavailable (pre-deployment) if the device is not available yet. See "About Pre-Deployed and Deactivated Devices" on page 96 for information on pre-deployment devices.
   • (If applicable) In the Device Type drop-down list, select the device type/OS. Enter the following:
   • The IP address or hostname of the device.
   • The username and password you use to authenticate to the device.
   • Your enable password for administrator actions.
   • The SSH port.
   • The Management Status. Select Monitor Only (no config changes) if you want to disallow configuration changes to the device. See "Put Device in Monitor-Only Mode" on page 115 for more information.
4. Click Test Connection. Management Center attempts to connect to the device using the information you entered.
   If the connection test fails, you will receive an error. Make sure that the information you entered is correct and try again. If the connection test succeeds, you receive a success message and the wizard prompts you to continue.
5. Click Next. The wizard displays the Add Device: Name dialog.
6. Enter a name to identify the device; this name displays on the Statistics Monitoring Dashboard and other areas in the web console.
7. Click Next. In the Add Device: Membership screen, select the appropriate groups from the drop-down lists.
   By default, the system populates the fields with the hierarchy/group you were viewing when you started the Add Device wizard.
8. Click Next. A red asterisk (*) denotes fields that are mandatory. See "Add Attributes" on page 298.
9. Click Collect statistics for this device to have Management Center collect statistics and report on the device. See "View Statistics Monitoring Reports" on page 376.
10. Click Finish. The Network tab displays the device and the web console displays an alert indicating that the device was added and activated.
Determine Your Next Step
What do you want to do next? | Refer to this topic
Ensure that all devices belong to a hierarchy and group. | "Ensure Devices Belong to Device Groups" on page 105
Check information specific to the selected device. | "Monitor Device Health" on page 106
Check device metrics. | "View System Metrics" on page 112
Add a Device Group
A device group is a folder in the device organizational structure that exists below the hierarchy level and contains devices or sub-folders.
1. Select the Network tab. In the left pane, select the hierarchy in which you want to create the device group.
2. (If applicable) Browse to the folder in which you want to create the device group. Select Add Group. The Add Group wizard displays the Add Group: Basic Info dialog.
3. On the Add Group: Basic Info dialog, enter a name and a description. A red asterisk (*) denotes fields that are mandatory.
4. Select a parent group from the Parent Group drop-down list. A red asterisk (*) denotes fields that are mandatory. Click Next.
5. On the Add Group: Attributes dialog, use the up/down arrows to specify Bandwidth Cost. Bandwidth Cost is a multiplier and is thus not expressed in a specific currency unit. For example, you can enter a value to represent on average how you pay per gigabit for data usage on your network. See "Set Bandwidth Cost for Reports" on page 399.
6. (Optional) Specify your Primary Contact for the device group, as well as the Location device group.
7. Click Next. The Add Group wizard displays the Add Group: Membership.
8. Select devices from the Available Devices list and add them to the Associated Devices list.
9. Click Finish. The new device group is displayed under the Network tab. If you cannot see the new device group, select Unassigned Devices and "Ensure Devices Belong to Device Groups" on page 105 or "Configure Hierarchy for Devices and Device Groups" on page 100.
You can define attributes for a particular device, device groups, policy and script objects. See "Manage Attributes" on page 297.
Set the Device Polling Interval
You can specify the frequency with which Management Center looks for updates on managed devices. Specify an appropriate interval to ensure that device health statuses display accurately. The default interval is 10 seconds.
1. In the web console banner, select the Administration tab and select Settings.
2. Select General on the left. General fields display on the right.
3. Select Device Polling Interval (sec).
4. Enter a value in seconds.
5. Do one of the following:
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server.
   - Click Activate to cause the server to load and apply the currently saved configuration.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Add Multiple Devices at Once
To add multiple devices using a CSV file, you can use Management Center's template CSV file, or you can create your own. You can import multiple devices of various types, including:
- ProxySG appliances
- Content Analysis appliances
- Malware Analysis appliances
- PacketShaper appliances
- SSL Visibility appliances
- Reporter
Import Devices Using a CSV File
1. From the web console, click Network.
2. Select Operations > Import from File. The web console displays the Import from File dialog.
3. Select the Import devices from manually created CSV file.
4. Click Launch Import Wizard. The web console displays the Import Devices wizard.
5. From the Select Device Type dialog, select the device type that you want to import. Click Next.
6. You can either Download CSV Template or Select File and browse to the location of the import file containing all of the devices. Click Next.
   If you download the CSV template, open it and add your devices to it. Refer to the following table for descriptions of the CSV file columns.
7. After the devices are downloaded, they are displayed in the Import Devices: Assign Groups dialog.
8. Select from the imported devices which devices to assign to a device group.
9. After the devices have been selected, from Device Group, select the object selector. From the available device groups or hierarchies, select device group. The selected device group is displayed when you select it. Click OK. To apply the imported devices to the device group, click Apply.
10. (Optional) Repeat Step 9 until all imported devices belong to a device group or hierarchy.
11. When you are finished assigning the imported devices to device groups, click Finish.
Determine Your Next Step
What do you want to do next? | Refer to this topic
Ensure that all devices belong to a hierarchy and group. | "Ensure Devices Belong to Device Groups" on page 105
View information about an imported device. | "Verify Device Details" on page 110
Edit device information. | "Edit a Device" on the next page
Check device metrics. | "View System Metrics" on page 112
Edit a Device
You can edit device metadata, connection parameters, and the membership within a hierarchy and device group, and view the effective policy for each slot.
Procedure
1. Select the Network tab. (Optional) Browse to the hierarchy and folders/subfolders where the device you want to edit belongs. A red asterisk (*) denotes fields that are mandatory.
2. Select a Device.
3. Click Edit. Five tabs within the Edit Device wizard display editable fields:
   - Basic Info
   - Connection Parameters
   - Membership
   - Attributes
   - Policies
4. Click the Basic Info tab. Edit the device name and description and view the deployment status, model number, serial number, and OS version. See "About Pre-Deployed and Deactivated Devices" on page 96.
5. Click the Connection Parameters tab. The following fields are all required:
   - The IP address or host name of the device
   - The username and password you use to authenticate to the device
   - The enable password for administrator actions.
   - The SSH port.
6. Click Test Connection. Management Center attempts to connect to the device using the information you edited.
7. Click the Membership tab. (Optional) Edit membership with the drop-down lists assigned to Hierarchy and the following:
   - Device Groups
   - Location
   - Organization
8. Click the Attributes tab. Mandatory attributes for the device are marked with a red asterisk (*). You can change the value on mandatory attributes, but you cannot delete them. See "Mandatory Attributes" on page 300.
9. Select the Policies tab. The Edit Device displays the effective policy for each slot. The Policy Name mapped to each slot is displayed and the following assignments are displayed:
   - Direct assignment - The policy was installed directly to the slot.
   - Inherited from [Device Group Name] - The policy was inherited from device group that the device membership is from.
   The Local, Central, and Forward slots display CPL policy only. See "Create a CPL Policy Object" on page 167 or see "Create a CPL Policy Fragment" on page 188.
10. After you have completed editing the tabs for each device, click Save.
View Effective Policy for Each Slot on the Device
You can view the effective policy for each slot on the device from the Policies tab.
Determine Your Next Step
What do you want to do next? | Refer to this topic
Ensure that all devices belong to a hierarchy and group. | "Ensure Devices Belong to Device Groups" on page 105
View information about the device. | "Verify Device Details" on page 110
Choose Operations for a Device or Device Group. | "Perform an Operation on a Managed Device" on page 104
Edit device attributes. | "Edit Attributes" on page 301
Edit policy attributes. | "Edit Attributes" on page 301
Edit a Device Group
You can edit any device group, including the system's predefined parent groups (the top-level folders in the Location and Organization hierarchies).
1. Select the Network tab.
2. In either Tiles view or Details view, browse to the parent folder of the group you want to modify.
3. Select the group and click Edit. The web console displays the Edit Group wizard.
4. Edit the information on each tab as required:
   - Basic Info - Change the device group name and description.
   - Attributes - Under System, change the statistics collection option and bandwidth cost. For information on the User-defined attributes, see "Filter Devices or Device Groups in a Permission" on page 294.
   - Membership - Add or remove devices.
5. Click Save.
Launch a Device Console
Management Center offers a central location from which you can open the console of any managed Blue Coat device so that you can log in to the device.
1. Select the Network tab.
2. In the left pane, select the device group, and then select the device in the right pane.
3. Select one of the following:
   - From the Operations drop-down list, click Launch Console.
   or
   - At the bottom of the web console, make sure the Overview tab is selected and click Launch Console.
4. Log in to the device.
Upgrade System Images on Managed Devices
To install system images on managed devices, complete the following steps.
1. Ensure that the system image has been uploaded to Management Center and that it has been associated with the correct device type. See "Upload Files to Management Center" on page 41 for more information.
2. Select Jobs > Scheduled Jobs > New Job. The system displays the New Job: Basic Info window.
3. In the Basic Info dialog, enter a name for your job. A red asterisk (*) denotes fields that are mandatory.
4. Enter a description of the job. Good descriptions help to differentiate jobs when they have similar names. Click Next.
5. Select Install System Image from the Operation drop-down list.
6. Click the System Image field. The system displays the Select System Image dialog.
7. Select the system image and click OK.
8. Choose whether to do the following:
   - Install over secure connection
     Choose this option only if Management Center has a certificate from a trusted certificate authority (CA). If Management Center uses a self-signed certificate that is not trusted (a common scenario), choosing this option causes the connection to fail.
     If you choose to use a self-signed certificate, HTTP must be enabled on Management Center. To enable HTTP, enter the following CLI commands:
     #en
   - Restart device(s) after installation
     Selecting this option will restart the target device after installation, loading the installed image.
9. Click Next.
10. Select the target device(s) and click Next.
11. Select a job schedule and click Finish.
Troubleshooting
If the upgrade operation is not successful, check the following:
- Verify HTTP/HTTPS connectivity between Management Center and the target device(s).
- Verify that the image being installed is associated with the correct device type.
- Check Management Center and target device logs for errors.
Back Up Device Configurations
Management Center allows you to initiate and automate the configuration backup of supported devices. You can select one or more devices or device groups to back up immediately or schedule a job for the backup.
Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.
1. From the Network tab, select the supported devices or device groups to back up.
2. From the Operations drop-down list, select Backup Devices. The devices that you selected appear in the Selected list.
3. Click Next. The system displays the Backup Devices: Image Settings screen.
4. Enter the Backup Name and Backup Description. Optionally, you can use variables, as shown in the following graphic. (See "Use Device Information for Backup Job Image Metadata" on page 81.)
5. To include private key data in the backup, select Include Private Data.
   Currently, only the ProxySG and SSL Visibility appliances support this feature; the option is ignored for other device backups. For the ProxySG appliance, keyrings can only be backed up if they were configured to show (Show key pair option) when created. Keys that were not configured to show are not included in backups, even if Include Private Data is selected.
   Note: Completed backups that include private key data include pki in the content details. ProxySG example:
6. Do one of the following:
   - To immediately begin the backup of the selected devices, select Run Now.
   - To execute the backup of the selected devices at a later time, select Create Job...
     a. In the New Job: Basic Info dialog, enter a unique name and click Next.
     b. In the New Job: Operation dialog, use the default name or enter a new one.
     c. Verify that the devices you selected appear in the Devices tab and click Next.
     d. Define when you want to schedule the device backup to occur. See "Job Scheduling Options" on page 328 for descriptions of each option.
     e. Click Finish.
Next Steps
Task | Topic
List the configuration backups for a device and view the content of a backup file | "View Device Backups" on page 83
Restore a device configuration | "Restore Device Backups" on page 87
Export a device backup | "Export Device Backups" on page 85
Import a device backup | Import Device Backups
Use Device Information for Backup Job Image Metadata
Administrators can control the name and description of the backup created by a job (based on the specific device that is backed up). To use the device information in a backup job, administrators need to start a backup job from the Network tab rather than the Jobs tab.
Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.
1. Select a device from the Network tab. A red asterisk (*) denotes fields that are mandatory.
2. From the Operations drop-down list, select Backup Devices. Select the device(s) to back up.
3. Click Next. The web console displays the Backup Devices: Image Settings dialog with 'Manual Backup (04/04/15)' in the Backup Name field.
   Although the backup name is shown as mandatory, use "Use Substitution Variables in Policies and Scripts" on page 176 to replace the words 'Manual Backup'. In the example shown, the device name variable will be replaced when the job is run.
   Use ${today} in the Description field of the backup to display the date that the backup is run. If you run the backup now, today's date displays in the backup description.
4. Click Run Now. The Job Progress dialog displays the backup while it runs. You can select Continue in Background or click Close when the backup Status is Complete. View all backups performed from the Backup tab of the device.
View Device Backups
For any device whose configuration you have backed up, you can view a list of backup files as well as view the content of the backup files. Once the list is displayed, you can delete or restore the backups.
Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.
1. Click the Network tab.
2. Select a device group in the left pane, and then select the device name in the right pane.
   To configure the maximum number of backups stored per device, see "Set the Number of Backup Slots" on page 399.
3. Select the Backup tab displayed at the bottom of the screen. The web console displays all of the successful backups, including each backup's name, description, date/time of the backup, device type, OS version, date/time it was last exported, and date/time it was last restored.
4. Select a backup from the list.
5. Click View. The Manual Backup Viewer displays the backup in a text editor.
6. If the backup exceeds the text editor limit, a warning displays:
   Click Download. The file will download to your local Downloads folder. When the file is finished downloading, you can open it in Notepad or other text editor.
7. To pin or unpin a backup, click in the Pinned column. A thumbtack icon appears on pinned backups. A pinned backup cannot be manually deleted or automatically pruned (replaced with another backup).
8. To delete an unpinned backup, select it and click Delete.
9. To apply a particular backup configuration to the device, select it and click Restore. See "Restore Device Backups" on page 87 for more information.
Restore Device Backups
When you restore a device backup, Management Center replaces the device's current configuration with the backed up configuration. You can restore a configuration immediately, or schedule the restore for a later date.
Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.
1. Select the Network tab.
2. Select a device group in the left pane, and then select the device in the right pane.
3. Select the Backup tab at the bottom of your screen.
4. In the list of backups, choose the backup version you want to restore.
   If the backup you want to restore isn't listed, it's possible that it was exported and pruned from the appliance. In this case, you would need to import the backup before you can restore. See Import Device Backups.
5. Click Restore. The web console displays the Restore Configuration dialog, which displays the following information:
   - Device - The device name
   - Backup Image - The name of the backup
   - Description - The description given at the time that the backup was made
   - Created - The date and time of the backup
   - Last Restored - The date and time that the backup was last restored
6. (Optional) To view the contents of the backup (configuration), click View Contents.
7. To restore the backup later, go to Step 9.
   To restore the configuration immediately, click Restore. The web console displays the Job Progress dialog. The Status column displays the running and completed job and more details about the job.
8. (Optional) To view the device output from the restored backup:
   a. Select more details. The Device Output dialog displays the number and type of warnings.
   b. You can navigate in between the errors and warnings.
   c. Select Download as Text or Close.
9. To restore the backup later, click Create Job and follow the steps to configure the job. See "Add a Job" on page 324 for job options.
Export Device Backups
The Export Backup operation allows you to copy or move configuration backups to an external server. Copying backups to another server provides extra insurance by essentially creating a backup of a backup. Or, if you move the backups off Management Center and put them on an external server, you can make room for more backups on the Management Center appliance.
Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.
1. From the Network tab, select a device or a device group whose configuration backup you want to export.
2. From the Operations drop-down list, click Export backups. If you have configured a location for the backup already, Management Center immediately exports the backup to the configured location. However, if you have not configured a location for the backup, the New Job wizard begins, displaying the New Job: Basic Info dialog.
3. Enter a unique name and a description for the Export. Click Next.
4. The New Job wizard displays the New Job: Operation dialog. The Operation is already displayed as Export Backups.
   - Operation (*) - Export Backups
   - Export to Server (*) - Enter the server location using FTP, HTTP, HTTPS, or SCP
   - Username - Enter the server username.
   - Password - Enter the password for this user.
   - Prune Backups - Select this option to remove the backups from the backup slots after exporting the backups. You are essentially moving the backups if you select this option. If you leave this option cleared, you are copying the backups to an external server.
   - Retention Count (*) - Enter the number of backups to keep for each device. This overrides the default number of backup slots configured per device. (See "Set the Number of Backup Slots" on page 399.)
   - Prune Pinned - Select this option to remove backups, even if they have been pinned (locked).
   Click Next.
5. In the New Job: Targets dialog, select additional devices or groups whose configurations you want to export. Selected devices and groups display in Selected pane. Click Next.
6. Define when you want to schedule the export to occur or select Run Now to export the configurations immediately. See "Job Scheduling Options" on page 328.
7. Click Finish.
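The Export to Server, Prune Backups, and Prune Pinned options decide whether a backup, which can carry private key data, crosses the network encrypted and whether the appliance keeps its own copy. The following Python check is an added example, not Blue Coat code; the ExportJob record and its field names are hypothetical stand-ins for the New Job: Operation fields, and the host names are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Transfer methods the guide lists for Export to Server.
SUPPORTED_SCHEMES = {"ftp", "http", "https", "scp"}
# FTP and HTTP provide no transport encryption.
CLEARTEXT_SCHEMES = {"ftp", "http"}
# Per the guide, only these device types honor Include Private Data.
PRIVATE_DATA_TYPES = {"ProxySG", "SSL Visibility"}
SEVERITY_RANK = {"error": 0, "high": 1, "medium": 2, "info": 3}


@dataclass
class ExportJob:
    # Hypothetical record of one Export Backups job; not a product format.
    name: str
    export_to_server: str
    username: str = ""
    prune_backups: bool = False
    prune_pinned: bool = False
    retention_count: int = 5
    # Device types whose backups were taken with Include Private Data selected.
    private_data_device_types: set = field(default_factory=set)


def review_export_job(job):
    """Return (severity, message) findings for one job, most severe first."""
    scheme = urlsplit(job.export_to_server).scheme.lower()
    if scheme not in SUPPORTED_SCHEMES:
        shown = scheme or "(none)"
        return [("error", f"scheme {shown} is not FTP, HTTP, HTTPS, or SCP")]

    findings = []
    if scheme in CLEARTEXT_SCHEMES:
        proto = scheme.upper()
        findings.append(("medium", f"{proto} carries the configuration backup unencrypted"))
        if job.username:
            findings.append(("high", f"server credentials are used over unencrypted {proto}"))
        # Include Private Data is ignored for other device types, so only
        # ProxySG and SSL Visibility backups can contain key material.
        exposed = sorted(job.private_data_device_types & PRIVATE_DATA_TYPES)
        if exposed:
            findings.append(
                ("high", "private key data (pki) exported unencrypted for: " + ", ".join(exposed))
            )
    if job.prune_pinned:
        findings.append(("medium", "Prune Pinned removes backups that were pinned (locked)"))
    if job.prune_backups:
        findings.append(
            ("info", f"Prune Backups moves backups; {job.retention_count} per device stay on the appliance")
        )
    return sorted(findings, key=lambda item: SEVERITY_RANK[item[0]])


# Constructed sample jobs.
SAMPLE_JOBS = [
    ExportJob("nightly-ftp", "ftp://backup.example.net/mc", username="svc-backup",
              prune_backups=True, prune_pinned=True,
              private_data_device_types={"ProxySG"}),
    ExportJob("weekly-scp", "scp://backup.example.net/mc", username="svc-backup",
              private_data_device_types={"SSL Visibility"}),
    ExportJob("ca-http", "http://backup.example.net/mc",
              private_data_device_types={"Content Analysis"}),
]

if __name__ == "__main__":
    for job in SAMPLE_JOBS:
        for severity, message in review_export_job(job) or [("ok", "no findings")]:
            print(f"{job.name}: [{severity}] {message}")
```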
Set the Number of Backup Slots
By default, Management Center stores up to five backups per device, with each backup placed in a slot. After five backups, Management Center prunes (deletes) an unpinned backup to make room for the new backup. (Backups that are pinned are preserved and cannot be manually deleted or automatically pruned.) If you want Management Center to store more or fewer backups per device, you can adjust the number of backup slots.
1. Click the Administration tab and select Settings.
2. Select General on the left.
3. In the Number of backup slots field, enter a new value.
4. Click Save.
You can override the default number of backups that are retained for a device by entering a Retention Count when exporting backups. See "Export Device Backups" on page 85.
SSL Visibility Appliance - What is Backed Up and Synchronized?
This page describes the SSL Visibility appliance configuration items that are backed up or synchronized.
Policy
- FIPS configuration and version
- Policy versions
- System options
- Rulesets
- Lists (IP address, cipher suites, certificates, etc.)
PKI
- FIPS configuration and version
- RSA and ECDH data
- Certificate authority data
- Trusted and known certificate data
- HSM data
Users
- Usernames
- Passwords
- Roles
- User IDs
- FIPS configuration and version
Platform
- Version information
- FIPS configuration and version
- Network settings
- NTP settings
- Remote logging settings
- SNMP settings
- Login banner settings
Alerts
- Mail configuration and roles
- FIPS configuration and version
Remote authentication
- TACACS settings
Monitor Device Health and Statistics
Devices can be activated or deactivated. Management Center actively monitors the health status of activated devices. Deactivated devices are not monitored. Whether you choose to activate or deactivate a device depends on your business requirements. For example, you might have already set up a pre-deployed device that is now ready to be activated, or want to deactivate a device that must be taken offline for maintenance.
Any of the Change Monitoring Status actions can be saved to a job and scheduled. See "Add a Job" on page 324 for more information.
Change Health Monitoring Status
Deactivating a device is NOT the same as deleting a device. See "Stop Managing a Device" on page 95.
1. Select the Network tab.
2. Locate the device you want to activate or deactivate. See "Filter Devices or Device Groups in a Permission" on page 294.
3. Select the device or group, and click the Operations drop-down list.
4. Select Change Monitoring Status...
   The system displays the Change Monitoring State: Devices dialog.
5. Select one or more devices and click Next.
   The system displays the Change Monitoring Status: Operation States dialog. The devices selected in Step 3 are preselected in this view.
6. Verify that Change Health Monitoring state is selected and do one of the following:
   a. To activate a deactivated device, select Activate Device.
   b. To deactivate an activated device, select Deactivate Device.
      Deactivating a device disables all statistics monitoring.
   If you try to activate the device when the connection parameters are not specified, you receive an error. To specify connections parameters, see "Edit a Device" on page 72.
7. Click Run Now. The system displays the Activate Devices - Job Results window.
The device status can take up to 30 seconds to change.
Enable or Disable Statistics Monitoring
Use these options to enable or disable statistics monitoring. You can disable statistics monitoring without deactivating the device. However, Management Center can only collect statistics from activated devices.
1. Select the Network tab.
2. Locate the device you want to activate or deactivate. See "Filter Devices or Device Groups in a Permission" on page 294.
3. Select the device, and click the Operations drop-down list.
4. Select Change Monitoring Status...
   The system displays the Change Monitoring State: Devices dialog.
5. Select one or more devices and click Next.
   The system displays the Change Monitoring Status: Operation States dialog.
6. Verify that Change Statistics Monitoring state is selected and do one of the following:
   a. To enable statistics monitoring, select Enable Statistics Monitoring collections.
      You can only enable statistics monitoring for activated devices.
   b. To disable statistics monitoring, select Disable Statistics Monitoring collections.
7. Click Run Now. The system displays the Activate Devices - Job Results window.
The device status can take up to 30 seconds to change.
Stop Managing a Device
To stop managing a device in Management Center, you delete it. You should only delete a device from your network if you are certain that you will not need to manage it in the future.
When you delete a device, you remove it permanently from Management Center, and the only way to restore it is to add it again. If you want to stop monitoring a device temporarily, deactivate it instead of deleting it.
1. Click the Network tab.
2. Locate the device you want to delete. See "Search for Managed Devices" on page 103.
3. (Recommended) Verify that the device is the one you want to delete. See "Verify Device Details" on page 110.
4. Select the device, and then click Delete. The device and all related information, including reports, is permanently removed from the system.
   Deletion cannot be undone. Once removed from the network, the device needs to be registered again.
5. Confirm that the device was deleted. Deleting a device configuration can take up to 60 seconds to complete.
About Pre-Deployed and Deactivated Devices
You can manage devices in Management Center even if you do not have the ability to monitor their activity and statistics. These devices have an Inactive status in the system; when you select them, the System Metrics and Health Checks tabs at the bottom of the screen display no data.
To look for inactive devices in the system, click the Network tab and clear all the statuses beside Filter by except Inactive. The Network tab displays only the Inactive devices.
Inactive devices consist of two types: pre-deployed devices and deactivated devices. The following are examples of why you might need to manage inactive devices:
- You add a device that has not arrived in your organization yet or is not set up. In this scenario, in the Add Device wizard, you select Unavailable (pre-deployment) for the deployment status. Connection parameters are not required when you select the pre-deployment status, so you must specify them before you activate the device later.
- To allow for scheduled maintenance or other scenarios where devices must be powered off. In this scenario, to prevent error alert messages, you could deactivate the affected devices by selecting them and clicking Deactivate. Then, reactivate the devices when maintenance is complete.
For more information about device status and the use of color in the web console, see "About Color-Coded Status Indicators" on page 28.
Restart a Device
If you need to reboot a managed device, you can restart it from Management Center's web console.
1. Select the Network tab.
2. In the left pane, select the device group, and then select the device in the right pane.
3. From the Operations drop-down list, click Restart.
4. Click OK to confirm the reboot.
Synchronize Devices
Management Center supports synchronization of the following device types: SSL Visibility, Content Analysis, and Malware Analysis.
When devices have similar or exact configurations, you can copy the configuration of one device (the source) to one or more similar devices running the same or later OS versions. As an example, you can't synch from a non-FIPS image to a FIPS image.
Prerequisites
- Determine which device has the configuration settings you want to synchronize to other devices. This device will be your source device.
- Under Devices on the Network tab, identify the target devices and verify that their OS version is the same or later than the source device. The OS version is displayed in the device's Overview tab. See "View System Metrics" on page 112.
Device Sync Details
Different settings may be synched for each device.
Support for SSL Visibility Appliance
Management Center does not allow synchronization from a newer version of an operating system to an older version. For example, you cannot synchronize a 3.8.3 operating system version to a 3.8.2 operating system.
What to synchronize:
- Alerts - alerting and notifications used on the device
- Users - names and passwords on the device
- PKI - certificate (or the database store)
- Policy - rules for decrypting traffic
- Remote authentication - controls the way the device authenticates, as for TACACS
SSL Visibility appliances do not report platform information in the device overview. Platform is displayed as N/A as shown in the example.
Support for Content Analysis
Management Center does not allow synchronization from a newer version of an operating system to an older version.
What to Synchronize:
- Select Configuration. Not all elements of your Content Analysis appliance configuration can be saved/restored. Administration details and network information defined in the initial deployment of your appliance must be manually assigned. The following components are included:
  - Global Anti-Virus Policy
  - Kaspersky Policy
  - Sophos Policy
  - Alert Settings
  - Alert Templates
  - SMTP Settings
  - Consent Banner
  - Custom Logo
  - NTP Settings
  - Timezone Configuration
  - HTTP Settings
  - SNMP Settings
  - Sandboxing Settings
  - Static Analysis Settings
Support for Malware Analysis Appliance (MA)
Management Center does not allow synchronization from a newer version of an operating system to an older version.
What to Synchronize:
- Settings - All settings within these groups are synced:
  - File reputation (enabled/disabled)
  - Cleanup daemon
  - Proxy Server
  - YARA state (enabled/disabled)
  - VirusTotal key
  - Task Defaults
  - Updates (enabled/disabled)
  - WebPulse
- Pattern groups created by users
Perform Device Synchronization
Follow this basic procedure.
1. Click the Jobs tab.
2. Select New Job. The web console runs the New Job wizard. A red asterisk (*) denotes fields that are mandatory.
3. Enter a Name (*) and Description.
4. Click Next.
5. From the Operation (*) drop-down list, select Synchronize Devices.
6. Select a Source Device (*) from the list of available devices. After selecting a source device, click OK.
7. Select the check boxes to define What to synchronize (*). Available choices are specific to the device and are not platform specific.
8. Click Next. Select target devices or device groups that you want to keep in sync with the source device. If you select a device group that includes devices that are not supported, the synchronization job automatically filters out any devices that are not the correct device type.
9. Click Next. Define a schedule to run the Synchronize Devices job. See "Job Scheduling Options" on page 328.
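The device-type, OS-version, and FIPS rules in this topic can be checked against an inventory before a Synchronize Devices job is scheduled, so that a pushed set of users, PKI data, and policy lands only where intended. The following Python check is an added example, not Blue Coat code; the Device record, its field names, the device names, and version 3.10.1 are constructed, and only the non-FIPS to FIPS direction stated in the guide is treated as blocked.

```python
import re
from dataclasses import dataclass

# Device types the guide lists as supporting synchronization.
SYNC_TYPES = {"SSL Visibility", "Content Analysis", "Malware Analysis"}


@dataclass(frozen=True)
class Device:
    # Hypothetical inventory record; field names are not a product schema.
    name: str
    device_type: str
    os_version: str
    fips: bool = False


def version_key(text, width=4):
    """Turn '3.8.3' into (3, 8, 3, 0) so versions compare numerically."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:width]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def plan_sync(source, candidates):
    """Split candidates into (eligible names, {name: reason skipped})."""
    if source.device_type not in SYNC_TYPES:
        raise ValueError(f"{source.device_type} does not support synchronization")
    eligible, skipped = [], {}
    for dev in candidates:
        if dev.name == source.name:
            skipped[dev.name] = "source device"
        elif dev.device_type != source.device_type:
            # The job filters out devices that are not the correct type.
            skipped[dev.name] = "filtered: device type differs from source"
        elif version_key(dev.os_version) < version_key(source.os_version):
            # Newer-to-older synchronization is not allowed.
            skipped[dev.name] = "blocked: target OS is older than source"
        elif dev.fips and not source.fips:
            # Stated in the guide: no sync from a non-FIPS image to a FIPS image.
            skipped[dev.name] = "blocked: non-FIPS source, FIPS target"
        else:
            eligible.append(dev.name)
    return eligible, skipped


# Constructed inventory; the first entry is the source device.
INVENTORY = [
    Device("sslv-a", "SSL Visibility", "3.8.3"),
    Device("sslv-b", "SSL Visibility", "3.8.2"),
    Device("sslv-c", "SSL Visibility", "3.10.1"),
    Device("sslv-d", "SSL Visibility", "3.8.3", fips=True),
    Device("ca-1", "Content Analysis", "3.8.3"),
    Device("proxysg-1", "ProxySG", "3.8.3"),
]

if __name__ == "__main__":
    ok, why_not = plan_sync(INVENTORY[0], INVENTORY)
    print("eligible targets:", ok)
    for name, reason in why_not.items():
        print(f"{name}: {reason}")
```

Comparing the version strings as text would rank 3.10.1 below 3.8.3 and wrongly block sslv-c, which is why the check compares numeric tuples.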
Configure Hierarchy for Devices and Device Groups
The Hierarchy is the highest level in the device structure in Management Center. Any hierarchies that you create are at the same level as the predefined Location and Organization hierarchies. Because you can manage 500 devices, creating hierarchies is critical in managing device health, status, deploying policy and handling large jobs.
The Hierarchical structure of Management Center enables users to manage policy across a large number of data centers in a way that users can segregate the administration of policy.
Hierarchical Configurations
Management Center organizes its many managed devices into hierarchies with parent and child configurations. The key to understanding Management Center hierarchical configurations is to remember the basic rules of managing device groups, devices, and managing policies that can be deployed to all the devices in your organization.
Using the hierarchical structure, multiple devices can merge their policy attributes, devices can inherit policy attributes from a parent device group, or child devices can be directly assigned policy.
Device Groups can belong to other Device Groups, but cannot belong to multiple Hierarchies (for example, you cannot have the same Device Group in both Location and Organization).
Create hierarchies to represent geographical regions, organizational or departmental structure, deployment type, or anything else appropriate for your network. You can then add device groups to as many hierarchies as needed.
1. Click the Network tab. In the left pane, to the right of the Group By drop-down list box, click the Manage Hierarchies icon. The web console displays the Manage Hierarchies dialog.
2. Click Add Hierarchy. In the Hierarchy Name field, enter a unique name.
3. In the Comments field, enter useful comments to differentiate this hierarchy from others. Fields marked with a red asterisk (*) are required settings.
4. The name you entered in step 2 automatically populates the Root Folder Name field. Accept the name if you do not want to create a root folder within the hierarchy.
5. To create a new root folder, enter a name for it in the Root Folder Name field. Click Save.
   The root folder is the parent folder for all subfolders. For example, in the Beach Names hierarchy, Beach Names is the parent folder for the subfolders (West Coast Beaches, East Coast Beaches and Gulf Coast Beaches).
Edit a Hierarchy
1. To edit a hierarchy, from Groups select a device group name, click Edit. The Edit Hierarchy dialog displays.
2. Edit the name, comments, and root folder name as needed. Fields marked with a red asterisk (*) are required settings.
3. Click Save to save your hierarchy changes or click Cancel to return to the Manage Hierarchies dialog.
You can delete any hierarchy except for the Location hierarchy.
Delete a Hierarchy
1. To delete a hierarchy, from Groups select a hierarchy, click Delete. A Delete Confirmation displays.
2. Confirm the deletion; click Delete.
   If you delete a hierarchy that contains devices, the devices are still members of any other hierarchies to which they belong. If you delete the last hierarchy to which a device belongs, you can click Unassigned Devices to see the device.
To add a device group to the Hierarchy, see "Add a Device Group" on page 68.
Search for Managed Devices
You can search for devices in your network using several methods.
Search by Name or IP Address
In most cases, searching by the name or IP address is the most efficient way to locate a device.
1. Click the Network tab.
2. In the search field at the top of the tab, enter one of the following:
   - Device name
   - String in the device name
   - IP address of the device
   - Octet or part of an octet in the device IP address
3. Press Enter or click the search icon (magnifying glass).
   The system returns a list of all devices that match the search criteria in a Search window.
   Select a device to view it, or click the X in the top right corner of the window to close it.
Browse the Hierarchy
Select the Network tab and browse the hierarchy and folders for the device. This method is convenient if you know where the device is located in the folder structure, or if the folder structure is not too deep or complex.
Perform an Operation on a Managed Device
The status of a managed device can control which operations are allowed on a device. See "Monitor Device Health" on page 106.
Operations that are not available for the selected device or device group are grayed out in the Operations drop-down list.
1. Select the Network tab.
2. Select the device group in the left pane, and the device in the right pane.
3. Click Operations to display the drop-down list of options.
4. Select the desired option:
   - Launch Console
   - Restart
   - Delete
   - Change Monitoring Status
   - Backup Devices
   - Export Backups
   - Import Backups
   - Import from File (Add Multiple Devices)
   - RMA Device
   - Purge Stats Monitoring
   - Remove Unused Tenant Policy
Ensure Devices Belong to Device Groups
Blue Coat recommends that you periodically verify that all devices are assigned to groups. A device might become unassigned if no groups were selected when the device was added to Management Center, or if the groups to which the device was assigned were deleted. See "Edit a Device Group" on page 74.
Because unassigned devices do not display in any groups, users might not manage them or even be aware of them if they work only in device groups or only have access to specific device groups in their role filters.
A device group can be inside another device group, but a device group cannot be in multiple hierarchies.
1. Click the Network tab. From the left pane, click Unassigned Devices. Unassigned devices display in the right pane.
2. Select a device you want to assign to groups and click Edit. The web console displays a wizard with the following tabs:
   - Basic Info
   - Connection Parameters
   - Membership
   - Attributes
   - Policies
   An error message displays at the bottom, citing the reason why the device is not assigned to a device group.
3. Click Membership. Enter a location for the device.
4. Click Save. A message stating: [device name] was saved successfully.
5. (Optional) To assign by dragging and dropping the device to a device group, select the device and drag it into the device group in the tree on the left. Drop the device. Confirm the move. Click OK.
Monitor Device Health
Management Center collects health status information on device components including system resources, license validity, and user-defined health checks, and displays the aggregate health status in several areas.
Device health is always represented by status colors: Error (red), Warning (yellow), and OK (green). A device's health status is determined by system-defined thresholds on the device: if a service or other monitored component exceeds a threshold, the device goes into a Warning or Error state.
If you cannot get the device out of the Error state, regardless of what you try, you may need to RMA the device. See "Perform an Operation on a Managed Device" on page 104.
A gray status color indicates an absence of health status and represents an Inactive device. Some jobs and operations cannot occur on inactive or pre-deployed devices.
See "About Color-Coded Status Indicators" on page 28 for more information on status colors in various areas of the web console.
For more information on monitoring health status on the ProxySG appliance, refer to the SGOS Administration Guide.
View Device Health Status on the Dashboard
The Dashboard displays overall health status information in widgets. Two widgets display by default, but you can close them by clicking the X in the top right corner.
The Device Health widget gives an overall picture of the health of monitored devices in a circle graph.
Click a status icon below the chart to see the devices that have that status.
The Top Problem Devices widget lists the devices that are consistently displaying with errors or warnings.
For example, if you click on San Clemente, the Device Overview displays Yellow with the specific warnings for each device value.
If you have removed a widget from the Dashboard, you can display it again. See "Change the Dashboard Layout" on page 396 for instructions.
View Health Status in the Banner
In the web console banner, look for the device status icons.
Click a status icon to see the devices that have that status. These totals are the same as the device status totals that display under the Device Health widget on the Dashboard; because these are in the banner, they are visible to you no matter which tab you are working on.
View Device Health Status
1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and Backup tabs display at the bottom of the screen.
3. Click Health Checks. The web console displays information about the system resources. Scroll to the bottom of the screen to view the following:
View Device Dashboards
A dynamically generated dashboard is available for device monitoring. CAS and MA are currently supported.
1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and Backup tabs display at the bottom of the screen.
3. Click Dashboard. The web console displays system status metrics. The content available will vary with the device:
   - ProxySG/Advanced Secure Gateway Dashboard
   - MA Dashboard
   - CAS Dashboard
The metrics may be displayed in one of several different ways:
   - Counters: Displays a count for a specific time period.
     Examples: Object Count, Total Scan.
   - State: Displays a text value.
     Examples: Condition - Green/Yellow/Red condition indicator.
   - Series: Displays values over a period; this presentation may be in an area display, a bar, a column, a pie chart, or a donut chart.
     Examples: CPU, ICAP Scan.
Resolve Device Errors
To resolve device errors, see Resolve Device Errors.
Verify Device Details
To verify a device's information after you have added it, or to help identify a device, do the following:
1. Click the Network tab and select a device to view. Select the device whose details you want to view.
2. At the bottom of the screen, click the up arrow. The monitor window expands from the bottom of the screen.
3. The Overview, System Metrics, Health Checks, and Backup tabs display at the bottom of the expanded window.
4. Click Overview. The web console displays information about the system resources.
5. Inside the Overview tab, click Launch Console to launch the console of the device, or click Refresh to query the device for the latest values to display within these device tabs.
   After you upgrade or downgrade the device, use the Refresh button to display the latest values correctly. See "Upgrade/Downgrade System Images" on page 406.
6. To close the device monitor window, click the down arrow.
Device Overview Tab
Value Description
Device Icon The icon used to depict a certain device type, for example a ProxySG appliance is

    Example:
    <20s ago
    6/1/15 6:02 PM GMT-05:00
    The example shown is when <6/1/15> equals the date in short format, <6:02 PM> equals the time on a 12-hour clock and <GMT-05:00> equals the time zone <Greenwich Mean Time minus 5 hours> which at the time of this documentation equals Central Daylight Time.
System started The date and time that the system started.
    Example:
    5/26/15 11:42 AM GMT-05:00
    The example shown is when <5/26/15> equals the date in short format, <11:42 AM> equals the time on a 12-hour clock and <GMT-05:00> equals the time zone <Greenwich Mean Time minus 5 hours> which at the time of this documentation equals Central Daylight Time.
Model The appliance model of the appliance.
    Example:
    VA
    The example shown is where <VA> equals a virtual appliance.
Platform The Blue Coat platform information that the software is running on.
    Example:
    Blue Coat SGVA Series
    The example shown is when Blue Coat <SGVA> Series equals ProxySG Virtual Appliance Series.
Serial Number The serial number assigned to the selected device.
Host The host IP address of the selected device.
OS version The version of the operating system, including the version number and edition.
    Example:
    SGOS 6.5.5.410 SWG Edition
    The example shown is when <SGOS> equals the ProxySG Operating System, <6.5.5.410> equals the version number and <SWG> equals Secure Web Gateway Edition.
Build The build number of the software running on the selected device.
    Example:
    150788 64-bit, gbd, optimized
    The example shown is when <150788> equals the build number, <64-bit> equals the capacity at which bits can be processed and stored and <optimized> equals clock optimization for this particular build number.
View System Metrics
In Management Center, device metrics refer to key hardware components such as CPU usage, disk status, fan status, and motherboard temperature. Refer to these metrics to verify availability and performance of system resources.
1. Select the Network tab. Select a device to view metrics.
2. At the bottom of the screen, click the up arrow. The monitor window expands from the bottom of the screen.
3. The web console displays the Overview, System Metrics, Device Health, and Backup tabs.
4. (Optional) If the device is always in an error state (yellow or red) and you are unable to update the license or restore a good configuration, you may need to perform an RMA for the device. See "RMA a Device" on page 114.
5. Click System Metrics. The web console displays information about the system resources. If available, scroll down to see all of the metrics available for the selected device. To see device details in the Overview tab, see Verify Device Details.
Management Center can collect metrics only from activated devices. If you select a deactivated or pre-deployment device, the Overview, System Metrics, Health Checks and Backup tabs display no information.
The System Metrics Tab
The System Metrics tab provides a snapshot glance of the disk status as well as the percentage that both the CPU and Memory are currently being used, and the threshold settings for both Warning and Critical. To configure warning and critical thresholds displayed in the System Metrics tab, see "Configure Hardware Monitor Settings" on page 405. An example of a ProxySG appliance is displayed in the table shown below.
The Health Checks Tab
The Health Checks tab displays information based on the type of device that you have selected. An example of an SSL Visibility appliance is displayed in the table shown below. The top row displays General with the number of health checks that are routinely performed on the device. To see other places within the web console to view device health, see "Monitor Device Health" on page 106.
- General (4)
License OK Up
Load OK Up
Network OK Up
System OK Up
The Backup Tab
The Backup tab displays all of the device backups for the selected device. The Backup tab also displays whether a device backup has been exported to an external server, and whether it has been restored. Perhaps most importantly, you can pin a backup to ensure that it doesn't get deleted when Management Center deletes old backups when performing routine disk maintenance. When importing a backup, Management Center will not replace pinned backups unless specified when you "Restore Device Backups" on page 87. You must select a backup from the list to View, Restore, or Delete a backup. See "Monitor Device Health" on page 106. An example of a ProxySG appliance backup information is displayed in the table shown below.
Determine Your Next Step
What do you want to do next? Refer to this topic
RMA a Device
If you need to return a device to Blue Coat using Return Merchandise Authorization (RMA), follow the procedure below to replace the defective device with the replacement device in Management Center. This procedure assumes you have initiated the RMA process with Blue Coat.
1. Record the serial number of the defective device. You will need this number when performing the RMA Device operation below.
2. (Optional) Deactivate the defective device. See "Monitor Device Health and Statistics" on page 90.
   Deactivated devices show on the Network tab with a gray status. If you don't deactivate the device, it will show on the Network tab with a red status.
3. Return the defective device to Blue Coat.
4. Install the replacement device in the network. If you assign it the same IP address and credentials, you do not need to add the device into Management Center; otherwise, you will need to "Add a Device" on page 65.
5. Go to the Network tab and select the replacement device.
6. From the Operations drop-down list, select RMA Device. A red asterisk (*) denotes fields that are mandatory.
   Management Center will attempt to connect to the device and retrieve its serial number. If it succeeds, it will display it next to Serial Number detected on device.
7. In the Provide previous Serial Number field, enter the serial number of the defective device.
8. (ProxySGs only) Decide whether you want to apply existing Statistics Monitoring data from the defective device and migrate it to the replacement device. Select the desired option:
   - migrate Statistics Monitoring data
   - ignore Statistics Monitoring data
9. Click Update Device.
10. From the Operations drop-down list, click Restart.
Put Device in Monitor-Only Mode
You might want to monitor some devices while also preventing configuration changes on them. This is called monitor-only mode. Management Center displays a lock next to devices in monitor-only mode, as shown below.
Monitor-only devices can be selected as targets for jobs, scripts, etc., but that job step will fail.
Allowed Operations
The following table describes the monitor-only
Operation Allowed?
Edit Metadata Yes
Edit Attributes Yes
RMA Yes
Purge Stats Monitoring Yes
Import from file Yes
Assign Group Membership Yes
Use as a policy target Yes
Install Policy No
Remove unused policy No
Execute script No
Backup Device Yes
Export Backup Yes
Restore Backup No
Launch Console Yes
Activate Device Yes
Deactivate Device Yes
Restart Device Yes
Device sync as a source Yes
Device sync as a Target No
Add A Device in Monitor-Only Mode
1. Select the Network tab.
2. Select Add Device.
3. Enter the connection details.
   If you add a device with the Deployment Status set to Unavailable (predeployment), changing the monitoring status has no effect.
4. In the Management Status field, select Monitor Only (no config changes).
5. Click Next.
6. Follow the rest of the Add Device procedure.
Put an Existing Device in Monitor-Only Mode
1. Select the Network tab.
2. Locate the device, select it, and click Edit.
   The system displays the Edit Device dialog.
3. Click the Connection Parameters tab.
4. In the Management Status field, select Monitor Only (no config changes).
5. Click Save.
Use WAF Policy To Protect Servers From Attacks
As more and more organizations move to web applications, they are exposed to new and sophisticated threats. While traditional firewalls and IPS systems are effective for detecting threats in layers 3 and 4, they cannot interpret the logic inside the application layer, making them ineffective against web application threats. Web Application Firewalls (WAF) were designed for just this purpose. WAF devices protect web applications by inspecting traffic and controlling access to applications.
As the following diagram shows, the ProxySG WAF appliance is typically deployed behind the firewall and in front of the back-end content servers. It is typically paired with the Malware Analysis and Content Analysis appliances, while Reporter and Management Center provide reporting and remote management services.
In Management Center 1.5.x and later, you can use Management Center to construct Web Application Firewall (WAF) policies for your ProxySG appliances. These WAF policies are designed to protect back-end web applications and servers in a reverse proxy deployment from external security threats. The ProxySG WAF solution provides the following:
   - OWASP top 10 threats protection
   - Content Nature Detection
   - Virtual Patching
   - Cookie signing
   - Denial of Service (DoS) protection
   - Whitelisting and blacklisting
   - Advanced policies (CSP, HSTS, HPKP, etc.)
   - Analytics filter (heuristics anomaly detection)
   - GEO location intelligence
   - Normalization
   - Signature versions per application
   - JSON/XML security
Requirements
To use the WAF features, you must purchase the following:
   - Web Application Protection (WAP) Subscription (included with Management Center but must be purchased for your ProxySG appliances).
     If you have purchased a subscription, it is automatically downloaded to Management Center. To manage your subscription, see #subscriptions in the Management Center Configuration Web Guide.
     In Management Center 1.6.1.1, the subscriptions command controls only the Web Application Protection (WAP) subscription. To use Web Application Firewall (WAF) features, you must ensure that Management Center can connect to https://subscription.es.bluecoat.com to download the WAP subscription bundle. If the WAP subscription cannot be downloaded, the Blacklist and Analytics Filter rules table in the Security Profile will not be available. However, all other WAF features should still be available and functioning. The WAP subscription cannot currently be loaded when Management Center is in offline mode.
   - Multi-Tenant Policy License.
     These licenses are purchased on a per ProxySG appliance basis.
Software Version Requirements
   - ProxySG appliance: Must run SGOS 6.6.3 or later.
   - Reporter: Must run 10.1.3 or later, which provides the new WAF database.
   - Management Center: Must run 1.5 or later, which provides the new WAF interface.
Before using these WAF features, Blue Coat strongly recommends reading and familiarizing yourself with the Web Application Firewall Solutions Guide.
Solution Steps
1. Learn about WAF policy.
2. Select a tenant.
   Tenants are administrative entities defined on ProxySG appliances. Each tenant has a unique instance of policy governing its traffic. To begin, first deploy WAF policy to the default tenant. You can add additional tenants later if you require WAF Application objects with different security profiles.
3. Create a Tenant Determination File.
   This object controls how requests are routed to the tenant slots in policy. A Tenant Determination File always references the default tenant. Optional tenant references and rules controlling their selection can be added as needed when additional tenant slots are created.
4. Deploy the Tenant Determination File to the appropriate ProxySG appliances.
5. Create and configure a WAF Security Profile.
   A WAF Security Profile defines the security rules for the Web Application Firewall.
6. Create and configure a WAF Application object, associating a tenant and WAF Security Profile.
   A WAF Application Object represents a web application (or group of Web applications) and its associated WAF security settings.
7. Add targets and deploy the WAF Application Object to those targets.
8. Run web application traffic through the WAF and review your logs for false positives.
   The bcreporterwarp_v1 access log format is recommended for reverse proxy WAF deployments. For more information, refer to the Web Application Firewall Solutions Guide.
9. Refine your WAF Security Policy:
   a. Add exemptions to your WAF security policy.
   b. Change WAF protections controls from Monitor-mode to Block-mode.
   c. (Optional) Configure Effective Date to intelligently handle subscription updates.
About WAF Policy
As described in "Use WAF Policy To Protect Servers From Attacks" on page 119, WAF policies are designed to protect backend web applications and servers in a reverse proxy deployment from external security threats.
The Management Center WAF policy feature uses the following policy elements:
Tenants. Management Center WAF policy is centered around the concept of tenants. Tenants are administrative entities defined on the ProxySG appliance that allow policy to be applied to a request matching specific properties or conditions. Tenants represent one or more web applications. Each WAF application object (see below) is associated with a tenant.
Tenant Determination File. A Tenant Determination file includes policy conditions that control which tenant policy slot is evaluated for an HTTP request. When policy matches a request, the tenant is identified and all policy associated with the tenant ID is applied to the request. For example, a tenant's rules could indicate that all traffic to port 80 must have this tenant's policy applied to it. After setting these rules on Management Center, you deploy this file to your ProxySG appliances.
WAF Security Profile. A WAF Security Profile is a shared object (a policy element that can be referenced by multiple policy objects) that defines the Web Application Firewall settings for the associated WAF application object. For its rules to be enforced, a WAF security profile must be associated with a WAF application object.
WAF Application Object. WAF policy is configured through the use of a WAF application object. A WAF application represents a tenant (a web application or group of web applications) and its associated WAF security profile settings. Therefore, to create a WAF application, you must associate it with a tenant (web application) and a WAF security profile (security settings).
About the Default Tenant
For new WAF deployments, you begin by associating a WAF application with the default tenant. The default tenant contains the policy rules applied to all requests that do not match a specific tenant. This ensures that all requests have a base level of WAF protection, and simplifies the deployment process.
After deploying policy to the default tenant, create additional tenants as needed. For example, you can define a tenant for your Salesforce application and another tenant for your SharePoint application. Then, you can create and apply specific policy to protect and control each of those tenants.
About Tenant Determination
The criteria that determine the correct tenant policy to apply to a request are called tenant determination rules. As shown below, tenant determination is controlled through the use of a <tenant> layer in the Landlord CPL slot on the ProxySG appliance.
On Management Center, you configure the Landlord slot by creating a Tenant Determination File. In other words, the Landlord slot on the ProxySG appliance is referred to as a Tenant Determination File on Management Center.
The <tenant> layer in the Landlord slot specifies conditions and tenant() properties. Within this layer, a small subset of CPL conditions are supported. These conditions are used like a switch statement (conditional logic flow) to specify which tenant slot CPL should be evaluated for a given request. When the conditions on a line evaluate to true, the tenant() property is set and evaluation of the current layer ends.
After tenant determination, the request is routed through a tenant, whose policy is evaluated for that transaction. When no specific tenant is determined for a request, the default tenant policy is used. Tenant determination criteria govern which tenant's policy applies to a given request.
Reference: Conditions and Examples
Supported Conditions
The following table shows the tenant conditions supported in Management Center.
The following CPL rules provide an example of tenant determination in the Landlord slot.
<tenant>
url.path.substring="/Webapp/portal" tenant(webapp_portal)
url="http://domain.com/mail" tenant(domain_mail)
tenant(default)
In the preceding CPL, the condition on each line is evaluated. If the condition is a match, the tenant() property on that line is set appropriately and the evaluation of the <tenant> layer exits. If no tenant is determined, the tenant(default) is used.
The tenant(default) property is implicit and does not actually need to be included in the CPL rules. Always deploy WAF policy to the default tenant to ensure that all requests are processed by the WAF. Specific applications (or groups of applications) that require different WAF security settings can then be split off into unique tenants as required.
WAF Policy Evaluation Example
The example below describes WAF policy evaluation:
1. The ProxySG appliance intercepts a request.
2. The appliance examines the initial connection parameters (source, destination, port, URL).
3. The appliance applies policy to the traffic.
4. The Landlord policy (Tenant Determination File) is examined.
5. The request is set to a specific tenant slot, or to the default tenant slot.
6. The appliance re-evaluates the request using a CPL stack that contains the appropriate tenant policy.
7. If allowed by policy, the ProxySG appliance sends the traffic to the appropriate server.
Manage Tenants
Tenants are administrative entities defined on ProxySG appliances. Each request is routed through a tenant, whose policy is evaluated for that transaction. When no specific tenant is determined for a request, the default tenant policy is used. Tenant determination criteria govern which tenant's policy applies to a given request. Add these tenants to Management Center to create and deploy tenant-specific policy.
On the ProxySG appliance, there are two options for controlling tenancy determination:
2. Using the <tenant> layer in the Landlord CPL slot to specify conditions and tenant() properties.
The Management Center WAF interface leverages option #2 to control tenancy determination via the Tenant Determination object. See "About WAF Policy" on page 121 for more information.
When evaluating an HTTP request, if the tenant determination rules produce a match against an installed tenant, then that tenant's policy will be evaluated. If that fails to set the tenant() property, or the tenant() property setting does not correspond to an installed tenant policy, then the default tenant policy is applied to this traffic. Default tenant policy applies to all requests where tenancy couldn't be determined during the initial connection.
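The following Python model is an added example, not Blue Coat code: it reproduces the first-match evaluation of the <tenant> layer and the fallback to the default tenant described above, and lists tenant IDs that rules reference but that are not installed. The simplified matching semantics, the hr_app and legacy tenant IDs, and the sample requests are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Set
from urllib.parse import urlsplit

DEFAULT_TENANT = "default"


@dataclass(frozen=True)
class Request:
    url: str
    client_ip: str


Condition = Callable[[Request], bool]


def url_path_substring(fragment: str) -> Condition:
    # Models url.path.substring= as a plain substring test on the URL path.
    return lambda req: fragment in urlsplit(req.url).path


def url_prefix(prefix: str) -> Condition:
    # Assumption: url= is modelled as a simple string-prefix match.
    return lambda req: req.url.startswith(prefix)


def client_address(cidr: str) -> Condition:
    # Accepts IPv4 or IPv6, single address or subnet; a v4 client never
    # matches a v6 network and vice versa.
    network = ipaddress.ip_network(cidr, strict=False)
    return lambda req: ipaddress.ip_address(req.client_ip) in network


@dataclass
class Rule:
    tenant_id: str
    conditions: List[Condition]
    match: str = "all"     # "all" or "any" of the conditions
    enabled: bool = True   # rules are enabled by default

    def matches(self, req: Request) -> bool:
        if not self.enabled:
            return False
        results = (cond(req) for cond in self.conditions)
        return all(results) if self.match == "all" else any(results)


def determine_tenant(req: Request, rules: List[Rule], installed: Set[str]) -> str:
    """Return the tenant slot whose policy would be evaluated for req."""
    for rule in rules:
        if rule.matches(req):
            # The layer exits on the first matching line. A tenant ID with
            # no installed policy falls back to the default tenant.
            return rule.tenant_id if rule.tenant_id in installed else DEFAULT_TENANT
    return DEFAULT_TENANT


def uninstalled_references(rules: List[Rule], installed: Set[str]) -> List[str]:
    """Tenant IDs used by enabled rules that have no installed policy.

    Traffic matching these rules is handled by the default tenant, so the
    stricter per-tenant settings an administrator intended are not applied.
    """
    return sorted({r.tenant_id for r in rules
                   if r.enabled and r.tenant_id not in installed})


# Constructed sample data. The first two rules mirror the CPL example on
# this page; hr_app and legacy are hypothetical tenant IDs.
RULES = [
    Rule("webapp_portal", [url_path_substring("/Webapp/portal")]),
    Rule("domain_mail", [url_prefix("http://domain.com/mail")]),
    Rule("hr_app", [client_address("10.1.0.0/16"),
                    client_address("2001:db8::/32")], match="any"),
    Rule("legacy", [url_path_substring("/old")], enabled=False),
]
INSTALLED = {"default", "webapp_portal", "domain_mail", "legacy"}

if __name__ == "__main__":
    samples = [
        Request("http://domain.com/Webapp/portal/login", "203.0.113.7"),
        Request("http://domain.com/mail/inbox", "203.0.113.7"),
        Request("http://domain.com/reports", "10.1.2.3"),
    ]
    for sample in samples:
        print(sample.url, sample.client_ip, "->",
              determine_tenant(sample, RULES, INSTALLED))
    print("not installed:", uninstalled_references(RULES, INSTALLED))
```

Running the audit function before deploying a Tenant Determination File shows which rules would silently route traffic to the default tenant.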
Obtain the tenant identifiers before you write multi-tenant policy in Management Center. For more information on multi-tenant policy, refer to the Multi-Tenant Policy Deployment Guide.
WAF Policy Use
Selecting a tenant is step 2 in "Use WAF Policy To Protect Servers From Attacks" on page 119. A base-level of WAF policy should be installed to the default tenant before any additional tenants are created. This ensures that all requests are processed by the WAF.
Add a Tenant
A red asterisk (*) denotes fields that are mandatory.
1. Select Configuration > Tenants.
2. Click Add Tenant. The web console displays the Add Tenant dialog.
3. Enter a Display Name.
4. Enter the Tenant ID. This controls the name of the tenant slot where policy will be installed. This ID is also used in the tenant determination CPL using the tenant() property.
5. (Optional) Enter a Description (up to 1024 characters).
6. Click Save.
By default, the Tenants list is sorted in alphabetical order by Display Name. You can also sort by Tenant ID or Description by clicking the column headings. If the list is long, use the Keyword Search field to search for any string in the name, ID, or description. The search is case-sensitive.
Modify a Tenant
1. Select Configuration > Tenants.
2. From the Tenants list, select the tenant to modify and click Edit. The web console displays the Edit Tenant dialog.
3. Edit the Display Name or Description. A red asterisk (*) denotes fields that are mandatory.
4. Click Save.
Delete One or More Tenants
1. Select Configuration > Tenants.
2. From the Tenants list, select one or more tenants to remove.
3. Click Delete.
4. Select Yes to delete the selected tenants.
You cannot delete the default tenant or any tenant that is currently referenced in Management Center policy. Attempting to delete the default or a referenced tenant results in a "Delete failed" error message.
Specify Tenant Determination Rules
A Tenant Determination file includes policy conditions that control which tenant policy slot is evaluated for an HTTP request. When policy matches a request, the tenant is identified and all policy associated with the tenant ID is applied to the request. On the ProxySG appliance, this file is called the "Landlord Policy." See "About WAF Policy" on page 121 for more information about the Landlord policy.
WAF Policy Use
Specifying Tenant Determination rules is step 3 in "Use WAF Policy To Protect Servers From Attacks" on page 119.
Step 1 Create a Tenant Determination File
1. Select Configuration > Policy and click Add Policy.
   The web console displays the Create New Policy: Basic Information wizard. A red asterisk (*) denotes fields that are mandatory.
2. Enter a name for the policy object.
3. Select Tenant Determination File for the Policy Type.
4. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.
   The Reference ID must begin with a letter, and must contain only letters, numbers and "_".
5. (Optional) Enter a description in the Description field. Although entering a description is optional, entering a description can help you understand the purpose of the policy when you later refer to it.
6. Click Next.
7. Enter or select values for the defined attributes.
8. Click Finish.
   The new tenant determination policy object appears in the Policy Objects editor. When installed on a ProxySG appliance, this tenant determination file configures the policy in the ProxySG Landlord slot. Because no other tenants have yet been defined, this policy object directs requests to the default tenant. (The default tenant contains the policy rules applied to all requests that do not match a specific tenant.) For initial setups, WAF policy should be installed to the default tenant. To proceed, deploy the tenant determination file to your ProxySG appliances and continue to "Configure WAF Security Rules" on page 130 to create a Security Profile.
9. (Optional) Add Target Devices.
10. (Optional) Install Policy.
Step 2 Optional: Add Tenant Determination Rules for Other Tenants
Use this optional procedure to add additional tenants after deploying WAF policy to the default tenant. You would only complete these steps if you require WAF Application objects with different security profiles.
Tenant determination rules specify the properties used to identify a tenant. You specify these properties using a simple, natural language interface that generates equivalent CPL rules.
1. Select Configuration > Policy.
2. Click the policy name hyperlink or highlight the row and click Edit.
   The selected file displays in the Editor tab.
3. Click Add Rule.
   The system displays the Add Rule window.
4. Click the Tenant field and select a tenant from the Select Tenant window.
   The Selected Tenants window displays existing tenants in Management Center. For more information, see "Manage Tenants" on page 209.
5. Click OK to exit the Select Tenant window.
6. In the Determination Rules field, use the natural language fields to create the tenant's determination rules:
   a. Select All or Any of the following rules.
   b. Select a rule condition, for example, URL Extension.
      The following conditions are available: Client Address, Client Effective Address, Port, Proxy Address, Proxy Port, URL, URL Domain, URL Extension, URL Host, URL Path, URL Query.
   c. Select an operator, for example, equals.
      The available operators may change based on the specified rule condition.
   d. Enter a value, for example, .pdf.
      Address fields support IPv4 and IPv6 single and subnet addresses. For example:
7. Use the icons to add more rules.
   - To add another rule, click .
   - To delete a rule, click .
   - To add a nested set of rules, click .
8. When you are finished making changes, click Save.
9. (Optional) Add Target Devices.
10. (Optional) Install Policy.
Tenant determination rules are enabled by default. To disable a rule, highlight the rule and click Disable.
Tenant Determination Rule Example
Configure WAF Security Rules
A WAF Security Profile is a shared object (a policy element that can be referenced by multiple policy objects) that defines the Web Application Firewall settings for the associated WAF application object. You associate the WAF Security Profile with a WAF Application object to define the security rules for that object. You can create as many WAF Security Profiles as you need but a WAF Application object can be associated with only one security profile.
WAF Policy Use
Configuring a WAF Security Profile is step 5 in "Use WAF Policy To Protect Servers From Attacks" on page 119.
Step 1 Create a WAF Security Profile
1. Select Configuration > Shared Objects.
2. Click Add Object.
   The web console displays the Create New Shared Object: Basic Information wizard. A red asterisk (*) denotes fields that are mandatory.
3. Enter a name for the policy object.
4. Select WAF Security Profile for the Object Type.
5. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.
   The Reference ID must begin with a letter, and must contain only letters, numbers and "_".
6. Enter a description in the Description field. Although entering a description is optional, entering a description can help you understand the purpose of the policy when you later refer to it.
7. Click Next.
8. Enter or select values for the defined attributes.
9. Click Finish.
   The new WAF Security Profile object appears in the Policy Objects editor.
Step 2 Configure WAF Security Rules
1. Select Configuration > Shared Objects.
2. Click the policy name hyperlink or highlight the row and click Edit.
   The selected file displays in the Editor tab.
3. Review the following settings and adjust to create the desired security settings:
   Refer to the Web Application Firewall Solutions Guide for information about these settings.
   Request Validation: Controls general HTTP request properties such as size restrictions, WAF validation properties, allowed methods, and allowed file types.
   Request Normalization: Enables the recommended normalization settings for each request part, and what action to take when normalization issues are encountered. For advanced normalization control, refer to the Content Policy Language Reference.
   Blacklist: Enables/disables the blacklist engine and sets block/monitor behavior when a request triggers one of the blacklist rules. The signature-based blacklist discovers well-known attack patterns quickly and efficiently.
   Analytics Filter: Enables/disables the Analytics Filter engine and sets Analytics Filter block/monitor behavior. Analytics Filter is a scoring engine that detects attack characteristics and triggers intelligently based on the sum of the anomalies.
   Security Engines: Specifies security engine settings (these are known as WAF engines in the ProxySG documentation). The content nature detection engines include HTML Injection, Command Injection, Code Injection, SQL Injection, XSS, and Directory Traversal.
   XML Validation: Introduced in 1.6.1.1, these options ensure the XML is valid and check for potentially malicious constructs.
   Attack Prevention: Additional security controls that block common web application attack techniques and control HTTP response behavior.
   Exemptions: Define exemptions to your WAF policy to handle false positives.
   Optimizations: Disable WAF controls for POST requests consisting of binary data.
   Many of the options include a Block/Monitor/Ignore setting. This setting indicates the action taken when suspicious content is identified. For new WAF deployments, Blue Coat recommends setting the action to Monitor.
4. (Optional) After making one or more changes, click Compare to review a side-by-side comparison of the changes.
5. Click Save.
To create exemptions to your WAF policy, modify the Block/Monitor/Ignore behavior, or configure the Blacklist or Analytics Filter effective date, see "Manage WAF Security Policy" on page 140.

Configure WAF Application Objects
A WAF Application Object represents a web application (or group of applications) and its associated WAF security settings. The WAF application object is associated with a specific tenant and WAF Security Policy. You install this policy on ProxySG appliances to configure WAF settings.

WAF Policy Use
Configuring a WAF Application Object is step 6 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Create a WAF Application Object
1. Select Configuration > Policy and click Add Policy.
   The web console displays the Create New Policy: Basic Information wizard. A red asterisk (*) denotes fields that are mandatory.
2. Enter a name for the policy object.
3. Select WAF Application Object for the Policy Type.
4. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.
   The Reference ID must begin with a letter, and must contain only letters, numbers and "_".
5. Click the Tenant field, select a tenant from the Select Tenant window, and click OK to exit the Select Tenant window. If this is a new WAF deployment, select the default tenant.
   Tenants only display in the Select Tenant window if they have already been created on Management Center. For more information, see "Manage Tenants" on page 209.
   A WAF Application should first be deployed to the default tenant slot to ensure that all requests are processed by the WAF. Additional WAF Applications, Security Profiles, and Tenants can then be created to handle specific web application requirements.
6. Enter a description in the Description field. Although entering a description is optional, the description helps differentiate versions of the same policy.
7. Click Next.
8. Enter or select values for the defined attributes.
9. Click Finish.
The new WAF Security Profile object appears in the Policy Objects editor.

Configure the WAF Application Object
1. Select Configuration > Policy.
2. Click the policy name hyperlink or highlight the row and click Edit.
   The selected file displays in the Editor tab.
3. Select a WAF Security Profile.
   a. Click the WAF Security Profile text field or pencil icon.
   b. In the WAF Security Profile dialog, select the desired WAF Security Profile.
   c. Click OK to close the WAF Security Profile dialog.
4. Specify the WAF Security Profile version to use. Select Always Use the Latest Version or specify a specific version in the Use Specific Version: field.
5. (Optional) To override all WAF Security Profile settings, select Disable entire Security Profile.
6. (Optional) To globally change all Block/Monitor verdicts, select Change all Block/Monitor verdicts to: Monitor or Block.
   To set the behavior to Ignore, disable the entire WAF Security Profile.
7. Specify the user notification (exception) page to use for blocked requests. Show screen.
8. Set the criteria for allowing traffic to the ProxySG. Specify these rules using rules associated with a tenant, a CPL fragment, or by manually entering them using the Custom Rules option.
   Because reverse proxy deployments have a global Deny policy, you must specify rules to allow traffic. If this WAF application is associated with the default tenant, you will receive an error (because the default tenant has no allow rules) and must specify the allow rules using one of the other methods.
9. (Optional) Add a CPL fragment.
   Add valid CPL layers only. Do not add individual CPL rules. Adding individual rules can lead to errors and unpredictable results.
   a. Click Add CPL Fragment. The system displays the Add CPL Fragment dialog.
   b. Click the CPL Fragment text field or pencil icon. The system displays the Select Policy dialog.
   c. Select the CPL Fragment. See "Create a CPL Policy Fragment" on page 188 for information about creating CPL fragments.
   d. Click OK.
   e. Select Always Use the Latest Version or specify a specific version in the Use Specific Version: field.
      If Always use the latest version is selected, Management Center will always include the latest available version of the Security Profile when installing the WAF Application to a ProxySG appliance. If you are concerned about deploying untested changes, select Use Specific Version.
10. (Optional) After making one or more changes, click Compare to review a side-by-side comparison of the changes.
11. When you are finished making changes, click Save.
12. (Optional) Add Target Devices.
13. (Optional) Install Policy.

Analyze and Refine WAF Policy (Mitigate False Positives)
After installing an initial version of WAF policy on one or more target devices, you can analyze the results of the traffic to determine what attacks have been detected. There is a chance that the detection engines have flagged a legitimate request as an attack. For example, if a blog post includes an example of a cross-site scripting (XSS) attack, the appliance interprets the example as an actual attack and blocks the post. This might be undesirable behavior and considered a false positive. Address this and other kinds of false positives with the following workflow. Refer to the Web Application Firewall Solutions Guide for more information.

WAF Policy Use
Analyze and Refine WAF Policy describes steps 8 and 9 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Analyze and Refine WAF Policy Workflow

| Step | Overview | References |
|---|---|---|
| 1 | Check access logs to determine which rules or engines you must update to address false positives, false negatives, and other wanted behavior. A useful search criteria is the transaction ID. For example, when a user tries to visit a page and receives an exception page, you can use the associated transaction ID to run a forensics report. The Full Log Detail report then displays the log line matching that transaction ID. | "View a Reporter Report" on page 339; "Reference: Report Descriptions" on page 351; "Search for Specific Report Data (Search and Forensic Report)" on page 360 |
| 2 | Optional - Perform a policy trace. | "Launch a Device Console" on page 75. To enable policy tracing on the ProxySG appliance, select Configuration > Policy > Policy Options. Under Default Policy Tracing, select Trace all policy execution and click Apply. |
| 3 | Based on your analysis of the access logs, create policy exemptions to eliminate false positives and other unwanted behavior. | "Manage WAF Security Policy" on the facing page |
| 4 | Run traffic through the appliance and confirm through access logs (and optionally, other troubleshooting tasks) that requests match both general rules and exceptions appropriately. | Repeat steps 1 through 3 in this table as often as required. |

Manage WAF Security Policy
As described in "Analyze and Refine WAF Policy (Mitigate False Positives)" on the previous page, you will need to refine your WAF security policy to ensure it is working properly.

WAF Policy Use
Refining your WAF Security Policy is step 9 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Add Exemptions
After installing the WAF protection policy and reviewing the access logs, you will likely find several sites that were incorrectly characterized as threats. To troubleshoot this, add exemptions to your WAF Security Policy.
1. Select Configuration > Shared Objects.
2. Select the WAF Security Policy and click Edit.
3. Click Exemptions > Add Exemption. The system displays the Add Exemption Dialog.
4. Add the URL Exemption.
   a. Enter the URL.
   b. (Optional) Enter a description.
   c. Specify whether to exempt the URL from the entire WAF policy or from specific engines.
   d. If you selected Specific engines, rules, or properties, select the desired options.
      a. All Blacklist or per rule (by specifying a CSV list of rule IDs)
      b. All Analytics Filter or per rule (by specifying a CSV list of rule IDs)
      c. Per engine (by specifying engines)
   e. Click Save.
The system adds the exemption for the URL. If the exemption list is long, filter for specific exemptions using the search box above the table. To clear the filter, delete the text and press Enter (or click the magnifying glass).

Set Block/Monitor/Ignore Actions
When first implementing a WAF protection policy, it is important to observe the effects of rules before inadvertently blocking traffic. To begin, ensure that new rule actions are set to Monitor. Then review access logs to identify false positives, create policy exemptions (as described above) to address those issues, and repeat until false positives no longer occur. Then, update policy actions from Monitor to Block.
Options that support the Block/Monitor/Ignore action include an action drop-down menu. To set, select the appropriate action and click Save.
For example, to set the Blacklist action to Block:
1. Select Configuration > Shared Objects.
2. Select the WAF Security Policy and click Edit.
3. Click Blacklist.
4. Verify that Enable Blacklist is selected.
5. Select Block and click Save.
Some options allow you to be even more granular, allowing you to modify individual rules, as shown below.

Use Effective Date to Manage New Rule Updates
When Application Protection Subscription (APS) updates are published, the updated Blacklist and Analytics engine content is immediately available. Because the updated engine rules can potentially change the behavior of the existing WAF security policy, Management Center enables you to use this activation date as a decision point. The Effective Date option is that decision point, enabling you to control rule selection based on the date the rules were added.
For example, rules qualified in a pre-production environment can be set to block mode, and new rules can be set to monitor mode. This functionality enables an organization to take advantage of new rules immediately, but in a manner that will not introduce new false positives that cause requests to be blocked. After the new rules are sufficiently qualified, the effective date can be migrated forward, thereby setting the new rules into block mode.
Additionally, by using multi-tenancy this can be controlled on a per-tenant basis. This facilitates different update strategies and a tenant-configurable update cadence. For example, some tenants may choose to always use the latest rules, whereas some risk-averse tenants may employ a very deliberate APS update qualification process. Multi-tenancy provides flexibility for diverse infrastructures where a one-size-fits-all approach may not be ideal.
Only Blacklist and Analytics Filter use the Effective Date option.

Distribute Configurations to Devices
The Blue Coat Management Center enables you to distribute common configurations and policies that you created and want enacted across other managed ProxySG appliances. Your enterprise might have dispersed data centers that contain hundreds of hierarchies, device groups and devices. Groups of devices might have different functions, thus requiring different sets of configurations or policies.
Two methods provide this ability.
- Script Method: Create scripts that contain common device configurations for specific managed devices. Give various users (with the correct permissions) the ability to create and modify script objects.
  Execute a ProxySG Configuration Script on Multiple Devices
- Policy Method: Use Blue Coat Content Policy Language (CPL) or the Visual Policy Manager (VPM) to define policy and validate it before distributing to other managed devices.
  Distribute ProxySG Policy to Multiple Devices

Create and Distribute Configurations Using Scripts
One method for distributing configurations is creating and modifying existing scripts to execute on command across dispersed data centers that contain hundreds of hierarchies (managed device groups and devices).

Create a Script.
1. Select Configuration > Scripts.
2. From the Script Objects page, click Add Script. The web console displays the Add Script dialog.
   Enter the following information (a red asterisk (*) denotes a field that is mandatory).
   a. Name the script.
   b. Select a device Type from the drop-down list.
   c. (Optional) A Description helps to differentiate between similarly named scripts.
   d. (Optional) Select Substitution Variables. The Management Center attempts to replace variables with the values associated with the device where the policy is installed or the script is executed. For more information, see "Use Substitution Variables in Policies and Scripts" on page 176.
3. Click Save. The new script displays in the Script Objects list.
4. Select the script and click Edit. The Management Center displays the script Editor.
5. Create the script.
6. Click Save.

Execute a Script on a Device.
The Management Center provides two places where you can run a script on a device now.
1. Select Configuration > Scripts.
2. Select a script from the Script Object list. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
3. Click Execute on Device. Select the device Target and click Execute.
OR
4. Select Edit and click the Editor tab. At times, administrators with the correct privileges want to execute a script immediately after updating a script. While in the rich text editor, ensure that all edits have been saved and click Execute on Device. Select the device Target and click Execute.
   Each time you start a job manually, the Management Center displays a Job Progress dialog. To run the script in the background (no window) while you perform other tasks, click Continue in Background.

Preview a Script With Variables Replaced
Management Center enables you to check the validity of a script before you execute the script to a device. Blue Coat recommends that you preview scripts before executing a script. Devices that are in your network deployment should not be used to test configurations. Previewing a script avoids inadvertently changing a device configuration.
For scripts that use commands not in configure mode, you must exit configure mode before executing the script. Most commands are executed in configure mode. Licensing commands are the exception, and cannot execute in configure mode.
1. Select Configuration > Scripts.
2. Select a script object.
3. From the Editor tab, click Preview.
4. Select a device to preview the script and click OK.
5. The Preview Script window displays the entire script.
6. Click Close.

(Optional) Create a Job to Execute a Script on a Schedule.
Management Center makes it easy to create a job to Execute a script without the hassle of going through the entire job wizard.
1. Select Configuration > Scripts.
2. Select a script from the Script Object list. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
3. Click Execute on Device. Select the device Target and click Create Job. The web console displays the New Job dialog.
   a. Name the job; click Next.
   b. Select an Operation; for this example: Execute Script; click Next.
   c. Select the Devices to receive this configuration; click Next.
   d. On the Schedule screen, select a timing option: Periodic, Daily, Weekly, or Monthly. Each option presents more granular options.
   e. Click Finish.

Manage Scripts
Navigate to the following sections for more information.
- "Customize Object Filters" on page 149: Limit view of script objects.
- "View Script Information" on page 157: View versions and attributes.
- "Manage Attributes" on page 297: View current and add new attributes.
- "Filter by Attributes and Keyword Search" on page 151: Find a script by the attributes assigned to the script.
- "Import Script from a Device" on page 153: Import a configuration from a selected device.
- "Restore a Version of Script" on page 156: Roll back to a previous configuration while you perform modifications to the current version.
- "Compare Versions of the Script" on the facing page: Useful for troubleshooting.

Compare Versions of the Script
As a troubleshooting step or as part of performance evaluation, you might want to identify the changes between an earlier version and a later version of a script. Management Center shows the changes made.
1. Select Configuration > Scripts. From the Script Objects list, select the script name. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. After you select the script, click Edit. Click the Versions tab.
3. Select an earlier version of the script to compare with the current version.
4. Press and hold the CTRL key while selecting the later version of the script to compare.
5. Click Compare. The web console displays the Compare Scripts dialog.
   The two scripts are displayed side-by-side; the web console displays the version you selected first (earlier version) on the left and your second selection (later version) on the right.
   - A script highlighted in red exists in the former version and was removed in the later version.
   - A script highlighted in yellow indicates that a line exists in both versions of script, but there are differences in the line.
   - A script marked in green does not exist in the former version and was added in the later version.
See "Restore a Version of Script" on page 156.

Customize Object Filters
Filters control the specific objects that are searchable.
1. Select Configuration > Policy or Scripts.
2. The Filter panel contains the following fields.
   - Name: Filters by the Object Name.
   - Reference Id: Filters by the Operation type.
   - Type: Filters by the Object Type.
   - Description: Filters by the Object Description.
   - Author: Filters by the user who last changed the Object.
   To substitute variables in policies, policy fragments or scripts, see "Use Substitution Variables in Policies and Scripts" on page 176.
3. The Filter panel also includes mandatory attributes. See "Manage Attributes" on page 297.
4. To customize filters, click Customize.
   a. Select the filters to be visible on the Filter panel.
   b. Click Save.

Execute a Script
You can execute any script that is saved in Management Center in the Script Object list. However, before you execute a script, preview the script with substitution variables. This is important because you can see the script variables without committing them to a device and inadvertently causing a device configuration to change. Scripts are automatically assumed to execute in configure mode on the ProxySG appliance. For scripts that use commands not in configure mode, you must exit configure mode before executing the script. Most commands are executed in configure mode. Licensing commands are the exception, and cannot execute in configure mode.
When executing scripts on the ProxySG appliance, the script is initially executed in configure mode. If the first command should not be executed in configure mode, you must exit configure mode prior to executing the commands. See example below.
Example
exit
user-license queue
configure terminal
To Execute a Script
1. (Optional) Before executing a script, "Preview a Script With Variables Replaced" on page 145. From Configuration > Scripts, select a script object. Click Edit.
2. (Optional) From the Script Editor, click Preview. Because a script is specific to a device, variable substitution requires that you select a specific device. Click OK. Rather than executing the script on that device, the script is displayed in the Preview Script dialog exactly as it will be executed on that device. Click Close.
3. To execute the script, click Execute on Device.
4. Select a target device or device group. Click Execute.
5. (Optional) While the Job Progress dialog displays the script executing, click more details to view the Output. Download as Text or Close the dialog.
6. Or to execute the script at a later time (on a schedule), click Create Job...

Filter by Attributes and Keyword Search
You can search for existing objects by filtering on attributes and then using the keyword search. When you are managing hundreds of policies and scripts across multiple devices, it is important to be able to find a particular object quickly.
You are not limited to the displayed Filter fields. See "Customize Object Filters" on page 149.
1. Click the Configuration tab and select Policy or Scripts. From the Filters list on the right pane, the following fields are available by default.
   - Name: Filters by the Object Name
   - Reference Id: Filters by the Object Reference Id
   - Type: Filters by the Object Type
   - Description: Filters by the Object Description
   - Author: Filters by the user who last changed the Object
   Additional fields are created when you create a new attribute. See "Manage Attributes" on page 297.
   - Tenant: Filters by tenant ID.
2. To filter by a particular type of policy, click the Type drop-down list and select a policy type.
3. Two options:
   - Click Apply Filters. The Policy Objects and Script Objects lists only those objects you defined by Type.
   ~or~
   - Filter by particular device type for which you created a script; select the device type from the Type drop-down list.
5. Click Apply Filters. The Script Objects list displays only those scripts you defined by type.

Search by Keyword
When searching, Management Center breaks text into keywords and then searches for keywords entered. Management Center's index system has a special case for dot. Although Management Center sees dots as separating letters within a word (for example, Management Center considers dots as a part of a word).
The wildcard symbol is *. Management Center automatically appends an * at the end of your search term, but if you want to start with a wildcard search, you have to enter it yourself.
Colons are treated like other non-letters by splitting keywords apart. IPv4 and IPv6 addresses work differently because of colons.
You cannot search on special characters, such as ^ % | ~.
Procedure
1. From the Keyword Search field, enter your search term.
2. Press Enter or click the magnifying glass icon.

Can quotes be used in a search?
Use quotes when non-letters are part of the search term. For example, your search term includes a colon.
The exception to this search rule is the use of a dot because a dot that is not followed by whitespace is considered part of the keyword.

How do you search for whole words?
Enter the whole word. If there is more than one word, separate each word with a space. If using special characters, enclose each word in double quotes.

How do you search for partial words?
Enter the partial term, and Management Center attempts to complete the search. For example, enter hi and Management Center matches that to both highlight and high.

Example Searches
IPv4 127.0.0.1
- 127.0.0 Matches any IPv4 starting with 127.0.0.
- *.0.0.1 Matches any IPv4 ending in 0.0.1.
IPv6 0:0:0:0:0:1
Use quotes for IPv6 addresses because IPv6 uses colons instead of dots as the separator.
- 0:0:0 Matches any IPv6 starting with 0:0:0.
- *0:0:1 Matches any IPv6 ending with 0:0:1.
Hostnames
- abc.com Matches a host named abc.com.
- *.com Matches a hostname ending in .com.
- *:8080 Matches a hostname with :8080 as the port.

What if the search finds no match?
If the search finds no match, the right pane displays a message indicating that no objects match the keyword filter. You can search again using a different keyword.

What if the search succeeds in finding matches?
If the search finds matches, the results display in alphabetical order in the Objects list.

How do you clear the search results?
To clear search results and display all objects in the system, click the X in the search field.

Import Script from a Device
Scripts are sequentially-running CLI commands for a device configuration. It makes sense to import device configurations that are currently on a device because you know that the configuration is correct. Importing an entire device configuration is essentially backing up a device into Management Center and may not exist as a whole such as in the following situations:
- You want to restore a previous version of script that exists only on a device. For example, you started editing script in Management Center, but realize that the script on the device is correct and complete.
- A device has a full configuration that you want to use as a script (template) to execute on another like device.
A red asterisk (*) denotes fields that are mandatory.
1. Select Configuration > Scripts.
2. Scripts can only be imported into an existing script object. Select a script name. Click Edit.
3. Click Import.
4. Select a device to import the script. Click OK. The web console displays the Import Script dialog.
5. From What to Import, select Entire Configuration or Only selected sub-sections.
6. Click Import.
The comment you enter is saved as script metadata.

Determine Your Next Step
What do you want to accomplish? Refer to this topic

Manage Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Because you have different devices and appliances to manage, those devices require and are often restricted to certain attributes. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Attributes can be used to filter on specific devices, device groups or objects.
1. Select Administration > Attributes.
2. From the Manage Attributes list, select one of the following:
   - Device
   - Device Group
   - Policy
   - Device Script
3. To add an attribute, click Add Attribute. See "Add Attributes" on page 298.
4. To edit an attribute, select the attribute name and click Edit. See "Edit Attributes" on page 301.

View and Sort the Following Attributes Lists
- Name
- Display Name: The attribute name (with no spaces).
- Type: The format that users must enter or select values.
- Default Value: Select the default value that displays in the Attributes list. Default values can be substituted by other variables. See "Use Substitution Variables in Policies and Scripts" on page 176.
- Mandatory: The value of attributes that are marked as mandatory is required when you create a new or add a device, device group, create a policy, and create a script.
- Inheritable: Applies specifically to devices and device groups. When this is selected, the device or device group inherits attributes from its parent device group.
- Description: Describes the attribute and must be specific to the device, device group, policy, or script to which you are applying the attribute.
You are able to search for specific objects based on the attributes you define. See "Filter by Attributes and Keyword Search" on page 151.

Restore a Version of Script
After time, you might find that the script executed on devices needs improvement or must change because of changes in business requirements or practices. In such situations, you can modify scripts as needed, or revert to an earlier version of a script that is appropriate. When you have determined which version of script to restore, you can restore it using the version history.
1. Click the Configuration tab and select Scripts. From the Script Objects list, select the script name. If required, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. Click Edit. Click the Versions tab. Versions of the script are listed in descending numerical order.
3. From the Version Control page, verify that the version you want to restore is the correct one. Perform one or both of the following as required.
   - Check the version metadata. See "View Script Information" on the next page.
   - Preview a script with the variables replaced.
4. After you have identified the version to restore, select it and click Restore. The web console displays the Restore dialog.
5. In the Comment field, specify the reason for the restore.
6. Click Restore.
The restored version of the script is incremented to the latest version in the Script Objects list, and the comment you entered in step 6 is displayed in the Comments column.

View Script Information
Whenever you create a script, Management Center automatically saves information about it. This information is called metadata.
1. Select Configuration > Scripts.
2. From the Script Objects list, select a script and click Edit. A red asterisk (*) denotes fields that are mandatory.

View Script Object Information
1. Click the Info tab.
2. Under General Information, the Overview displays the information you entered when creating the script object:
   - Name (*): The name of the script that you gave it when you created it
   - Type (*): The device type that the script applies to
   - Description: This describes the script, but is not a required field
   - Replace substitution variables
3. Metadata displays under Latest Revision. Click Save.
   If you edited any of the fields in Overview, fields marked with a red asterisk (*) are required and cannot be left blank.

View Script Versions
1. Click the Versions tab. The Version Control page lists all versions of the selected script. When a script object is created it is assigned the version number 1.0. Every time that the script attributes change or the script is edited, the version increases by increments of 0.1.
2. Select an early version of script to compare.
3. Press and hold the Ctrl key while selecting the newer version of the script.
   - Version Number: When a script object is first created, its version is 1.0. Each subsequent time the object is modified (for example, if the object properties are edited) the version number increments by 0.1. For example, when you add script text to the object and save it, the version becomes 1.1.
   - Date: The time and date stamp indicates when the script was last updated.
   - Author: The author is the user who saved the current version of the script displayed.
   - Comments: If the author entered comments or a description about the script, they are displayed here. Metadata displays automatically-generated comments as follows:
     - "Script Object created": When the script container is initially created and script has not been added yet.
     - "Name changed": When the script name is edited.
     - "Description changed - former script has been overridden": When the script description is edited.
     - "Name and description changed - former script has been overridden": When both the name and description are edited.
   Of these metadata, the comments are usually the most important in helping you and other users understand the purpose and intent of creating the specific script version. Blue Coat recommends that you always enter clear, helpful comments when creating scripts.

View Script Attributes
Click the Attributes tab. The Attributes page displays all attributes currently assigned to selected script. The attributes are custom attributes that you created. See "Manage Attributes" on page 297.

View Device Script Output
When you execute a script on a device, the Job Progress dialog displays the status of the executing script. You can view the device output of currently executing scripts and scripts that have already executed on a device by clicking More Details. Any output line that starts with "%" is considered a warning (and is standard for ProxySG appliances). Navigation buttons enable you to jump between warnings and are useful when viewing the device output for long scripts. You can view the raw output in a text editor by selecting Download as Text.

Set the Maximum Number of Script Revisions to Store in Management Center
After you create or import a script, you can edit the script to execute on devices of the same type. You can specify the number of revisions of scripts to store before Management Center begins to prune. You can specify up to 999 script revisions.
1. Select Administration > Settings. Click General. General fields display on the right. A red asterisk (*) denotes fields that are mandatory.
2. Select Maximum number of script revisions to store.
3. Enter a number (limit) from 0 to 999.
4. Do one of the following:
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server.
   - Click Activate to cause the server to load and apply the currently saved configuration.

Use Substitution Variables in Policies and Scripts
Substitution variables are generic terms that you can include in policies and scripts. When Management Center installs policy or executes a script that includes substitution variables, it attempts to replace them with values specific to the current transaction (that is, the current device, policy, or script). For example, if you install policy that includes the substitution variable ${device.name}, the variable is replaced with the device name set in Management Center.
To include and process substitution variables:
1. Enable Replace substitution variables in the policy object (see Create a CPL Policy Object) or script (see Create and Distribute Configurations Using Scripts).
2. Include substitution variables in the CPL or script. See "Supported Variables" on the next page below.
3. Install the policy or execute the script. As the target device processes the policy or script, it attempts to replace the variables with the appropriate values.
   If the policy or script is associated with a device group, Management Center inspects every device in the group structure for the variable and attempts to replace all instances with specific values.

Syntax
Substitutions have the following form:
${name}
where name is an expression that expands to a string or block of text at runtime.
For example, the substitution ${device.description} expands to the description entered in the current device's properties in Management Center.
If the device does not have a description (because Description is an optional field), the substitution expands to an empty string unless you also specify a default value. See "Specify a Default Substitution Value" on the facing page below for details.

Examples
Substitute the device's serial number.
${device.serialNumber}
Substitute the value of the device's Rack attribute.
${device.attributes.Rack}
Substitution variables are case-sensitive. To ensure that you have entered them with correct spelling and case, use the Preview option before installing policies or executing scripts. The preview warns you if a substitution variable is invalid.

Supported Variables

Device - ${device.field}
The following variables are available for policies and scripts.

| Variable | Description |
|---|---|
| ${device.uuid} | Internal ID of device |
| ${device.modelNumber} | Device model number |
| ${device.description} | Text in the Description field in device properties in Management Center |
| ${device.name} | Text in the Device Name field in device properties in Management Center |
| ${device.serialNumber} | Device's serial number |
| ${device.osVersion} | Operating system version running on the device |
| ${device.attributes.name} | System or user-defined device attribute value, including any values inherited from the device group, where name is the attribute name |

Policy - ${policy.field}
The following variables are available for policies only (not scripts).

| Variable | Description |
|---|---|
| ${policy.author} | Last user who edited and saved the policy |
| ${policy.description} | Text in the Description field in policy properties |

Policy Fragment - ${fragment.field}
The following variables are available for policy fragments.

| Variable | Description |
|---|---|
| ${fragment.author} | Last user who edited and saved the policy fragment |
| ${fragment.description} | Text in the Description field in policy fragment properties |

Script - ${script.field}
The following variables are available for scripts only (not policies).

| Variable | Description |
|---|---|
| ${script.author} | Last user who edited and saved the script |
| ${script.description} | Text in the Description field in script properties |
| ${script.versionDate} | Date of last update |
| ${script.name} | Text in the Name field in script properties |
| ${script.type} | Selected Type in script properties |
| ${script.revision} | Script's current Version number |
| ${script.revisionDescription} | Comments entered for the last revision |
| ${script.attributes.name} | User-defined script attribute value |
Specify a Default Substitution Value
Unless you specify a default value, some transactions can produce unsubstituted variables, resulting in empty strings. The following are examples of such transactions:
• An optional field such as Description is empty
• An attribute that is not marked as mandatory has no value
• A field is not applicable, such as when a script or policy has not been revised

Syntax
A default substitution has the following form:
${name(default_name)}
where:
• name is an expression that expands to a string or block of text at runtime
• default_name is the value that will be used instead of an unsubstituted variable

Example
If a policy fragment was edited, use the comments entered for the last revision. If the fragment was never edited, use the specified text "No revision".
${fragment.revisionDescription(No revision)}

Create and Distribute Policy
When you first configure Management Center, you can create new policies or import existing policies from managed devices. When you have been managing devices from Management Center for a longer period of time, you might also want to edit policies to change current device configurations. One of Management Center's most powerful features is the ability to create and modify policy objects before deploying multiple policies across data centers containing hundreds of hierarchies, device groups and devices.

Policy Locking
Starting with Management Center 1.6, a policy file is automatically "locked" as soon as a user starts editing policy. If another user tries to edit the same policy, that user will receive the following message.
The policy lock is released after the user saves or cancels the changes. When a policy lock is active, another user may force that policy to unlock by clicking Unlock on the policy grid.
Policy locking affects the content of policy only. Other attributes (Targets, Info, etc.) can be changed even while the policy is being edited by another user.

Create and Edit CPL Policies
Content Policy Language is a language for specifying the policy rules for the ProxySG appliance.
For complete information about the Content Policy Language, refer to the Content Policy Language Reference.
Another way to create CPL policy is to create CPL fragments (or building blocks). See "Create a CPL Policy Fragment" on page 188.
Management Center gives you great flexibility for creating and modifying CPL policies, as well as the power to deploy multiple policies to a range of devices or device groups. Use CPL to accomplish the following:
• Create and modify the CPL directly from the policy editor (Configuration > Policy > Policy Name > Edit). See "Use Content Policy Language (CPL) to Create Policy" on page 165.
• Create policy without assigning it to devices immediately. See "Create a CPL Policy Object" on page 167.
• Find and edit sections of the policy. See "Find a Policy Section" on page 173 and "Edit a Policy Section" on page 169.
• Modify and test policy and group related rules together. See "Refine Existing CPL Policy" on page 171.
• Correct and modify the behavior of existing policy by re-ordering policy sections. See "Change the Order in which Policy Rules are Evaluated" on page 175.
• Create versions of policy, and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• View or compare policy versions.
• Enable substitution variables to be used, for any variable, so that you don't have to modify each attribute in each policy if a configuration has changed. See "Use Substitution Variables in Policies and Scripts" on page 176.
• Create policy attributes and apply them to policy objects. See "Add Attributes" on page 298.
• Add target devices and install policy to them.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• Import existing policy from a managed device. See "Import Policy or Shared Objects" on page 232.
• Check the consistency of installed policy.
• View the deployed policy on a device.
• View existing policy information. See "View Existing Policy Information" on page 243.

Create VPM Policies
The Visual Policy Manager enables you to specify the policy rules using a GUI editor for the ProxySG appliance and install the policy to the VPM slot. For complete information about the Visual Policy Manager, refer to the Visual Policy Manager Reference and Advanced Policy Tasks.
You can:
• Create and edit VPM policies:
  • Select a reference device to edit VPM policy. See "Select Reference Device for VPM Policy" on page 185.
  • Use the Visual Policy Manager for both creating and editing VPM policies. See "Launch Visual Policy Manager" on page 183.
• Create versions of policy, back up and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• View the CPL or XML source.
• View or compare policy versions.
• Create or edit attributes (see "Edit Attributes" on page 301) and apply them to policy objects.
• Add target devices and install policy to them.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• Import existing policy from a managed device. See "Import Policy or Shared Objects" on page 232.
• Check the consistency of installed policy.
• View the deployed policy on a device.
• View existing policy information. See "View Existing Policy Information" on page 243.

Create Tenant Determination Policies
A Tenant Determination File contains rules for routing request traffic to the proper tenant. These determination criteria control which set of tenant policy is evaluated for a given request. If a tenant determination cannot be made, the "default" tenant policy is used. You can:
• Create and edit tenant determination policies directly from the policy editor (Configuration > Policy > Policy Name > Edit) (without assigning the policy to devices immediately).
• Use tenant determination rules to properly route traffic to the correct web application (or group of web applications). See "Specify Tenant Determination Rules" on page 126 and "Use WAF Policy To Protect Servers From Attacks" on page 119.
• Create versions of policy, back up and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• Create policy attributes and apply them to policy objects. See "Add Attributes" on page 298.
• Add target devices and install policy to them.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• Check the consistency of installed policy.
• View the deployed policy on a device.
• View existing policy information. See "View Existing Policy Information" on page 243.

Create WAF Application Policies
A WAF Application Object represents a web application (or group of applications) and the associated WAF security settings. The WAF application object is associated with a specific tenant and WAF Security Profile. You can:
• Use WAF Application policies to associate a Security Profile to a tenant, manage optional CPL fragments, and control WAF Application settings. See "Configure WAF Security Rules" on page 130 and "Use WAF Policy To Protect Servers From Attacks" on page 119.
• Create versions of policy, back up and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• Create policy attributes and apply them to policy objects. See "Add Attributes" on page 298.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• View existing policy information. See "View Existing Policy Information" on page 243.

Use Content Policy Language (CPL) to Create Policy
Before writing policies in CPL, Blue Coat strongly recommends that you understand the fundamental concepts underlying policy enforcement in ProxySG appliances, as well as how to write correct CPL. For comprehensive information on CPL, refer to the Content Policy Language Reference.
You can compose CPL directly in the web console editor.
1. Select Configuration > Policy. From the Policy Objects list, select the policy object to edit. Ensure that the policy's object type is CPL. Select the policy. If you have a lot of policies, narrow your search using "Filter and Keyword Search" on page 303.
2. Select Edit and the Editor tab. The other tabs available for viewing and editing purposes are the following:
   • Targets
   • Versions
   • Attributes
   • Info
3. The middle pane displays the sections in the policy, and the Quick Navigation pane on the right displays a summary of the sections in the object.
4. In either the middle pane or in Quick Navigation, select the section you want to edit. If needed, expand the sub-section (default, override, or mandatory) to edit.
   A policy object is organized into sections. Each section has a name and a purpose, and can contain up to three sub-sections of CPL that you can use to organize policy: Default, Override, and Mandatory. See "Edit a Policy Section" on page 169.
5. Enter the CPL in the appropriate sub-section(s).
6. Repeat steps 3 and 4 as needed. A red asterisk (*) denotes fields that are mandatory.
7. Click Save. Management Center prompts you to enter a comment for the save operation.
8. (Optional) Click Compare to see the differences between the previous version and the version you are about to commit. For information on comparing versions, see "Compare Different Versions of the Same Policy" on page 224 and "Compare the Device Policy Version with Current Policy Version" on page 225.
9. Enter a description of your changes and click Save.
   The comment you enter is saved as policy metadata. For information on metadata, see "View Existing Policy Information" on page 243.

Working with CPL Policy Fragments
A fragment is a piece of CPL that you can include in a CPL policy. Fragments are meant to be reusable. For example, you can create a library of policy fragments, and then include them into larger CPL policies later. For instance, you can define a host blacklist using just a fragment, and then include that host blacklist fragment into a larger policy file later. See "Create a CPL Policy Fragment" on page 188 and "Include a Policy Fragment" on page 204.
If you do NOT enable variable substitution in the CPL, variable substitution is not enabled for CPL Fragments either.

Determine Your Next Step
What do you want to accomplish?                                         Refer to this topic
Enable variable substitution for CPL Policy and CPL Policy Fragments.   "Use Substitution Variables in Policies and Scripts" on page 176
Add new attributes that can be made available to the CPL Policy.        "Add Attributes" on page 298
Add or edit sections of a CPL Policy.                                   "Add or Edit CPL Policy Sections" on page 169
Import a policy from a device to Management Center.                     "Import Policy or Shared Objects" on page 232
Modify/test policy and group related rules together.                    "Refine Existing CPL Policy" on page 171

Create a CPL Policy Object
You can create policy in CPL to specify the behaviors that you want for devices. The first step to create policy in Management Center is to create the container for the CPL, or the policy object.
Before writing policies in CPL, Blue Coat strongly recommends that you understand the fundamental concepts underlying policy enforcement in ProxySG appliances, as well as how to write correct CPL. For comprehensive information on CPL, refer to the Content Policy Language Reference.
1. Select Configuration > Policy.
2. Click Add Policy. From the Create New Policy: Basic Information dialog, fill in the following fields. A red asterisk (*) denotes fields that are mandatory.
3. Enter the Policy name (*) - The name that displays in the Policy Object list.
4. Enter the Policy type (*) - The drop-down list of policy type displays the following choices:
   • CPL
   • Tenant Determination File
   • VPM
   • VPM Tenant
   • WAF Application
   You can write VPM Tenant policy in CPL as well as VPM. For details, refer to the Multi-Tenant Policy Deployment Guide.
5. Select CPL from the drop-down list.
6. Enter the Reference Id - Enter a Reference Id that you can filter on when building policy.
   The Reference Id must begin with a letter, and must contain only letters, numbers and "_".
7. Select the Tenant to which this policy object will be applied.
8. Enter a Description. Although entering a description is optional, the description helps differentiate versions of the same policy. For more information, see "View Existing Policy Information" on page 243.
9. To enable variable substitution, select the check box Replace substitution variables. See "Use Substitution Variables in Policies and Scripts" on page 176. Click Next.
   If you do NOT enable variable substitution in the CPL, variable substitution is not enabled for CPL Fragments as well. See "Create a CPL Policy Fragment" on page 188.
10. From the Attributes page, select the attributes to apply to the CPL Policy. All attributes that are marked as mandatory with a red asterisk are required. You can change the value of the required attribute before continuing. Click Next.
11. Select the devices to install the CPL. You can associate devices with the policy at any time. See "Add or Remove Devices Associated with Policy" on page 220.
12. Choose the slot where your Policy will be installed. With CPL as the Policy type, the following slots are available:
   • Local - Use this file to store policy specific to your organization, such as departmental policies and company-wide policies. This option is selected by default.
   • Forward - This file contains forwarding rules.
   • Central - This slot contains policy common to your entire organization.
13. Click Finish. The newly created policy object displays in the Policy Objects list.

Determine Your Next Step
After you create a policy object, you can refine it or leave it as an empty object while you perform other tasks (for example, associate devices with it or edit policy details). Refer to the following table to determine the next step to take.
What do you want to accomplish?                                         Refer to
Refine an existing CPL policy.                                          "Refine Existing CPL Policy" on page 171
Enable variable substitution for CPL Policy and CPL Policy Fragments.   "Use Substitution Variables in Policies and Scripts" on page 176
Validate existing policy.                                               Preview Policy Before Installing It
Import an external CPL policy.                                          "Import External Policy" on page 238
Create a new CPL policy section.                                        "Add or Edit CPL Policy Sections" on the next page
Manage your CPL policies.                                               "Manage CPL Policies" on page 239

Add or Edit CPL Policy Sections
You can add a policy section using one of two methods: you can use part of existing policy to create the section, or add a new section and then add policy to it.

Add a Section Based on an Existing Policy Section
While composing the CPL or after importing policy from a device, you might find some policy rules that should be extracted from their respective sections and put into a new section. You can select some or all of the text in a section and convert the selection to a new section. When you convert a selection, the Policy Editor preserves the order of the CPL already written.
1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy to which you want to add a section. Click Edit.
3. From the Editor tab, locate the policy section that contains the text you want to convert to a new section.
4. Select the text and click Convert to Section. The Policy Editor displays the new section.
5. Enter or modify the CPL as needed. Click OK.
6. Click Save.

Add a New Section
You can add more sections to a new or existing policy object. A new policy object has an empty section by default.
1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy to which you want to add a section. Select the policy name. Click Edit.
3. Click the Editor tab. Locate the policy section that contains the text you want to convert to a new section.
4. In the Section name field, enter a name for the section.
5. From the Purpose drop-down list, select from the list of defined policy purposes or you can create your own Custom Solution.
6. Click OK. The new section is added at the top of the Editor. Continue to edit the CPL as needed.
   If you do not name the section, and only give it a purpose, the section appears as Untitled.
7. To commit your changes, click Save.

Edit a Policy Section
While creating a CPL policy or after importing a policy from a device, you might find it useful to edit the policy rules within a section. Because policy is applied to devices and can contain many types of rules, you can edit those rules within a section, making policy easier to navigate, organize and deploy.
1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy that you want to edit and click Edit.
3. Click the Editor tab. Locate the policy section that you want to edit. You can search for a section in the Quick Navigation pane. Click Edit. The Policy Editor displays the Edit Section dialog. Although you can name the section what best suits your needs, from the Purpose drop-down list, select from a defined list of rules that can be applied to your policy section:
   • Connection - Access Control
   • Connection - Termination
   • Authorization
   • Threat protection - Outbound Policy - Forward Proxy
   • Threat protection - Outbound Policy - Reverse Proxy
   • Threat protection - Inbound Policy
   • DLP Policy
   • Privacy
   • Content Filtering
   • Quality of Service
   • Caching
   • Bandwidth Management
   • Custom Solution
4. Click OK. The edited section is added at the top of the Editor.
   If you do not name the section, and only give it a purpose, the section appears as Untitled.
5. To commit your changes, enter a comment for the commit operation and click Save. The comment you enter is saved as policy metadata.
6. (Optional) To exit without saving your edits, click Cancel.
7. (Optional) Click Compare to see the differences between the existing policy version and the version you are about to commit.

Refine Existing CPL Policy
The policy that you write is deployed to devices as it displays in the Policy Editor; Management Center does not attempt to compile or otherwise validate the CPL. If the policy does not compile, the Policy Editor displays a "Policy Install Failed" error message after you attempt to install it.
Much of the flexibility of managing policy in Management Center derives from the ability to organize policy rules in one or more policy sections, which you can use to group similar or related rules together.

CPL Policy objects and sections
Policy in Management Center is structured thus:
• Policy object: The container for all policy that can be installed to a specific slot on a device. It has metadata and can be versioned. Device association is done at this level.
  • Policy section: A container for a high-level category of policy.
    • Sub-section: A container for the CPL; it specifies the default, override, and mandatory behavior effected by the policy.
After you have written CPL directly in the Policy Editor or imported policy from a device, you should attempt to refine it as much as possible using these sections. Writing policy in sections, or breaking down an imported policy into sections, makes policy easier to read and edit.
Configuring policy for specific devices or multiple devices at once involves several methods of creating, testing, and updating policy.
1. Search for policy objects that contain the CPL you want to edit; see "Filter by Attributes and Keyword Search" on page 151.
   Once you have found the policy object, you can determine the policy section to edit; see "Find a Policy Section" on page 173.
2. (Optional) Make sure that the policy you are editing is the one you want. See "View Existing Policy Information" on page 243.
3. (If applicable) Edit the CPL directly in the Policy Editor. See "Use Content Policy Language (CPL) to Create Policy" on page 165.
   Refer to the Content Policy Language Reference for information on CPL syntax.
4. (If applicable) If policy does not behave as intended or must be improved, modify it by moving sections within policy. See "Change the Order in which Policy Rules are Evaluated" on page 175.
5. If the policy isn't working properly, you may want to compare the OS version on the associated device with the policy version. See "Check Consistency between Policy and Devices" on page 222.
6. (If applicable) Add sections to contain policy for other purposes. See "Add or Edit CPL Policy Sections" on page 169.
7. (If applicable) Edit a section's name or purpose. See "Edit a Policy Section" on page 169.
8. Click Delete Policy if you want to delete a selected policy. A message displays "Are you sure you want to delete the policy?" Click Yes or No.

Work with CPL Policy Sections
If your policy contains numerous sections or sub-sections, you can use features in the Policy Editor to make writing and reviewing policy more manageable.

Navigate sections
The Quick Navigation pane displays an overview of all the sections in the policy object you are viewing. Each section is represented thus:
Name
(Purpose)
  default
  override
  mandatory
where Name is the section name and Purpose is the purpose you selected when you created or edited the section.
When you change the order of policy sections or change a section name or purpose, the Quick Navigation pane displays the update immediately.

Collapse a section
Policy sections are expanded by default.
To collapse a policy section, click [icon] in the section title bar.
To expand a collapsed section, click [icon] in the title bar.

Collapse all sections
To collapse all policy sections, click [icon].
To expand all sections, click [icon].

Move sections
You can move policy sections:
• Click the [icon] in a section title bar to move the section up.
• Click the [icon] in a section title bar to move the section down.
• Hover over the title bar of the section you want to move until the pointer changes to a [icon]. Drag the section to its new location.
Moving policy sections affects how policy is evaluated. See "Change the Order in which Policy Rules are Evaluated" on page 175 for information.

Find a Policy Section
You can search for an existing policy section using keywords. When you perform the keyword search, the system searches policy sections and matches partial and full strings. The search does not include previous versions of policy.
1. Select Configuration > Policy. From Policy Objects, find the CPL Policy you want under Type. Or from the Filters dialog on the right, go to the Type drop-down list and select CPL. Click Apply Filters. From the displayed CPL policies, select the policy you want. Click Edit.
2. Click the Editor tab. Above the Quick Navigation pane, in the search field, enter your search term.
   You can perform this search with all sections collapsed; any matches will cause sections to expand.
3. Press Enter or click the magnifying glass icon.

If the search finds no match
If the search does not find a match, the display does not change. You can search again using a different keyword.

If the search finds matches
If the search finds matches:
• To the right of the search field, [icon] and the number of results display, as in the following example:
• In the main Policy Editor pane, the first match is highlighted.
• In the Quick Navigation pane, the section that contains the first match is highlighted.
To go to the next search result, click [icon]. The result number shows the next match (for example, "2 of 3") and the selections in the main pane and Quick Navigation update to reflect the match.

Clear the search results
To clear search results, click the X in the search field.

Manage Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Because you have different devices and appliances to manage, those devices require and are often restricted to certain attributes. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Attributes can be used to filter on specific devices, device groups or objects.
1. Select Administration > Attributes.
2. From the Manage Attributes list, select one of the following:
   • Device
   • Device Group
   • Policy
   • Device Script
3. To add an attribute, click Add Attribute. See "Add Attributes" on page 298.
4. To edit an attribute, select the attribute name and click Edit. See "Edit Attributes" on page 301.

View and Sort the Following Attributes Lists
• Name
• Display Name: The attribute name (with no spaces).
• Type: The format in which users must enter or select values.
• Default Value: Select the default value that displays in the Attributes list. Default values can be substituted by other variables. See "Use Substitution Variables in Policies and Scripts" on page 176.
• Mandatory: The value of attributes that are marked as mandatory is required when you create or add a device or device group, create a policy, or create a script.
• Inheritable: Applies specifically to devices and device groups. When this is selected, the device or device group inherits attributes from its parent device group.
• Description: Describes the attribute and must be specific to the device, device group, policy, or script to which you are applying the attribute.
You are able to search for specific objects based on the attributes you define. See "Filter by Attributes and Keyword Search" on page 151.

Change the Order in which Policy Rules are Evaluated
You can change the order of the sections in policy, which in turn changes policy behavior. The CPL is evaluated from top to bottom, and lower layers override higher layers; thus, the order of sections affects the order in which policy rules in each section are evaluated. Changing the order of policy sections can alter the effectiveness of policy, result in a rule overriding other rules, or cause unintended behaviors. See the following examples.
1. Select Configuration > Policy.
2. In the Policy Objects list, select the policy. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
3. (Recommended) To collapse a section, click the [icon] at the left of the title bar. You can click the [icon] on the title bar of a collapsed section to expand it.
4. Hover over the title bar of the section you want to move. The pointer changes to a [icon].
   Drag the section to its new location.
   Alternatively, you can use the [icons] in the title bar to move the section up or down, respectively.
5. Move sections around in the policy object until you are satisfied that the policy will evaluate as you intend.
   If the policy has many sections, you can use the Quick Navigation pane on the right to quickly go to the section you want. See "Work with CPL Policy Sections" on page 172 for instructions.
   A red asterisk (*) beside the policy object name denotes pending changes.
6. Click Save.

Example
The following is a basic example of how changing the order of sections can change the behavior of policy.
Consider a policy section with the purpose Threat protection - Inbound Policy. It contains the following CPL:
; Deny EXE downloads
url.extension=.exe DENY
Another policy section has the purpose Access Control. It contains the following CPL:
; Users in specified subnet are allowed transactions
client.address=192.0.2.0/24 ALLOW
Refer to the following table to see how the order of policy sections can affect the behavior of policy.

Use Substitution Variables in Policies and Scripts
Substitution variables are generic terms that you can include in policies and scripts. When Management Center installs policy or executes a script that includes substitution variables, it attempts to replace them with values specific to the current transaction, that is, the current device, policy, or script. For example, if you install policy that includes the substitution variable ${device.name}, the variable is replaced with the device name set in Management Center.
To include and process substitution variables:
1. Enable Replace substitution variables in the policy object (see Create a CPL Policy Object) or script (see Create and Distribute Configurations Using Scripts).
2. Include substitution variables in the CPL or script. See "Supported Variables" on the next page below.
3. Install the policy or execute the script. As the target device processes the policy or script, it attempts to replace the variables with the appropriate values.
If the policy or script is associated with a device group, Management Center inspects every device in the group structure for the variable and attempts to replace all instances with specific values.

Syntax
Substitutions have the following form:
${name}
where name is an expression that expands to a string or block of text at runtime.
For example, the substitution ${device.description} expands to the description entered in the current device's properties in Management Center.
If the device does not have a description (because Description is an optional field), the substitution expands to an empty string unless you also specify a default value. See "Specify a Default Substitution Value" on page 178 below for details.

Examples
Substitute the device's serial number.
${device.serialNumber}
Substitute the value of the device's Rack attribute.
${device.attributes.Rack}
Substitution variables are case-sensitive. To ensure that you have entered them with correct spelling and case, use the Preview option before installing policies or executing scripts. The preview warns you if a substitution variable is invalid.

Supported Variables

Device - ${device.field}
The following variables are available for policies and scripts.
Variable                        Description
${device.uuid}                  Internal ID of device
${device.modelNumber}           Device model number
${device.description}           Text in the Description field in device properties in Management Center
${device.name}                  Text in the Device Name field in device properties in Management Center
${device.serialNumber}          Device's serial number
${device.osVersion}             Operating system version running on the device
${device.attributes.name}       System or user-defined device attribute value, including any values inherited from the device group, where name is the attribute name

Policy - ${policy.field}
The following variables are available for policies only (not scripts).
Variable                        Description
${policy.author}                Last user who edited and saved the policy
${policy.description}           Text in the Description field in policy properties

Policy Fragment - ${fragment.field}
The following variables are available for policy fragments.
Variable                        Description
${fragment.author}              Last user who edited and saved the policy fragment

Script - ${script.field}
The following variables are available for scripts only (not policies).
Variable                        Description
${script.author}                Last user who edited and saved the script
${script.description}           Text in the Description field in script properties
${script.versionDate}           Date of last update
${script.name}                  Text in the Name field in script properties
${script.type}                  Selected Type in script properties
${script.revision}              Script's current Version number
${script.revisionDescription}   Comments entered for the last revision
${script.attributes.name}       User-defined script attribute value

Specify a Default Substitution Value
Unless you specify a default value, some transactions can produce unsubstituted variables, resulting in empty strings. The following are examples of such transactions:
• An optional field such as Description is empty
• An attribute that is not marked as mandatory has no value
• A field is not applicable, such as when a script or policy has not been revised

Syntax
A default substitution has the following form:
${name(default_name)}
where:
• name is an expression that expands to a string or block of text at runtime
• default_name is the value that will be used instead of an unsubstituted variable

Example
If a policy fragment was edited, use the comments entered for the last revision. If the fragment was never edited, use the specified text "No revision".
${fragment.revisionDescription(No revision)}
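
The substitution rules described above (the ${name} and ${name(default_name)} forms, case-sensitive names, Preview warnings, and empty-string expansion) are modelled below in Python. This is an added example, not Management Center code; the function names, the SCOPES table and the sample device record are assumptions made for illustration.

```python
import re

# Field names copied from the "Supported Variables" tables above;
# fragment.revisionDescription comes from the default-value example.
FIELDS = {
    "device": {"uuid", "modelNumber", "description", "name",
               "serialNumber", "osVersion"},
    "policy": {"author", "description"},
    "fragment": {"author", "description", "revisionDescription"},
    "script": {"author", "description", "versionDate", "name", "type",
               "revision", "revisionDescription"},
}
# Namespaces that also accept ${<namespace>.attributes.<name>}.
ATTRIBUTE_NAMESPACES = {"device", "script"}
# Assumption: namespaces usable per object kind, read from the table notes
# ("policies and scripts", "policies only", "scripts only", "policy fragments").
SCOPES = {
    "policy": {"device", "policy"},
    "fragment": {"device", "fragment"},
    "script": {"device", "script"},
}
# Matches ${name} and ${name(default_name)}.
TOKEN = re.compile(r"\$\{([^(){}]+)(?:\(([^(){}]*)\))?\}")


def check_name(name, kind):
    """Return None if `name` is valid in a policy/fragment/script, else a reason."""
    parts = name.split(".")
    namespace = parts[0]
    if namespace not in FIELDS:
        return f"unknown namespace '{namespace}'"
    if namespace not in SCOPES[kind]:
        return f"'{namespace}' variables are not available in a {kind}"
    if (len(parts) == 3 and parts[1] == "attributes" and parts[2]
            and namespace in ATTRIBUTE_NAMESPACES):
        return None
    if len(parts) == 2 and parts[1] in FIELDS[namespace]:
        return None
    return "unknown field (names are case-sensitive)"


def lookup(name, context):
    """Walk the nested context dict; a missing or empty value yields ''."""
    value = context
    for part in name.split("."):
        if not isinstance(value, dict):
            return ""
        value = value.get(part, "")
    return "" if value is None else str(value)


def preview(text, kind):
    """List (token, reason) for every invalid variable, like a Preview warning."""
    return [(m.group(0), reason) for m in TOKEN.finditer(text)
            if (reason := check_name(m.group(1), kind)) is not None]


def empty_expansions(text, kind, context):
    """Valid variables that would expand to an empty string for this context."""
    return [m.group(0) for m in TOKEN.finditer(text)
            if check_name(m.group(1), kind) is None
            and not lookup(m.group(1), context) and not m.group(2)]


def expand(text, kind, context):
    """Substitute valid variables; invalid tokens are left visible unchanged."""
    def replace(match):
        name, default = match.group(1), match.group(2)
        if check_name(name, kind) is not None:
            return match.group(0)
        value = lookup(name, context)
        if value:
            return value
        return default if default is not None else ""
    return TOKEN.sub(replace, text)


# Constructed sample data: a device with no Description and an empty Rack attribute.
SAMPLE_CONTEXT = {"device": {"name": "proxy-01", "description": "",
                             "attributes": {"Rack": ""}}}
SAMPLE_CPL = ("; ${device.name} rack=${device.attributes.Rack(unassigned)} "
              "note=${device.description}")

if __name__ == "__main__":
    print(preview("${device.SerialNumber} ${script.name}", "policy"))
    print(empty_expansions(SAMPLE_CPL, "policy", SAMPLE_CONTEXT))
    print(expand(SAMPLE_CPL, "policy", SAMPLE_CONTEXT))
```

Running empty_expansions against each target device before an install lists the variables that still need a default value.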

Launch Visual Policy Manager
Before launching the Visual Policy Manager in Management Center, Blue Coat strongly recommends that you understand how the VPM Editor works and underlying policy enforcement in ProxySG appliances. For comprehensive information on creating policies using VPM, refer to the Blue Coat Systems ProxySG Appliance Visual Policy Manager Reference and Advanced Policy Tasks.
To launch the VPM editor, clients using Java 7 must enable TLS 1.1 and TLS 1.2. In the Java Control Panel, select Advanced. Then select Use TLS 1.1 and Use TLS 1.2.
1. Select Configuration > Policy. From the Policy Objects list, select a VPM policy object. To find either a VPM or a CPL policy type, you can do a "Filter by Attributes and Keyword Search" on page 151.
2. Select the Policy name. Select Edit and the Editor tab.
3. (Optional) To import policy from the reference device, click Import. See "Select Reference Device for VPM Policy" on page 185.
4. Click Launch VPM Editor. When the following message displays, click Run.
5. You may see a Security Warning. If you do, check the IP address and click Continue.
6. The web console displays the Blue Coat Visual Policy Manager.
7. Add layers and rules, as required by your policy.
8. Click Save policy when finished. The edited policy displays in the Policy Objects list with an updated revision number.
If Java is not enabled on your browser, the VPM Editor cannot launch. See "Set Up and Enable Java in Your Browser" on the facing page.

Set Up and Enable Java in Your Browser
The following is required to launch the Visual Policy Manager (VPM).
1. From your browser, install Java (the minimum required version is Java 1.7.0_51). Enable Java in your browser.
   Because every browser behaves differently, confirm that the correct Java version is installed and enabled by going (in that browser) to: https://www.java.com/verify
   You may need to restart your browser after updating Java.
2. After you have verified that your Java version is correct and a reference device is available, the Launch VPM Editor button is enabled.
3. Click Launch VPM Editor to open the Visual Policy Manager Editor. However, the following error can occur:
   If you see this error after relaunching the VPM Editor, it means that you need to allow Java to run in your browser and accept the certificates that Java requires.
182
Management Center Configuration &Management
Launch Visual Policy Manager
Before launching the Visual Policy Manager in Management Center, Blue Coat strongly recommends that you
understand how the VPM Editor works and underlying policy enforcement in ProxySG appliances. For comprehensive
information on creating policies using VPM, refer to the Blue Coat Systems ProxySG Appliance Visual Policy
Manager Reference and Advanced Policy Tasks.
To launch the VPM editor, clients using Java 7 must enable TLS 1.1 and TLS 1.2. In the Java Control Panel, select
Advanced. Then select Use TLS 1.1 and Use TLS 1.2.
1. Select Configuration > Policy. From the Policy Objects list, select a VPM policy object. To find either a VPM or a
CPL policy type, you can do a "Filter by Attributes and Keyword Search" on page 151.
2. Select the Policy name. Select Edit and the Editor tab.
3. (Optional) To import policy from the reference device, click Import. See "Select Reference Device for VPM Policy"
on page 185.
4. Click Launch VPM Editor. When the following message displays, click Run.
5. You may see a Security Warning. If you do, check the IP address and click Continue.
6. The web console displays the Blue Coat Visual Policy Manager.
7. Add layers and rules, as required by your policy.
8. Click Save policy when finished. The edited policy displays in the Policy Objects list with an updated revision
number.
If Java is not enabled on your browser, the VPM Editor cannot launch. See "Set Up and Enable Java in Your
Browser" on page 182.
Select Reference Device for VPM Policy
The reference device is the device you designate as the source device for VPM policy configurations. You must select a
reference device to launch the VPM editor.
1. Select Configuration > Policy. From the Policy Objects list, select a VPM policy. Click Edit.
A default reference device is not automatically populated. Associate at least one deployed device with the
policy or manually configure a reference device to enable editing.
2. While the Editor tab is selected, select a Reference Device, using the object selector.
Resolve displayed warnings before launching the VPM editor. The Launch VPM Editor button is grayed out if
warnings are present.
3. To associate a reference device, from the Select Device dialog, select the check box by the device that you want to
use as a reference. The selected device automatically displays in the Selected view. Click OK.
4. (Optional) You can create and edit a VPM policy as soon as you have selected a reference device and no warnings
are displayed. Click Launch VPM Editor.
Determine Your Next Step
What do you want to accomplish? | Refer to this topic
Add or remove devices associated with the policy. | "Add or Remove Devices Associated with Policy" on page 220
Restore a version of the policy. | "Restore a Version of Policy" on page 242
Create and edit a VPM policy using the VPM Editor. | "Launch Visual Policy Manager" on page 183
Import a policy configuration from a device. | "Import Policy or Shared Objects" on page 232
View VPM Policy Source
Management Center enables you to view the CPL or XML policy source of a VPM policy.
1. Select Configuration > Policy.
2. From the Policy Objects list, select the VPM policy name.
If needed, search for the policy object; see "Filter by Attributes and Keyword Search" on page 151.
3. With the policy selected, click Editor. The system displays the editor.
4. View the policy:
   • Click Generated CPL to view the CPL source.
   • Click XML (UI Markup) to view the XML source.
5. (Optional) Edit the policy.
Create Shared Objects
Shared objects are policy elements that can be referenced by multiple policy objects. A shared object cannot be deployed
by itself; it must be included in another policy type, such as CPL or a WAF Application.
Create CPL Fragments
CPL policy fragments are reusable building blocks of CPL policy. Because fragments are not complete CPL policy, you do
not deploy them to devices but include them within policy that you deploy to devices.
"Create a CPL Policy Fragment" on the facing page
"Include a Policy Fragment" on page 204
Create a Category List
A category list is a named set of URL categories that can be easily referenced in policy, allowing you to assign an allow or
deny condition to all the categories in one simple rule, or reuse the list in multiple policy rules.
"Create Category Lists" on page 193
"Category List Example" on page 196
Create a Category List Template
A category list template provides a starting point for defining which categories to include in a category list. The template
contains a subset of the complete list of WebPulse categories, typically used to restrict the categories a less-privileged user
can select when creating a category list.
"Use Category List Templates" on page 200
Create a URL List
URL lists allow you to easily create URL exceptions to your policy. The URL list can be easily included in your existing
policy.
"Create URL List (URL Policy Exceptions)" on page 189
"URL List Example" on page 191
Create WAF Security Profile
A WAF Security Profile is a shared object that defines the Web Application Firewall settings for the associated WAF
application object. The WAF Security Profile is assigned to one or more WAF applications that can be installed on ProxySG
appliances to set WAF policy.
"Configure WAF Security Rules" on page 130
Creating a WAF Security Profile is step 3 in "Use WAF Policy To Protect Servers From Attacks" on page 119.
Create a CPL Policy Fragment
Create a CPL Policy Fragment in the same way that you create CPL Policy. Policy fragments are reusable building blocks
of CPL policy. Because fragments are not complete CPL policy, you do not deploy them to devices but include them within
policy that you deploy to devices.
1. Select Configuration > Shared Objects.
2. Click Add Object. The web console displays the Create New Shared Object wizard. Fill in required fields. A red
asterisk (*) denotes fields that are mandatory.
   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose CPL Fragment.
   • Reference ID (*) - Enter a Reference ID that you can filter on when building policy.
     The Reference ID must begin with a letter, and must contain only letters, numbers and "_".
   • Description - Enter a meaningful description to help you when reusing this fragment.
   • Replace substitution variables - Select this if you want to replace specific values within the policy
     fragment. See "Use Substitution Variables in Policies and Scripts" on page 176.
If Replace substitution variables is NOT selected when creating a CPL Policy, the CPL Policy
Fragments will not be included in the CPL.
3. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as
mandatory, you can choose the attribute's value for this policy fragment. See "Add Attributes" on page 298.
4. Click Finish. The fragment displays in the Policy Objects list.
5. To add the fragment to policy, see Include a Policy Fragment.
Create URL List (URL Policy Exceptions)
URL lists allow you to easily create URL lists for use in policy. These lists can then be included in your existing policy. An
example implementation is described here.
Step 1 - Create the URL List Object
1. Select Configuration > Shared Objects.
2. Click Add Object. The web console displays the Create New Shared Object wizard.
3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.
   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose URL List.
   • Reference ID (*) - Enter a Reference ID that you can filter for when building policy.
     The Reference Id must begin with a letter and must contain only letters, numbers, and "_".
   • Description - Enter a meaningful description to help you when reusing this fragment.
4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as
mandatory, you can choose the attribute's value for this policy fragment. See "Add Attributes" on page 298.
5. Click Finish. The URL list displays in the editor.
Step 2 - Add URLs
1. Select Configuration > Shared Objects.
2. Select or edit the desired URL list. The system displays the URL list editor.
3. Enter the URL in the URL field and click Add.
4. Alternatively, paste in multiple URLs:
   a. Create a URL list and copy the URLs.
   b. Click Paste URLs. The system opens the Paste URLs: Enter URLs dialog.
   c. Copy the URLs into the Paste URLs: Enter URLs dialog. Press CTRL+V or right-click and click Paste. The
      URLs are added to the list.
   d. Click Next. The system opens the Paste URLs: Validate dialog.
   e. Click Finish.
5. Click Save.
Enabling and Disabling URLs
You can disable an individual URL by selecting it and clicking Disable.
You can enable a URL by selecting it and clicking Enable.
Step 3 - Include the URL List in Policy
When you have completed your changes, you can include the URL list in CPL, as described in "Include a Policy Fragment"
on page 204. The URL list will be included in the CPL as a named condition that can then be referenced using
condition=referenceId. See the example below for details.
You can then install your policy as described in "Install Policy" on page 227.
Whitelist Scenario Example
URL List Example
In this example, the administrator has created a simple acceptable use policy and would like to allow some URLs that would
otherwise be blocked.
This CPL is stored in a policy object called ASUP. The ASUP policy object has Replace substitution variables enabled.
Though the URL filtering blocks all news sites, she would like to allow cnn.com, yahoo.com, and nytimes.com. To allow
these sites, the administrator does the following.
Step One - Create the URL List Object
1. Selects Configuration > Shared Objects.
2. Clicks Add Object. The web console displays the Create New Shared Object wizard.
3. Enters the following data:
   a. Object name: whitelist
   b. Object type: URL List
   c. Reference ID: autofill
   d. Description: List of allowed URLs
4. Clicks Next.
5. Clicks Finish.
Step Two - Add Allowed URLs
1. In the whitelist policy editor, the administrator enters cnn.com in the URL field and clicks Add.
2. Adds yahoo.com and nytimes.com, as described in the preceding step.
3. Clicks Save and enters a brief description of the change. The whitelist object now looks like this.
Step Three - Add the URL List to the ASUP Policy
1. Selects Configuration > Policy > ASUP. The ASUP policy opens in the editor. Remember that the administrator
has previously enabled Replace substitution variables.
2. Clicks Insert Include.
3. In the Insert Policy Include window, selects whitelist and clicks OK.
The ASUP CPL now looks like this:
When the administrator previews the policy, it looks like this:
The name of the condition corresponds to the shared object's reference ID, not its name. You can preview the
policy by going to the Targets tab, adding a target, selecting the target, and clicking Preview.
Though the URLs have been defined, they have not been added as a rule.
4. To create the rule, the administrator adds the following rule to the CPL to implement the whitelist:
condition=whitelist ALLOW
See example below.
5. Clicks Save.
The ASUP CPL is now ready to be pushed to target devices.
Create Category Lists
A category list is a named set of URL categories that can be easily referenced in policy, allowing you to assign an allow or
deny condition to all the categories in one simple rule, or reuse the list in multiple policy rules. Category lists are shared
objects, and are similar to URL lists.
Go to sitereview.bluecoat.com and click Descriptions to see a list of current categories recognized by Blue Coat
WebPulse. Note that the list of categories in Management Center may not exactly match the list on the website,
but will be updated in a future Management Center release as necessary. For more information about content
filtering by category, refer to the SGOS Administration Guide.
Step 1 - Create the Category List Shared Object
1. Select Configuration > Shared Objects.
2. Click Add Object. The web console displays the Create New Shared Object wizard.
3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.
   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose Category List.
   • Reference ID (*) - Enter a Reference ID (or accept the default name) that will be used when building policy. The
     ID can be specified as the condition name in CPL.
     The Reference ID must begin with a letter and must contain only letters, numbers, and "_".
   • Template - If you (or someone else) has previously created a category list template, click and select the
     template. The template will restrict what categories can be defined in the list. See "Use Category List
     Templates" on page 200 for more information.
   • Description - Enter a meaningful description to help you identify this category list when including in policy.
4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined any policy
attributes, you can choose the attribute's value for this category list. See "Add Attributes" on page 298.
5. Click Finish. A tree of categories displays in the Editor tab. Note that the categories are grouped into folders
(Business Related, Legal Liability, Non-Productive, and so forth) for organizational purposes; these folder names are
not part of the policy.
If you selected a template, you may not see all folders and categories.
Step 2 - Select Categories
After you have created the category list object, you can select the categories associated with the list. The list should include
all categories that you want to treat the same way in policy. For example, the categories in the list should all be ones that
you would want to deny access to or allow access to; the actual policy action (deny/allow) will be defined in the policy.
1. The tree of category folders should be displayed in the Editor. If the list isn't currently displayed, select
Configuration > Shared Objects and click the defined list name to bring it up in the Editor.
2. Select the categories you want to include in your list. Follow these general guidelines:
   • To see what categories are in a folder, click the + to expand.
   • Selecting a folder's check box selects all categories in that folder.
   • You can unselect any category within a selected folder by clicking its check box.
   • When a folder is expanded to display its categories, Management Center displays the category descriptions
     and examples as well.
3. To view the category names assigned to this list, look at the Selected Categories panel at the bottom of the
window.
4. Click Save and enter a brief description of the change.
Step 3 - Include the Category List in Policy
When you have defined the category list, you can include the object in CPL, as described in "Include a Policy Fragment"
on page 204. In addition, you must create an allow/deny condition using condition=referenceId. See the "Category List
Example" below for details.
You can then install your policy as described in "Install Policy" on page 227.
If you want to check into which category Blue Coat WebPulse categorizes a URL, go to sitereview.bluecoat.com
and enter the URL.
Category List Example
In this example, the administrator has created a simple acceptable use policy and would like to deny access to a list of
categories that should not be allowed on the corporate network.
This CPL is stored in a policy object called ASUP. The ASUP policy object has Replace substitution variables enabled.
Step One - Create the Category List Object
1. Select Configuration > Shared Objects.
2. Click Add Object. The web console displays the Create New Shared Object wizard.
3. Enter the following data:
   a. Object name: blacklisted_categories
   b. Object type: Category List
   c. Reference ID: blacklisted_categories
   d. Template: (leave blank)
   e. Description: a list of categories that should be denied in policy
4. Click Next.
5. Click Finish.
Step Two - Select Categories that Should be Denied
The administrator would like to deny access to all legal liability categories and security threats, so she will select all the
categories in the Legal Liability folder and Security Threats subfolder.
1. With a tree of available categories displayed in the Editor, click the Legal Liability check box. The Adult Related and
Liability Concerns folders are also checked.
2. Click the + next to the Adult Related and Liability Concerns folders to display the category names, descriptions, and
examples in these folders.
3. Expand the Security Threats folder to display the category names, descriptions, and examples in this folder.
4. Click the Security Threats check box to select all of its categories.
5. Click Save and enter a brief description of the change.
Step Three - Add the Category List to the ASUP Policy
1. Select Configuration > Policy > ASUP. The ASUP policy opens in the editor. Remember that the administrator
has previously enabled Replace substitution variables.
2. Place the text cursor into the policy section where you want to include the category list and click Insert Include.
3. In the Insert Policy Include window, select blacklisted_categories and click OK.
The inserted CPL now looks like this:
Though the category list has been defined, the condition still needs to be defined to deny access.
4. To create the condition to deny access to the category list named blacklisted_categories, the administrator adds the
following line to the CPL:
condition=blacklisted_categories DENY
5. Click Save.
6. To preview the code that is generated for this policy, go to the Targets tab, select a device, and click Preview.
You can see in the preview that two conditions are created. The first condition (blacklisted_categories/url_category)
just looks up the URL in WebPulse to find the category. The second condition
(blacklisted_categories/cert_category) is used for SSL connections; it can sometimes glean extra information by
looking up the host name in the SSL certificate.
The ASUP CPL can be pushed to target devices at the appropriate time.
Use Category List Templates
A category list template provides a starting point for defining which categories to include in a category list. The template
contains a subset of the complete list of WebPulse categories, typically used to restrict the categories a less-privileged
user can select when creating a category list. For example, if you have a user with restricted permissions, you may not
want him to control policy for any category, just particular ones that are appropriate for his role.
Create a Category Template
1. Select Configuration > Shared Objects.
2. Click Add Object. The web console displays the Create New Shared Object wizard.
3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.
   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose Category List Template.
   • Reference ID - Enter a Reference ID (or accept the default name).
     The Reference ID must begin with a letter and must contain only letters, numbers, and "_".
   • Description - Enter a meaningful description to help you when applying this category list template.
4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as
mandatory, you can choose the attribute's value for this category list. See "Add Attributes" on page 298.
5. Click Finish. A tree of categories is displayed.
6. Select the categories you want to include in the template. Follow these general guidelines:
   • To see what categories are in a folder, click the + to expand.
   • Selecting a folder's check box selects all categories in that folder.
   • You can unselect any category within a selected folder by clicking its check box.
   • When a folder is expanded to display its categories, Management Center displays the category descriptions
     and examples as well.
Example
7. To view the category names assigned to this template, look at the Selected Categories panel at the bottom of the
screen.
8. Click Save and enter a brief description of the change.
Use a Category List Template
To use the category list template, select it when creating a category list. The user can only select categories from this
restricted list.
1. Select Configuration > Shared Objects.
2. Click Add Object. The web console displays the Create New Shared Object wizard.
3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.
   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose Category List.
   • Reference ID (*) - Enter a Reference ID (or accept the default name) that you can use when building policy.
     The ID can be specified as the condition name in CPL.
     The Reference ID must begin with a letter and must contain only letters, numbers, and "_".
   • Template - Click and select the template. The template will restrict what categories can be defined in
     the list.
   • Description - Enter a meaningful description to help you when reusing this category list.
4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as
mandatory, you can choose the attribute's value for this category list. See "Add Attributes" on page 298.
5. Click Finish. The Editor displays just the categories in the template, and the user can create a category list by
choosing from the categories in the template.
6. Select the categories you want to include in the list.
7. To view the category names assigned to this list, look at the Selected Categories panel at the bottom of the
window.
8. Click Save and enter a brief description of the change.
This category list can now be used in policy. See "Include a Policy Fragment" below.
To apply a category list template to an existing category list, edit the category list, go to the Info tab, select the
template, and then save the list.
When the CPL for a category list is generated and the list contains categories not present in the template (most
likely because the template had been changed since last saving the list), those categories are not included in the
condition definition CPL. If this occurs, a warning is included as a comment above the condition CPL, indicating
which categories were removed.
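The following is an added example, not Management Center code: a Python pre-deployment check that models three behaviors this guide describes (the Reference ID naming rule, categories dropped from a list because they are no longer in its template, and a list that is included but never referenced by a condition=referenceId rule). The dictionary layout, function names, finding labels, and sample category names are assumptions constructed for illustration; the script does not reproduce the CPL that Management Center generates.

```python
import re

# Reference ID rule quoted in this guide: begins with a letter, then only
# letters, numbers and "_".
REFERENCE_ID_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def is_valid_reference_id(ref_id):
    """True when ref_id satisfies the guide's Reference ID rule."""
    return REFERENCE_ID_RE.fullmatch(ref_id) is not None


def apply_template(selected, template):
    """Split a saved category list into (kept, removed) against a template.

    template=None means no template is attached, so nothing is removed.
    The order of the saved list is preserved.
    """
    if template is None:
        return list(selected), []
    allowed = set(template)
    kept = [c for c in selected if c in allowed]
    removed = [c for c in selected if c not in allowed]
    return kept, removed


def is_referenced(policy_cpl, ref_id):
    """True when some non-comment line contains a condition=<ref_id> test.

    Simplification: everything after ";" on a line is treated as a CPL
    comment, so a ";" inside a quoted string would also cut the line.
    """
    pattern = re.compile(
        r"(?<![\w.])condition\s*=\s*" + re.escape(ref_id) + r"(?!\w)"
    )
    for line in policy_cpl.splitlines():
        code = line.split(";", 1)[0]
        if pattern.search(code):
            return True
    return False


def preflight(policy_cpl, category_lists):
    """Return (ref_id, finding, detail) tuples for lists that need review."""
    findings = []
    for obj in category_lists:
        ref_id = obj["ref_id"]
        if not is_valid_reference_id(ref_id):
            findings.append((ref_id, "invalid-reference-id", ref_id))
            continue
        kept, removed = apply_template(obj["categories"], obj.get("template"))
        if removed:
            # These categories would silently stop being matched by the rule.
            findings.append((ref_id, "dropped-by-template", ", ".join(removed)))
        if not kept:
            findings.append((ref_id, "empty-condition", "no categories remain"))
        if not is_referenced(policy_cpl, ref_id):
            findings.append(
                (ref_id, "no-rule", "included but no condition=%s rule" % ref_id)
            )
    return findings


# Constructed sample input: a policy body and three shared objects.
SAMPLE_POLICY = """\
<Proxy>
    ; deny the categories in the shared category list
    condition=blacklisted_categories DENY
    ; condition=guest_blocklist DENY
"""

SAMPLE_LISTS = [
    {"ref_id": "blacklisted_categories",
     "categories": ["Phishing", "Malicious Sources", "Gambling"],
     "template": ["Phishing", "Malicious Sources"]},
    {"ref_id": "guest_blocklist",
     "categories": ["Gambling"],
     "template": ["Phishing"]},
    {"ref_id": "9lives", "categories": ["Phishing"], "template": None},
]

if __name__ == "__main__":
    for ref_id, finding, detail in preflight(SAMPLE_POLICY, SAMPLE_LISTS):
        print("%-24s %-22s %s" % (ref_id, finding, detail))
```

A dropped-by-template finding on a list used in a DENY rule means traffic in the dropped categories is no longer blocked by that rule, so review it before the policy is installed.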
Include a Policy Fragment
Include a CPL fragment, URL list, or category list as a building block of CPL Policy. Because fragments are not complete
CPL policy configurations, you cannot associate or install fragments to any device. They must be included in CPL policy.
1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy to which you want to add policy fragment. The policy is displayed
in the Editor.
3. Click the Info tab.
4. Ensure Replace substitution variables is selected.
If you do NOT enable variable substitution in the CPL, the CPL Fragments will not be included.
5. Place the text cursor into the policy section where you want to include the policy fragment and select Insert Include.
You can only include a fragment into an existing policy section. The web console displays the Select Policies
dialog.
If you have not placed your cursor where you want to insert the policy fragment, Management Center displays the
following error:
6. From the available policy fragments, select the CPL fragment, URL list, or category list to include.
7. Click OK. The included policy fragment is displayed in the section where you placed your cursor. You can continue
editing the CPL policy.
8. To commit your changes, click Save and enter a comment for the commit operation. The comment you enter is
saved as policy metadata.
9. (Optional) To exit without saving your edits, click Cancel.
10. (Optional) Click Compare to see the differences between the existing policy version and the version you are about
to commit.
For more information about adding or editing CPL Policy sections, see "Add or Edit CPL Policy Sections" on
page 169.
   • "Filter by Attributes and Keyword Search" on page 151
   • "Edit a Policy Section" on page 169
   • "Add or Edit CPL Policy Sections" on page 169
   • "View Existing Policy Information" on page 243
Deploy Tenant Policy
Tenant policy describes a framework that provides large organizations with high service availability, flexibility for multiple
tiers of administration, and ensures that all appliances in the network are used efficiently.
   • Tenant Policy - An infrastructure that segregates the policy elements that affect users of each user network defined
     within domains. Even though they use the same ProxySG appliance, two groups of users could have vastly different
     policy sets.
   • Role-Based Administration - A set of Management Center controls that allows a tier-based approach to
     managing ProxySG appliances and their associated policy. The top-tier administrators can view and manage all
     levels of policy, second-tier (or branch) administrators can manage only their own level of policy and those beneath
     them, and bottom-tier or tenant-level administrators can only view the policy for their own users.
All administrators control policy appropriate to their roles. Policy can be written specifically to route traffic from where users
are to one of several ProxySG appliances in your network, depending on load and availability.
Refer to the following deployment steps:
Step 1: Plan Network Configuration
Who performs this step: ProxySG administrator
Before proceeding, it is important to plan how your organization is structured. For example, determine the following:
   • How user networks are grouped or separated (for example, by geographic location)
   • What interfaces receive traffic from those users
   • What types of policy can be deployed to the tenant slot
Step 2: Configure Management Center
Who performs this step: Management Center admin/Super Admin
After configuring the appliance(s), add them to Management Center and define roles and administrators. Then, configure
default, group, and tenant policy to the appliances. User roles will dictate which users can see and manage policy for each
appliance or group of appliances.
1. Add a configured appliance to Management Center.
From the Management Center web console, access the online help and search for the topic entitled Add a Device
for the steps to add each ProxySG appliance to Management Center. Repeat this process for each configured
ProxySG in your network. To import many devices at one time, from the online help search for Add Multiple Devices
at Once.
2. To keep your devices organized, see the instructions for how to create hierarchies, device groups and sub-groups. A
device group is a folder in the device organizational structure that exists below the hierarchy level and contains
devices or sub-folders. Arrange device groups and devices in a way that makes sense.
   • Configure Hierarchy for Devices and Device Groups
   • Add a Device Group
   • Drag and Drop Device Groups
3. Create device attributes to help manage your organization's network of appliances and groups of appliances. Device
attributes can be used to identify the location of a given appliance, the region or branch office it's associated with or
even which tenants are associated with each appliance. For more information, see the following topics in the online
help:
   • Manage Attributes
   • Add Device Attributes
   • Add Device Group Attributes
3. Assign attributes to your configured appliances. For instructions, see "Edit a Device" on page 72.
4. Create administrator roles with different sets of permissions. After you "Define Roles" on page 288 see the types
of the permissions that are most valuable per role that you have created. This guide contains a reference topic
"Reference: Permissions Interdependencies" on page 250 that is invaluable when creating the roles in your
organization.
The following example shows how to create a role for managing a device group that you created ("Add a Device
Group" on page 68).
5. Create administrator groups. From the Administration tab, click Groups > Add Group.
6. Add admin users. For instructions on how to create administrator accounts, see "Grant Permissions" on page 291.
7. Create policy attributes. For instructions on how policy attributes can be used to organize and refine policy, see the
following online help topics:
   • Manage Attributes
   • Add Policy Attributes
   • Mandatory Attributes
8. Define tenants. See "Manage Tenants" on the next page for instructions.
9. Create tenant policy in VPM ("Create a VPM Tenant Policy Object" on page 212) or CPL (see Create the Content
Policy Language).
10. Confirm that the correct policies are deployed to each device slot. See "View Deployed Policy for each Device
Slot" on page 246.
Manage Tenants
Tenants are administrative entities defined on ProxySG appliances. Each request is routed through a tenant, whose policy
is evaluated for that transaction. When no specific tenant is determined for a request, the default tenant policy is used.
Tenant determination criteria governs which tenant's policy applies to a given request. Add these tenants to Management
Center to create and deploy tenant-specific policy.
On the ProxySG appliance, there are two options for controlling tenancy determination:
2. Using the <tenant> layer in the Landlord CPL slot to specify conditions and tenant() properties.
The Management Center WAF interface leverages option #2 to control tenancy determination via the Tenant
Determination object. See "About WAF Policy" on page 121 for more information.
When evaluating an HTTP request, if the tenant determination rules produce a match against an installed tenant, then that
tenant's policy will be evaluated. If that fails to set the tenant() property, or the tenant() property setting does not
correspond to an installed tenant policy, then the default tenant policy is applied to this traffic. Default tenant policy applies to
all requests where tenancy couldn't be determined during the initial connection.
Obtain the tenant identifiers before you write multi-tenant policy in Management Center. For more information on
multi-tenant policy, refer to the Multi-Tenant Policy Deployment Guide.
WAF Policy Use
Selecting a tenant is step 2 in "Use WAF Policy To Protect Servers From Attacks" on page 119. A base-level of WAF policy
should be installed to the default tenant before any additional tenants are created. This ensures that all requests are
processed by the WAF.
Add a Tenant
A red asterisk (*) denotes fields that are mandatory.
1. Select Configuration > Tenants.
2. Click Add Tenant. The web console displays the Add Tenant dialog.
3. Enter a Display Name.
4. Enter the Tenant ID. This controls the name of the tenant slot where policy will be installed. This ID is also used in
the tenant determination CPL using the tenant() property.
5. (Optional) Enter a Description (up to 1024 characters).
6. Click Save.
By default, the Tenants list is sorted in alphabetical order by Display Name. You can also sort by Tenant ID or Description
by clicking the column headings. If the list is long, use the Keyword Search field to search for any string in the name, ID, or
description. The search is case-sensitive.
Modify a Tenant
1. Select Configuration > Tenants.
2. From the Tenants list, select the tenant to modify and click Edit. The web console displays the Edit Tenant dialog.
3. Edit the Display Name or Description. A red asterisk (*) denotes fields that are mandatory.
4. Click Save.
Delete One or More Tenants
1. Select Configuration > Tenants.
2. From the Tenants list, select one or more tenants to remove.
3. Click Delete.
4. Select Yes to delete the selected tenants.
You cannot delete the default tenant or any tenant that is currently referenced in Management Center policy.
Attempting to delete the default or a referenced tenant results in a "Delete failed" error message.
Create a VPM Tenant Policy Object
A VPM Tenant policy object defines the policy for a VPM Tenant. When creating a VPM Tenant policy object, you select
the attribute values that apply to the policy (if attributes have been defined). Then, select the devices or groups to which
you deploy the policy; alternatively, you can define these device/group targets later.
To write tenant policy in CPL instead of using the VPM, see Create the Content Policy Language.
1. Select Configuration > Policy and click Add Policy.
The web console displays the Create New Policy: Basic Information wizard. A red asterisk (*) denotes fields that
are mandatory.
2. Enter a name for the policy object.
3. Select VPM Tenant for the Policy Type.
4. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.
The Reference ID must begin with a letter, and must contain only letters, numbers and "_".
5. Select the Tenant to which this policy object will be applied.
6. Enter a description in the Description field. Although entering a description is optional, the description helps
differentiate versions of the same policy.
7. Indicate whether to Replace Substitution Variables. See "Use Substitution Variables in Policies and Scripts" on
page 176 for more information.
8. Click Next.
9. Enter or select values for the defined attributes.
10. Click Finish.
The new VPM Tenant policy object displays in the Policy Objects editor.
Determine Your Next Step
After you create a tenant policy object, you can either add policy to it immediately or leave it as an empty object while you
perform other tasks (for example, associate more devices with it or edit policy details). Refer to the following table to
determine the next step to take.
What do you want to accomplish? | Refer to
Add policy. | "Launch Visual Policy Manager" on page 183
Import policy. | "Launch Visual Policy Manager" on page 183
Learn about deploying multi-tenancy policy on ProxySG appliances. | Multi-Tenant Policy Deployment Guide
Create and manage tenants from Management Center. | "Manage Tenants" on page 209
View policies deployed to each slot on a device. | "View Deployed Policy for each Device Slot" on page 246
Import VPM Tenant Policy from Source Device
A VPM Tenant policy object can be used to define the policy used in a tenant slot. After creating the VPM Tenant (as
described in "Create a VPM Tenant Policy Object" on the previous page), you must add policy to it. You can add policy by
launching the VPM or by importing existing VPM policy from a source device.
Certain features available in normal VPM policy are not available in VPM Tenant policy. These include the Admin Access
and Admin Authentication layers. Any existing Admin Access or Authentication layers will not be present in the imported
contents.
To write tenant policy in CPL, see Create the Content Policy Language.
1. Select Configuration > Policy.
2. Select the VPM Tenant object and click Edit.
3. Click Import Policy.
The system displays the Import Policy: Source Device dialog.
4. Select the source device and click Next.
The system displays the Import Policy: Select Policy dialog.
5. Click Import.
Thedialogclosesandthefollowingmessageisdisplayedintheeditor:
TheCPLforthisVPMpolicyisoutofdateandneedstoberegeneratedbeforeitcanbedeployed.Please
launchtheVPMeditorandsaveanewrevisiontoupdatetheCPL.
ThisisbecauseonlytheVPMcontentsareimported,notthegeneratedCPL.
6. ToregeneratetheCPL,clickLaunchVPMEditor.
7. ClickSavePolicy.
8. EnteracommentforyoursaveandclickOK.
9. ClickClose.
TheCPLnowdisplaysintheeditor.

Determine Your Next Step

Refer to the following table to determine the next step to take.

| What do you want to accomplish? | Refer to |
| --- | --- |
| Learn about deploying multi-tenancy policy on ProxySG appliances. | Multi-Tenant Policy Deployment Guide |
| Create and manage tenants from Management Center. | "Manage Tenants" on page 209 |
| View policies deployed to each slot on a device. | "View Deployed Policy for each Device Slot" on page 246 |

Deploy Tenant Policy

Tenant policy describes a framework that provides large organizations with high service availability and flexibility for multiple tiers of administration, and ensures that all appliances in the network are used efficiently.

- Tenant Policy - An infrastructure that segregates the policy elements that affect users of each user network defined within domains. Even though they use the same ProxySG appliance, two groups of users could have vastly different policy sets.
- Role-Based Administration - A set of Management Center controls that allows a tiered approach to managing ProxySG appliances and their associated policy. The top-tier administrators can view and manage all levels of policy, second-tier (or branch) administrators can manage only their own level of policy and those beneath them, and bottom-tier or tenant-level administrators can only view the policy for their own users.

All administrators control policy appropriate to their roles. Policy can be written specifically to route traffic from where users are to one of several ProxySG appliances in your network, depending on load and availability.

Refer to the following deployment steps:

Step 1: Plan Network Configuration

Who performs this step: ProxySG administrator

Before proceeding, it is important to plan how your organization is structured. For example, determine the following:

- How user networks are grouped or separated (for example, by geographic location)
- What interfaces receive traffic from those users
- What types of policy can be deployed to the tenant slot

Step 2: Configure Management Center

Who performs this step: Management Center admin/Super Admin

After configuring the appliance(s), add them to Management Center and define roles and administrators. Then, configure default, group, and tenant policy to the appliances. User roles will dictate which users can see and manage policy for each appliance or group of appliances.

1. Add a configured appliance to Management Center.
   From the Management Center web console, access the online help and search for the topic entitled Add a Device for the steps to add each ProxySG appliance to Management Center. Repeat this process for each configured ProxySG in your network. To import many devices at one time, from the online help search for Add Multiple Devices at Once.
2. To keep your devices organized, see the instructions for how to create hierarchies, device groups and sub-groups. A device group is a folder in the device organizational structure that exists below the hierarchy level and contains devices or sub-folders. Arrange device groups and devices in a way that makes sense.
   - Configure Hierarchy for Devices and Device Groups
   - Add a Device Group
   - Drag and Drop Device Groups
3. Create device attributes to help manage your organization's network of appliances and groups of appliances. Device attributes can be used to identify the location of a given appliance, the region or branch office it's associated with, or even which tenants are associated with each appliance. For more information, see the following topics in the online help:
   - Manage Attributes
   - Add Device Attributes
   - Add Device Group Attributes
3. Assign attributes to your configured appliances. For instructions, see "Edit a Device" on page 72.
4. Create administrator roles with different sets of permissions. After you "Define Roles" on page 288, see the types of permissions that are most valuable for each role that you have created. This guide contains a reference topic, "Reference: Permissions Interdependencies" on page 250, that is invaluable when creating the roles in your organization.
   The following example shows how to create a role for managing a device group that you created ("Add a Device Group" on page 68).
5. Create administrator groups. From the Administration tab, click Groups > Add Group.
6. Add admin users. For instructions on how to create administrator accounts, see "Grant Permissions" on page 291.
7. Create policy attributes. For instructions on how policy attributes can be used to organize and refine policy, see the following online help topics:
   - Manage Attributes
   - Add Policy Attributes
   - Mandatory Attributes
8. Define tenants. See "Manage Tenants" on page 209 for instructions.
9. Create tenant policy in VPM ("Create a VPM Tenant Policy Object" on page 212) or CPL (see Create the Content Policy Language).
10. Confirm that the correct policies are deployed to each device slot. See "View Deployed Policy for each Device Slot" on page 246.

Configure Policy

Configuring policy for specific devices or multiple devices at once involves several methods of creating, testing, and updating policy.

Add or Remove Devices Associated with Policy

If your network is re-organized and policies must be added to or removed from certain devices or device groups, you can modify the associations.

1. Select Configuration > Policy. From the Policy Objects list, select the policy you want to add to devices. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. Select the policy name. Click Edit.
3. Click the Targets tab. To add targets to associate with the selected policy, click Add Targets.
4. (Optional) To remove devices associated with a policy, select the device name and click Remove Targets. You are asked to confirm that you want to remove the associated device(s). Click Yes or No.
5. From the Add Targets wizard, select the Devices tab. Select the check box by the device(s) name. This action immediately populates the Selected list.
   Only those targets that can support the selected policy are shown. This helps you know which policies can be installed on which targets (devices).
6. (Optional) To associate device groups with the policy, click the Groups tab and select Devices. This action immediately populates the Selected list.
7. To remove the selected devices, click Unselect or Unselect All. Click Next. The Add Targets wizard displays the Add Targets: Configure Deployment dialog.
8. From the Deployment Type drop-down list, select one of the following:
   - Policy Slot - The ProxySG appliance's Local, Central, or Forward policy file.
   - Landlord Slot - Policy rules for tenant determination.
   - Tenant Slot - Policy specifically for tenants.
   If you select Tenant Slot and a tenant is not configured, a "Tenant not configured" warning appears in the Deployment column on the Targets tab.
9. (If you selected Policy Slot) From the Slot drop-down list, select Local, Central or Forward.
10. Click Finish. A web console message displays the following:

Determine Your Next Step

| What do you want to accomplish? | Refer to this topic |
| --- | --- |
| View associated devices (targets) | "View Devices Associated with Policy" on page 247 |
| Compare policy versions | "Compare Different Versions of the Same Policy" on page 224 |
| Install a policy | "Install Policy" on page 227 |
| Compare the policy version installed on the device, with the most current version saved in Management Center | "Compare the Device Policy Version with Current Policy Version" on page 225 |
| Schedule a policy installation | "Add a Job" on page 324 |
| Install multiple policies to multiple devices | "Install Multiple Policies" on page 231 |

Check Consistency between Policy and Devices

You can check if the policy saved in Management Center is different from the policy installed on devices.

1. To check the consistency of the installed policy with the devices, select Configuration > Policy and select a policy object.
2. Select the option by the policy name. Click Edit, and then click the Targets tab.
3. Select the device that you want to check for consistency against the policy stored in Management Center. Click Check Consistency. Select the base policy version by selecting The latest policy version or the Version check box.
   If you don't select any devices, or you select a few and click Check Consistency, a consistency check is done on those devices, not just one. No selection of a device is required.
4. Click Check Consistency.
   If you receive a Mismatch error for a device, the policy is inconsistent: either the policy was changed in Management Center and not installed to the device with the error, or the policy on the device was changed outside of Management Center.
5. You can click Compare Policy to determine what has changed.
6. (Optional) For each device listed, verify the following:
   The Management Center license contains all of the features for which you have purchased a subscription. The documentation covers all features, including ones that you may not have purchased.
   - Policy is enabled (if Enabled is selected).
   - Device Name - The name that was entered in Management Center during device registration.
   - Device Count - The number of managed devices is shown in the banner.
   - Device Model - The device hardware model.
   - Installed Version - The version of policy installed on the device. If no version is listed, the device is still associated with policy, but policy has not been installed.
   - OS Type - The operating system on the device.
   - State - The status of the device. See "About Color-Coded Status Indicators" on page 28.

Determine Your Next Step

| What do you want to do next? | Refer to this topic |
| --- | --- |
| Add or remove associated devices. | "Add or Remove Devices Associated with Policy" on page 220 |
| Compare different versions of the same policy. | "Compare Different Versions of the Same Policy" on the facing page |
| Install a policy or policies. | "Install Policy" on page 227 or "Install Multiple Policies" on page 231 |
| View policy information. | "View Existing Policy Information" on page 243 |

Compare Different Versions of the Same Policy

As a troubleshooting step or as part of performance evaluation, you might want to identify the changes between an earlier version and a later version of policy. Management Center shows the changes made.

1. Select Configuration > Policy. From the Policy Objects list, select the policy name. If needed, search for the policy object; see "Filter by Attributes and Keyword Search" on page 151.
2. With the policy selected, click Edit. Select the Versions tab.
3. Select the versions of policy to compare (press and hold the Ctrl key while selecting the policy versions).
4. Click Compare. The system displays the Compare Policy dialog.
   - CPL example.
   - VPM example.
   Starting in Management Center 1.6, you can diff the source code of VPM policy. To switch between the Generated CPL and XML views, select the appropriate window.
   The two policies are displayed side-by-side; the web console displays the version you selected first (earlier version) on the left and your second selection (later version) on the right.
   - Policy highlighted in red exists in the former version and was removed in the later version.
   - Policy highlighted in yellow indicates that a line exists in both versions of policy, but there are differences in the line.
   - Policy marked in green does not exist in the former version and was added in the later version.
   - Policy highlighted in white means the two copies are identical.
5. (Optional) To restore an earlier version of the policy, see "Restore a Version of Policy" on page 242.
6. Click Close.

Compare the Device Policy Version with Current Policy Version

You can compare the policy version installed on the device with the current policy version that is stored in Management Center.

Determine Your Next Step

| What do you want to accomplish? | Refer to this topic |
| --- | --- |
| View all of the details about an existing policy, including policy object information, the policy version, and the associated attributes. | "View Existing Policy Information" on page 243 |
| Compare different versions of the same policy. | "Compare Different Versions of the Same Policy" on page 224 |

Export Policy or Shared Objects to Local Disk

You can export policy objects from the Policy or Shared Objects grid. The policy is exported in JSON format. If you export multiple policy objects, they are collected and exported in a single JSON file.

1. Select Configuration > Policy or Configuration > Shared Objects.
2. Select one or more policy objects.
3. Click Export.
4. Depending on your browser settings, you may be prompted to view or save the file. Click Save if prompted. In other cases, the file is automatically saved to local disk (typically, the Downloads folder).

Install Policy

When you create policy, you do not have to install it to devices immediately; you can save it, continue to edit and test it, and then deploy it to devices when it is complete and working as expected.

You cannot install a CPL Policy fragment. Policy fragments are used to augment Policy, not to replace policy. See "Create a CPL Policy Fragment" on page 188.

You can only install the latest version of policy; if you want to install an earlier version, restore that version first. See "Restore a Version of Policy" on page 242.

Policy Installation Methods

Install policy using one of the methods described in the following table.

Install...

1. Select Configuration > Policy. Select the policy name.
2. From the targets shown, select the device(s) on which to install the policy.
3. Click Install.... The New Job wizard displays the New Job: Basic Info dialog. The name of the policy is filled in the required field.
4. (Optional) Add a description. Click Next. The New Job wizard displays the New Job: Operation dialog. Fields marked with a red asterisk (*) are required.
5. From Select Policies to Install, select the Object Selector. To choose the policies to install, click the check box associated with each policy. This action immediately populates the Selected list. Click OK. Choose the Force installation check box. Click Next. The Add Job wizard displays the Add Job: Targets dialog.
6. Click Next. The New Job wizard displays the New Job: Schedule dialog. Choose a schedule to install the policy. Click Finish. The web console displays the following messages:
   Depending on how many targets you are pushing policy to, policy installation can take up to 60 seconds. During this time, the web console displays a Job Progress: Install Dialog.

Install to All...

1. Select Configuration > Policy.
2. Select the policy name and click Edit.
3. Click the Targets tab and click Install to All...
4. Follow steps 4 to 6 in "Install..." on page 227.

Install to Device

1. Select Configuration > Policy.
2. Select the policy name and click Edit.
3. Click the Targets tab and click Install to Device.

Install Multiple Policies

When you create policy, you do not have to install it to devices immediately; you can save it, continue to edit and test it, and then deploy it to devices when it is complete and working as expected. You can create multiple policies without having to install the policies right away. This is particularly useful for large deployments of policies to multiple devices or device groups.

You can schedule multiple policies to deploy to device groups, as long as the following are true:

- Each policy does not have unsaved changes. To ensure that the latest policy changes are installed, click Save Changes in the Editor.
- Any devices you want to associate with the policy have been added and activated in Management Center.

It is a best practice to only schedule installation of policies that are the latest version. However, you can Force Installation of Policies by selecting the Force Installation check box. During installation of policies, Management Center ignores the following installation warnings:

- Mismatched on-box policy object
- Mismatched OS versions

By forcing the installation, you are ensuring that large deployments of policies DO NOT fail when encountering devices that may have the above issues.

1. From the Jobs tab, select the Scheduled Jobs section. Click Add Job. The Add Job Wizard displays the Add Job: Basic Info dialog. Fields marked with a red asterisk (*) are required.
2. Enter a unique Name (*) for this large policy deployment. Enter a Description.
   For example, the unique Name can be Install Policies on All Active ProxySG Appliances, and the Description can be Deploy policies to all activated ProxySG appliances.
3. Click Next. The Add Job wizard displays the Add Job: Operation dialog.
4. From the Operation drop-down, select Install Policy. The policy marked with a red asterisk is a mandatory policy, and is installed regardless of the other policies you select.
5. From Select Policies to Install, select the Object Selector. To choose the policies to install, click the check box associated with each policy. This action immediately populates the Selected list. Click OK. Choose the Force installation check box. Click Next. The Add Job wizard displays the Add Job: Targets dialog.
   Each selected policy will be installed to targeted devices (excluding devices that are not active).
   You cannot choose targets at this point. If you are not sure of the devices targeted by the selected policies, click Back. Management Center has built-in intelligence so that properly configured policies can only be applied to appropriate targets.
6. Click Next to choose a Schedule. See "Add a Job" on page 324 and "Install Policy" on page 227.

Import Policy or Shared Objects

You can import policy into Management Center. For example, if example policy was included in a knowledge base article, you could import it directly into Management Center. You could also share policies between Management Centers.

You can import policy into Management Center in the following ways:

- "Import Policy from a File (Policy or Shared Objects Grid)" below
- "Import Policy from a File (Object Edit)" on page 235
- "Import Policy from a Device" on page 236

Imported policies without a reference ID are assigned a reference ID with the format auto_generated_id_1. You can change the ID after importing the file.

Import Policy from a File (Policy or Shared Objects Grid)

You can import policy from the following file types:

- Management Center (.json)
- Content Policy Language (.cpl, .bpf, .txt)
- Visual Policy Manager (.xml)

Procedure

1. Select Configuration > Policy or Configuration > Shared Objects.
2. Click Import.
   The system displays the Import Policy wizard.
3. Drag and drop the file into the Select File dotted-line area. Alternatively, browse to the file.
4. Click Next.
5. If the imported file contains multiple policies, you might want to exclude some from import. To do this, clear the Import Policy check box.
   In the preceding example, the Test1 CPL policy has been excluded from import.
6. Choose whether to create a new policy or to update an existing policy.
   The wizard displays only those policy objects that are relevant to the file type. If the policy uuid or reference ID in the import file matches a policy already on the system, Update existing policy is the default (with the matching policy prepopulated in the Policy field under Update Existing Policy). Otherwise, Create new policy is the default.
   - To create a new policy, click Create new policy and enter a meaningful name.
   - To update an existing policy, ensure that Update existing policy is selected. Clear the Import Policy check box for any policies you do not want to change.
   - To update a different policy than the one shown, click the pencil icon, select the policy or policies to replace, and click OK.
7. Click Import. The system displays the results of the import.
8. Click Close to exit the wizard.

Import Policy from a File (Object Edit)

1. Select Configuration > Policy or Configuration > Shared Objects.
2. Select the policy object and click Edit.
3. Click Import Policy and select From File.
4. Drag and drop the file into the Select File dotted-line area. Alternatively, browse to the file.
5. Click Import.

Import Policy from a Device

Importing policy from a device is useful in the following situations:

- You want to use a device's currently installed policy as the starting point for a managed policy.
- A device has a policy configuration that you want to use as a policy template to deploy on other like device(s).

Procedure

1. Select Configuration > Policy or Configuration > Shared Objects.
2. Select a policy object or CPL fragment and click Edit.
3. Click Import Policy and select From Device. The web console displays the Import Policy wizard.
4. From the Source Device drop-down list, select the device from which to import the policy configuration and click Next.
5. Select the policy that you want to import. Depending on whether the policy is a VPM or CPL policy, the deployment type is shown next to the policy:
   - VPM - This policy contains policy created by the Visual Policy Manager and is deployed in the V slot.
   - Central - This policy contains policy common to your entire organization and is deployed in the C slot.
   - Local - This policy contains policy specific to your organizational structures, such as departmental policies or local (geographic-specific) policies and is deployed in the L slot.
   - Forward - This policy contains forwarding rules for the policy and is deployed in the "F" slot.
   - Landlord - Policy rules for tenant determination.
   - Default tenant - Policy rules for all requests where tenancy cannot be determined during the initial connection.
   - Tenant - Policy specifically for tenants.
   For details on tenant policy, refer to the Multi-Tenant Policy Deployment Guide.
6. Select Import Policy.
   The web console prompts you to confirm the overwrite of the existing policy in Management Center.
7. Click Import and Overwrite to accept the import.
8. (Optional) Click Compare to view the differences between an earlier version of a policy and the current version. See "Compare Different Versions of the Same Policy" on page 224.
9. Enter a comment for the commit operations and click Save. The comment that you enter is saved as metadata.

Determine Your Next Step

| What do you want to accomplish? | Refer to this topic |
| --- | --- |
| Export policy | "Export Policy or Shared Objects to Local Disk" on page 226 |
| View existing policy information | "View Existing Policy Information" on page 243 |
| Restore a version of the policy | "Restore a Version of Policy" on page 242 |
| Deploy the policy, as is, to devices | "Install Policy" on page 227 |

Import External Policy

You can create a job to import a CPL fragment created in an external tool into Management Center. The job can be executed immediately, manually, or on a schedule. This is useful if you want to regularly sync the policy with the version on an external server.

Before you import an external policy, you need to create a policy object in Management Center into which to import the file.

Prerequisites

Before you create the Import External Policy job, you need to perform the following tasks:

1. Create the CPL in an external tool.
2. Create a policy object in Management Center. You will be importing the external file into this policy. See "Create a CPL Policy Object" on page 167.
3. Edit the policy object and go to the Info tab. Record the Unique ID; you must name the external CPL file with this ID.
4. Name the external policy file with the Unique ID of the Management Center policy. Example: 7B6F26F9-94FB-453C-B56F-8AE433ABDBBE.bpf
5. Store the file on a web, FTP, or SCP server.
6. Make note of the URL path to the file; you will need to specify the URL when defining the Import External Policy job.

Procedure

To create a job for importing an external policy:

1. Click the Jobs tab.
2. Select New Job. The web console runs the New Job wizard. A red asterisk (*) denotes fields that are mandatory.
3. Enter a Name (*) and Description.
4. Click Next. From the Operation (*) drop-down list, select Import External Policy.
5. Specify the location of the external policy file:
   - Import from URL: The path to the file on the external web, FTP, or SCP server. Example: ftp://company.com/policies/7B6F26F9-94FB-453C-B56F-8AE433ABDBBE.bpf
   - Username: If authentication to the server is required, enter the name of a user with permission to access the server.
   - Password: Enter the user's password.
6. Click Next. The New Job: Targets dialog displays.
7. For the Target, select the name of the policy object you created as a container for the imported external policy.
8. Click Next. Define a schedule to run the Import External Policy job. See "Job Scheduling Options" on page 328.
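
Before scheduling the job, the URL and file name from the prerequisites can be checked offline. The following Python pre-flight check is an added example, not part of Management Center: it verifies that the file name is the policy's Unique ID and flags transports that expose the job's Username and Password. The function names, finding codes, and the accepted scheme list (inferred from "web, FTP, or SCP server") are assumptions made for this illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# 8-4-4-4-12 hexadecimal form, as in the guide's example Unique ID.
UNIQUE_ID_RE = re.compile(r"^[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$")
# Assumption: schemes inferred from the guide's "web, FTP, or SCP server".
ALLOWED_SCHEMES = {"http", "https", "ftp", "scp"}
# Plain HTTP and FTP carry credentials and file content unencrypted.
CLEARTEXT_SCHEMES = {"http", "ftp"}


def check_import_url(url, unique_id, uses_credentials=False):
    """Return (severity, code, message) findings for one Import External Policy job."""
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()

    if scheme not in ALLOWED_SCHEMES:
        findings.append(("error", "scheme", f"unsupported URL scheme {scheme!r}"))
    if not UNIQUE_ID_RE.match(unique_id):
        findings.append(("error", "id-format", "Unique ID is not in 8-4-4-4-12 hex form"))

    # The file name without its extension must be the policy's Unique ID.
    stem = PurePosixPath(parts.path).stem
    if stem != unique_id:
        if stem.lower() == unique_id.lower():
            findings.append(("warning", "name-case",
                             "file name matches the Unique ID only when case is ignored"))
        else:
            findings.append(("error", "name-mismatch",
                             f"file name {stem!r} is not the Unique ID {unique_id!r}"))

    embedded = bool(parts.username or parts.password)
    if embedded:
        findings.append(("warning", "url-credentials",
                         "credentials are embedded in the URL; use the job's "
                         "Username and Password fields instead"))
    if scheme in CLEARTEXT_SCHEMES:
        if uses_credentials or embedded:
            findings.append(("warning", "cleartext-credentials",
                             f"{scheme} sends the user name and password unencrypted"))
        findings.append(("warning", "cleartext-policy",
                         f"{scheme} gives no protection against the policy file "
                         "being altered in transit"))
    return findings


def codes(findings):
    """Finding codes only, in the order they were raised."""
    return [code for _, code, _ in findings]


def has_errors(findings):
    return any(severity == "error" for severity, _, _ in findings)


if __name__ == "__main__":
    # The URL and Unique ID below are the guide's own example values.
    policy_id = "7B6F26F9-94FB-453C-B56F-8AE433ABDBBE"
    example = "ftp://company.com/policies/7B6F26F9-94FB-453C-B56F-8AE433ABDBBE.bpf"
    for severity, code, message in check_import_url(example, policy_id, True):
        print(f"{severity:7} {code:22} {message}")
```

Because the job can run on a schedule and overwrite the policy object each time, the account entered in the Username field is best limited to read access on the directory that holds the policy file.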

Manage CPL Policies

When you are first setting up Management Center, you can create new policies or import existing policies from managed devices; however, when you have been managing devices from Management Center for a longer period of time, you might also want to edit policies to change current device configurations.

Management Center gives you great flexibility in both creating and modifying your policies. You can:

- Create and modify the CPL directly in the Policy Editor
- Correct and modify the behavior of existing policy by re-ordering policy sections
- Create versions of policy, and restore previous versions when needed
- Create policy without deploying it to devices immediately

Ensuring that devices are configured and behave as required could involve creating, modifying, and testing policy. For example, you might create policy in your evaluation environment, install it to a small group of devices, observe the devices in a test phase, and then edit the policy as needed based on your observations.

Learn about creating and maintaining policy in Management Center:

1. Create policy and deploy it to devices. You could do some or all of the following:
   - "Use Content Policy Language (CPL) to Create Policy" on page 165 in the Policy Editor.
   - "Import Policy or Shared Objects" on page 232.
   - "Add Attributes" on page 298
   - "Install Policy" on page 227 to devices or device groups.
   - "Install Multiple Policies" on page 231 to devices or device groups.
   - "Compare the Device Policy Version with Current Policy Version" on page 225.
2. To add custom metadata to policies, see "Add Attributes" on page 298.
3. "View Existing Policy Information" on page 243 to see the revisions and policy information.
4. "Compare Different Versions of the Same Policy" on page 224 to find the edited version of a policy that you want to use.

View Policy Versions

Management Center enables you to view CPL or VPM policy versions.

1. Select Configuration > Policy.
2. From the Policy Objects list, select the policy name.
   If needed, search for the policy object; see "Filter by Attributes and Keyword Search" on page 151.
3. With the policy selected, click Edit. The system displays the editor.
4. Select the Versions tab.
5. Select the policy version you want to view.
6. Click View. The Preview dialog displays.
   CPL example:
   VPM example:
7. (Optional) To compare policy versions, see "Compare Different Versions of the Same Policy" on page 224.
8. (Optional) To restore an earlier version of the policy, see "Restore a Version of Policy" on the facing page.
9. Click Close.

Restore a Version of Policy

After time, you might find that the policy pushed to devices needs improvement or must change because of changes in business requirements or practices. In such situations, you can modify policy as needed, or revert to an earlier version of policy that is appropriate. When you have determined which version of policy to restore, you can restore it using the version history.

1. Select Configuration > Policy. From the Policy Objects list, select the policy name. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. Click Edit. Click the Versions tab. Versions of the policy are listed in descending numerical order.
3. From the Version Control page, verify that the version you want to restore is the correct one. Perform one or both of the following as required.
   - Check the version metadata. See "View Existing Policy Information" on the next page.
   - Compare versions of policy. See "Compare Different Versions of the Same Policy" on page 224.
4. After you identify the version to restore, select it and click Restore. The web console displays the Restore dialog.
5. In the Comment field, specify the reason for the restore.
6. Click Restore.
   The restored version of the policy is incremented to the latest version in the Policy list, and the comment you entered in step 6 is displayed in the Comments column.
7. To install the restored policy to associated devices, select the policy and click Install Policy. See "Install Policy" on page 227.

View Existing Policy Information

Whenever you create a version of policy, Management Center automatically saves information about it. This information is called metadata.

1. You can view metadata by selecting Configuration > Policy.
2. Select a policy and click Edit.

View Policy Object Information

1. Click the Info tab. The Version Control page displays all versions of the selected policy. A red asterisk (*) denotes fields that are mandatory.
2. Under General Information, the Overview displays the information you entered when creating the policy object:
   - Policy name (*) - The name that you gave the policy when you created it.
   - Policy type (*) - The policy type can be either CPL or VPM.
   - Description - The description that you entered when you created the policy. If you edit this field, make sure to click Save before leaving the Info tab.
   - Replace substitution variables
   Variable substitution is powerful and can be applied to policies and scripts. See "Use Substitution Variables in Policies and Scripts" on page 176.
3. Metadata displays under Latest Revision:

View Available Policy Versions

1. Click the Versions tab. The Version Control page displays all versions of the selected policy. When a policy object is created, it is assigned the Version number 1.0. Every time that you add attributes or edit it in any way, the version increases by increments of 0.1.
2. Select an earlier version of policy to compare.
3. Press and hold the Ctrl key while selecting the later version of policy to compare.
   - Version Number - When a policy object is first created, its version is 1.0. Each subsequent time the object is modified (for example, if the object properties are edited or when policy is added to it), the version number increments by 0.1. For example, when you add policy to an object and save it, the version becomes 1.1.
   - Date - The time and date stamp indicates when the policy was last updated.
   - Author - The author is the user who saved the current version of the policy.
   - Comments - If the author entered comments about the policy, they are displayed here. Metadata displays automatically generated comments as follows:
     - Policy Object created - When the policy container is initially created and policy has not been added yet.
     - Name changed - When the policy name is edited.
     - Description changed - When the policy description is edited.
     - Name and description changed - When both the name and description are edited.
     Of these metadata, the comments are usually the most important in helping you and other users understand the purpose and intent of creating the specific policy version. Blue Coat recommends that you always enter clear, helpful comments when creating policy.

View Associated Policy Attributes

1. Select the Attributes tab. The Attributes page displays all attributes currently assigned to this Policy. The attributes are custom attributes that you created. See "Add Attributes" on page 298 or "Edit Attributes" on page 301.
2. You can edit the Associated attributes. If you do, you need to save your changes. Click Save. Doing this increases the version number by an increment of 0.1.

Set the Maximum Number of Policy Versions to Store in Management Center

After you create a policy, you can edit it to make it specific for your specific device types. Each time you edit or import a policy, a revision of the policy is stored. You can specify the number of revisions of policy to store before Management Center begins to prune. You can specify up to 999 revisions.

1. Select Administration > Settings. Click General. General fields display on the right. A red asterisk (*) denotes fields that are mandatory.
2. Select Maximum number of policy revisions to store.
3. Enter a number (limit) from 0 to 999.
4. Do one of the following:
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server.
   - Click Activate to cause the server to load and apply the currently saved configuration.

View Deployed Policy for each Device Slot

1. From the Network tab, select a device.
2. Click Edit.
3. From the Edit Device wizard, select the Policies tab.
   The deployment slots are not editable.

Policies are assigned to slots in the following ways:

- Direct assignment - The policy was installed directly to the slot and not inherited from the device group to which the device belongs.
- Inherited from [Device Group Name] - The policy was inherited from the device group to which the device belongs.

Notes:

- Local, Central, and Forward are CPL policy slots.
- VPM Tenant and Landlord can be either CPL or VPM.
- Policy deployed to the Landlord slot overrides any previous policy deployed to the Landlord slot.

View Devices Associated with Policy

You can view the devices that are associated with a policy.

1. Select Configuration > Policy. From the Policy Objects list, select the policy you want to view. If needed, filter on attributes. See "Filter by Attributes and Keyword Search" on page 151.
2. Click Edit. Select the Targets tab.
   Only those devices that can support the selected policy are displayed. This helps you know which policies can be installed on which devices.
3. For each device listed, verify the following:
   - Enabled - If selected, the policy that is installed on the device is enabled.
   - Name - The name that was entered in Management Center during device registration.
   - Device Count - The number of devices available.
   - Device Model - The device hardware model.
   - Installed Version - The version of policy installed on the device. If no version is listed, the device is still associated with policy, but policy has not been installed.
   - OS Type - The operating system on the device.
   - State - Displays historical association data for devices (whether deleted or not).
Use Specific Attribute Values to Control Access to Policy
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your
network. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. These attributes
can be used to control access to policy, as described below.
Procedure
1. Create the Policy attribute.
2. Associate the attribute with a policy object.
   a. Select Configuration > Policy.
   b. Select the policy name and click Edit.
   The system displays the policy editor.
   c. Select the Attributes tab.
   d. Select the attribute and click Save.
3. Add the permission rule to a new or existing role.
   a. Select Administration > Roles.
   b. Select an existing role and click Edit or click Add Role.
   c. If this is a new role, provide a name and description, and click Next.
   d.
   Blue Coat recommends that you enter a list of the permissions for the defined role in the Description
   field. This helps you and other users understand the permissions of a user's role including the intent of
   their job function.
   e. In the Add Role: Permissions dialog, click Add Permission.
   f. In the Object drop-down list, specify Policy.
   g. In the Action drop-down list, select All operations or a specific operation.
   h. In the Filter drop-down list, select Attribute has specific value.
   i. Select the attribute and assign a value to it if necessary.
   j. Click Save, then Finish.
Permissions Reference
When defining users, groups, and roles and granting permissions, refer to the following for important information.
"Reference: Permissions Interdependencies" on the facing page
"Reference: Permissions Filters Object and Attributes" on page 259
"Reference: Understanding Job Permissions" on page 261
Reference: Permissions Interdependencies
When adding permissions to roles, remember that users can access an object as long as they have a role with the required
permission. For example, if a user is added to a role which allows access to only one device group and a role that has View
permissions for all devices, the user can see all devices in all groups.
Refer to the following permission objects to determine specific dependencies.
The View permission is implied in all higher permission levels except for Add. To reduce the number of permissions
in a role, you can remove the View permission if a higher-level permission for the same object exists in the role. For
example, if a role already has the Policy - Update permission for importing policy, you do not have to add the
Policy - View permission for adding policy jobs.
All objects
Permission action   Allows access to these areas/functions   Requires these permissions to be useful
Delete           Delete backups.
Export           Export backups.
Import           Import backups.
Update           Restore backups.                            Management Center - View
                                                             Management Center - Update
View             View information about existing backups.
View Contents    View the backup contents.
Device
When using filters with a specified value, make sure that the value exactly matches the value in the
device properties. See "Set User-Defined Device Attributes for Access Control" on page 302 and
"Reference: Permissions Filters Object and Attributes" on page 259.
All operations   All device functions.   Hierarchy - View          To see the effective policy for a device:
                                                                   Policy - View
                                                                   To change membership in device properties:
                                                                   Device Group - Change Membership
                                                                   To see groups to which the device belongs
                                                                   (not needed if assigning Change Membership):
                                                                   Device Group - View
Add              Add devices.            Hierarchy - View          To add devices by importing from a file:
                                         Device Group - Change     Device - Add
                                         Membership                Device - Update
                                                                   Device - View
Backup           Backup devices.         Hierarchy - View
When using filters with a specified value, make sure that the value exactly matches the value in the device group
properties. See "Set User-Defined Device Attributes for Access Control" on page 302 and
"Reference: Permissions Filters Object and Attributes" on page 259.
Device - View
Update           Edit device groups' basic information   Hierarchy - View   To add device groups or hierarchies by
                 and attributes.                                            importing from a file:
                                                                            Device Group - Add
                                                                            Device Group - Update
View             Read-only access to device groups.      Hierarchy - View
Device Script
Hierarchy
Management Center
Permission action   Allows access to these areas/functions   Requires these permissions to be useful
Policy - Update
Note: Because Management Center imports policy as one section, it might be useful to grant
some policy section permissions in some cases (for example, to allow users to break down the
imported policy into sections and sub-sections).
Note: Edit > Check Consistency is available at this level.
Report
Permission action   Allows access to these areas/functions   Requires these permissions to be useful   Grant these permissions for more functions
Job permissions are distinct from the operational permissions. If you have unexpected results or 'access denied'
errors when running jobs, see "Reference: Understanding Job Permissions" on page 261.
Session permissions specifically control access to user sessions.
Role - View
Delete           Delete users.                             None
Update           Update users' basic information and       None   To add or remove roles from a user:
                 change/expire user passwords.                    Role - View
View             View users.                               None
User Group
Permission action   Allows access to these areas/functions   Requires permissions to be useful   Grant these permissions for more functions
Reference: Permissions Filters Object and Attributes
Although you are not restricted to the user-defined system attributes of Location and Rack, the following helps to determine
which filters to use for the Device and Device Group permissions.
Set Filters for Device Object
Specify Rack and Location attributes. See "Set User-Defined Device Attributes for Access Control" on page 302 for
information.
                    Click Save. The Filter field displays "Rack is '<value>'".
                    Attribute: Select Location.                                    Devices specified with this location in device
                    Value: Specify the location.                                   properties under Attributes > User-Defined.
                    Click Save. The Filter field displays "Location is '<value>'".
Attribute has       Attribute: Select Rack.                                        Devices specified with any rack specified in device
any value           Click Save. The Filter field displays "Rack is not empty".     properties under Attributes > User-Defined.
                    Attribute: Select Location.                                    Devices specified with any location in device
                    Click Save. The Filter field displays "Location is not empty". properties under Attributes > User-Defined.
Specific Device     Device: Select a device from the drop-down list.               This selected device.
                    Click Save. The Filter field displays "Specified Device".
Members of          Hierarchy: Select a hierarchy. Your selection                  All devices in the specified group or its sub-groups.
specific group      determines the values for device group.
                    Device Group: Select the device group.
                    Click Save. The Filter field displays "Members of specified group".
Set Filters for Device Group Object
Specify Primary Contact and Location attributes. See "Set User-Defined Device Attributes for Access Control" on page 302
for information.
                    Click Save. The Filter field displays "Primary is '<value>'".
                    Attribute: Select Location                                     Groups specified with this location in group properties
                    Value: Specify the location.                                   under Attributes > User-Defined.
                    Click Save. The Filter field displays "Location is '<value>'"
Attribute has       Attribute: Select Primary Contact                              Groups specified with any primary contact in group
any value           Click Save. The Filter field displays                          properties under Attributes > User-Defined.
                    "Primary Contact is not empty".
                    Attribute: Select Location                                     Groups specified with any location in group properties
                    Click Save. The Filter field displays "Location is not empty". under Attributes > User-Defined.
Specific Device     Hierarchy: Select a hierarchy. Your selection                  The specified device group.
Group               determines the values for device group.
                    Device Group: Select the device group.
                    Click Save. The Filter field displays "Specified Device Group".
Members of          Hierarchy: Select a hierarchy. Your selection                  The sub-groups of the specified group (but not the
specific group      determines the values for device group.                        group itself).
                    Device Group: Select the device group.
                    Click Save. The Filter field displays "Members of specified group".
Set Filters for Policy Object
Filter permissions for specific policies. See "Edit Attributes" on page 301.
                    Click Save. The Filter field displays Policy Attributes.
Attribute has       Select an attribute. You must create an attribute and          The policy matching the
specific value      associate it with policy before using this option.             attribute details.
                    Click Save. The Filter field displays Policy Attributes.
For more information about user-defined attributes, see "Manage Attributes" on page 297.
Reference: Understanding Job Permissions
A job is distinct from the operation (such as backing up devices and installing policy) that the job executes. When a user
creates a job, he/she defines its operation, targets, and schedule. If a user has permissions to add or update jobs, he or she can
configure and save any job.
Users can run jobs in Management Center in the following ways.
User runs a job immediately after configuring it or manually using Run Now
• The job executes as the user.
• The Audit Log displays the event as a Job Execution and lists the username as the Operating User.
• The job information shows that it was started by the user.
As long as the user has the job permissions, running a job immediately or manually always results in a completed
job. In the previous scenario, if the user has permissions to perform the operation, the job completes without errors; if
the user has insufficient permissions to perform the operation, the job completes with errors.
User configures a job scheduled in the future
• The job executes as the system.
• The Audit Log displays the event as a Job Execution and lists SYSTEM as the Operating User.
• The job information shows that it was started by the system.
Because the job executes as the system, which can perform all operations, users with permissions to schedule jobs can
create jobs for an operation that they do not have permissions to perform. Allowing more users than necessary to schedule jobs
is thus a potential security risk.
Consider granting the Scheduled Job - Run Now permission to most users who require the ability to run jobs.
Reserve the Scheduled Job - Add and Scheduled Job - Update permissions for the most senior users.
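The escalation path described above can be checked for in a role model before roles are assigned. The following is an added example, not Blue Coat code: the role names, user names and data layout are constructed, and the mapping from job operation to required permission is an assumption. It computes each user's effective permissions as the union of their roles (with View implied by every higher action except Add) and flags users who can add or update scheduled jobs for operations they cannot perform themselves.

```python
"""Audit a role model for the scheduled-job escalation path.

All data below is constructed for illustration; it is not an export format
produced by Management Center.
"""

# Each role is a set of (object, action) permissions, written the way the
# permissions reference names them. Role names are hypothetical.
ROLES = {
    "backup-operator": {("Device", "Backup"), ("Hierarchy", "View"),
                        ("Scheduled Job", "Run Now")},
    "job-scheduler":   {("Scheduled Job", "Add"), ("Scheduled Job", "Update")},
    "policy-viewer":   {("Policy", "View")},
    "policy-author":   {("Policy", "Update")},
    "all-devices-ro":  {("Device", "View")},
}

# Constructed user-to-role assignments (direct or inherited through groups).
USERS = {
    "alice": ["backup-operator"],
    "bob":   ["job-scheduler", "policy-viewer"],
    "carol": ["job-scheduler", "policy-author", "backup-operator"],
    "dave":  ["all-devices-ro"],
}

# Assumption: the operational permission each kind of job needs.
JOB_OPERATIONS = {
    "Back up devices": ("Device", "Backup"),
    "Install policy":  ("Policy", "Update"),
}

# Actions that let a user create or change a job that later runs as SYSTEM.
SCHEDULING_ACTIONS = ("Add", "Update")


def effective_permissions(user, users=USERS, roles=ROLES):
    """Union of all assigned roles; a user needs only one role that grants
    a permission. View is implied by any higher action except Add."""
    perms = set()
    for role in users[user]:
        perms |= roles[role]
    implied = {(obj, "View") for obj, action in perms
               if action not in ("View", "Add")}
    return perms | implied


def can(perms, obj, action):
    """True if the permission set grants the action on the object."""
    return (obj, action) in perms or (obj, "All operations") in perms


def escalation_paths(users=USERS, roles=ROLES, job_ops=JOB_OPERATIONS):
    """Return {user: [operations reachable only through a scheduled job]}."""
    findings = {}
    for user in users:
        perms = effective_permissions(user, users, roles)
        if not any(can(perms, "Scheduled Job", a) for a in SCHEDULING_ACTIONS):
            continue  # Run Now alone executes as the user, so no escalation
        missing = sorted(op for op, (obj, action) in job_ops.items()
                         if not can(perms, obj, action))
        if missing:
            findings[user] = missing
    return findings


if __name__ == "__main__":
    for user, ops in escalation_paths().items():
        print(f"{user}: can schedule but not perform -> {', '.join(ops)}")
```

Users reported by escalation_paths() are candidates for the Scheduled Job - Run Now permission in place of Add and Update.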
Configure Users, Roles, and Attributes
As the Management Center administrator, you can specify the following global settings after you set up Management Center
for the first time or when needed.
"Manage Management Center Users" on the next page
"Define Roles" on page 288
"Filter Devices or Device Groups in a Permission" on page 294
"Manage Attributes" on page 297
"Preview or Download Logs" on page 305
"Customize the Audit Log" on page 423
Manage Management Center Users
The Users tab allows you to manage access to Management Center. Before adding users, make sure you have defined roles.
See the following topics for details:
• "Add Local Users" on the next page
• "Edit a Local or Imported User" on page 277
• "Manually Reset a User's Web Console Password" on page 282
Add Local Users
Use these settings to provide Management Center access to local users.
Security Considerations
The following items are supported today:
• Management Center logs all access attempts to the audit log and syslog.
• Administrators can manually expire a user's password and force them to enter a new one.
• Starting with 1.7, Management Center tracks the last access attempt in the user record and displays the record when
viewing the user's details (Administration > Users).
• Starting with 1.7, Management Center tracks the number of login failures a user has had in a row.
The following items are not supported:
• Management Center does not enforce password strengths.
• Passwords do not expire automatically.
• Management Center does not automatically disable accounts if the user does not enter their password correctly after
n attempts.
• Management Center does not track password history.
If the unsupported features are important to you, use an external authentication service (like LDAP, Active Directory LDAP,
or RADIUS) instead.
Add Roles First
You can add local users to Management Center at any time, but it is good practice to set up the role structure before you
start adding users. After roles have been added, you can assign users the specific roles that they require to perform their
jobs. It is best practice to assign the most restrictive permissions possible so that users do not have more access than they
need. To import users from Active Directory, LDAP or RADIUS, see Add Users from an Existing Directory Service.
When you select an existing user record, user details open in the right pane. In the title bar, under the username, the
local user account indicates a user that you manually added and the imported user account indicates a user that you
imported using an existing directory service.
To understand more about how permissions and filters work with users and roles in Management Center, see
"Reference: Permissions Filters Object and Attributes" on page 259 and "Reference: Permissions Interdependencies" on
page 250.
Add Users
Before you start adding users, devise the naming convention for usernames. Once a username is saved, it cannot be
changed. This does not apply to imported users; their usernames are set in LDAP, Active Directory, or RADIUS and
are thus read-only.
1. Select Administration > Users.
2. Click Add User. The Add User: Basic Info dialog displays. A red asterisk (*) denotes fields that are mandatory.
Field                  Description
Username *             Usernames are case-sensitive and cannot be changed.
                       Note: Although the username/password combination successfully
                       authenticates if the username has a mixture of cases, Management Center
                       recognizes the users as different users. For example: A user signs in as joe
                       and access is set up using that specific case for username. Then later the user
                       signs in as Joe. The login using Joe will have no access because the
                       account created is for the user joe.
Password *             Example: admin1234
Verify Password *      Example: admin1234
Password expired on:   Does not expire
First Name             The actual first name that the person uses.
Last Name              The actual last name that the person uses.
Email                  The email address associated with this user and organization. Example: joe@heremail.com
Phone                  The phone number associated with this user and organization (including extension, if
                       any).
Mobile                 The personal mobile or cell number associated with this person.
Description            1024-character description; can include anything from what town she resides in to
                       average commute time to security certifications in this user's possession.
3. In the Add User: Basic Info screen, enter the user's information.
4. Click Next. From the Add User: Assign Roles dialog, select a role from Available Roles and add it to Assigned
Roles. The default roles are Administrator (with administrator rights) and viewOnly (with only viewing rights). You
must assign a role or the user will be unable to log in to Management Center. See "Define Roles" on page 288 or
"Edit an Existing Role" on page 290.
5. Click Finish. The new user displays in the Users list and has access to Management Center based on their defined
role.
Add Users from an Existing Directory or Service
As the Management Center administrator, you can add users from an existing directory or service.
"Authenticate Users Against LDAP or LDAPS" on the next page
"Authenticate Users Against Active Directory LDAP" on page 270
"Authenticate Users Against RADIUS" on page 272
Authenticate Users Against LDAP or LDAPS
These options configure LDAP or LDAPS (LDAP over SSL) authentication in Management Center.
A secondary failover LDAP server can be configured in case the primary LDAP server cannot authenticate. If the secondary
LDAP server cannot authenticate, authentication can only occur through Active Directory LDAP or RADIUS (if configured).
Prerequisites
If you are configuring LDAPS and the LDAP server SSL key uses a self-signed certificate or a certificate signed by a
non-trusted root certificate authority, you must import that certificate into Management Center. To import the certificate, use the
security ssl import external-certificate command.
Configure General Settings
1. Select Administration > Settings.
2. Click LDAP on the left. The web console displays fields on the right. A red asterisk (*) denotes fields that are
mandatory.
3. Specify general LDAP settings as described in the following table.
Configure Primary Server Settings
1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are
mandatory.
3. Enter the Primary Server Settings described in the following table.
Configure Secondary Server Settings
You can also configure a Secondary LDAP Server to take over in case the Primary Server fails. The settings under
Secondary Server are specific to the Secondary LDAP Server only. The settings under Secondary RADIUS Server are
specific to the secondary server only.
1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that
are mandatory.
3. Enter the Secondary Server Settings described in the following table.
Configure Search Settings
1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that
are mandatory.
3. Configure the LDAP Search Settings described in the following table.
Finalize Your Changes
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top
left of the dialog as an example.
After setting your configuration options, you must do one of the following:
1. Reset or commit your changes.
• Click Reset to remove your current changes and revert to the default or last saved settings.
• Click Save to store the settings on the server. If you are unable to save your changes, make sure that all
required settings are specified.
• Click Activate to cause the server to load and apply the currently saved configuration.
2. Instruct users to log in to the web console with their existing username and password. After a user logs in, you can
manage their account in Management Center.
Supported LDAP Servers
Server Types        Configuration Interface
Apache DS           Apache Directory Studio user interface
Novell eDirectory   Novell ConsoleOne user interface
Add LDAP Users
After LDAP is configured, have users log in with their LDAP credentials. The first time the user logs in, Management Center
adds them to the system. You cannot -external users at this time.
Authenticate Users Against Active Directory LDAP
Set up Active Directory LDAP authentication in Management Center. A secondary failover Active Directory LDAP server
can be configured in case the primary Active Directory LDAP server cannot authenticate. If the secondary Active
Directory LDAP server cannot authenticate, authentication can only occur through LDAP or RADIUS (if configured).
Prerequisites for enabling Sync the role membership and Sync the group membership:
• To sync role membership, you must define the role in Management Center before users assigned to the role in
Active Directory authenticate.
• To sync group membership, you must define the group in both Management Center and Active Directory. The group
names must match in order to map correctly.
After you define the roles and groups, and when a user authenticates in Management Center, the appropriate roles and/or
group memberships are set up in Management Center.
Specify General Active Directory LDAP settings.
1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that
are mandatory.
3. Enter the General Active Directory LDAP Settings described in the following table.
Specify Primary Server Settings
1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that
are mandatory.
3. Enter the Primary Server Settings described in the following table.
Specify Secondary Server Settings
You can also configure a Secondary Active Directory Server to take over in case the Primary Server fails. The settings
under Secondary Server are specific to the Secondary Server only. The settings under Secondary RADIUS Server are
specific to the secondary server only.
1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are
mandatory.
3. Enter the Secondary Server Settings described in the following table.
Finalize Your Changes
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top
left of the dialog as an example.
After setting your configuration options, you must do one of the following:
1. Reset or commit your changes.
• Click Reset to remove your current changes and revert to the default or last saved settings.
• Click Save to store the settings on the server. If you are unable to save your changes, make sure that all
required settings are specified.
• Click Activate to cause the server to load and apply the currently saved configuration.
2. Instruct users to log in to the web console with their existing username and password. After a user logs in, you can
manage their account in Management Center.
Authenticate Users Against RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication,
Authorization, and Accounting (AAA) management for users who connect and use a network service. Authentication using
a RADIUS server acts much like authenticating against LDAP and runs in the application layer.
Prerequisites
Prerequisites for enabling Sync the role membership and Sync the group membership:
• To sync role membership, you must define the role in Management Center before users assigned to the role
authenticate.
• To sync group membership, you must define the group in both Management Center. The group names must match
in order to map correctly.
• Install Blue Coat's latest dictionary of VSAs for Blue Coat on the RADIUS server. The latest version of the
dictionary file is available with the Management Center image on BTO.
• Define the Blue Coat attributes, as in the following example:
  ◦ Blue-Coat-Group="mc_group_1"
  ◦ Blue-Coat-Role="mc_role_1"
where mc_group_1 and mc_role_1 are the names you specify for the group and role, respectively, in
Management Center.
After you define the VSAs, and when a user authenticates in Management Center, the appropriate roles and/or group
memberships are applied to the permission set in Management Center.
Set up RADIUS authentication in Management Center.
1. Select Administration > Settings.
2. Select RADIUS. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Configure general RADIUS settings.
Configure Secondary RADIUS Server
Supported RADIUS Servers
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top
left of the dialog as an example.
After setting your configuration options, you must do one of the following:
1. Reset or commit your changes.
• Click Reset to remove your current changes and revert to the default or last saved settings.
• Click Save to store the settings on the server. If you are unable to save your changes, make sure that all
required settings are specified.
• Click Activate to cause the server to load and apply the currently saved configuration.
2. Instruct users to log in to the web console with their existing username and password. After a user logs in, you can
manage their account in Management Center.
Authenticate Users with SSL Mutual Authentication
In mutual SSL authentication, an SSL connection between a client and a server is established only if the client and server
validate each other's identity during the SSL handshake. The server and the client must each have their own valid X.509
certificate and the associated private key in order to perform SSL mutual authentication.
Certificates and private keys can be stored in multiple locations. On the client, one such location is a Common Access Card
(CAC). However, a CAC card or reader is not required for SSL mutual authentication; you can install the certificates on your
browser and into Management Center's truststore.
The following example describes an SSL mutual authentication transaction.
1. The user requests access to the Management Console.
2. Management Center presents its certificate to the browser.
3. The browser validates Management Center's certificate. This includes the following checks:
• The certificate subject must match the appliance's hostname.
• The certificate must be issued by a CA listed in the browser's Trusted Root Certificate store.
4. The browser confirms that the appliance has the certificate's private key by challenging the appliance to sign
random data. The browser validates the signature using the appliance's certificate.
5. If appliance authentication succeeds, the browser accesses the client certificate and private key using the installed
certificate or CAC. It then presents the certificate to the appliance.
6. The appliance validates the certificate that the browser presents. This includes the following checks:
• The certificate must be issued by a CA included in Management Center's truststore.
• The appliance confirms that the browser has the certificate's private key by challenging the browser to sign
random data. The appliance validates the signature using the browser's certificate.
• The certificate must have a valid signature and not be expired.
7. If authentication succeeds, the appliance grants access to Management Center.
8. (If applicable) The appliance presents a Notice and Consent banner. The user provides consent.
Prerequisites
Before using SSL mutual authentication, you must meet the following prerequisites:
• The browser must have an X.509 certificate installed that will pass Management Center's trust validation. That is, if
the client is using its own Root Certificate Authority (CA) or a different CA, that CA must first be installed into
Management Center's truststore.
• The appliance certificate must be from a CA listed in the browser's Trusted Root Certificate store. Install any
missing client certificates or custom root CA certificate into the browser. For browser installation instructions, refer to
http://wiki.cacert.org/FAQ/BrowserClients and select your browser of choice.
Set up SSL Mutual Authentication
1. Import the root CA certificate(s) and any intermediate certificate(s) required to validate the client certificates into
Management Center's truststore.
# security ssl import external-certificate <name> <URL>
2. Verify installation with the appropriate command:
# security ssl list external-certificate all
See "# security" on page 459 for more information on the certificate viewing commands.
3. Determine the client authentication method, mandatory or optional; client authentication is off by default.
4. Issue one of the following commands:
# security ssl client-authentication set-mandatory
See "# security" on page 459 for more information on the client-authentication commands.
The flowchart below depicts the prerequisites, setup, and authentication process for mandatory and optional SSL mutual
authentication.
Note
• When SSL mutual authentication is enabled, all devices using Management Center as the host require X.509
certificates. For example, to access file services and APIs in a mandatory setting, a certificate is required.
• Browsers retain the certificate used. If you have more than one X.509 certificate installed and you want to use a
different certificate, you must close and reopen your browser to change certificates.
Edit a Local or Imported User
To modify the user details (first name, last name, email address, phone numbers, description) or change the user's role, you
can use the Edit User wizard. You can edit both local and imported users.
1. Select Administration > Users.
2. In the list of users on the left, select the username to edit.
3. Click Edit. The web console displays the Edit User wizard.
4. Change desired information on the Basic Info tab. Note that you cannot change the username.
5. Click the Assign Roles tab to modify the user's role.
6. Click Save.
Delete a User
Organizations typically implement processes to deactivate and remove access to internal accounts such as mailboxes,
intranet, and applications when users leave the organization. As a best practice, add deleting the user account in
Management Center to the exit procedures that your organization uses to reduce the risk of a security breach.
Deleting an imported user does not remove that user from Active Directory, LDAP or RADIUS.
1. Select Administration > Users.
2. In the list of users on the left, select the user you want to delete.
3. Click Delete. A Delete User dialog displays, prompting you to confirm the deletion.
4. Verify that it is the correct user, and then click Delete User. The user no longer displays in the Users list and is not a
registered user of Management Center.
Change and Reset Passwords
Select the topic for the applicable situation.
Situation                                                               Topic
User knows his/her password and wants to change it                     "Change Your Password" on the next page
User forgot his/her password                                            "Reset Password" on page 280
Admin wants to automate the password resetting process                 "Automate Password Reset Process" on page 429
Admin needs to manually change a user's password because user forgot   "Manually Reset a User's Web Console Password" on
answer to security question or password reset process isn't automated  page 282
Admin forgot admin account password                                     "Reset or Restore Admin Account Passwords" on page 283
Change Your Password
You can change the password that you use to log in to the web console.
If you log in to the web console using your LDAP or Active Directory credentials, you cannot change your password.
1. In the web console banner, click and select your username.
The username for the standard Admin login is "Management Center."
The web console displays the Profile dialog. Fields marked with a red asterisk (*) are required settings.
2. Click Change Password.
3. In the Current Password field, enter your current password.
4. In the first New Password field, enter a new password.
As you type your password, the Password Strength meter indicates the strength of the password. Because the
system assesses the strength of the password with each character, the meter might fluctuate while you are typing.
Blue Coat recommends that you use a password with at least Secure strength. You can try a number of
different passwords until the Password Strength meter indicates Secure or higher.
5. In the Retype New Password field, enter your new password again.
6. Click Save.
The next time you log in to the web console, use your new password.
Reset Password
If you have forgotten your password to log in to the Management Center web console, you can request a password reset.
This capability requires that the administrator has enabled the Management Center password reset feature; see "Automate
Password Reset Process" on page 429. The password reset is only good for the web console and not for the CLI console.
The password resetting process requires that you answer a security question, using the exact upper/lower case you
entered when you initially defined it in your user profile. You also must have the correct email address in your
profile. If you forget the answer to your security question, or failed to define an email address, you will not be able to
use the automated password reset process.
1. If you have forgotten your password when logging in, click Reset Password.
The Reset Password: Validate User dialog displays.
2. Enter your Username and click Next. The Reset Password: Security Question dialog displays.
3. In the Answer field, enter the answer to the Security Question, using the exact spelling and upper/lower case you
entered when defining it. Click Next. The Reset Password: Email Confirmation dialog displays.
4. Check your email's Inbox to retrieve your temporary password.
5. The next time you log in to the Management Center web console, use the temporary password.
Change your password because the temporary password will expire.
Automate Password Reset Process
As an administrator on Management Center, you need to configure settings so that users can request a password reset if
they forget their password.
1. Select Administration > Settings > General.
2. Set the Is Reset Password enabled? field to true.
3. For Reset Password Email Subject, modify the email subject line, if desired.
4. For Reset Password Email Message, modify the body of the email that is automatically sent to users when they
click the Reset Password link. For example, you can add a person's name to the signature instead of the generic
Blue Coat Management Center.
The message contains two substitution variables: {fullname} and {password}. Management Center
automatically replaces {fullname} with the user's first and last name and replaces {password} with a
temporary password.
5. Click Save to store the settings on the server.
6. Make sure an email server is configured. See "Configure Mail Settings" on page 402.
When the email is sent with the temporary password, the user's account is marked so the administrators know that
the password is only temporary. The temporary password will expire.
Manually Reset a User's Web Console Password
If users forget their web console password, you can manually reset the password for them. (Alternatively, if you have
automated the process, the user can request a password reset when logging in. See "Automate Password Reset Process" on
page 429.) Even if you have automated the process, you may still need to manually change someone's password if the
user has forgotten the answer to his/her security question.
1. Select Administration > Users.
2. In the list of users on the left, select the username whose password you want to change.
3. Click Edit. The web console displays the Edit User wizard.
You cannot change the password for users authenticated against LDAP, Active Directory, or RADIUS
(authenticated users have the following icon: ).
4. From the Basic Info tab, click the Change password link.
Two new fields display: New Password and Verify New Password.
5. Enter a new password in the fields. If you do not enter identical text in both fields, you receive an error message.
6. Click Save. The dialog closes and the web console banner displays an alert indicating that the user's password
was saved.
7. Communicate the new password to the user and recommend a password change as soon as possible.
Reset or Restore Admin Account Passwords
You can reset the password for the CLI (serial console). You can also restore the default password for the admin UI (web
console). The admin account to access the CLI versus the admin account to access the web console are different accounts
(and thus the passwords are not the same).
To reset the CLI admin account password use # security reset-password. This command is only available
through the serial console.
1. "Access the Management Center CLI" on page 439.
2. Enter privileged mode by typing enable at the command prompt. See "Privileged Mode Commands" on page 446.
3. Enter your enable password and press Enter.
4. At the # prompt, type restore-defaults reset-admin and press Enter.
The CLI prompt displays the following:
This operation will restore admin password on UI to default. Management Center service
will be unavailable during this operation.
Resets the UI admin password to admin/admin.
283
Management Center Configuration &Management

Manage User Groups
To reduce the time and effort involved in assigning roles to users, you can create a user group, add users to it, and then assign roles to the group. Creating user groups also helps ensure consistency among users who require the same access.
Before adding user groups, make sure you have defined roles.
Use the Groups tab to add, edit, and delete user groups. See the following topics for details:
- "Add User Groups" below
- "Edit a User Group" on page 286

Add User Groups
Although you can add users and assign roles to them individually, doing so can be labor-intensive if there are many users in the system who require the same permissions. To reduce the time and effort involved in assigning roles to users, you can create a group, add users to it, and then assign roles to the group. Creating user groups also helps ensure consistency among users who require the same access.
Users inherit the roles and permissions assigned to them individually and to the groups in which they are members. If users inherit permissions that seem to conflict, keep in mind that they can access an object as long as they have a role with the required permission. For example, if one of a user's groups has a role with the View permission for policy objects but another group has no policy permissions, the user can view policy objects.
Groups cannot be members of other groups.
1. Select Administration > Groups.
2. From the Groups section, click Add Group. The web console displays the Add Group wizard.
3. In the Add Group: Basic Info page, enter the group's information. A red asterisk (*) denotes fields that are mandatory. Enter a Name for your group. This group name displays on the dashboard and other areas in the web console.
   Before you start naming user groups, devise a naming convention. For example, a user group name can be based on an organization, job function or geographical location.
4. In the Add Groups: Basic Info page, add a description (even though it is not required).
   Although entering a description is optional, the description helps you and other users understand the purpose or function of the group. This helps to understand the correct roles and permissions to apply within the group. Blue Coat recommends that you always enter a clear, helpful description.
5. Click Next.
6. In the Add Group: Members dialog, select users from the Available Users list and add them to the Members list using the arrow buttons. Click Next.
7. In the Add Group: Assign Roles dialog, select a group role from the Available Roles list and add it to the Assigned Roles list. See "Define Roles" on page 288.
8. Click Finish. The name of the group that you just created will be displayed in the left pane.

Edit a User Group
To modify the user group details (name or description), add/remove group members, or change the role(s) assigned to the group, you can use the Edit Group wizard.
1. Select Administration > Groups.
2. In the list of groups on the left, select the group to edit.
3. Click Edit. The web console displays the Edit Group wizard.
4. Change desired information on the Basic Info tab.
5. To add a user to the group:
   a. Click the Members tab.
   b. Select the username in the Available Users list.
   c. Click the right arrow button to add the user to the Members list.
   d. Repeat for other users you want to add to the group.
6. To remove a user from the group:
   a. Click the Members tab.
   b. Select the username in the Members list on the right.
   c. Click the left arrow button to remove the user. The user moves over to the Available Users list.
   d. Repeat for other users you want to remove.
7. Click the Assign Roles tab to modify the role(s) associated with the group.
8. Click Save.

Delete a User Group
Deleting a group does not remove the members in the group.
1. Select Administration > Groups.
2. In the list of groups on the left, select the group you want to delete.
3. Click Delete. A Delete Group dialog displays, prompting you to confirm the deletion.
4. Verify that it is the correct group, and then click Delete Group. The group no longer displays in the Groups list.

Manage User Sessions
Management Center tracks and logs each user session. Administrators can view and manage current user sessions from Administration > User Sessions. As a super admin, your ability to log in is not affected by what you do in this dialog.
You can delete (kill) any user session, which immediately logs the user out of the Management Center web console.
As a best practice, Blue Coat recommends that all users log out of the web console after completing their tasks. As a Management Center administrator, you may need to enforce this practice. If a user has changed roles or has accepted a new job that may change their access rights, you can manage all active or stored user sessions.
1. From the web console banner, select Administration > User Sessions.
2. To prevent users from logging in to the web console, select the Disable user login to Management Center check box.
3. (Optional) To delete a user session:
   a. Select a user session. Green denotes your session (you), not an active session.
   b. Click Kill Session.
   c. Confirm that you want to kill the session.

Define Roles
Roles are not necessarily associated with jobs or job titles; rather, each role should contain the permissions required to perform a specific task or set of tasks. Managing roles based on tasks is easier than managing permissions attached to features or functions. Because multiple users in organizations often perform the same task (for example, two teams of 20 support engineers require a Device Admin role), and tasks are shared even across different teams (five product engineers also require 'Device Admin'), the number of roles you need to define is in principle much lower than the number of users in the system. See "Edit an Existing Role" on page 290 and "Duplicate an Existing Role" on page 290.

About Roles
The role structure in Management Center has two predefined levels:
- administrator, which has all permissions for all objects. The default admin account has the administrator role.
- viewOnly, which has the view permission for all objects.
You can create other roles that allow view access to some objects, add or update access to some objects, or a mix of different permissions as shown in the example below.
Blue Coat recommends that you create roles with all necessary permissions and filters before adding users.

Procedure
1. Select Administration > Roles and click Add Role.
2. In the Add Role: Basic Info dialog, enter a name for the role.
   If you authenticate users against LDAP, Active Directory or RADIUS, create a role in sync with the directory service.
3. (Optional) Enter a description.
   Blue Coat recommends that you enter a list of the permissions for the defined role in the Description field. This helps you and other users understand the permissions of a user's role including the intent of their job function.
4. Click Next.
5. In the Add Role: Permissions dialog, click Add Permission.
6. From the Object drop-down list, select All objects or a specific object.
7. From the Action drop-down list, select All operations or one or more individual actions.
8. (Optional) In the Filter drop-down list, select a filter to apply to both the action and the object.
   See "Grant Permissions" on page 291 for information on objects, actions, and filters.
9. To add more permissions, repeat steps 6 through 8.
10. Optional: Add Reporter permissions.
11. Click Finish.

Duplicate an Existing Role
To avoid spending an excessive amount of time on defining roles with similar permissions, you can define a role based on a role that already exists in the system. For example, if you have already created a role that allows access to device groups, you can base other roles on it with different attributes.
1. Click the Administration tab and select Roles.
2. Select the role on which you want to base the new role.
3. Click Duplicate Role. The Roles tab displays the new role, with the name of the original role followed by (1). For example, if you duplicated the viewOnly role, the new role's name is viewOnly(1).
4. Select the role you just created and click Edit. The web console displays the Edit Role dialog containing two tabs:
   - Basic Info
   - Permissions
5. Update the name and description to reflect the purpose of the new role.
6. Click Permissions.
7. Edit the permissions for the new role; see "Grant Permissions" on the next page for instructions.
8. Click Save. The role is saved and the Roles tab displays it with the new name and description.

Edit an Existing Role
You cannot directly assign permissions to users; thus, you must always edit a role to change a permission. You can edit a role's basic information or the permissions that the role comprises.

Update basic information
1. Select Administration > Roles. From the Roles page you can perform the following actions:
   - Add Role
   - Edit
   - Duplicate
   - Delete
   - Refresh
2. Select the role whose information you want to update and click Edit. The web console displays the Edit Role dialog.
3. On the Basic Info tab, edit the name of the role or the description as required. Click Save.

Update permissions
1. Select Administration > Roles. The web console displays the Roles page where you can perform the following actions:
   - Add Role
   - Edit
   - Duplicate
   - Delete
   - Refresh
2. Select the role whose permissions you want to update and click Edit. The web console displays the Edit Role dialog containing two tabs:
   - Basic Info
   - Permissions
3. Click the Permissions tab. The web console displays the list of permissions.
4. To change only part of a permission, select Object or Action. See "Reference: Permissions Interdependencies" on page 250. Do one or more of the following as needed:
   - In the Object drop-down list, double-click and specify All objects or a specific object.
   - In the Action drop-down list, double-click and select All operations or a specific operation.
   - (If applicable) In the Filter drop-down list, click the plus sign (+) and select a filter. See "Filter Devices or Device Groups in a Permission" on page 294.
5. Add or remove an existing permission:
   - To add a permission, click Add Permission. See steps 7 through 10 in "Define Roles" on page 288 for instructions.
   - To remove a permission, select it and click Remove Permission. The permission is removed from the list.
6. Click Save.
Control Roles and Permissions through user sessions. If you edit a role's permissions while users are logged in to the web console, users must log out and log in again to see the effects of the change. See "Manage User Sessions" on page 306.

Grant Permissions
You can add, remove, and edit permissions for any role. A role must have at least one permission for the role to take effect.
1. Select Administration > Roles.
2. Select a role and click View. The web console displays the View Role dialog.
3. Click Permissions. You can add, remove, and edit permissions on this tab.
A permission consists of:
- The object, which describes the area, feature, or function that the user can access, such as devices and global settings.
- The action, which is the scope of access to an object. It details what actions a user can do with the object, such as the ability to add and edit devices, or view global settings. The actions that are available depend on the selected object. Starting in Management Center 1.6.x, you can add multiple actions per object.
- A filter, which dictates permissions to a sub-set or specific area of the object, such as certain attributes about a device or policy. Filters are available for devices and device groups; for instructions on specifying filters, see "Filter Devices or Device Groups in a Permission" on page 294.
The available filters correspond to the specified actions. That is, if multiple actions are defined, the filters list includes all possible filters for those actions. If an action is subsequently deleted, the corresponding filter will also be deleted if it does not apply to any remaining actions.
If the View permission for an object is not included in a role, users with the role are unable to see the object when they log in to the web console. For example, if a role does not include a permission for the Device object, users added to the role do not see the Network tab.
See "Define Roles" on page 288 for more information about setting roles and permissions.
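
The inheritance rule under "Add User Groups" (a user's access is the union of roles held directly and through groups) and the object/action/filter structure of a permission can be modeled to audit who effectively holds an access right. The following Python model is an added example, not Management Center code; every role, group and user name other than administrator and viewOnly is constructed, and evaluating an attribute filter as an exact match is an assumption.

```python
from dataclasses import dataclass, field

ALL = "*"  # stands in for the console's "All objects" / "All operations" choices


@dataclass(frozen=True)
class Permission:
    obj: str                    # "device", "policy", ... or ALL
    actions: frozenset          # {"view", "edit"} or {ALL}
    attr_filter: tuple = ()     # ((attribute, value), ...); empty means unfiltered

    def allows(self, action, obj, attrs):
        if self.obj not in (ALL, obj):
            return False
        if ALL not in self.actions and action not in self.actions:
            return False
        # Assumption: a filter narrows the permission to objects whose
        # attributes match exactly (for example Location == "EMEA").
        return all(attrs.get(name) == value for name, value in self.attr_filter)


@dataclass
class AccessModel:
    roles: dict = field(default_factory=dict)          # role -> [Permission]
    user_roles: dict = field(default_factory=dict)     # user -> {role}
    group_roles: dict = field(default_factory=dict)    # group -> {role}
    group_members: dict = field(default_factory=dict)  # group -> {user}; groups never nest

    def roles_for(self, user):
        """Roles held directly plus roles inherited from every group membership."""
        held = set(self.user_roles.get(user, ()))
        for group, members in self.group_members.items():
            if user in members:
                held |= set(self.group_roles.get(group, ()))
        return sorted(held)

    def granting_roles(self, user, action, obj, attrs=None):
        """Roles that allow the action; an empty list means access is denied.

        Access is a union: one granting role is enough, and a role or group
        that lacks the permission never takes it away.
        """
        attrs = attrs or {}
        return [r for r in self.roles_for(user)
                if any(p.allows(action, obj, attrs) for p in self.roles.get(r, ()))]

    def inert_roles(self):
        """Roles with no permissions: they have no effect until one is added."""
        return sorted(r for r, perms in self.roles.items() if not perms)


def build_sample():
    """Constructed sample data, invented for this example."""
    m = AccessModel()
    m.roles = {
        "administrator": [Permission(ALL, frozenset({ALL}))],
        "viewOnly": [Permission(ALL, frozenset({"view"}))],
        "policyViewer": [Permission("policy", frozenset({"view"}))],
        "emeaDeviceAdmin": [Permission("device", frozenset({"view", "edit"}),
                                       (("Location", "EMEA"),))],
        "draftRole": [],
    }
    m.group_roles = {"auditors": {"policyViewer"},
                     "emea-support": {"emeaDeviceAdmin"},
                     "contractors": {"draftRole"}}
    m.group_members = {"auditors": {"alice"},
                       "emea-support": {"alice", "bob"},
                       "contractors": {"alice"}}
    m.user_roles = {"carol": {"viewOnly"}, "admin": {"administrator"}}
    return m


if __name__ == "__main__":
    m = build_sample()
    print(m.roles_for("alice"))
    # One group grants View on policy, the others say nothing about policy.
    print(m.granting_roles("alice", "view", "policy"))
    # The Location filter keeps the edit right away from non-EMEA devices.
    print(m.granting_roles("alice", "edit", "device", {"Location": "APAC"}))
    # Job change: alice leaves EMEA support, so the inherited device rights go too.
    m.group_members["emea-support"].discard("alice")
    print(m.granting_roles("alice", "edit", "device", {"Location": "EMEA"}))
    print(m.inert_roles())
```

Because the result names the granting role, the same query shows which role or group membership to change when a user's job changes.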

Update Access When a User's Job Changes
When a user's job changes, you can adjust their information to reflect their new job or responsibilities.
1. Select Administration > Roles.
2. (If applicable) Update a user's roles to reflect changes in position or responsibilities.
3. (If applicable) Update the user's basic details.
4. (If applicable) Update a role to apply changes to all users who have the role. See "Edit an Existing Role" on page 290.

Update a User's Roles
When a user has a new job or responsibilities within the organization, you might have to update their roles to ensure that they can perform their new tasks.
1. Select Administration > Users.
2. In the Users left pane, select the user whose roles you want to change. The user's details display.
   Imported users are marked with an icon.
3. Click Edit. The web console displays the Edit User dialog.
4. Click Assign Roles. The dialog displays a list of all the roles in the system. Roles to which the user is not assigned are listed under Available Roles. Roles to which the user is currently assigned are listed under Assigned Roles.
5. Update roles:
   - To add a role, select it from Available Roles and, using the arrow, add it to the Assigned Roles list.
   - To remove a role, select it from Assigned Roles and, using the arrow, add it to the Available Roles list.
6. Click Save. The web console banner displays an alert indicating that the user was saved.
Roles are linked to user sessions. If you edit users' roles while they are logged in to the web console, instruct them to log out and log in again to see the effects of the change.

Filter Devices or Device Groups in a Permission
You can control access to devices and device groups (folders) on a more granular level than with other objects in Management Center using permission filters. These filters are based on the attributes that you specify in device and device group properties. See "Set User-Defined Device Attributes for Access Control" on page 302 for information.
1. Perform one of the following:
   - Add a permission. See "Grant Permissions" on page 291.
   - Edit a permission. See "Edit an Existing Role" on page 290.
2. In the Add/Edit Role dialog, select the permission and click the plus sign (+) in the Filter field. The Add/Edit Filter dialog displays.
3. Select a filter from the Filter Type drop-down list and specify filter values. See "Reference: Permissions Filters Object and Attributes" on page 259.
4. Click Save. The filter displays in the Filter field.

Restrict Access to Reporter Reports
When creating or editing roles, you can set permissions to limit the Reporter report fields the role has access to. The choices you make limit the reports that users in that role are able to view and also preclude them from adding corresponding widgets to a dashboard.

Procedure
1. Select Administration > Roles.
2. Select a role and click Edit. The system displays the Edit Role dialog.
3. Click the Reporter Permissions tab.
4. Click Add Permission.
   The system displays the Add Report Permission: Assign Reporter Database dialog.
5. Select the Reporter database to apply permissions to.
   If you select a database that includes All Databases in the title, the permissions you set will apply to all databases (present and future) on that device. If you select All Reporters - All Databases, the permissions you set will globally apply to all databases on all devices.
   If you've already applied permissions to a database, it will not display in the Reporter - Database drop-down list.
6. Click Next. The system displays the Add Report Permissions - Restricted Fields, Reports dialog.
7. Restrict report fields.
8. To view the reports affected by your choices, select Show Restricted Reports. The system displays the Restricted Reports by Field dialog.
9. When you are satisfied with your choices, close the Restricted Reports by Field dialog by clicking Close.
10. Click Finish, then Save.
Users in the specified role are now precluded from viewing reports in the selected fields.

Users Associated With Multiple Roles
If a user is associated with more than one role (or by group association), all applicable roles are displayed. For example, when viewing reports, the user can choose a role and a corresponding database from the menu on the Reports > Reporter page. If a role has no access to a database, that role does not display in the Role drop-down menu.

Manage Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Because you have different devices and appliances to manage, those devices require and are often restricted to certain attributes. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Attributes can be used to filter on specific devices, device groups or objects.
1. Select Administration > Attributes.
2. From the Manage Attributes list, select one of the following:
   - Device
   - Device Group
   - Policy
   - Device Script
3. To add an attribute, click Add Attribute. See "Add Attributes" on the facing page.
4. To edit an attribute, select the attribute name and click Edit. See "Edit Attributes" on page 301.

View and Sort the Following Attributes Lists
- Name
- Display Name - The attribute name (with no spaces).
- Type - The format in which users must enter or select values.
- Default Value - Select the default value that displays in the Attributes list. Default values can be substituted by other variables. See "Use Substitution Variables in Policies and Scripts" on page 176.
- Mandatory - The value of attributes that are marked as mandatory is required when you create or add a device or device group, create a policy, or create a script.
- Inheritable - Applies specifically to devices and device groups. When this is selected, the device or device group inherits attributes from its parent device group.
- Description - Describes the attribute and must be specific to the device, device group, policy, or script to which you are applying the attribute.
You are able to search for specific objects based on the attributes you define. See "Filter by Attributes and Keyword Search" on page 151.

Add Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Because you have different devices and appliances to manage, those devices require, and are often restricted to, certain attributes. Use these attributes to filter on specific devices, device groups or objects.
1. Select Administration > Attributes.
2. Select one of the following from the Manage Attributes list:
   - Device
   - Device Group
   - Policy
   - Device Script
3. Click Add Attribute. Define the properties of the attribute that you are creating. A red asterisk (*) denotes fields that are mandatory.

   Property                        Description or Purpose
   Display Name (*)                Name that displays throughout Management Center.
   Name (*)                        This is the name with no spaces.
   Type (*)                        The format in which users must enter or select attribute values.
   Available Values (*)            The Available Values depend on the Type you selected.
   Default Value                   If this attribute has a default value, it is displayed here.
   Mandatory                       All attributes that you check as mandatory will appear as options when you create a new policy, device, device group, or device script. All mandatory attributes can be filtered on when you "Filter by Attributes and Keyword Search" on page 151.
   Inheritable                     This attribute applies to devices and device groups. Attributes that are checked as inheritable can "inherit" their attributes from a parent device group.
   Displayed as a default column   When enabled, the attribute displays as a column in the Policy Object grid, Script Object grid, or Network dashboard. Even if this option is not enabled, you can still display the attribute by right-clicking the column header, selecting Columns and selecting the attribute to display. See Customize the Network View.
   Description                     Give a useful description of this attribute to distinguish it from the others when viewing all of the attributes in a list.

4. Click Save.

Mandatory Attributes
Attributes are metadata that you can apply to objects. Nothing changes for the existing devices, device groups, policy, or scripts when an attribute is marked mandatory. However, marking an attribute as mandatory means that whenever you create or add a device, device group, policy or device script object, you will be forced to enter a value for that mandatory attribute.
When you mark an attribute as mandatory, the attribute's value is required. You can enable variable substitution only if you save the attribute with a default value. See "Use Substitution Variables in Policies and Scripts" on page 176.

Edit Attributes
After you have defined an attribute, you can refine and edit that attribute to apply to any of the devices, device groups, policy and device scripts within your network. Editing an attribute changes the way devices, device groups, policy or script objects can be filtered and searched.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
1. Select the Administration > Attributes section.
2. From the Manage Attributes list, select an attribute to edit from the following attribute types:
   - Device
   - Device Group
   - Policy
   - Device Script
3. Select an attribute from the list and click Edit.
4. Change the properties for the attribute. A red asterisk (*) denotes fields that are mandatory.

   Property                        Description or Purpose
   Display Name (*)                Name that displays throughout Management Center.
   Name (*)                        This is the name with no spaces.
   Type (*)                        The format in which users must enter or select attribute values.
   Available Values (*)            The Available Values depend on the Type you selected.
   Default Value                   If this attribute has a default value, it is displayed here.
   Mandatory                       All attributes that you check as mandatory will appear as options when you create a new policy, device, device group, or device script. All mandatory attributes can be filtered on when you "Filter by Attributes and Keyword Search" on page 151.
   Inheritable                     This attribute applies to devices and device groups. Attributes that are checked as inheritable can "inherit" their attributes from a parent device group.
   Displayed as a default column   When enabled, the attribute displays as a column in the Policy Object grid, Script Object grid, or Network dashboard. Even if this option is not enabled, you can still display the attribute by right-clicking the column header, selecting Columns and selecting the attribute to display. See Customize the Network View.
   Description                     Give a useful description of this attribute to distinguish it from the others when viewing all of the attributes in a list.

5. Click Save.

Set User-Defined Device Attributes for Access Control
User-defined attributes can be either custom attributes that you create from the Administration tab or, if you edit them, the system attributes Location and Rack. System attributes contain values that Management Center collects for reporting purposes.
- Connection Parameters - IP or hostname, Username, Password, Enable Password and SSH Port number.
- Name - Device Name
- Membership - The hierarchy and device group to which the device belongs. See "Configure Hierarchy for Devices and Device Groups" on page 100.
- Attributes - Customized Location and Rack attributes or new custom attributes (or metadata) that administrators can create. See "Add Attributes" on page 298.
1. Collect statistics for the device by clicking the check box. See "View Statistics Monitoring Reports" on page 376.
2. Use the up/down arrows to specify a Bandwidth Cost. See "Set Bandwidth Cost for Reports" on page 399.
   The bandwidth cost is a multiplier and is thus not expressed in a specific currency unit. For example, you can specify a value to represent on average how you pay per gigabit for data usage on your network.
3. If the User-Defined attribute has a red asterisk (*), it is required. You must specify a value before continuing.
   Administrators can create attributes in addition to the user-defined attributes of Location and Rack. To define your own device and device group attributes, see "Add Attributes" on page 298 and "Edit Attributes" on the previous page.
For more fine-grained control of a device or device group, you can add permissions for the specified attributes. See "Reference: Permissions Filters Object and Attributes" on page 259.

Filter and Keyword Search
Apply filters to any object within Management Center. Objects can include:
- Attributes
- Audited Objects
- Authentication
- Devices
- Policy Objects
- Policy Device Assignment
- Roles
- Script Objects
Filter on attributes and then use the keyword search. When you are managing hundreds or thousands of policies across multiple devices, it is important to be able to find a particular policy or configuration quickly.
You are not limited to the Filter fields displayed. You can customize your filters.

Procedure
Default fields are dependent upon the type of object that you are filtering. For example:
- Name - Filters by the object name
- Type - Filters by the object type
- Description - Filters by the object Description
- Author - Filters by who created the object
1. To filter by a particular type of policy, click the Type drop-down list. Select a Policy Type:
   - CPL
   - CPL Fragment
   - VPM
2. Click Apply Filters.
3. The Object list displays all of the Objects by Type. After you have applied filters, search for specific objects using the Keyword Search.
4. From the Policy Objects listed by Type, search for a specific Policy using the Keyword Search.
The logic is Filter *and* Keyword Search.

Search by Keyword
When searching, Management Center breaks text into keywords and then searches for the keywords entered. Management Center's index system has a special case for dots: it sees dots as separating letters within a word (i.e. Management Center considers dots as a part of a word).
You cannot search on special characters such as ^ % | ~.
Colons are treated like other non-letters by splitting keywords apart. IPv4 and IPv6 addresses work differently because of colons.
The wildcard symbol is *. Management Center automatically appends an * at the end of your search term, but if you want to start with a wildcard search, you have to enter it yourself.

Can quotes be used in a search?
Use quotes when non-letters are part of the search term, for example when your search term includes a colon. The exception to this search rule is the use of a dot, because a dot that is NOT followed by whitespace is considered part of the keyword.

How do you search for whole words?
Enter the whole word. If there is more than one word, separate each word with a space. If using special characters, enclose each word in double quotes.

How do you search for partial words?
Enter the partial term, and Management Center attempts to complete the search. For example, enter hi and Management Center matches that to both highlight and high.

Example Searches
IPv4 127.0.0.1
- 127.0.0 matches any IPv4 starting with 127.0.0
- *.0.0.1 matches any IPv4 ending in 0.0.1
IPv6 0:0:0:0:0:1
Use quotes for IPv6 addresses because IPv6 uses colons instead of dots as the separator.
- 0:0:0 matches any IPv6 starting with 0:0:0
- *0:0:1 matches any IPv6 ending with 0:0:1
Hostnames
- abc.com matches a host named abc.com
- *.com matches a hostname ending in .com
- *:8080 matches a hostname with :8080 as the port

Search
1. From the Keyword Search field, enter your search term.
2. Press Enter or click the magnifying glass icon.

What if the search finds no match?
If the search finds no match, the right pane displays a message indicating that no objects match the keyword filter. You can search again using a different keyword.

What if the search succeeds in finding matches?
If the search finds matches, the results display in alphabetical order in the Objects list.

How do you clear the search results?
To clear search results and display all objects in the system, click the X in the search field.

Preview or Download Logs
You can sort and preview a log by file name or log type. You can preview one log or download multiple logs.
1. Select Administration > Logs.
2. Select a log to view. Click Preview. For example, to view the localhost_access.log in a text viewer, click Preview.
3. To download multiple logs, select the check boxes of logs that you want to download and then click Download. Management Center downloads a .zip archive file to the default download location.

Available Logs
The following table lists the available logs.
Rollover log formats are similar to the following:
- name.zip
- name.log-data

Log Types
The following table describes the log types.

   Type          Description
   WEB           Logs related to Management Center and its operation.
   WEB-ACCESS    Logs that track user requests to Management Center web UI.
   DEBUG         As the name implies, these are debugging logs.
   SYSTEM        Internal core OS logs.
   PDM           Performance Data processing logs. These correspond to anything related to the appstat processing of PDM logs from the ProxySG or other systems.

Manage User Sessions
Management Center tracks and logs each user session. Administrators can view and manage current user sessions from Administration > User Sessions. As a super admin, your ability to log in is not affected by what you do in this dialog.
You can delete (kill) any user session, which immediately logs the user out of the Management Center web console.
As a best practice, Blue Coat recommends that all users log out of the web console after completing their tasks. As a Management Center administrator, you may need to enforce this practice. If a user has changed roles or has accepted a new job that may change their access rights, you can manage all active or stored user sessions.
1. From the web console banner, select Administration > User Sessions.
2. To prevent users from logging in to the web console, select the Disable user login to Management Center check box.
3. (Optional) To delete a user session:
   a. Select a user session. Green denotes your session (you), not an active session.
   b. Click Kill Session.
   c. Confirm that you want to kill the session.

Receive Error Notifications
Configure how you will be notified when errors occur.
"Configure SMTP Alerts" on page 318
"Configure SNMP Alerts" on page 319

Manage Alerts
Management Center provides an area for administrators to store and manage various alerts. Whether you need to set the state of an alert, change the owner, provide feedback, or find a specific alert, you can do it all in one place. This is different from the message viewer. You are still able to view messages in the Recent Messages pane. See "Read Alerts" on page 436.
To get to the Alerts management page:
- Select Administration > Settings.
- Click the Alert Notification button. This shows the number of open (or unresolved) alerts.

Overview
The landing page shows the current alerts and the options available for management.
- Sorting options allow you to view the alerts based on various criteria.
- Details and Filters Tabs give quick information about the alert(s).
- Navigation options at the bottom allow you to go to specific pages.
- Management options allow you to take action on specific alert(s).

Sorting Alerts
The primary element on the landing page is the list of available alerts. These can be sorted by different columns.
* Indicates columns that are NOT shown by default

   Sort By...      Description
   Severity        Impact level of an alert on the affected category.
   Priority        Importance level of resolving an alert.
   Message         Current status of an alert. Alerts are either considered open or closed.
   Count *         Number of times an issue is reported.
   Source *        System reporting an alert. Note: This field is populated only if an external network is reporting an issue.
   Category        Element affected by an alert.
   State           Current status of an alert.
   Received        Date and time an issue is reported as an alert.
   Acknowledged    Received status of an alert.
   Owner           Person currently responsible for an alert.

Sort and view the alerts with these options:
- Adjust the length of columns by hovering between two columns to get the adjustment cursor.
- To sort the list, you have two options:
   - Click on a column header. The first click sorts the list by that column in ascending order. A second click sorts it in descending order.
   - Hover over a column header, then select Menu Arrow > Sort Ascending or Sort Descending.
- To customize which columns show, hover over any column header, then select Menu Arrow > Columns.
- To reset the columns back to the default columns and width, hover over any column header, then select Menu Arrow > Reset Columns.

Details and Filters Tabs
Get an overview of a specific alert or use filter options in order to find specific alerts.
If you need more space to view the alerts list, collapse this pane by clicking the arrow tab on the left of it.
See Filters Panel for an example image.
PreviewDetailsPanel
Givesabriefsummaryoftheselectedalert.Ifyouneedtoviewmoredetails,suchasthehistoryofthealert,seeEditing
Alerts.
Selectonlyonealerttopreviewthedetails.
FiltersPanel
Findspecificalertswithvariousfilters.Onceapplied,theFilterstabshowshowmanyactivefiltersthereare.Example:
(Active3).
Apply/Clear
Saveordeleteanyfilterchangesselected.
Customize
309
Management Center Configuration &Management
SelectthefiltersthatshowintheFilterPanel .
TimeRange
Selectthetimerangeyouwanttosearchin.
HourOptions DayOptions
Last 1 Hr Last 24 Hrs
Last 12 Hrs Last 3 Days
Last 24 Hrs Last 7 Days
State
Select the alert's current status(es).
Option | Description
New | New or unworked issues.
Pending | Already known issue, but resolution hasn't started.
Assigned | Assigned to a specific user.
In Progress | A resolution has been started.
Resolved | The issue has been resolved.
Closed | The issue has been closed. This can be used whether or not the issue has been resolved.

Acknowledge
Select the receipt status(es).
Option | Description
Acknowledge | Alert received by owner.
Unacknowledge | Alert not received by owner.

Category
Select the element(s) affected.
Option | Element(s)
Policy | Policy specific.
Configuration | Scripts, Shared Objects, Tenants, and Files.
Operational | Alerts related to the function of a device or Management Center.
System | Networks linked to Management Center, including files, software, hardware, and firmware.
Security | Security related alerts.
Other | For an issue not listed in any other category.

Priority
Select the importance level of resolution.
Priority Level
Low
Medium
High
Urgent

Owner
Select the current owner.
Alerts that are not assigned (in the Owner sorting column) will not show up if an owner is selected.
Keyword Search
Next to the Preview/Filter pane is the keyword searching option. If you know keywords in the alerts you are looking for, enter them into the search box and click the magnifying glass or press Enter. To clear the search terms, click the ( ) within the search box.

Navigation
Navigate between pages and set navigation options.

Alert Management
Create, edit, delete, or acknowledge receipt of alert(s).

Creating New Alerts
Use Raise Alert to create a new alert.
Message*
Enter in the message for the alert. *This field is required.

Severity
The impact level on the affected category. *Indicates default

Priority
The importance level of resolving the alert. *Indicates default
Priority Level
Low*
Medium
High
Urgent

State
The current status of the alert. Alerts are either considered open or closed. *Indicates default

Owner
The administrator currently logged in is set as the default owner. You may assign it to a different owner as long as the person has previously been added as a user. See "Add Local Users" on page 264.
Alerts created by the system will show as not assigned in the Owner sorting column.

Category
The element affected by the alert. *Indicates default
Option | Element(s)
Policy | Policy specific.
Configuration | Scripts, Shared Objects, Tenants, and Files.
Operational | Alerts related to the operation of a device or Management Center.
System | Networks linked to Management Center, including files, software, hardware, and firmware.
Security | Security related alerts.
Other* | For an issue not listed in any other category.

Description
(Optional) Enter a more detailed description of the alert and/or the reasons for it.
If you forget any information for the detailed description, you can always Edit it or add a note to the Journal tab at a later time.

Save/Cancel
Save or Cancel the new alert.
Editing Alerts
You can edit the alerts using one of two methods:
- To edit all the information for an alert, select a message and then click Edit. Alternately, right-click a message to get the Edit option.
  Only one message can be selected for editing at a time.

Edit Details Tab
The basic information, normally set in Raise Alert, can be edited in the Details tab. A summary of the current saved status of the alert shows in a box below the editable details. The action buttons include:
- Save Alert for any changes you make.
- Acknowledge or Unacknowledge the receipt of the message.
- Discard any changes.
- Take Ownership to instantly assign it to yourself.

Journal Tab
A history of the changes made to the alert is logged in the Journal tab beneath the Notes field. Actions you can take include:
- Add more information in the Notes field.
- Add Note to the alert.
- Clear any information typed.

Back
Return to the list of alerts. Alternately, you can click on the Alerts link above the Back button to return to the list.

- Select message(s) to access the available quick Operations. These allow you to edit information on an alert without having to open the Edit screen.

Assign Users
Select a user to have ownership. You may assign it to a different owner as long as the person has previously been added as a user. See "Add Local Users" on page 264.
Alerts created by the system will show as not assigned in the Owner sorting column.

Take Ownership
Instantly assigns the alert to yourself.

Change State
The current status. Alerts are either considered open or closed.
*Indicates default
Option | Description | Status
New | New or unworked issues. | Open
Pending | Already known issue, but resolution hasn't started. | Open
Assigned* | Assigned to a specific user. | Open
In Progress | A resolution has been started. | Open
Resolved | The issue has been resolved. | Closed
Closed | The issue has been closed. This can be used whether or not the issue has been resolved. | Closed

Change Priority
The importance level of resolution. *Indicates default
Priority Level
Low*
Medium
High
Urgent
Other Alert Management Options
- Select message(s) to Delete them. Alternately, right-click the message(s) to get the Delete option.
- Messages are automatically removed by the system after a set time. The default is 120 days. See "Configure Housekeeping Settings" on page 425 for more information.
  To change the number of days alerts are retained:
  1. Select Administration > Settings > Housekeeping.
  2. Change the value in Number of days of closed alert records to keep.
  3. Click Save.
  4. (Optional) Click Activate to push your changes to the server immediately.
- Select message(s) to Acknowledge or Unacknowledge the receipt of them. Alternately, right-click the message(s) to get the acknowledgment options.
  Only messages of the same receipt status can be selected at the same time for the button to work.
  Example: Under the Acknowledged column, all messages marked not yet.
- Refresh the list of available alerts.
Configure SMTP Alerts
Configure the mail server for sending health monitoring notifications from Management Center and specify which administrators receive the alerts.
1. Select Administration > Settings.
2. Click SMTP Alerts on the left. SMTP fields display on the right. A red asterisk (*) denotes fields that are mandatory.
3. Specify SMTP settings.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Configure SNMP Alerts
The Simple Network Management Protocol (SNMP) itself does not define which variables a managed system should offer. Rather, SNMP uses an extensible design, where the available information is defined by Management Information Bases (MIBs).
Configure SNMP settings for Management Center. If you want to enter a password for the SNMP traps, see "Configure the SNMP Agent Password" on page 403.
The MIBs are available on the BTO Downloads page. Refer to the Blue Coat Management Center Release Notes for information on MIBs.
1. Select Administration > Settings.
2. Select SNMP Alerts. SNMP fields display on the right. A red asterisk (*) denotes fields that are mandatory.
3. Specify SNMP settings.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Customize the Audit Log
Because the Audit Log records all transactions on multiple levels, the log can grow very quickly, especially if many devices are managed in Management Center and there is a high level of user activity. Although the Audit Log is designed to make it easy for you to locate the records you want, you can customize the display further to help you locate specific records, isolate records from a certain date or time, filter records pertaining to specific users or objects, and more.
Use the following methods in conjunction to customize the Audit Log display to suit your purposes.
When you make the following changes in the Audit Log Viewer, the changes do not persist beyond the current browser session; the next time you log in to the web console, you must go through the same steps to change the viewer again.

Show or hide columns
You can show columns that you hid, or columns that are not visible by default, such as Record Type and Info3 through Info5. You can hide some columns if you want a more general look at the log or if your screen size is limited.
To see all information available in the Audit Log and ensure that you can see an appropriate level of detail, you can show all columns first and then choose which ones, if any, you want to hide.
1. On any column header, click the arrow. The web console displays a list of options.
2. Select an option to show the column.
   Clear an option to hide the column.
3. Click anywhere outside of the list to close it.
The Audit Log shows/hides the columns you specified.

Sort columns
The Audit Log displays records in descending order of Operation Time (latest to earliest) by default. You can re-arrange them to analyze the data more effectively.
1. Click the header of the column you want to sort.
   - If the header displays an up arrow, the data is arranged in ascending order (A-Z, earliest to latest).
   - If the header displays a down arrow, the data is arranged in descending order (Z-A, latest to earliest).
2. Click the header again to reverse the sort order.
In the following example the columns are sorted by Operation Type, so all Authentications are displayed first.

Filter records
To limit the amount of data that the log displays and focus only on specific records, apply filters using the drop-down lists on the right. Depending on the transaction level, you may need to filter pages of records. The filters limit the record type. To narrow the search, apply one or more filters.
If applying a filter results in too few records or not the right records, remove or change some filters. To reset the filters to default, click Clear.
Create and Manage Jobs
Management Center allows you to create jobs for running a variety of operations on a defined schedule. For example, you can create jobs for backing up Management Center each day, installing policy on a group of ProxySG appliances immediately, or executing a ProxySG script on a monthly basis. Jobs don't necessarily need a precise schedule, though; if you don't define a schedule for a job, you can run the job manually. In addition, you may override the defined schedule for a job and run it immediately.
Scheduling a job and running an operation require different permissions. See "Reference: Understanding Job Permissions" on page 261.
1. Plan the job:
   - Determine which operation you want to create a job for. See "Job Operations" on page 325.
   - Which devices do you want to perform the operation on? These will be the targets of the job.
   - Decide how often the job should run. This will be the job schedule. See "Job Scheduling Options" on page 328.
2. Create the job. See "Add a Job" on the next page.
3. Monitor scheduled jobs, and run unscheduled jobs as needed. See "Monitor Jobs" on page 330.
4. Monitor jobs as they are running. See "View Current Jobs" on page 332.
5. View job history. See Job History.
Add a Job
The Management Center New Job wizard prompts you for information required to create a job: name, operation, targets (individual devices or groups), and schedule. The fields vary for each type of operation.
The basic steps for adding a job are described below.
1. Click Jobs > Scheduled Jobs > New Job. The New Job Wizard presents its first screen, the Basic Info dialog.
2. In the Basic Info dialog, enter a name for your job.
3. Enter a description of the job. Good descriptions help to differentiate jobs when they have similar names.
4. Optional: Email the job results. Click Email results and select the condition. Then, enter the email(s) of the recipient(s) and click Next. You can choose to email the results when the job succeeds, fails, or for all conditions.
5. In the Operation dialog, select an operation from the drop-down list. Additional fields may display, depending on which operation you select. See "Job Operations" on the facing page.
6. After filling in the fields required for the operation you selected, click Next.
7. In the Targets dialog, select the Devices or Group tab. Add multiple devices or device groups by selecting the checkbox next to the names of devices or device groups. All selected targets appear in Selected Targets. When you have added all of the targets for the job, click Next.
8. In the Schedule dialog, define a schedule for the job. See "Job Scheduling Options" on page 328 for more information.
   - Immediate: automatically runs the job after it is created
   - No Schedule: no specific time or day is specified; when you are ready to run the job, use the Run Now button to manually execute the job
   - Run Once Only: specify the date and time to run the job
   - Periodic: runs the job every x number of minutes, hours, or days, starting at the specified time and date
   - Daily: runs the job every day at the specified time
   - Monthly: runs the job once a month on the specified day of the month and specified time of day
9. Click Finish.
The new job is available in the Scheduled Jobs section, or if you run the job immediately, the Job Progress window displays until you close it or select Continue in Background.
Schedule jobs to run when network performance is not impacted or jobs that recur often. Scheduling a job and executing a job (run now) apply different permissions. See "Reference: Understanding Job Permissions" on page 261.
The Jobs tab is one way to add a job in Management Center. Some operations have alternative methods for creating jobs. See the topics in the table below.
Operation | Refer to this topic
Execute Script | "Execute a Script" on page 150
Export Backups | "Export Device Backups" on page 85
Install Policy | "Install Policy" on page 227
Job Operations
When defining a job, additional fields may display, depending on which operation you select. The list below describes each operation and its associated fields.
* designates a required field

Encryption Phrase* - 1 or more characters, alphanumeric.
Username
Password

Operation | Description | Fields
Change Monitoring State | Activate or deactivate devices. Management Center actively monitors the health status of activated devices. Deactivated devices are not monitored. Whether you choose to activate or deactivate a device depends on your business requirements. You can also disable statistics monitoring without deactivating a device. See also "Monitor Device Health and Statistics" on page 90. | Change Health Monitoring state - Select the radio button and Activate Devices or Deactivate Devices. Change Statistics Monitoring state - Select the radio button and Enable Statistics Monitoring collection or Disable Statistics Monitoring collection.
Job Scheduling Options
Define a schedule for each job that you create or edit from the Schedule dialog in the Job wizard.
Verify that the time zone is configured for the region in which the job will occur. See "Synchronize the System Clock using NTP" on page 400.
Consider the following scheduling options.

Immediate
If you select Immediate, the job runs immediately after you finish creating or editing the job. To have the job listed on the Scheduled jobs page, select Save this job in Scheduled Jobs.
The job displays in Job History and Scheduled Jobs (if you selected the checkbox).

No Schedule
To run an on-demand job or to define the schedule later, select No Schedule.
Although the job does not have a schedule, it still displays in the Scheduled Jobs section. When you are ready to run the job, initiate the job manually by selecting Run Now. Management Center displays the "Are you sure you want to run the selected job now?" message. Click Yes. The Job History page displays the completed job.

Run Once Only
Certain jobs only need to be run once (for example, when you install policy to a device).
Select Run Once Only and then specify the date and time to run the job:
- In the Run at field enter the time (using a 24-hour clock) you want to run the job, or use the arrows to adjust the time.
- Click and select the day.
The job is listed in the Scheduled Jobs section until it runs at the scheduled time.

Periodic
You can schedule a job to run periodically, such as every two weeks or every three days. To specify a periodic schedule, you indicate the frequency the job should run and when you want the first job to run:
- Run every (number) of (minutes, hours, or days)
- Starting at (time) on (a specific date). Enter the time using a 24-hour clock.
The job will be listed in the Scheduled Jobs section.

Daily
You can schedule a job to run every day at a certain time. Specify the time using a 24-hour clock:
- Run at (hh):(mm)
The job will be listed in the Scheduled Jobs section.

Monthly
You can schedule a job to run monthly. To specify a monthly schedule, you indicate which day of the month to run the job as well as the time of day:
- Run on the (first, second, third, fourth, fifth) (Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday) of the month.
- Run on day (1-31) of the month.
- Run on the last day of the month.
- Run at (hh):(mm). Enter the time using a 24-hour clock.
The scheduled job will display in the Scheduled Jobs section.
It is important to remember that if the job that you are scheduling is big (meaning it will take a lot of time and resources), it is recommended you schedule the job to run during off-hours or on weekends.
Monitor Jobs
Scheduled Jobs lists all the jobs that have been created and are either scheduled to run or have no schedule and must be run manually. Use this screen to see when scheduled jobs will run next, when jobs have last run, how many times each job has run, and who created the job.
1. Select Jobs > Scheduled Jobs.
2. From this list of scheduled jobs, you can select a job and perform any of the following tasks on the job:
   - Edit: Change any of the job parameters (basic information, operation parameters, targets, schedule). See "Edit a Job" on the facing page.
   - Delete: Permanently remove the job from the list of scheduled jobs
   - Enable: Re-enable a job that has been disabled
   - Disable: Disable the job so that it will not run as scheduled
   - Run Now: Initiate the operation of the job; any job can be manually run unscheduled as well as scheduled
   You can also right-click a job and select the task from the menu.
By default, jobs are sorted alphabetically by name. To sort by a different column:
1. Hover the mouse on the column heading you want to sort by, on the right edge of the column.
2. Click the triangle and select Sort Ascending or Sort Descending.
Edit a Job
You can edit any job listed on the Scheduled Jobs page.
1. Select Jobs > Scheduled Jobs.
2. Select the name of the job that you want to edit. Click Edit. The web console displays the Edit Job Wizard.
3. Edit the information on each tab as needed to complete the job:
   - Basic Info: Change the job name, description, and whether to email job results. A red asterisk (*) denotes fields that are mandatory.
   - Operation: Change any of the fields specific to the operation. (See "Job Operations" on page 325 for details.) However, you cannot modify the operation itself; if you want to change the operation, you will need to create a new job.
   - Targets: Based on the operation, you can either add or remove targets, or a message displays stating that the job will run on the targets already specified.
   - Schedule: From Schedule, you can choose from the following schedule types. (See "Job Scheduling Options" on page 328.)
     - Immediate
     - No Schedule
     - Run Once Only
     - Periodic
     - Daily
     - Weekly
     - Monthly
4. Click Save.
View Current Jobs
The Current Jobs section displays all currently running jobs. To view jobs that have already occurred, see "View Job History" on page 334. To view all scheduled jobs, see "Monitor Jobs" on page 330. To cancel a currently running job, see "Cancel a Currently Running Job" on the facing page.
1. Select Jobs > Current Jobs. The top pane displays the following details:
   Column | Description
   Name | This is the name you gave the job when you created it. See "Add a Job" on page 324.
   Status | This is the current status of the job. The status of a job changes from Running to Complete.
   Progress | This progress bar is constantly updating. You can view in real-time the progress of the current job. The color of the progress bar correlates with the top of the web console banner.
   Start Time | This shows the start time (in a 24-hour clock format) of the current job.
   End Time | This shows the end time (in a 24-hour clock format) of the current job.
   Description | This is the description you gave the job when you created it. Although entering a description is optional, the description (and name) help differentiate versions of similar jobs. For example, a common job is "Backup", but without a good description it is difficult to see which devices are currently being backed up.
   Each time you start a job manually a Job Progress window displays. If you want to run the script in the background (and get rid of the window) while you do other tasks in Management Center, click Continue in Background.
2. If you select a name of a currently running job in the top pane, the details of that job appear in the two bottom panes.
3. The Job Progress Summary pane includes filters for the device on which the job is currently running. To cancel a currently running job, click Cancel.
If you have too many jobs going to keep track of, you can filter the results by:
- Complete = Green
- Error = Red (Hover your mouse over all jobs with errors to view the details of the error)
- Warning = (Hover your mouse over all jobs with warnings to view the details of the warning)
- Running = Grey (Grey signifies inactivity)
For more information on colors and status indicators, see "About Color-Coded Status Indicators" on page 28.
Cancel a Currently Running Job
To cancel a currently running job, select Jobs > Current Jobs.
1. Select the job you want to cancel.
2. Click Cancel.
   Some steps of a job that are currently in progress will run to completion instead of being canceled.
3. Ensure that the job running is canceled by checking the Status column and the Job Results pane. Check for errors! Errors appear red with an exclamation mark in the Status column:
4. All jobs that you successfully cancel are obvious in the web console. Canceled jobs appear as:
   Some jobs have multiple commands running on multiple devices. The more complex a job is, the more errors may occur when you choose to cancel a running job.
View Job History
View all past jobs and their status. The Job History section is similar to the Current Jobs list, but the Job History displays thousands of results of jobs that have already occurred. The Current Jobs section displays currently running jobs. To view currently running jobs, see "View Current Jobs" on page 332. To view all scheduled jobs, see "Monitor Jobs" on page 330.
You can view more details of a completed job from Job History.
1. Select Jobs > Job History.
2. The Job History top pane displays the following details about each completed job:
   Column | Description
   Name | This is the name you gave the job when you created it. See "Add a Job" on page 324.
   Status | This is the status of the job. More details are available about the job.
   Progress | This progress bar displays completed jobs, with the latest job that was run always on top.
   Start Time | This shows the start time (in a 24-hour clock format) of the selected job.
   End Time | This shows the end time (in a 24-hour clock format) of the selected job.
   Description | This is the description you gave the job when you created it. Although entering a description is optional, the description (and name) help differentiate versions of similar jobs. For example, a common job is "Backup", but without a good description it is difficult to distinguish the different backups that occurred.
3. If you select a name of a job in the top pane, the details of that job appear in the two bottom panes. The Job Name and the Job Results are detailed in the bottom panes. You can copy and paste the text in these panes. The text in the Status field is especially useful for debugging.
   Management Center can be down while a job is running. The jobs that run while Management Center is down never appear in Current Jobs but they will appear in Job History when Management Center is back up and running.

View Job Progress
The Job Progress Summary pane includes filters for the device on which the jobs have run or are currently running. If you need to filter the Job History results, you can filter the results by:
- Complete = Green (Green indicates that the job is running or has already run successfully)
- Error = Red (Red signifies that the job did not run because of an error. Select the job name to drill down for the details)
- Warning = Yellow (Yellow signifies the job ran, but issues occurred. Select the job name to drill down for the details)
- Running = Green or Grey (Grey signifies inactivity)
When the Job Progress window displays a currently running job that is taking a long time, you have the option to Continue in Background.
For more details on the use of color and status indicators, see "About Color-Coded Status Indicators" on page 28.
You cannot delete a job from Job History; you can only cancel a currently running job. See "Cancel a Currently Running Job" on page 333.
Management Center Reports
Management Center allows you to consolidate data from all, or a group of, ProxySG appliances you have added as managed network devices. Management Center offers Statistics Monitoring and Reporter reports.

Statistics Monitoring Reports
Statistics Monitoring reports consolidate statistics from your managed ProxySG devices. There are two categories of Statistics Monitoring reports:
- Devices: a variety of reports about the network traffic seen by a single ProxySG device, ProxySG appliances in a device group, or all ProxySG devices
- WAN Optimization: reports for ProxySG appliances with a Proxy or MACH5 Edition license.
"View Statistics Monitoring Reports" on page 376
For descriptions of each report, refer to "Reference: Statistics Monitoring Reports in Management Center" on page 377.

Reporter Reports
If you have integrated Blue Coat Reporter into Management Center, additional sets of reports are available to you. Reporter reports are grouped into the following categories:
- Security: reports that reveal activity on the network that may pose security or liability concerns.
- Web Applications: reports that provide insight into the web applications being accessed on your network, as well as the riskiness of these applications.
- User Behavior: reports that give you insight into the web sites and categories of web traffic users are viewing or are blocked from viewing, and the amount of web traffic for different time periods.
- Bandwidth Usage: reports that analyze hourly, daily, and monthly bandwidth usage on the network, and estimate the time and data cost of that usage.
"Integrate Reporter into Management Center" on the next page
For descriptions of each of these reports, see "Reference: Report Descriptions" on page 351.
Integrate Reporter into Management Center
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

Prerequisites
- Obtain or verify administrator access to Reporter Enterprise Server 10.1.x or later.
- Verify that Reporter Enterprise Server is deployed inline with ProxySG appliances within your network.
- Ensure that you have access to a Reporter Enterprise Server (username and password).
- To be able to view Reporter reports on managed devices, you will need to add a Reporter Enterprise Server from the Network tab.

Procedure
To integrate Reporter so that you can view Reporter reports in the Management Center web console:
1. Verify prerequisites above.
2. Add Reporter as a managed device in Management Center.
3. "View a Reporter Report" on page 339.
Add Reporter as a Managed Device
Before you can view Reporter reports in Management Center, you need to add a Reporter device.
1. Select the Network tab.
2. (Optional) Browse to the hierarchy and folders/subfolders where you want to add Reporter.
3. Click Add Device. The Add Device wizard begins. A red asterisk (*) denotes fields that are mandatory.
4. Specify the following Connection Parameters:
   - In the Deployment Status drop-down list, select Existing device.
   - In the Device Type drop-down list, select Reporter.
   - Enter Reporter's IP address or hostname.
   - Enter the username and password you use to authenticate to the device.
   - Specify the role assigned to this user in Reporter.
5. Click Test Connection. Management Center attempts to connect to Reporter using the information you entered.
   If the connection test fails, you will receive an error. Make sure that the information you entered is correct and try again. If the connection test succeeds, you receive a success message and the wizard prompts you to continue.
6. Click Next. Enter a name and description for the Reporter Enterprise Server.
7. Click Next. Enter the Membership such as the Location, Organization, or the name of the device group to which the Reporter Enterprise Server will belong.
8. Click Next. Enter the System or User-Defined Attributes. See "Manage Attributes" on page 297.
9. Click Finish. The Network tab displays Reporter in the device list and the web console displays an alert indicating that the device was added and activated. You can now generate Reporter reports.
View a Reporter Report
Reporter reports can only be viewed if you have already added the Reporter Enterprise Server as a managed device.
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
The procedure below documents an example of how to view a Reporter report. This example uses the Security report Trend of Blocked Requests.
1. Select Reports > Reporter.
2. Select a role and the Reporter database from the Database drop-down list at the top of Reports Home. The database you select determines the list of available reports.
   If the database you want is not available, see "Determine Why A Reporter Database Does Not Display" on page 368.
   Reporter has the following report categories:
   - Security
   - User Behavior
   - Log Detail
   - Bandwidth Usage
   - Web Applications
3. In this example, select Trend of Blocked Requests in the Security list. A default line graph is displayed with Average Requests and a Normal Request Range. Line graphs show how data for the trend changes over time. Average Requests represent the average number of blocked requests specific to your organization. The Normal Request Range is a calculation that produces a "normal" range of blocked requests specific to your organization.
4. (Optional) Change the date filter to display a different time range on the report. The default time range is 7d (7 days).
5. (Optional) From the Quick Pick drop-down, select a type of relative date filter, for example, Before or Since.
6. (Optional) Change the report view:
   - To display the bottom columns only, select .
   - To display the graph only, select .
   - To display both the bottom columns and the graph, select .
7. (Optional) To change the graph type, select . Graph types include:
   - Area - An area graph displays quantitative data graphically. It is based on the line chart. The area between axis and line is commonly emphasized with colors and textures. Commonly used area graphs compare one area with two or more areas.
   - Bar - A bar graph presents grouped data with rectangular bars with lengths proportional to the values that they represent. The bars are plotted horizontally and show comparisons among categories. One axis of the graph shows the specific categories being compared, and the other axis represents a discrete value. Grouped bar graphs display bars clustered in groups of more than one bar graph.
   - Column - A column graph presents grouped data with rectangular bars with lengths proportional to the values that they represent. The bars are plotted vertically and show comparisons among categories. One axis of the graph shows the specific categories being compared, and the other axis represents a discrete value. Grouped column graphs display bars clustered in groups of more than one column graph.
   - Line - Line graphs show how data for one data type changes over time.
   - Pie - A pie graph is a circular statistical graphic, divided into slices to illustrate numerical proportion. In a pie graph, the arc length of each slice (and thus the central angle and area), is proportional to the quantity it represents. The pie chart displays the value name and metric when a user hovers the mouse over a section.
8. The default overlay for the Trend of Blocked Requests report is Requests. (Optional) To add or change overlays, select an overlay from the legend on the right of the report:
   - Requests
   - Page Views
   - Browse Time
   - Cost (Time)
   - Cost (Bytes)
   - Total Bytes
   - Bytes Sent
   - Bytes Received
   Each overlay is represented by a different color and pattern.
9. (Optional) View the report with all overlays applied:
10. (Optional) To view data from a different Reporter database, select a database from the Database drop-down list at the top of Reports Home. The data set is different, thus the reports and widgets will change based on the database selected. Reports already open from other databases still appear in the left pane.
11. (Optional) In addition to a graph, each report has a data grid displaying the statistics used in the graph. You can drill down into this data to display additional reports. For example, if a Category report is displayed, you can select one of the categories in the data grid and drill down to find out what sites are being viewed and who is viewing them. To drill down in a report:
    a. Select the row in the data grid that you want to drill down into.
    b. Click to display a list of fields you can view details on.
    c. Select the desired field you want more information about, or select More Fields or Trend Fields to see additional options. The drill down report displays in a new report tab.
    d. Continue drilling down, as necessary.
    Another way to display the Drilldown menu is to right-click the row in the data grid.
12. (Optional) Generate an Overview report of items in the data grid. To see more information about an item in the report, click the hyperlink to launch an Overview report for that item. For example, if you click the hyperlink for Facebook, the Overview report will show a daily trend of traffic to Facebook, the top users and Client IPs accessing Facebook, and a breakdown of the protocols used to access Facebook.
13. (Optional) Filter or change the report criteria.
Customize Reporter Report Options
Starting with Management Center 1.6, you can customize every Reporter report. In some cases, these reports can take significantly longer to run than the standard reports available on Management Center. These reports cannot be saved for later use.
You can alter what is reported in the following ways:
- "Add Report Filters" below
- "Change the Report Summary" on page 346

Add Report Filters
1. Select a Reporter database.
2. Select the desired report.
3. (Optional) Adjust the report settings (date range, format, and so on).
4. To customize the report, select the gear icon in the upper right corner.
5. Add a filter.
   a. Go to Filters and click Add Filter.
   b. Select a field.
   c. Select the appropriate operator. The available operators change depending on the selected action.
   d. Select or enter a value.
6. (Optional) Add another filter by repeating step 5. You can add any number of filters.
7. Click Run Report.
Examples
Example1:IftheadministratorselectsthefilterSite,theoperatorcontains,andentersfacebookforthevalue,thereport
returnsonlysitesthatcontainthestring"facebook."
Example2:IftheadministratorselectsthefilterClientIP,theoperatormatches,andenterstheIPaddressrange
10.1.1.0/22,thereportincludesalladdressesinthatnetworkmask.
Example3:IftheadministratorselectsthefilterHoursofDay,theoperatorinbetween,andselectsthehours9a.m.and
5p.m,thereportincludesdataonlyforthetimebetween9and5.
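The three filter examples above, worked through in Python as an added illustration (this is not code from the guide or from Reporter). The record keys, the case-insensitive contains match, the masking of host bits in the CIDR value, the exclusive end hour and the AND combination of filters are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime

# Constructed sample records, not real Reporter data. The keys "site",
# "client_ip" and "time" are hypothetical stand-ins for the report fields
# Site, Client IP and Hours of Day.
RECORDS = [
    {"site": "www.facebook.com",    "client_ip": "10.1.0.17",  "time": "2016-03-01T09:15:00"},
    {"site": "static.Facebook.net", "client_ip": "10.1.3.200", "time": "2016-03-01T16:59:59"},
    {"site": "example.org",         "client_ip": "10.1.4.1",   "time": "2016-03-01T12:00:00"},
    {"site": "m.facebook.com",      "client_ip": "10.1.2.9",   "time": "2016-03-01T17:30:00"},
    {"site": "example.org",         "client_ip": "10.1.1.5",   "time": "2016-03-01T08:59:00"},
    {"site": "example.net",         "client_ip": "not-an-ip",  "time": "2016-03-01T10:00:00"},
]


def effective_network(cidr):
    """Return the network a CIDR value actually covers.

    The value 10.1.1.0/22 from Example 2 has host bits set. With
    strict=False they are masked off, giving 10.1.0.0/22, which spans
    10.1.0.0 through 10.1.3.255 (1024 addresses).
    """
    return ipaddress.ip_network(cidr, strict=False)


def site_contains(value):
    """Example 1: Site / contains (assumed case-insensitive)."""
    needle = value.lower()
    return lambda rec: needle in rec["site"].lower()


def client_ip_matches(cidr):
    """Example 2: Client IP / matches a CIDR range."""
    net = effective_network(cidr)

    def check(rec):
        try:
            return ipaddress.ip_address(rec["client_ip"]) in net
        except ValueError:
            return False  # a malformed address never matches
    return check


def hours_in_between(start_hour, end_hour):
    """Example 3: Hours of Day / in between (end hour assumed exclusive)."""
    def check(rec):
        hour = datetime.fromisoformat(rec["time"]).hour
        return start_hour <= hour < end_hour
    return check


def run_report(records, filters):
    """Keep the records that satisfy every filter (AND is an assumption)."""
    return [rec for rec in records if all(f(rec) for f in filters)]


if __name__ == "__main__":
    net = effective_network("10.1.1.0/22")
    print("10.1.1.0/22 covers", net[0], "to", net[-1])
    combined = [site_contains("facebook"),
                client_ip_matches("10.1.1.0/22"),
                hours_in_between(9, 17)]
    for rec in run_report(RECORDS, combined):
        print(rec["site"], rec["client_ip"], rec["time"])
```

Checking the effective range before relying on a Client IP filter shows whether a value such as 10.1.1.0/22 pulls in more clients than intended.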
Change the Report Summary
This section describes how to change the report summary.
Change the number of displayed items per page.
1. In the Summarize By field, change the Display: value.
2. Change other options as desired.
3. Click Run Report.
Change the report summary. That is, change the focus of the report.
1. In the Summarize By field, change the Summarize By: value.
2. Change other options as desired.
3. Click Run Report.
When you change the Summarize By: field, a new report is generated and the name of the report is changed to match your
selection. The previous report is still available in the left pane.
Create a two-level report.
1. In the Summarize By field, click Summary Type: Two Level.
2. Select the two values to report. In the following example, the report is summarized by Day and then by Verdict.
3. Change other options as desired.
4. Click Run Report.
Set Time Zone for Reporter Reports
Associate a custom time zone with your user profile. That time zone is then used for all Reporter reports. Each user can
set a different time zone without affecting other users' views.
1. In the web console banner, click and select your username.
The username for the standard Admin login is "Management Center."
2. Select the Reporter Time Zone tab.
3. Select the new time zone.
4. Click Save.
5. When you open a Reporter report, note the new time zone icon.
6. Verify your settings by opening a Reporter report and hovering over the time zone icon.
Once set, you can change the time zone by clicking the time zone icon.
Reference: Report Descriptions
The following report groups are available if you have integrated Reporter 10.1.x or later with Management Center:
- Security
- User Behavior
- Bandwidth Usage
- Web Applications
- Log Detail
Some reports require Reporter 10.1.3.x or later. These requirements are noted in the report description.
From the Database drop-down list, select the Reporter database to use in your reports. The information displayed in the
report group will differ according to the database selected. For example, WAF database reports contain an Actions report in
the Security group. That report is not displayed for other databases.
The following tables briefly describe the default graph in each of the Reporter reports. In addition to a graph, each report has
a data grid displaying the statistics used in the graph; you can drill down into this data for more details. Note that you have
many options for customizing reports: displaying just the graph, displaying just the data grid, changing the graph type,
specifying a date filter, and selecting/unselecting overlays. See "View a Reporter Report" on page 339 for details.
Reporter reports in Management Center are derived from Reporter database log files, and these reports may be
different or enhanced from similar reports in Reporter Enterprise Server.
Security
The Security reports reveal activity on the network that may pose security or liability concerns. The available reports may
differ depending on the selected database type.
Report: Description of Default Graph
Potentially Infected Clients - Unified: To view this report, you must add a Reporter appliance running 10.1.4.x or later and select a unified database.
  Reporter 10.1.4 introduces the ability to create a database that includes malware scanning and sandboxing results from the Blue Coat Content Analysis (CA) appliances and Malware Analysis (MA) appliances that are deployed as part of your SGOS proxy security solution. These reports are called Unified reports.
  Displays an area, bar, column, or pie chart of the client IP addresses that might be infected by malicious content, as found by sandboxing, file reputation, predictive analysis score, anti-virus, and WebPulse. By default, the report lists each IP address, sorted by the number of risky requests.
Potential Malware Infected Clients: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays a bar chart of the client IP addresses that might be infected by malicious content, as found by sandboxing, file reputation, anti-virus, WebPulse. By default, the report lists each IP address, sorted by the number of risky requests.
Malware Detected Names: Displays a bar chart of the names of the malware detected by CAS / Proxy AV. To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Note: This report will be blank if user name data isn't available in the Reporter log file.
Blocked Users: For each user, this report shows a bar chart of the number of requests that were blocked due to the URL being from one or more of the following categories: Spyware, Suspicious, Phishing, or Malicious.
  Note: This report will be blank if user name data isn't available in the Reporter log file.
Blocked Request by User Agent: For each user agent (browser + version), the report shows a bar chart of the number of blocked web requests to URLs from one of the following categories: Spyware, Suspicious, Phishing, or Malicious.
Threat Sites Blocked: Displays a bar chart of the websites that had blocked web requests to URLs from any of the following categories: Spyware, Suspicious, Phishing, or Malicious. The sites with the most blocked web requests appear at the top of the report.
Trend of Risky Requests: Displays a line graph that shows the number of risky web requests (for example, requests to URLs of malware categories) over the specified time period. The graph contains a shaded area that represents the normal requests range, which is a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of risky web requests during the last month.
Trend of Risky Users: Displays a line graph that shows the number of users making requests to URLs of risky categories (Spyware, Suspicious, Phishing, or Malicious) over the specified time period. The graph contains a shaded area that represents the normal count range, which is a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of users making risky web requests during the last month.
  Note: User drill-downs are blank if user name data isn't available in the Reporter log file.
Trend of Blocked Requests: Displays a line graph that shows the number of web requests that were blocked over the specified time period. The requests could be blocked for a variety of reasons, such as due to deny policies on the ProxySG. The graph contains a shaded area that represents the normal requests range, which is a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of risky web requests blocked during the last month.
Trend of Blocked Users: Displays a line graph that shows the number of users who were blocked over the specified time period. The users could be blocked for a variety of reasons, such as due to deny policies on the ProxySG. The graph contains a shaded area that represents the "normal count range," a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of users blocked during the last month.
  Note: User drill-downs are blank if user name data isn't available in the Reporter log file.
Trend of Risky Clients: Displays a line graph that shows the number of client IP addresses that accessed URLs in the following categories: Spyware, Suspicious, Phishing, or Malicious. The graph contains a shaded area that represents the "normal count range," a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of client IPs that were potentially infected during the last month.
Threats: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays a bar chart that provides details for the number of threats discovered by each detection method (Sandboxing, File Reputation, Anti-virus, WebPulse).
Threats - Unified: To view this report, you must add a Reporter appliance running 10.1.4.x or later and select a unified database.
  Reporter 10.1.4 introduces the ability to create a database that includes malware scanning and sandboxing results from the Blue Coat Content Analysis (CA) appliances and Malware Analysis (MA) appliances that are deployed as part of your SGOS proxy security solution. These reports are called Unified reports.
  Displays an area, bar, column, or pie chart that provides details for the number of threats discovered by each detection method (sandboxing, file reputation, predictive analysis score, anti-virus, WebPulse).
  If Malware Analysis processing results in a detonation, the Malware Analysis sends that result to the Content Analysis, which notifies the SGOS proxy device. The SGOS proxy device caches the result and blocks subsequent requests that match. However, the log entries for these cache block actions do not contain the sandboxing vendor or score. Because of this, you might not see the Malware Analysis benefits reflected in the reports. For example, the SGOS proxy device might block 20 requests that match a cached result; the Malware Analysis is credited with only one result (the one that resulted in the cache entry). However, when the SGOS proxy device receives a clear cache action (for example, when new AV patterns are loaded), the Malware Analysis action re-occurs on the next request.
Trend of Threats: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays a column chart that shows the trend over time for each detection method (Sandboxing, File Reputation, Anti-virus, WebPulse).
Trend of Threats - Unified: To view this report, you must add a Reporter appliance running 10.1.4.x or later and select a unified database.
  Reporter 10.1.4 introduces the ability to create a database that includes malware scanning and sandboxing results from the Blue Coat Content Analysis (CA) appliances and Malware Analysis (MA) appliances that are deployed as part of your SGOS proxy security solution. These reports are called Unified reports.
  Displays an area, bar, column, or pie chart that shows the trend over time for each detection method (sandboxing, file reputation, predictive analysis score, anti-virus, WebPulse).
Threats - WAF: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the number of threats by category (attack family or anti-virus). Each colored section represents a threat type and corresponding number of incidents.
Trend of Threats - WAF: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the trend over time for anti-virus and attack family threats.
Actions: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows action-related data. This data includes requests, page views, browse time, cost (time), cost (bytes), total bytes, bytes sent, bytes received, cache bytes, server bytes, bytes saved.
Methods: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows data per HTTP method. These actions include requests, page views, browse time, cost (time), cost (bytes), total bytes, bytes sent, bytes received, cache bytes, server bytes, bytes saved.
Attack Families: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the number of requests per attack type (for example, SQL injection). The data corresponds to that recorded for the x-bluecoat-waf-attack-family log field. Each slice represents an attack type. The chart displays only the top ten attack types.
Attack Families Per Country: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the total number of attacks per country. The bar is segmented; each color represents a different attack type. The chart displays only the top ten countries. The data is based on geolocation data and is only shown when either x-bluecoat-waf-attack-family or x-virus-id does not include -.
Sandboxing Risk Score: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays a pie chart that shows the number of requests in each risk score. Each slice represents a risk score.
Trend of Sandboxing: To view this report, you must add a Reporter appliance running 10.1.4.x or later.
  Displays an area, bar, column, or pie chart that shows the trend over time for each risk score.
Trend of Predictive Analysis: To view this report, you must add a Reporter appliance running 10.1.4.x or later.
  Displays an area, bar, column, or pie chart that shows the trend over time for each predictive analysis score.
Trend of File Reputation: To view this report, you must add a Reporter appliance running 10.1.4.x or later.
  Displays an area, bar, column, or pie chart that shows the trend over time for each file reputation score.
File Risk Score: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays a pie chart that shows the number of requests in each risk score. Each slice represents a risk score.
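The Attack Families and Attack Families Per Country descriptions in the table above state how those charts derive from the x-bluecoat-waf-attack-family and x-virus-id log fields. The Python below is an added sketch of that derivation over constructed records, not Reporter's own code. The "country" key, the "anti-virus" segment label for records that carry only a virus id, the tie-break by country name and every sample value are assumptions.

```python
from collections import Counter, defaultdict

FAMILY = "x-bluecoat-waf-attack-family"  # log field named in the table above
VIRUS = "x-virus-id"                     # log field named in the table above
COUNTRY = "country"                      # hypothetical key for the geolocation result
EMPTY = "-"                              # value logged when nothing was detected
TOP_N = 10                               # both charts show only the top ten


def rec(family, virus, country):
    """Build one constructed log record."""
    return {FAMILY: family, VIRUS: virus, COUNTRY: country}


# Constructed sample records (not real log data).
SAMPLE = [
    rec("SQL injection", "-", "US"),
    rec("SQL injection", "-", "US"),
    rec("Cross-site scripting", "-", "US"),
    rec("-", "-", "US"),                    # clean request, counted nowhere
    rec("-", "constructed-virus-id", "DE"),  # anti-virus hit without an attack family
    rec("SQL injection", "-", "DE"),
    rec("Cross-site scripting", "-", "FR"),
    rec("-", "-", "FR"),                    # clean request, counted nowhere
]


def has_value(record, field):
    """True when the field holds something other than the '-' placeholder."""
    return record.get(field, EMPTY) not in (EMPTY, "")


def attack_families(records, top_n=TOP_N):
    """Requests per attack type, largest first, limited to the top ten."""
    counts = Counter(r[FAMILY] for r in records if has_value(r, FAMILY))
    return counts.most_common(top_n)


def attack_families_per_country(records, top_n=TOP_N):
    """Attacks per country, segmented by attack type, top ten countries.

    A record counts when either field is set. Records with only a virus id
    are put in an "anti-virus" segment (an assumption of this example).
    """
    per_country = defaultdict(Counter)
    for r in records:
        if not (has_value(r, FAMILY) or has_value(r, VIRUS)):
            continue
        segment = r[FAMILY] if has_value(r, FAMILY) else "anti-virus"
        per_country[r.get(COUNTRY, "unknown")][segment] += 1
    ranked = sorted(per_country.items(),
                    key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(country, dict(segments)) for country, segments in ranked[:top_n]]


if __name__ == "__main__":
    print(attack_families(SAMPLE))
    for country, segments in attack_families_per_country(SAMPLE):
        print(country, segments)
```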
User Behavior
The User Behavior reports give you insight into the websites and categories of web traffic users are viewing or are blocked
from viewing, and the amount of web traffic for different time periods.
Report: Description of Default Graph
Blocked Requests by Site: Displays a bar graph that shows the number of web requests that were blocked on each website. The sites with the most blocked requests appear at the top of the report.
Blocked Requests by Category: Displays a bar graph that shows the number of web requests that were blocked in each URL category. The categories with the most blocked requests appear at the top of the report.
Blocked Requests by User: Displays a bar graph that shows the number of web requests that were blocked for each user. The users with the most blocked requests appear at the top of the report.
  Note: This report will be blank if user name data isn't available in the Reporter log file.
Filtering Verdict Trend by Day: Displays a stacked column graph that shows the number of web requests that triggered specific policy verdicts. By default, all verdicts are selected; you will want to select just the policy verdicts you are interested in (such as connect_method_denied and policy_denied).
Sites: Displays a bar graph that lists the websites with the most page views. For each website, the graph illustrates the number of page views during the specified time period. The site with the most page views appears at the top of the report.
Categories: Displays a pie chart that shows the categories with the most page views; all other categories are combined into an Other slice.
Categories per User: Displays a bar graph that lists the names of the most active users and indicates the most accessed URL categories for the pages they viewed. The graph shows the number of pages viewed in each category for each user.
  Note: This report will be blank if user name data isn't available in the Reporter log file.
Users: A bar graph that shows the users with the most page views during the specified time period. The user with the most page views appears at the top of the report.
  Note: This report will be blank if user name data isn't available in the Reporter log file.
Client IPs: Displays a bar graph that shows the client IP addresses with the most page views during the specified time period. The client IP with the most page views appears at the top of the report.
User Agent Families: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the top 10 client user agent families (not user agent strings). For example, Firefox.
Countries: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the top ten countries per number of requests (based on geolocation data).
Protocols: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the number of requests per protocol. The chart shows only the top 10 protocols.
Days: Displays an area graph that shows the number of web requests for each day in the selected time period.
Days of Week: Displays a column graph that shows the number of web requests for each day of the week in the selected time period. For example, the Monday column reflects the total of all requests that were made on Mondays during the time period. This report allows you to see how the trends in web browsing differ by day of the week.
Hours of Day: This column graph totals web requests for each hour of the day. For example, every Web page request that occurred at 9am, 10am, and so on. This allows you to analyze which hours are consistently the heaviest with Web requests. Network administrators might use this data to adjust bandwidth policy.
Months: This report totals web requests for each month. For example, every web page request that occurred in January, February, and so on. This allows you to drill down each month and analyze trends.
Trend of Discovered Users: Displays the number of unique users per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Trend of Discovered Client IP Addresses: Displays the number of unique IP addresses per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Bandwidth Usage
Use the Bandwidth Usage reports to analyze hourly, daily, and monthly bandwidth usage on the network, and to estimate
the time and data cost of that usage.
The cost-related reports calculate bandwidth cost based on the Cost per MB and Cost per Hour settings in Reporter. For
example, if Cost per Hour is set to $10, the Cost (Time) value is calculated by multiplying the time spent web browsing by
$10. Or if Cost per MB is set to $4, the Cost (Bytes) value is calculated by multiplying the number of megabytes of traffic
by $4.
Report: Description of Default Graph
Cost per User: The data in this bar graph approximates the cost accrued per user based on total bytes of throughput and time spent web browsing. Reporter lists each user, sorted by the total cost of bandwidth.
  Note: This report is blank if user name data isn't available in the Reporter log file.
Cost per User and Site: Displays a bar graph that shows the total bandwidth cost for the websites each user visited during the selected time period. The users with the highest bandwidth cost appear at the top of the graph.
  Note: This report is blank if user name data isn't available in the Reporter log file.
Cost per Hour of Day: Displays a column chart that shows the total cost of time and bandwidth for each hour of the day. For example, total cost at 9am, 10am, and so on. This allows you to analyze which hours have the most traffic and are therefore most expensive. Network administrators might use this data to adjust bandwidth policy.
Cost per Day: Displays an area chart that shows the cost of time and bandwidth each day in the specified time period.
Cost per Day of Week: Displays a column graph that shows the total cost of time and bandwidth each day of the week in the selected time period. For example, the Monday column reflects the total cost on Mondays during the time period. This report allows you to see how the cost of web usage differs by day of the week.
Cost per Month: This area graph totals time and bandwidth costs for each month. For example, total costs in January, February, and so on. This allows you to drill down each month and analyze trends.
Bandwidth per Hour of Day: This column chart shows the total bytes sent and received for each hour of the day. For example, total bandwidth usage at 9am, 10am, and so on. This allows you to analyze which hours have the most traffic. Network administrators might use this data to adjust bandwidth policy.
Bandwidth per Day: This area chart shows the total bytes sent and received each day in the specified time period, allowing you to see a trend of bandwidth usage over time.
Bandwidth per Day of Week: This column graph shows the total bytes sent and received each day of the week in the selected time period. For example, the Monday column reflects the amount of bandwidth used on Mondays during the time period. This report allows you to see how the trends in web usage differ by day of the week.
Bandwidth per Month: This area chart shows total bandwidth used each month. For example, total bytes in January, February, and so on. This allows you to drill down each month and analyze trends.
Server IPs: To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later.
  Displays an area, bar, column, or pie chart that shows the number of requests per server IP address. You can also select other data, including requests, page views, browse time, cost (time), cost (bytes), total bytes, bytes sent, bytes received, cache bytes, server bytes, and bytes saved.
Log Detail
The Log Detail reports provide information about the bcreporterwarp_v1 access log fields.
Report: Description of Default Graph
Full Log Details: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays a grid report of the access log fields associated with the selected database. For example, if a WAF database is selected, this report shows data for the bcreporterwarp_v1 access log.
Blocked Log Details: To view this report, you must add a Reporter appliance running 10.1.3.x or later.
  Displays a grid report of the access log fields for blocked requests associated with the selected database. For example, if a WAF database is selected, this report shows data for the bcreporterwarp_v1 access log.
Web Applications
The Web Application reports provide insight into the web applications being accessed on your network, as well as the
riskiness of these applications.
Report: Description of Default Graph
Web Applications: A bar graph that shows the number of requests for each web application during the specified time period. The web applications having the most web requests appear at the top of the report. Use this report to see what types of web application traffic are running on your network.
Web Applications by Users: Displays a pie chart of the top web applications as calculated by the number of users accessing the content over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Web Applications by Client IPs: Displays a pie chart of the top web applications as calculated by the number of unique IP addresses accessing the content over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Blocked Web Applications: Displays a bar graph that shows the number of web requests denied by a policy verdict (that is, blocked) for each web application during the specified time period. The web applications with the most blocked requests appear at the top of the report. Use this report to confirm that policies are being enforced properly.
Trend of Active Web Applications: Displays the number of unique web applications per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Trend of Web Application Traffic: Displays total bytes sent, bytes received, and the number of requests per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Web Application Operations: Displays a bar graph that shows the number of requests for different web application operations (such as Play Video, Download Files, Upload Media) during the specified time period.
Users of Risky Applications: Risky applications are those with risk scores greater than 7. Ranked by total bytes received, this report lists users who have accessed web applications that are widely deemed as risky for business network use (a risk score greater than 7).
  Note: This report will be blank if user name data isn't available in the Reporter log file.
Web Applications per Risk: Displays a pie chart that shows the number of requests for web applications at each risk score. For example, the report shows a bar for each risk score (1, 2, and so on) with different color segments representing different web applications. The length of each segment corresponds to the number of requests for that application.
  Tips:
  - Sort the values in the Web Application column to alter the pie chart to show the corresponding data.
  - You may want to turn off the Other overlay, if this segment has a significant number of requests.
Users Per Risk Score: Shows the number of users per risk score (1 to 10) over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Risk Distribution: Displays a pie chart that shows the percentage of requests at each risk level. Each slice represents a risk level.
Risk Distribution Per User: Displays a color-coded bar chart that shows the amount of traffic (hits and bytes) for each risk score (1 to 10) per user over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Trend of Risk Distribution: Displays a color-coded bar chart representing the amount of traffic (hits and bytes) for each risk score (1 to 10) per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later.
Social Media Activity: Displays a bar graph that shows the number of requests for each operation (such as Post Messages and Upload Media) used in social networking web applications. The operations that have the most activity appear at the top of the report.
Social Media Applications: Displays a bar graph that shows the number of requests for each social networking application (Facebook, Twitter, Pinterest, and so on). The social networking applications with the most requests appear at the top of the report. With this report, you can see how much social media traffic your network has and which applications are most popular. Depending on company policy, you may decide to put controls on social networking after viewing this report.
Facebook Users: Displays a bar graph that shows the number of Facebook requests by each user. The names of the users with the most Facebook requests appear at the top of the report. This report allows you to see who the most active Facebook users are.
  Note: This report will be blank if user name data isn't available in the Reporter log file.
Facebook Categories: Displays a bar chart that shows the amount of traffic attributed to different categories of Facebook traffic (other than social networking). For example, you can see the number of Facebook requests that are for games or messaging.
Mail Activity: Displays a bar graph that shows the number of requests for various email operations. For example, you can see the number of requests for Send Email, Download Attachment, and Upload Attachment operations for email web applications.
Mail Applications: Displays a bar graph that shows the number of requests for web mail applications (Gmail, Yahoo Mail, Hotmail, and so on). The email applications with the most requests appear at the top of the report. This report allows you to determine the most popular web mail applications on your network.
Top Mail Senders: Displays a bar graph that shows, for each user, the number of requests for Send Email or Send Attachment operations. This report allows you to see which users are the biggest web mail consumers. The IP addresses of the users with the most web mail traffic appear at the top of the report.
Search Terms: Displays a bar graph that displays top search terms that users enter in browser search engines (Google, Yahoo, Bing, and so forth). You can drill down to find the user(s) who searched for the term and which search engine was used.
Search Applications: Displays a bar graph that displays the number of requests for each search engine (Search Engines/Portals category).
Search for Specific Report Data (Search and Forensic Report)
Management Center enables you to search for specific report data using a simple search or by executing a forensic report.
Use Simple Search
The Reports > Reporter page includes a simple search field in the top right-hand corner, as shown below.
1. Select the Category drop-down and pick a search type. The available criteria differ, depending on the selected
database.
2. Enter a search term and click the magnifying glass (or press Enter).
3. The search results display in a new tab.
4. Click the search result to view detailed data about that item.
Run Forensic Report
Use the Forensic Report feature to drill down into the database to find specific information based on the source, destination,
and verdict properties of one or more requests. The Forensic Report button is located directly beneath the Management
Center banner.
1. Click Forensic Report. The system opens the Run Forensic Report window.
2. Select (or enter) the search criteria from the available data or enter a transaction ID.
3. Select a time duration.
4. Click Run Report. The system displays the search results in the Full Log Details report.
5. Click links in the search result to view detailed data about that item.
Reporter Graph Types and Views
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
Reporter graph types depend on the type of data represented in the report. The available graph types are:
- Area - An area graph displays quantitative data graphically. It is based on the line chart. The area between the axis and
the line is commonly emphasized with colors and textures. Commonly used area graphs compare one area with two
or more areas.
- Bar - A bar graph presents grouped data with rectangular bars with lengths proportional to the values that they
represent. The bars are plotted horizontally. Regardless of whether a bar graph is vertical or horizontal, the bars
show comparisons among categories. One axis of the graph shows the specific categories being compared, and
the other axis represents a discrete value. Grouped bar graphs display bars clustered in groups of more than one bar
graph.
- Column - A column graph presents grouped data with rectangular bars with lengths proportional to the values that
they represent. The bars are plotted vertically. Regardless of whether a bar graph is vertical or horizontal, the bars
show comparisons among categories. One axis of the graph shows the specific categories being compared, and
the other axis represents a discrete value. Grouped column graphs display bars clustered in groups of more than
one column graph.
- Line - Line graphs show how data for one data type changes over time.
- Pie - A pie graph is a circular statistical graphic, divided into slices to illustrate numerical proportion. In a pie graph,
the arc length of each slice (and thus the central angle and area) is proportional to the quantity it represents.
Combinations of Reporter views include data represented in the following ways:
- Graph and Column
- Graph only
- Column only
Drill down on specific data within a report by selecting a line in the column portion of the report and selecting Drilldown. Drilling
down is most helpful when you know what you are looking for. For example, if you are viewing a Trend of Risky Users
report, you can drill down on the user name or risk categories to find the sites that the user is visiting the most. You can
also right-click the line to drill down. The following is an example of data that is available when you are drilling
down in a report:
364
Management Center Configuration &Management
Set Time Zone for Reporter Reports
Associate a custom time zone with your user profile. That time zone is then used for all Reporter reports. Each user can set a different time zone without affecting other users' views.
1. In the web console banner, click [icon] and select your username.
   The username for the standard Admin login is "Management Center."
2. Select the Reporter Time Zone tab.
3. Select the new time zone.
4. Click Save.
5. When you open a Reporter report, note the new time zone icon.
6. Verify your settings by opening a Reporter report and hovering over the time zone icon.
Once set, you can change the time zone by clicking the time zone icon.
Determine Why A Reporter Database Does Not Display
If you try to run reports and the database you want is not available in the Database: drop-down menu (Reports > Reporter), click Status to display that database's current status.
1. Click Reports > Reporter.
2. Click the Database: drop-down. The system displays the available databases.
3. If the database you want is not in the menu or you want to see the current status of the Reporter servers and all associated databases, click Status.
4. If a Reporter server is available (and you have permissions to view it), you can click the plus symbol to display the associated database(s).
Use the status information to help you determine why the database is not available.
View Statistics Monitoring Reports
An organization without an effective monitoring system is susceptible to issues such as unplanned downtime and performance degradation; thus, the ability to monitor network activity is crucial for capacity planning and quick responses to potential problems. By analyzing report data, organizations can plan for scalability and anticipate future requirements.
Management Center keeps up to 12 months of per-hour data and 7 days of per-minute data for all devices that have statistics monitoring enabled. To purge this data from Management Center, see Purge Statistics.
As an administrator, it is critical that you be aware of issues, changes, and trends that could arise in your network. In Management Center, you can report on key metrics such as CPU usage, connection counts, bandwidth gains and losses, and other statistics of managed appliances. Statistics Monitoring reports provide you with visibility into network performance. With reports, you can identify trends such as:
- Usage patterns
- Bandwidth savings
- Peak numbers of concurrent users
- Statistics averaged over weeks and months
To ensure that your data analysis is accurate and timely, identify the metrics that are most important to you and run reports regularly.
You can monitor the health of your devices without generating a report. See "Monitor Device Health" on page 106.
Prerequisites
You can report on ProxySG appliances that:
- Run SGOS 6.3.x and later
- Have a Proxy or MACH5 Edition license (Note: this is a requirement for WAN Optimization reports, not Device reports)
- Have the latest trust package installed
- Do not have Federal Information Processing Standards (FIPS) mode enabled
- Have statistics collection enabled in device properties (see "Add a Device" on page 65)
You can still manage ProxySG appliances that do not meet these requirements, but their statistics will be unavailable from Statistics Monitoring.
Procedure
To view Statistics Monitoring reports:
1. Select Reports > Statistics Monitoring.
2. Select a report from Devices or WAN Optimization. See "Reference: Statistics Monitoring Reports in Management Center" below for descriptions.
3. From a dashboard widget, you can also "Display a Full Report" on page 383.
4. Refine reports to make them more useful:
   - Display data for a specific time period. See "Change the Scope of a Statistics Monitoring Report" on page 382.
   - Add metrics to focus on specific data. See "Modify Options for Statistics Monitoring Reports" on page 380.
Reference: Statistics Monitoring Reports in Management Center
The following Statistics Monitoring reports are available in Management Center.
Devices Reports
Device reports show statistics on network traffic seen by a single ProxySG device, ProxySG appliances in a device group, or all ProxySG devices.
WAN Optimization Reports
The WAN Optimization reports display statistics for ProxySG appliances with a Proxy or MACH5 Edition license.
Modify Options for Statistics Monitoring Reports
By default, a Statistics Monitoring report displays data for the last seven days for all ProxySG devices, but you can customize the report by changing the start date and interval, choosing which devices or device group to report on, and adding overlays of additional statistics.
1. Select Reports > Statistics Monitoring.
2. Select a report from Devices or WAN Optimization. See "Reference: Statistics Monitoring Reports in Management Center" on page 377 for descriptions.
3. After you select the report, the report opens in a new tab.
4. Beside the report title, click Options. The Filters dialog displays.
5. Filter the report data using the options described in the following table.
   Option | Description
   Start Date | The date and time from which report data begins. The interval you select is based on the start date. For example, if you specify the 13th of the month for the start date and an interval of 7 days, the report shows data from the 13th through the 19th.
   Overlays (This option is not available for all reports) | Metrics that you can add to the report to help you interpret the data. You can add overlay(s) to the report. When you add overlays, the additional data displays in a legend at the bottom of the report. Use the legend to identify the appearance and color of each data type.
6. Click Save.
The web console displays the Statistics Monitoring report with the options you selected. The name and number of devices will display next to Device Filter at the top of the report. If a filter isn't defined, the Device Filter will say All Devices.
Change the Scope of a Statistics Monitoring Report
By default, Statistics Monitoring reports and report widgets display data for the last seven days. For example, if you select a report on April 14th, the report opens with Last 7 Days selected for the date range at the bottom left corner. The start date or time of the selected date range is displayed between < >. The bottom right of the report indicates the specific date range of the data shown in the report, such as Displaying days for 04/14/15 - 4/21/15.
To view data from a broader or narrower time frame, select an interval from the Date Range drop-down list. The report data updates immediately to reflect your selection.
Refer to the following table to understand how the date range affects the report data; assume that the current date and time is Tuesday, October 15th at 09:05.
To view data from different points in time, use the date range and < > in conjunction. Using < > causes the report to go back and forward, respectively, at the interval specified in Date Range. For example, if the date range is Last 7 Days and the report shows data from October 8th to October 15th, clicking < causes the report to display data from October 1st to October 8th. If you change the date range to Today and click <, the report displays data from the previous day. You can use > to return to more recent dates and times.
For more information about report dates, see Date Filters.
It is possible to display future days in reports if you use >. If a report abruptly shows no data while you are changing the dates or times, check the dates/times that have no data and exclude them from your analysis (or change the date range again).
Filter on Devices or Device Groups
To view a report of data from multiple devices or from a particular device group:
1. Display the desired Statistics Monitoring report.
2. Click the Options button.
3. Change the Start Date and Interval, if desired.
4. Use the Filter drop-down list to select individual devices or specify a device group.
5. To choose from the available devices or device groups, click [icon].
   - Device: Select one or more devices and click OK.
   - Device Group: Select one group and click OK.
6. Click Save.
After you save your changes, the report data updates immediately. The Device Filter displays the names (or IP addresses) of the devices filtered in the reports. See "Modify Options for Statistics Monitoring Reports" on page 380.
Zoom In and Out on Reports
In reports that display changes over time, it is useful to see more detail on a specific data point. For example, if you are looking at a report with Current Week as the date range, zooming in on a specific day displays the report for the day at hourly intervals. Zooming in on a specific hour displays the report for the hour at five-minute intervals.
1. In the report, hover over the data point you want to see in greater detail. The data point expands slightly.
2. Click the data point and select Zoom In. The report displays the data at the new level.
3. To return to the previous level, click any data point and select Zoom Out.
Display a Full Report
Display a full report from a statistics monitoring widget.
1. Select Dashboards > Statistics Monitoring. The web console displays the Statistics Monitoring Dashboard.
2. Do one of the following:
   - If the report you want has a widget on the dashboard, expand the widget if necessary and then click View Full Report at the bottom of it.
   - If the report does not have a widget on the dashboard, click Report > Statistics Monitoring. Available reports are displayed in two lists: Devices and WAN Optimization.
3. Select the report you want to view. The report opens in a new tab.
If you leave a report open for an extended period of time, you can refresh it to ensure that no stale data is displayed. To refresh a report, click [icon] at the bottom of the report.
Determine Your Next Step
What do you want to accomplish? | Refer to this topic
Learn about different graph types. | "Statistics Monitoring Graph Types" below
See the report for different dates or times. | "Change the Scope of a Statistics Monitoring Report" on page 382
Change the metrics and other data that display on the report. | "Modify Options for Statistics Monitoring Reports" on page 380
View descriptions of the Statistics Monitoring reports. | "Reference: Statistics Monitoring Reports in Management Center" on page 377
Statistics Monitoring Graph Types
Statistics Monitoring graph types depend on the type of data represented in the report. Some reports consist of a combination of these formats.
- Line graphs show how data for one data type changes over time. You can hover over the line graphs for extra tool tips that can include data such as the date, percentage, total number, etc.
- Stack graphs show changes in a set of data, both for the individual data types and the total of the individual items. Each color in a stack graph represents one type of data changing over time.
- Circle graphs show the proportions of specific data within a set of data.
  Example: The Effective Bandwidth graph in the Traffic Mix report shows the proportion (in percentage) of effective bandwidth for different traffic types. Hover over a segment in the graph to display the number of bytes for each traffic type.
- Table charts arrange data in rows to compare data from multiple sources.
  Example: The Devices Detail report widget shows the actual bandwidth versus effective bandwidth for all devices in the system.
Work with Reports
Reporter
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
See the following for information about working with Reporter reports:
- "View a Reporter Report" on page 339
- "Customize Reporter Report Options" on page 343
- "Reporter Graph Types and Views" on page 364
- "Date Filters" on page 1
- "Search for Specific Report Data (Search and Forensic Report)" on page 360
- "Set Time Zone for Reporter Reports" on page 365
Statistics Monitoring
See the following for information about working with Statistics Monitoring reports:
- "View Statistics Monitoring Reports" on page 376
- "Change the Scope of a Statistics Monitoring Report" on page 382
- "Statistics Monitoring Graph Types" on the previous page
- "Modify Options for Statistics Monitoring Reports" on page 380
- "Date Filters" on page 1
Customize Report Widgets
Widgets on the Dashboard and Reports tabs can be customized based on the type of data that you want to view.
Collapse Report Widgets
You can collapse report widgets if you have limited room on the dashboard, or if you prefer not to see all of the widgets expanded at once.
- To expand a report widget, click the down arrow in the widget title bar.
- To collapse a widget, click the up arrow in the widget title bar.
Move Report Widgets
You can move report widgets. Because widgets align themselves automatically when you move them, you can put them in groups.
1. Hover over a widget title bar. The pointer changes to a [icon].
2. Drag the widget to its new location.
Remove Report Widgets
To remove a report widget, click the X on the top right corner of the widget.
To add the widget to the dashboard again, click Add Report and select the widget from the list.
Add Reports
The number of report widgets that you can add and customize is wholly dependent upon whether you have integrated Reporter 10.x into your network.
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
Close a Report
When you no longer need to view a report, close it using one of the following methods.
Close the Active Report
Click Close to close the report.
Alternatively, close the report by clicking the X on the tab at the bottom of the screen.
Close a Report on Another Widget
If you have multiple reports open, you can close a report other than the active one by clicking the X on the appropriate tab at the bottom of the screen.
Modify Display of Table Data
You can modify the view of table data as described below. Each table supports specific actions; all actions may not be available.
Show Available Actions
Click the arrow to the right of the column headings to show the available actions.
Change Columns
Hover over Columns to change the displayed columns.
Group Table Data
Select Group by this field to group the table data in accordance with that column heading. Deselect Show in groups to put data into a plain list.
The data is then grouped. In the example below, the Type column was grouped.
View Raw Report Data
The Source Data Viewer displays a report in raw data format, which breaks down specific data types that Management Center collects from devices. If the interaction of data in a standard report seems wrong or misleading, you can view the data in isolation from other metrics.
1. Select Reports > Statistics Monitoring.
2. Click Source Data Viewer. The Source Data Viewer opens on a new tab.
3. In the tree on the left, browse to the data you want to display and select it. The report opens on a new tab on the right.
Manage Dashboards
Dashboards allow you to quickly view important device data. This data is represented by widgets. Widgets represent data from managed devices. Dashboards are highly customizable and can help you quickly view the information you deem important.
To monitor devices from a single screen, add dashboards and add widgets to those dashboards using the options on the Dashboards > Manage Dashboards page.
- 1, 2, 3, etc. The order is displayed from left to right on the dashboard tab beginning with 1 on the left.
- The name of the dashboard as it appears on the Dashboard tab.
- Reporter - displays only Reporter widgets on the dashboard.
  WAF Reporter - displays only WAF widgets on the dashboard.
  Mixed - Can display data from all widgets on the dashboard.
  Statistics Monitoring - displays only Statistics Monitoring widgets on the dashboard.
- Each dashboard can display multiple widgets. For a quick reference of what is displayed on each dashboard, view the widget count for each dashboard.
- The description helps to differentiate the dashboard type, and the widgets within the dashboard.
Notes
- Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
- Dashboards are dependent on the reports that you can generate for each managed device. To generate advanced reports and view advanced real-time data within dashboards, see "Add Reporter as a Managed Device" on page 338.
Add a Dashboard
To accommodate your screen size or personal preference, you can change the number of dashboards that display, as well as define the layout of the dashboards. You must also define the dashboard type. Layouts arrange widgets in one to four columns of equal width, with the columns expanding to fit the width of the screen. When you select a layout, your change persists (beyond the current session) until you change the layout again.
Although you can add multiple dashboards, remember that dashboards display data from databases that may not be the only database available. For example, a Reporter Enterprise Server can provide data from multiple databases. When adding Reporter widgets to dashboards, you can choose from the available databases.
1. From Dashboards > Manage Dashboards, click Add Dashboard. A red asterisk (*) denotes fields that are mandatory.
2. Enter a descriptive Dashboard Name and Description.
3. Choose a Type:
   - Mixed - A dashboard that displays both ProxySG appliance and Reporter widgets
   - Reporter - A dashboard that displays Reporter widgets
     If you select Reporter as the dashboard Type, from the Template drop-down list, select from the following templates to pre-populate widgets:
     - Web Application Usage
     - Threat Detection
     - Content Filtering
   - WAF Reporter - A dashboard that displays Reporter Web Application Firewall (WAF) widgets.
     If you select Reporter WAF as the dashboard Type, select Web Application Firewall from the Template drop-down list.
   - Statistics Monitoring - A dashboard that displays ProxySG appliance widgets.
4. Select the Layout for the dashboard.
5. Click Save. The saved dashboard is displayed in the Dashboard drop-down with the name that you gave it.
After you have created a dashboard, you cannot edit the type.
Reorder Dashboard List
When you add a new dashboard, the most recently added dashboard is appended to the end of the list. For example, if you have three dashboards and add one, the new dashboard becomes the fourth dashboard on the list and will appear to the right of the previously added dashboards. To change the order in which dashboards are displayed:
1. From Dashboards > Manage Dashboards, select the dashboard you want to move.
2. Click Move Up or Move Down to change the order.
Duplicate a Dashboard
To use a dashboard as a template for a dashboard that you may want to clone (and perhaps edit later), you can duplicate a dashboard that already exists. You are unable to change the type of dashboard when you duplicate.
1. From Dashboards > Manage Dashboards, click Duplicate.
2. From the Duplicate Dashboard dialog, give the dashboard a unique name.
3. Click Duplicate. The duplicated dashboard is displayed under Manage Dashboards.
Dashboards and Widgets
A dashboard provides a simplified view of data in widgets. A widget is a graphical representation of information, designed to provide a quick overview of statistics or other important information. The variety of widgets available to add to dashboards is dependent upon dashboard Type. See "Manage Dashboards" on page 390.
The web console displays the Home dashboard after users log in to the web console. The dashboard displays Device Health and Top Problem Devices widgets by default, but you can add and remove widgets to any dashboard.
When you open or view the Statistics Monitoring dashboard, it does not display filtered data from the last session. Each new session opens with no filters applied.
Add a Widget to the Current Dashboard
1. Select the Dashboards tab.
2. Click Add Widgets.
   The available widgets are controlled by the report permissions associated with a user's role. Users cannot add widgets for restricted fields.
3. (Optional) From the report groups in the left pane, select the group that contains the report widget you want to add: Bandwidth Usage, Devices, Health, Security, User Behavior, WAN Optimization, Web Applications. The right pane updates with the list of report widgets for the selected report type.
4. Select the report widget you want to add.
5. For Reporter widgets, select the Role, Database, and the Layout.
6. Click Add Widget Now.
7. Repeat steps 3 to 6 to add more widgets, and then click Close.
Add the Bookmarked Devices Widget
The Home dashboard displays the Device Health and the Top Problem Devices widgets by default after you log in. To add a widget specifically to view real-time data for favorite devices, add the Bookmarked Devices widget to a dashboard.
1. From the Home Dashboard, select Add Widgets. The web console displays the Add Widgets wizard.
2. Scroll to Health and select Bookmarked Devices.
3. Select Add Widget Now. Click Close. The dashboard displays an empty widget.
4. Select Add Devices. Give the widget a name and select the devices that you want to monitor in the dashboard.
5. Select the devices that you want to "bookmark" as your favorite devices and click OK. The new widget displays the selected devices.
Edit or Duplicate Dashboards
Management Center displays the following default dashboards after users "Log in to the Web Console" on page 31.
Home
The home dashboard displays when you log in to the web console by default. Default widgets displayed are the Device Health and Top Problem Devices widgets.
The home dashboard displays Device Health and Top Problem Devices widgets by default, but you can add and remove widgets based on:
- The type of data that you want to monitor (such as statistics)
- Reporter server integration
1. Select the Dashboards tab.
2. Click Add Widgets.
Statistics Monitoring Dashboard
The web console displays the Statistics Dashboard when you select Dashboards > Statistics Monitoring. It displays widgets that provide a simplified view of the statistics monitoring data in a full report.
To customize the layout and widgets of your Statistics Dashboard, see "Change the Dashboard Layout" below.
Change the Dashboard Layout
To accommodate your screen size or personal preference, you can change the layout of the main Dashboard tab and define the dashboard type. Layouts arrange widgets in one to four columns of equal width, with the columns expanding to fit the width of the screen.
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.
When you select a layout, your change is saved beyond the current session until you change the layout again.
1. Select the Dashboard tab. To customize the layout and type, click Options. The web console displays the Layout Options dialog.
2. Select the desired layout option.
3. Click Save.
After you add a dashboard, you cannot change the dashboard type. Dashboard Types are defined as follows:
- Mixed - A dashboard that displays both ProxySG appliance and Reporter widgets
- Reporter - A dashboard that displays Reporter widgets
- Statistics Monitoring - A dashboard that displays ProxySG appliance widgets
Administrate Management Center
- "Configure General System Settings" below
- "Upgrade/Downgrade System Images" on page 406
- "Back Up the Management Center Configuration" on page 408
- "Encrypt Sensitive System Data" on page 409
- "Restore a Management Center Backup Configuration" on page 410
- "Configure Management Center Failover" on page 411
Configure General System Settings
Configure Management Center general settings about bandwidth cost, the number of backup slots for Management Center backups, and the maximum number of policy and script revisions to store. You can also create a password reset email and configure settings to apply to Management Center users.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
1. Select Administration > Settings. A red asterisk (*) denotes fields that are mandatory.
2. From System Settings, select General on the left.
3. Specify General settings.
   Setting | Input Value/Format
   Bandwidth Cost per GB * | See "Set Bandwidth Cost for Reports" on page 399
   Device Polling Interval * | See "Set the Device Polling Interval" on page 399
   Number of backup slots * | "Set the Number of Backup Slots" on page 399
   Maximum number of policy revisions to store * | "Set the Maximum Number of Policy Versions to Store in Management Center" on page 244
   Inactivity timeout (minutes) * | Specifies the number of minutes before an inactive user is logged out. Users are warned 30 seconds before they are logged out.
   Inactivity timeout exclusions | text: Enter comma-separated usernames. The list of usernames that should be excluded from the Inactivity timeout setting.
   Maximum number of script revisions to store * | "Set the Maximum Number of Script Revisions to Store in Management Center" on page 158
   Is Reset Password enabled? * | false|true. See "Reset Password" on page 280
   Reset Password Email Subject * | text: Management Center Reset Password
   Reset Password Email Message * | text: Enter the body text of the email that will be sent upon a user's request of a password reset. Click OK.
4. Do one of the following:
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   - Click Activate to cause the server to load and apply the currently saved configuration.
5. Instruct users to log in to the web console with their existing username and password.
After a user logs in, you can manage their account in Management Center.
Set Bandwidth Cost for Reports
Statistics Monitoring reports require that you specify a bandwidth cost to display data. The bandwidth cost is a multiplier and is thus not expressed in a specific currency unit. For example, you can enter a value to represent on average how you pay per gigabit for data usage on your network.
1. Select Administration > Settings. Select General. General fields display on the right.
2. Enter a decimal value.
3. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Set the Device Polling Interval
You can specify the frequency with which Management Center looks for updates on managed devices. Specify an appropriate interval to ensure that device health statuses display accurately. The default interval is 10 seconds.
1. In the web console banner, select the Administration tab and select Settings.
2. Select General on the left. General fields display on the right.
3. Select Device Polling Interval (sec).
4. Enter a value in seconds.
5. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
   • Click Activate to cause the server to load and apply the currently saved configuration.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Set the Number of Backup Slots
By default, Management Center stores up to five backups per device, with each backup placed in a slot. After five backups, Management Center prunes (deletes) an unpinned backup to make room for the new backup. (Backups that are pinned are preserved and cannot be manually deleted or automatically pruned.) If you want Management Center to store more or fewer backups per device, you can adjust the number of backup slots.
1. Click the Administration tab and select Settings.
2. Select General on the left.
3. In the Number of backup slots enter a new value.
4. Click Save.
You can override the default number of backups that are retained for a device by entering a Retention Count when exporting backups. See "Export Device Backups" on page 85.
Specify Explicit Proxy Settings
If you have configured an explicit proxy server in your environment, you can specify the settings in Management Center. These settings are used for all outgoing HTTP requests and other functions such as licensing, heartbeats, and support case reports.
1. Select Administration > Settings > HTTP Proxy. Fields marked with a red asterisk (*) are required settings.
2. Specify explicit proxy settings.
3. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Synchronize the System Clock using NTP
Network Time Protocol (NTP) synchronizes the clocks of computers over a network. To ensure that timestamps displayed in Audit Log records, Appliance Monitoring reports, and other system changes are accurate and consistent, you can define NTP servers in Management Center.
1. Select Administration > Settings.
2. Click Network Time Protocol. NTP fields display on the right. A red asterisk (*) denotes fields that are mandatory.
3. Specify NTP settings.
   When you "Add a Job" on page 324, remember that the schedule is run off of the server's time zone.
4. Perform one of the following tasks.
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
   • Click Activate to cause the server to load and apply the currently saved configuration.
   If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Configure Diagnostics Logging
Use this page to set the logging levels. The Master Log includes all of the General and Device Plugin data. To reduce the size of the Master Log or to produce a targeted log, configure the levels accordingly. The level you choose determines the amount of information provided in each log. For example, debug logs can later be used to send diagnostic information to Support. The logging levels are described in the following table.
Log Level: Description
• DEBUG: Logs detailed informational events and is most useful when you are attempting to diagnose problems.
• INFO: Logs high-level informational messages only.
• WARN: Logs potentially harmful events.
• ERROR: Logs all errors that do not cause the system to restart.
• OFF: Disables logging. The Master Log cannot be disabled.
• ALL: Logs everything. Applicable only to the Master Log.
When you enable a log, data is written to a specific log file. For example, if the Master log is set to INFO or above, messages are written to log.log. If the Master Log is set to DEBUG, all messages are written to debug.log and also to log.log (messages for INFO and above). All other logs send data to a log of the same name, for example, security.log and network.log.
Configure Diagnostic Logging
1. Select Administration > Settings > Diagnostics.
   The system displays the Diagnostics window. A red asterisk (*) denotes fields that are mandatory.
2. Specify the Master Logging Level, General, and Device Plugin settings.
3. Do one of the following:
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.
Configure Housekeeping Settings
Configure general housekeeping settings. When these settings are activated, they affect what is displayed in the Audit Log Viewer and how big audit logs can grow.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
1. Select Administration > Settings.
2. Click Housekeeping on the left.
3. Select the default housekeeping settings. A red asterisk (*) denotes fields that are mandatory.
   Setting | Description | Input Value/Format
   Run every n hours.* Default is 12. | The value represents (in hours) how often to run a full audit. | numeric using up and down arrows
   Number of days of audit records to keep.* Default is 120. | The value represents the number of days that audit records are kept. | numeric using up and down arrows
   Number of days of job execution records to keep.* Default is 120. | The value represents the number of days that job executions records are kept. | numeric using up and down arrows
   Number of days of closed alert records to keep.* Default is 120. | The value represents the number of days that alerts are kept after being closed. | numeric using up and down arrows
4. Perform one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.
Configure Mail Settings
In order to receive notifications via email, you must configure SMTP alerts. Management Center stores the settings so that SMTP alerts (emails) can be transmitted and received correctly. See "Configure SMTP Alerts" on page 318.
1. Select Administration > Settings.
2. Select Mail Settings. Mail settings display on the right. A red asterisk (*) denotes fields that are mandatory.
3. Specify email settings.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Configure the SNMP Agent Password
The Simple Network Management Protocol (SNMP) itself does not define which variables a managed system should offer. Rather, SNMP uses an extensible design, where the available information is defined by Management Information Bases (MIBs).
The MIBs are available on the BTO Downloads page. Refer to the Blue Coat Management Center Release Notes for information on MIBs.
Configure the agent's password:
1. Select Administration > Settings.
2. Select SNMP Settings on the left.
3. Enter the password in the Community text field. This password must be entered as alpha-numeric with no special characters.
4. Perform one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the new password for SNMP agent. See Community in "Configure SNMP Alerts" on page 319.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Configure Consent Banner
A Notice and Consent banner provides notice to users of computer networks, computers, and other systems and resources. Users are required to accept the terms in the banner prior to authentication. The banner is presented to users before a login process, and it requires users to acknowledge and agree to the message before they can log in or access resources on the network.
Implement the consent banner to do some or all of the following:
• Obtain users' notice of, and consent to, lawful monitoring of usage and data collection.
• Notify users that they must concede certain expectations of privacy in order to access the network.
• Ensure users' compliance with organization-specific policies.
The logo displays, as is and centered, above the banner text. The banner text displays within a text box that is un-editable. A blue "Accept" button displays below and to the right of the banner text, as shown in the example below.
Procedure
1. Select Administration > Settings.
2. Click Consent Banner. Consent Banner fields display on the right.
3. In Show consent banner, click the  and select true.
4. In the Consent text box, enter the text to present to users upon login to Management Center.
5. Click in the Consent image field. You can select a file from your local system to upload.
6. After selecting an image file, click download.
7. (Optional) Click remove to delete the downloaded image.
8. Perform one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Configure Hardware Monitor Settings
To better understand how each device is reporting disk and memory usage, configure hardware monitor settings and the Disk and Memory Critical and Warning Levels.
1. Select Administration > Settings.
2. Select Hardware Monitor Settings. Hardware monitor fields display on the right. A red asterisk (*) denotes fields that are mandatory.
3. Specify the Hardware Monitor threshold settings.
   • Click Activate to cause the server to load and apply the currently saved configuration.
   If you enable the hardware monitor and also enable Disk Usage - Shutdown on critical?, the web console shuts down when the threshold for critical is reached. The Management Center CLI is still available.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
Upgrade/Downgrade System Images
When new features and improvements are made to Management Center, you can download a system image from Blue Coat and upgrade the appliance. If you ever experience issues with a new image, you can activate an older image to downgrade the appliance.
Manage System Images
Management Center stores up to five images on the system. The image that is marked as the default image will be loaded the next time that the appliance is rebooted.
If the maximum number of images are stored on your system and you download a sixth image, Management Center deletes the oldest unlocked image to make room for the new image. To prevent an image from being deleted or replaced, you can lock the image.
You perform image management using Management Center CLI commands. See "# installed-systems" on page 452 for a description of the commands for adding, deleting, locking, unlocking, and viewing images.
Install a New System Image
To install a new system image, you first download the image from Blue Coat, place the file on a web server the Management Center appliance can access, then use a CLI command to add the file. The final step is to reboot to activate the image.
1. (Optional, but recommended) "Back Up the Management Center Configuration" on page 408.
2. Log in to BlueTouch Online (BTO): https://bto.bluecoat.com/
3. Download the desired image from BTO.
   a. Transfer the image directly to Management Center. Select Configuration > Files and transfer the image using the Transfer File button.
   b. Download the image to a local drive, select Configuration > Files, and upload the image to Management Center.
   Alternatively, you can store the image file on a web server that the Management Center appliance can access. The add image process works with any HTTP server, and HTTPS servers configured with trusted certificates. If your HTTPS server does not have a trusted certificate, place the file on an internal HTTP server.
   where <URL> is the location of the image on a web server, in the following format:
   http://host/path, for example http://webserver.mycompany.com/images/542386.bcsi
   If the image was uploaded to Management Center, do the following:
   a. Copy the file URL. In the Configuration > Files page, select the image and click Copy URL. The file will have a format similar to the following:
      https://10.131.38.36:8082/fs/download/6c80d3a2cc124347aedb2a688da3859e
   b. Change the protocol to HTTP and the port to 8080. The URL should now look like this:
      http://10.131.38.36:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e
      Alternatively, you can change the URL to the following:
      http://localhost:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e
   c. Execute the installed-systems add command.
5. Make sure the new image is the default image. (Rebooting will install whichever image is marked as the default.)
   # installed-systems view
   A plus (+) sign indicates the default system image. If the new image is not the default, make note of the index value next to the image you want as the default.
6. If necessary, make the new image the default system image:
   Replace <index_number> with the image's index ID value.
7. Reboot the hardware appliance to run the new image:
   # restart reboot
   When the appliance restarts, the network connection closes. If boot failure occurs upon an upgrade, Management Center downgrades to the previous version automatically.
View the progress of downloads in progress or the status of the last download using the # installed-systems view-downloads command. If you need to cancel an image download, use the # installed-systems cancel-downloads command.
Downgrade to an Earlier Management Center Version
If you are running an upgraded version of Management Center, you can downgrade (revert) to a previous version. Downgrading has the following special guidelines you must follow:
• Downgrades can be performed down two dot releases (e.g., from 1.6 to 1.4).
• All maintenance/patch releases of a version will be treated as equivalent. For example, 1.6.2.1 would be the same as any other 1.6.x release.
• Upon downgrade, newer data (data from the upgraded image that is not handled in the older version) is lost.
• Upon downgrade, newer configuration settings (settings from the upgraded image that are not handled in the older version) are lost.
• Data and configuration settings that are common to the upgraded image and downgraded image are seamlessly maintained, regardless of schema differences between versions.
• Administrator access and permissions are needed to downgrade Management Center.
To downgrade:
1. "Back Up the Management Center Configuration" on the facing page.
2. Decide which installed image to revert to. (Make sure to follow the guidelines listed above regarding release numbers.)
   # installed-systems view
   Make note of the index value next to the image you want to revert to.
3. Make an older image the default image. (Make sure to follow the guidelines listed above regarding release numbers.)
   Replace <index_number> with the image's index ID value.
4. Reboot the hardware appliance to activate the default image:
   # restart reboot
5. Before trying to use the older version, restore the Management Center backup immediately. See "Restore a Management Center Backup Configuration" on page 410.
Back Up the Management Center Configuration
Blue Coat recommends that you back up the Management Center configuration often. The backup contains Management Center database, settings, and, optionally, device reporting statistics. To save disk space on the appliance, you can export the backup to an external server as part of the backup job. Exporting backups to an external server is required before upgrading or downgrading the software image. See "Upgrade/Downgrade System Images" on page 406.
Backup Requirements
Backing up the Management Center configuration requires specific permissions. See "Reference: Understanding Job Permissions" on page 261. Additionally, sensitive data in the backup will be encrypted with an encryption key. You must have the recovery key to restore the encrypted data in the backup. See "Encrypt Sensitive System Data" on the next page for more information.
Back Up Management Center
To back up the Management Center configuration, you must create a job for it. You can either schedule the job to run on a regular basis, run immediately, or on demand at a time that you want to create a backup.
1. From Jobs > Scheduled Jobs, select New Job. The web console displays the New Job wizard. A red asterisk (*) denotes fields that are mandatory.
2. Enter a unique Name.
3. Enter a Description (perhaps the reason why a backup of Management Center is needed). Click Next.
4. From the Operation drop-down list, select Backup Management Center.
5. (Optional) Select the Exclude Statistics Monitoring Trend Data check box to exclude device reporting statistics. By excluding these statistics, the backup will be substantially smaller (perhaps by hundreds of gigabytes). Keep in mind, however, that the restored backup will not have any statistics data.
6. If you want the backup file to be exported to an external HTTP, FTP, or SCP server, select the Export to Server check box and fill in the server details:
   • Server URL: Enter the protocol (SCP, FTP, FTPS, HTTP, HTTPS) and server name and path. For example: ftp://mycompany.com/backups
   • Encryption Phrase: This is required for exporting the archive.
   • Username
   • Password
7. In the Targets screen, click Next. (No targets are required for this operation.)
8. In the Schedule screen, define a schedule for the job. See "Job Scheduling Options" on page 328 for explanations of each option. Click Finish.
Management Center retains only five backups. When the sixth backup occurs (such as in a recurring job), the oldest backup is deleted. This is a rolling five backup retention and cannot be configured. To retain additional backup configurations, you can export the backup to an external server as part of the backup job, or you can export backups later using the backup export CLI command.
Back Up Management Center Using the CLI
1. Log in to the CLI. See "Access the Management Center CLI" on page 439
2. Enter privileged mode. See "Privileged Mode Commands" on page 446.
3. At the command prompt, type the following command and press Enter:
   # backup create
   The CLI indicates that the backup is being created. You should see a response similar to the following:
   Creating backup ...
   Backing up runtime configuration and plugins ...
   Backing up database ..
   Completed backup, Wed Jun 3 11:01:33 CMT 2015.
Encrypt Sensitive System Data
In Management Center 1.6 and later, each device has a unique encryption key that is used to encrypt data in the system. The administrator generates this key in the Administration > Data Protection page. When the key is generated, a recovery key is also generated in case you later need to restore the encryption key. Make sure to save the recovery key in a safe place.
Potential Data Loss
• As part of this process, you should keep the recovery key in a safe place in the event that you need to restore the encryption key later. DO NOT LOSE THE KEY. If you lose the key, you will not be able to recover your encrypted data.
• You should not recover a key unless you are certain that you need to. If you use the Restore previous key feature and the current data in the database was not encrypted with that key, that data will not be able to be decrypted and you will have to reenter all of the device passwords.
New Management Center Appliance Recommendations
Upon receiving a new appliance, you should do the following:
1. Select Administration > Data Protection.
2. Click Generate Key.
   A new encryption key is created and a recovery key is displayed.
3. Record the recovery key and secure it in a safe location.
4. Click Restart System.
5. Configure the appliance.
6. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.
This process ensures that you can restore your configuration as necessary.
Upgrade Recommendations
If you are upgrading Management Center, Blue Coat recommends regenerating a new key and then taking a new backup. Doing so will ensure that you have the latest protection schemes and a valid backup that can be restored to the device if necessary.
1. Select Administration > Data Protection.
2. Click Generate Key.
   A new encryption key is created and a recovery key is displayed.
3. Record the recovery key and secure it in a safe location.
4. Click Restart System.
5. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.
This process ensures that you will be able to restore the previous configuration if the upgrade has issues.
Restore a Management Center Backup Configuration
You can restore a configuration backup after reinstalling, upgrading, or downgrading Management Center or if you want to revert to a previous configuration. You perform this operation using the command-line interface.
Restoring a backup requires shutting down services; you should perform the restore during off-hours.
Restore Management Center Backup
Before you restore a backup, you should view the backup files currently stored on the system to make sure that you restore the correct version. If the backup you want to restore was exported to an external server, you should import the backup file before the restore process.
1. "Access the Management Center CLI" on page 439.
2. Enter privileged mode. See "Privileged Mode Commands" on page 446.
3. At the command prompt, type the following command and press Enter:
   # backup view
   The CLI displays a list of all the backups that were created for this instance of Management Center. You should see a response similar to the following:
   Available Backups:
   Timestamp Version
   1 | 2015-May-29 03:33:00 UTC 1.4.1.1 (555156)
   2 | 2015-Apr-15 09:02:00 UTC 1.3.3.1 (555000)
   The backups are listed in descending chronological order; for example, the backup with index number 1 is more recent than index 2. Each backup indicates the date and time when the backup was created, the build version, and in parentheses, the build number.
4. Once you identify the backup you want, make note of the index number.
5. (Optional) If the backup you want to restore was exported to a server and is not on the list of backups stored on the appliance, you can import it to Management Center.
   <URL> is the URL of the server and path to the backup file. Supported protocols are FTP, FTPS, HTTP, HTTPS, and SCP.
6. At the command prompt, type the appropriate command.
   • To restore the latest version (the backup with the most recent timestamp):
     # backup restore latest
   • To restore a specific version:
     # backup restore <index_number>
     where <index_number> is the index number of the backup.
7. Press Enter. The CLI indicates that you are about to restore a backup and asks you to confirm the action:
   Warning, restoring a backup replaces all Management Center configuration.
   Do you wish to proceed with restoring the backup taken on 2015-May-29 03:33:00
   UTC? [Y/N]
8. Type Y to proceed. The CLI displays the progress of the restore:
   Restoring backup ...
   Decompressing ...
   Verifying backup contents ...
   Shutting down services ...
   Restoring database ...
   Restoring configuration ...
   Restarting services ...
   Completed restoring backup.
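
The following added example (not part of this guide or of Management Center) parses a captured `# backup view` listing to find the index for `backup restore <index_number>`, and applies the two-dot-release downgrade guideline to a pair of version strings. The function names are hypothetical, and treating the second version component as the "dot release" within one major version is an assumption.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Tuple

# Constructed sample: the `backup view` response shown in the restore procedure.
SAMPLE_BACKUP_VIEW = """\
Available Backups:
Timestamp Version
1 | 2015-May-29 03:33:00 UTC 1.4.1.1 (555156)
2 | 2015-Apr-15 09:02:00 UTC 1.3.3.1 (555000)
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# index | YYYY-Mon-DD HH:MM:SS UTC  version  (build)
ROW = re.compile(
    r"^\s*(\d+)\s*\|\s*(\d{4})-([A-Za-z]{3})-(\d{2})\s+(\d{2}):(\d{2}):(\d{2})\s+UTC"
    r"\s+(\d+(?:\.\d+)+)\s+\((\d+)\)\s*$")


class Backup(NamedTuple):
    index: int
    taken: datetime
    version: str
    build: int


def parse_backup_view(text: str) -> List[Backup]:
    """Return one Backup per listing row; header and unknown lines are skipped."""
    backups = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) not in MONTHS:
            continue
        idx, year, mon, day, hh, mm, ss, version, build = m.groups()
        taken = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss))
        backups.append(Backup(int(idx), taken, version, int(build)))
    return backups


def listing_is_consistent(backups: List[Backup]) -> bool:
    """Indexes must run 1..n and timestamps must descend (index 1 is newest)."""
    indexes = [b.index for b in backups]
    times = [b.taken for b in backups]
    return (indexes == list(range(1, len(backups) + 1))
            and times == sorted(times, reverse=True))


def restore_command(backups: List[Backup], version: str) -> str:
    """Build the CLI command for the newest backup taken on `version`."""
    if not listing_is_consistent(backups):
        raise ValueError("listing is truncated or out of order; re-run backup view")
    matches = [b for b in backups if b.version == version]
    if not matches:
        raise LookupError(f"no backup recorded for version {version}")
    newest = max(matches, key=lambda b: b.taken)
    return f"backup restore {newest.index}"


def release_family(version: str) -> Tuple[int, int]:
    """1.6.2.1 -> (1, 6): maintenance/patch digits are treated as equivalent."""
    parts = version.split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {version!r}")
    return int(parts[0]), int(parts[1])


def downgrade_allowed(current: str, target: str, max_dot_releases: int = 2) -> bool:
    """True when `target` is at most two dot releases below `current`."""
    cur_major, cur_minor = release_family(current)
    tgt_major, tgt_minor = release_family(target)
    if cur_major != tgt_major:
        return False  # assumption: the guide only gives a same-major example
    # A gap of 0 is the same release family, which the guide treats as equivalent.
    return 0 <= cur_minor - tgt_minor <= max_dot_releases


if __name__ == "__main__":
    listing = parse_backup_view(SAMPLE_BACKUP_VIEW)
    print(restore_command(listing, "1.3.3.1"))
    print(downgrade_allowed("1.6.2.1", "1.4.1.1"))
```
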
Configure Management Center Failover
Management Center supports failover using two physical appliances. One appliance is delegated as the primary and the other as the secondary. After failover is configured, the secondary replicates data from the primary appliance. During continuous replication, users can perform all normal operations on the primary failover partner. Users cannot access the secondary failover partner; its sole purpose is to replicate actions occurring on the primary node so that it can take over if something happens to primary node.
Licensing information and system settings are not transferred during failover replication.
Because the secondary failover partner replicates the primary partner's data, it is ready to take over at any time. When the primary failover partner becomes unresponsive, you configure the secondary to take over and start servicing requests.
For systems set up in failover, the data encryption key is kept in sync between the primary and secondary devices.
Configuration Limitations
During replication, configuration for both the primary and secondary failover partners is limited. Replication requires that both the primary and secondary partners run the same version of Management Center. To enforce this, the installed-systems CLI command is disabled on both failover partners (to deny installing and changing system images). If, for any reason, the system images do not match on the primary and secondary partners, replication is paused until the problems are resolved.
The secondary failover partner has stricter restrictions on what can be configured. In addition to not being able to manage system images, the following CLI commands are disabled on the secondary partner:
backup (all commands)
license (all commands)
http-proxy (all commands)
service db-maintenance
service purge-vpm-cache
snmp (all commands)
statistics-monitoring (all commands)
Failover Prerequisites
To prepare for failover:
• Identify a Management Center appliance to act as the primary failover partner. Record the IP address and password of the "admin" account of this device.
• Identify a Management Center appliance to act as the secondary failover partner. Record the IP address of this device.
• Ensure that port 22 is open between the primary and secondary partners. Management Center failover employs an SSH connection.
Configure Failover
You must enable failover using the CLI.
Step 1 Configure the Primary Appliance
1. Use an SSH client to log in to the CLI of the Management Center appliance that is to be the primary failover partner.
2. Enter Enable mode:
   # enable
3. Confirm that failover has not already been configured on the appliance:
   # failover view
   Failover:
   Status: Disabled
4. Make this appliance the primary failover partner:
   # failover make-primary
   At this point, the secondary is not configured so the command output is similar to the following:
   Failover
   Status: ERROR: Secondary not configured
   Primary*: 198.51.100.20
   Secondary: not configured
   Last status update 1 second(s) ago
   (*) this Management Center
   Because the secondary failover partner has not been configured, the failover icon displays with an exclamation mark as shown below:
   This icon also displays if failover has been configured and the secondary is unresponsive.
Step 2 Configure the Secondary Appliance
Before beginning this procedure, complete all tasks required for the secondary appliance to service requests (set up authentication, etc.).
1. Use an SSH client to log in to the CLI of the Management Center appliance that is to be the secondary failover partner.
2. Enter Enable mode:
   # enable
3. Confirm that failover has not already been configured on the appliance:
   # failover view
   Failover:
   Status: Disabled
4. Make this appliance the secondary failover partner:
   During this process, the services on both the primary and secondary appliances are unavailable.
   # failover make-secondary
   will not be
   available while initial failover setup is performed.
   The password is not saved and is not reused for further replication process.
5. Verify that failover has been successfully configured:
   # failover view
   Failover:
   Primary: 198.51.100.20
   Secondary*: 198.51.100.24
   If failover has been successfully configured, the failover icon displays in the web UI banner as shown below.
   You can also mouse over the failover icon to review the failover status.
Switch to Secondary When the Primary is Unresponsive
If the primary failover partner is unresponsive, you must do the following:
1. Make the secondary failover partner active. Do this by entering the following command:
   # failover make-primary
2. Reactivate statistics monitoring.
   At this point, the secondary is active and is now the primary failover partner.
3. Fix the problems with the original primary device.
4. Make the original primary device (the device that was unresponsive) the new secondary failover partner:
   # failover make-primary
   Failover is now successfully reconfigured.
Step 1 Make Secondary Partner Active
Issue the failover make-primary command to make the secondary appliance the primary failover partner. If the original primary device later becomes responsive, you can make it the secondary failover partner, thus preserving the failover capability.
   # failover make-primary
   System is configured as secondary, promoting state to primary will break replication.
   Primary*: 198.51.100.24
Step 2 Reactivate Statistics Monitoring
After making the secondary failover partner active, you must reactivate the statistics monitoring job. This job instructs devices that have PDM Export (statistics monitoring) enabled to send updates to the new primary device.
1. Select Jobs > Scheduled Jobs.
2. Click New Job. The system displays the New Job: Basic Info dialog.
3. In the Basic Info dialog, enter a name for your job. A red asterisk (*) denotes fields that are mandatory.
4. Enter a description of the job. Good descriptions help to differentiate jobs when they have similar names.
5. Click Next.
6. In the Operation dialog, select Reactivate Statistics Monitoring.
7. Click Next.
   The system displays the Targets dialog. Management Center automatically finds all applicable targets.
8. Click Next.
   The system displays the Schedule dialog. Optionally, enter a schedule.
9. Click Finish.
Disable Failover
Use the failover delete command to disable failover.
   # failover disable
   Failover:
   Status: Healthy (0 second replication delay)
   Primary: 198.51.100.20
   Secondary*: 198.51.100.24
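
For routine health checks, the `# failover view` responses shown in this section can be parsed and turned into findings. This is an added example, not part of the guide or the product: the function names and the 30-second replication-delay threshold are assumptions, and the sample strings are constructed from the outputs printed above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples, copied from the `failover view` responses in this section.
DISABLED = "Failover:\nStatus: Disabled\n"
NO_SECONDARY = """\
Failover
Status: ERROR: Secondary not configured
Primary*: 198.51.100.20
Secondary: not configured
Last status update 1 second(s) ago
(*) this Management Center
"""
HEALTHY = """\
Failover:
Status: Healthy (0 second replication delay)
Primary: 198.51.100.20
Secondary*: 198.51.100.24
"""

FIELD = re.compile(r"^\s*(Status|Primary|Secondary)(\*?)\s*:\s*(.+?)\s*$")
DELAY = re.compile(r"\((\d+) second replication delay\)")


@dataclass
class FailoverState:
    status: Optional[str] = None      # text after "Status:"
    primary: Optional[str] = None     # address, or None when not configured
    secondary: Optional[str] = None
    local_role: Optional[str] = None  # role marked with (*): this appliance
    delay_s: Optional[int] = None     # replication delay, when reported


def parse_failover_view(text: str) -> FailoverState:
    """Extract status, partner addresses and the local role from the response."""
    state = FailoverState()
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner, "Last status update" and legend lines
        name, star, value = m.groups()
        if name == "Status":
            state.status = value
            delay = DELAY.search(value)
            if delay:
                state.delay_s = int(delay.group(1))
        else:
            role = name.lower()
            setattr(state, role, None if value == "not configured" else value)
            if star:
                state.local_role = role
    return state


def assess(text: str, max_delay_s: int = 30) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    s = parse_failover_view(text)
    if s.status == "Disabled" or (s.status is None and s.primary is None):
        return ["failover is not configured"]
    findings = []
    if s.status and s.status.startswith("ERROR"):
        findings.append(f"failover error: {s.status}")
    if s.secondary is None:
        findings.append("no secondary partner: the primary has no standby")
    if s.delay_s is not None and s.delay_s > max_delay_s:
        findings.append(f"replication delay {s.delay_s}s exceeds {max_delay_s}s")
    return findings


if __name__ == "__main__":
    for sample in (DISABLED, NO_SECONDARY, HEALTHY):
        print(parse_failover_view(sample), assess(sample))
```
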
416
Management Center Configuration &Management
UpdatetheManagementCenterLicense
TheManagementCenterlicensecontainsallofthefeaturesforwhichyouhavepurchasedasubscription.Thedoc-
umentationcoversallfeatures,includingonesthatyoumaynothavepurchased.
YoucanupdateyourexistinglicensefromBTO,downloadthelicensefromawebserverorworkstation,orinstallitmanu-
ally.
1. Toviewlicensestatusortoupdateorinstallalicense,selectAdministration>License.
2. Toviewdetailedlicensecomponentinformation,selecttheLicenseComponentstab.
Usethepassphrasefieldwhenyouareinstallingalicenseyougeneratedwithapassphrase;thepassphrase
isrequiredforVAOfflinelicensing.
3. Todeterminehowyouwillinstallthelicense,selecttheInstallNewLicensetab.Seethefollowingsectionsfor
instructions.
4. (Optional)Totroubleshootthelicenseinstallation,dothefollowing:
n Tocheckthestatusofalicense,runtheCLIcommand#license view.
n Toverifynetworksettings,runtheCLIcommand#show interface.
n Toverifysiteaccessibility,runtheCLIcommand>pingwiththefollowingsites:
o ping bto-services.es.bluecoat.com
o ping validation.es.bluecoat.com
n Toupdatethelicense,runtheCLIcommand#license get-from-bluecoat.
n Trytoupdatethelicenseagain,afterrunningtheCLIcommand#restart reboot.
5. (Optional)Fromawebbrowser,logintoManagementCenter.Ifthewebconsoleloads,thelicensewasinstalled
successfully.
Ifthewebconsoledoesnotload,runtheCLIcommand# license viewtodetermineifthelicensewasinstalled
andisvalid.
InstallthelicensefromBTO
YoumustinstallthelicensefromBTOusingthe#license get-from-bluecoatCLIcommandatleastonce
beforeyoucaninstallitfromBTOusingthewebconsole.
1. SelectInstallfromBTO.
2. EnteryourBTOUserIDandBTOPassword.
3. ClickInstallLicense.
4. ClickRefreshtodisplaytheupdatedlicenseinformationintheLicenseComponentstable.
InstallfromURL
Beforeyoucaninstallyourlicenseyoumustfirstgetthelicensefile(*.bin)andsaveittoalocationonawebserverorwork-
stationthattheVAcanaccess.
1. SelectInstallfromURL.Thewebconsoledisplaysatextfield.
2. Enterthelocation(avalidURL)ofthelicensefileintothefield.
417
Management Center Configuration &Management
3. Click Install License.
4. Click Refresh to display the updated license information in the License Components table.
Paste license text from a text editor
Before you can install your license you must first get the license file (*.bin) and save it to a local directory. Open the license file in a text editor (such as Notepad) and make sure you save the file.
1. Select Paste license text. The web console displays a text box.
2. Copy and paste the license from the text editor to the box.
3. Click Install License.
4. Click Refresh to display the updated license information in the License Components table.
Verify License Components from the Web Console
Management Center has a flexible license model. Components can be licensed, and are exposed dependent upon the license type and component name. You can view the validity of licensed components, add more devices to your license, and view the serial number and appliance model of the hardware appliance. Install or update your licenses directly from BTO while logged in to the web console.
1. To verify the license components, type and status, log in to the web console.
2. Select Administration > License. From the License Component tab you verify the following General Information about the license:
• Manufacturer (Blue Coat Systems Inc.)
• Number of Maximum Devices allowed
• Serial Number
• Appliance Model
• Status
• Component Name
• Activation date
• Expiration date
• License Type
Troubleshoot and Resolve Issues
This section discusses troubleshooting steps and advanced procedures for Management Center.
The following topics provide information for resolving common issues:
• "Reset or Restore Admin Account Passwords" on page 283
• "Upgrade/Downgrade System Images" on page 406
• "Encrypt Sensitive System Data" on page 409
• "Back Up the Management Center Configuration" on page 408
• "Restore a Management Center Backup Configuration" on page 410
Audit Transactions
To access the Audit Log Viewer, click the Auditing tab.
By default, recent transactions are displayed on the first page of records. If they are not on the first page, or if you are looking for historical data, you can navigate to different pages or limit the number of records to locate the correct ones. For instructions, see "Customize the Audit Log" on page 423.
Records do not display in the Audit Log Viewer immediately after transactions occur; refresh the web console to see most recent records. You can click the Refresh icon at the bottom of the screen to update the most recent entries.
To understand and analyze the data recorded for each transaction, refer to the following table.
Column | Description
Operation Time | The date (in YYYY-MM-DD format) and time (in 24-hour notation) the transaction was completed.
Operating User | The user who performed the operation. If no user is associated with the operation, SYSTEM is displayed.
Record Type | The transaction level: AUDIT or EVENT. An audit record is a system-level transaction; an event record is a user-level transaction. For more information, see "Understand Transaction Types" on the next page. This column is hidden by default.
Object Type | The type of object on which the operating user performed the action.
Operation Type | The operation that was completed.
Info 1 - Info 5 | Additional reference fields for the record. Not all transaction types have additional information. Columns Info 3 through Info 5 are hidden by default.
Understand Transaction Types
The Audit Log records two levels of transactions:
• Event - High-level transactions that occur as a result of a user action, such as adding or deleting a device
• Audit - Low-level internal system actions, such as deleting connection information
Each record contains the target of the operation, the operation detected, the user who executed the operation, and additional data depending upon transaction type.
In the previous example, the Object Type is Role and the AUDIT transactions are changes at the system and admin levels. You might find that in most cases, EVENT records provide enough detail about transactions and their effects on the system. Filters were applied to the record type.
Customize the Audit Log
Because the Audit Log records all transactions on multiple levels, the log can grow very quickly, especially if many devices are managed in Management Center and there is a high level of user activity. Although the Audit Log is designed to make it easy for you to locate the records you want, you can customize the display further to help you locate specific records, isolate records from a certain date or time, filter records pertaining to specific users or objects, and more.
Use the following methods in conjunction to customize the Audit Log display to suit your purposes.
When you make the following changes in the Audit Log Viewer, the changes do not persist beyond the current browser session; the next time you log in to the web console, you must go through the same steps to change the viewer again.
Show or hide columns
You can show columns that you hid, or columns that are not visible by default, such as Record Type and Info 3 through Info 5. You can hide some columns if you want a more general look at the log or if your screen size is limited.
To see all information available in the Audit Log and ensure that you can see an appropriate level of detail, you can show all columns first and then choose which ones, if any, you want to hide.
1. On any column header, click the arrow. The web console displays a list of options.
2. Select an option to show the column.
Clear an option to hide the column.
3. Click anywhere outside of the list to close it.
The Audit Log shows/hides the columns you specified.
Sort columns
Because the Audit Log displays records in descending chronological order by default, you can re-arrange them to analyze the data more effectively. By default, the records are sorted in descending order of Operation Time (latest to earliest).
1. Click the header of the column you want to sort.
• If the header displays an up arrow, the data is arranged in ascending order (A-Z, earliest to latest).
• If the header displays a down arrow, the data is arranged in descending order (Z-A, latest to earliest).
2. Click the header again to reverse the sort order.
In the following example the columns are sorted by Operation Type, so all Authentications are displayed first.
Filter records
To limit the amount of data that the log displays and focus only on specific records, apply filters using the drop-down lists on the right. Depending on the transaction level, you may need to filter pages of records. The filters limit the record type. To narrow the search, apply one or more filters.
If applying a filter results in too few records or not the right records, remove or change some filters. To reset the filters to default, click Clear.
Configure Housekeeping Settings
Configure general housekeeping settings. When these settings are activated, they affect what is displayed in the Audit Log Viewer and how big audit logs can grow.
If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
1. Select Administration > Settings.
2. Click Housekeeping on the left.
3. Select the default housekeeping settings. A red asterisk (*) denotes fields that are mandatory.
Setting | Description | Input Value/Format
Run every n hours.* Default is 12. | The value represents (in hours) how often to run a full audit. | numeric using up and down arrows
Number of days of audit records to keep.* Default is 120. | The value represents the number of days that audit records are kept. | numeric using up and down arrows
Number of days of job execution records to keep.* Default is 120. | The value represents the number of days that job execution records are kept. | numeric using up and down arrows
Number of days of closed alert records to keep.* Default is 120. | The value represents the number of days that alerts are kept after being closed. | numeric using up and down arrows
4. Perform one of the following:
• Click Reset to remove your current changes and revert to the default or last saved settings.
• Click Save to store the settings on the server.
If you are unable to save your changes, make sure that all required settings are specified.
• Click Activate to cause the server to load and apply the currently saved configuration.
Configure Diagnostics Logging
Use this page to set the logging levels. The Master Log includes all of the General and Device Plugin data. To reduce the size of the Master Log or to produce a targeted log, configure the levels accordingly. The level you choose determines the amount of information provided in each log. For example, debug logs can later be used to send diagnostic information to Support. The logging levels are described in the following table.
Log Level | Description
DEBUG | Logs detailed informational events and is most useful when you are attempting to diagnose problems.
INFO | Logs high-level informational messages only.
WARN | Logs potentially harmful events.
ERROR | Logs all errors that do not cause the system to restart.
OFF | Disables logging. The Master Log cannot be disabled.
ALL | Logs everything. Applicable only to the Master Log.
When you enable a log, data is written to a specific log file. For example, if the Master log is set to INFO or above, messages are written to log.log. If the Master Log is set to DEBUG, all messages are written to debug.log and also to log.log (messages for INFO and above). All other logs send data to a log of the same name, for example, security.log and network.log.
Configure Diagnostic Logging
1. Select Administration > Settings > Diagnostics.
The system displays the Diagnostics window. A red asterisk (*) denotes fields that are mandatory.
2. Specify the Master Logging Level, General, and Device Plugin settings.
3. Do one of the following:
• Click Save to store the settings on the server.
If you are unable to save your changes, make sure that all required settings are specified.
• Click Activate to cause the server to load and apply the currently saved configuration.
Required Ports, Protocols, and Services
Management Center uses the following ports while operating. Ensure that you allow these ports when setting up Management Center.
Management Center | 22 TCP | Management Center | Management Center communication with failover partner
Management Center | 22 TCP | User's Client | Management Center CLI
Management Center | 8080, 8082 TCP | User's Client | Management Center's UI (web console)
Ensure connectivity to the following URLs.
Determine Which Version You are Using
To aid in troubleshooting, you might need to determine the version and build of Management Center that is currently running. Refer to the Management Center Release Notes to identify issues or limitations that your build might include.
1. In the web console banner, click ? > About. The web console displays the Management Center - About dialog.
The dialog displays information about the Management Center version. See the table following this procedure.
2. Click Close to close the dialog.
Build Information Fields
Field | Description
Version | The Management Center version.
Build | The number of the installed build.
Serial Number | The serial number of the appliance.
Automate Password Reset Process
As an administrator on Management Center, you need to configure settings so that users can request a password reset if they forget their password.
1. Select Administration > Settings > General.
2. Set the Is Reset Password enabled? field to true.
3. For Reset Password Email Subject, modify the email subject line, if desired.
4. For Reset Password Email Message, modify the body of the email that is automatically sent to users when they click the Reset Password link. For example, you can add a person's name to the signature instead of the generic Blue Coat Management Center.
The message contains two substitution variables: {fullname} and {password}. Management Center automatically replaces {fullname} with the user's first and last name and replaces {password} with a temporary password.
5. Click Save to store the settings on the server.
6. Make sure an email server is configured. See "Configure Mail Settings" on page 402.
When the email is sent with the temporary password, the user's account is marked so the administrators know that the password is only temporary. The temporary password will expire.
Prevent Licensing Issues on a Virtual Appliance
To prevent licensing issues, ensure that the VA is allowed network access to the license validation server at https://validation.es.bluecoat.com. See "Verify Web Console Access" on page 35.
If communication with the server fails, the license may be suspended. Unless you have purchased a VA offline license, constant Internet connection is required for Management Center to communicate regularly with the license validation server to confirm that the serial number is valid.
Duplicate Serial Numbers
If the license validation server detects duplicate serial numbers, your license is invalidated and the license health status goes to a critical state. Verify your license in BCLP and contact Blue Coat Support if you continue to have problems.
Expiring Licenses
Management Center health goes into a Warning state when the license is 15 days from expiring. For example, if the license will expire on January 30th, the Messages option in the web console banner displays Warning-level alerts, such as the following, starting on January 15th.
The web console banner displays an alert for each licensed component.
Once the license expires, Management Center goes into an Error state and remains in that state for another 15 days or until the license is updated (whichever occurs first). For example, starting on January 30th, the Messages option in the web console banner displays Warning-level alerts for each licensed component until the license is renewed.
If you do not renew the license within 15 days after the expiration date, you will be unable to load the web console. You must renew the license through the CLI using # license get-from-bluecoat or # license get-from-url.
Restart Services
To troubleshoot some issues, you might need to restart Management Center services. You will need to restart the services after you install or update a Management Center license.
1. "Access the Management Center CLI" on page 439.
2. Enter privileged mode by typing enable at the command prompt.
3. Enter your enable password and press Enter.
4. At the # prompt, type restart services and press Enter.
The CLI displays the command prompt.
You cannot access the web console while the services are restarting; however, you can try accessing the web console a few minutes after issuing the command.
Test Network Connectivity
Verify that your network is set up correctly by using the ping command or the tracepath command in the CLI. Be sure to specify a hostname or IP address that you know is reachable and working.
1. "Access the Management Center CLI" on page 439.
2. Enter Privileged mode. "Privileged Mode Commands" on page 446.
3. Ping an IP address:
# ping <hostname or IP address>
4. Trace the path between the host and a destination IP address:
# tracepath <destination>
If you receive an error message, check your network configuration.
Upload System Diagnostics
To help Blue Coat Technical Support troubleshoot a Management Center issue, you can send diagnostics information to an external server using a supported protocol (FTP, HTTP, HTTPS, or SCP).
1. Log in to the CLI. See "Access the Management Center CLI" on page 439.
2. (If required) Enter the privileged mode password and press Enter.
3. Enter the appropriate command to upload the diagnostics:
Using FTP
where <username:password> is the username and password to authenticate to the server and host/path is the path to where you want to save the file.
Using HTTP
where host/path is the path to where you want to save the file.
Using HTTPS
where host/path is the path to where you want to save the file.
Using SCP
where <username:password> is the username and password to authenticate to the server and host/path is the path to where you want to save the file.
View Hardware Diagnostics and Memory Resources
Use the Hardware Diagnostics screen to check on how much memory and storage space is being used by Management Center system components and processes. In addition, you can monitor various hardware sensors to spot potential problems with CPUs, fans, power supplies, and so forth (not applicable to virtual appliances).
• System Metrics - Details about memory usage of the CPUs and Management Center processes
• Storage Usage - Additional memory settings
• Data Storage - Amount of data used by each feature
• Database Storage - Amount of storage used for each database (Management Center, Device Statistics, Reporter)
• Temperature Sensors - The results of temperature monitoring for the chassis, CPU, and other components that produce heat in the appliance
• RPM Sensors - Reports the speed at which the fans on the appliance spin
• Voltage Sensors - Reports the voltage, status and state of components for which the appliance has a voltage sensor such as CPU cores, power supply, and others
• Other Sensors - Reports status of optional hardware components, such as extra power supplies
Byte counts for memory usage are approximations, not precise values.
To view hardware diagnostics for your appliance:
1. Select Administration > Hardware Diagnostics.
2. Click Refresh to view the most current appliance status totals and usage.
Problems and Errors
The following are error messages that you might encounter in Management Center.
Read Alerts
In the web console banner, Messages displays alerts to communicate that a change was made, such as a confirmation of device activation. Alerts indicate the severity level of the change; for example, Messages displays a green Message-level alert when you add a device and a red Error-level message when device activation fails.
If you have unread alerts, the Messages label in the banner displays the number of unread alerts and the status of the alert with the highest severity level.
To read messages, in the web console banner, click Messages. The web console displays the Recent Messages dialog.
To filter alerts, click Errors, Warnings, or Messages at the bottom of the dialog. To understand more about colors and status, see "About Color-Coded Status Indicators" on page 28.
When you navigate to another screen, Message-level alerts are removed from the Messages dialog, but Errors and Warnings remain on the dialog until you read them.
"Could not enable statistics collection due to unexpected server failure" when activating a device
Problem: When you activate a device, you receive the alert "Statistics collection failed. Could not enable statistics collection on <device> due to unexpected server failure". When you added the device, you had selected Collect statistics for this device.
Resolution 1: Statistics collection requires SGOS 6.3.x. If the ProxySG appliance is not running SGOS 6.3.x or later, disable statistics collection by editing the device details and clearing Collect statistics for this device. You can enable statistics collection for the device again later if you upgrade SGOS to a supported version.
Resolution 2: Connection settings are incorrect. Verify device connection parameters and edit the device details.
"Import batch contains duplicate device name violation" when importing multiple devices
Problem: When you import devices, you receive the error "Import batch contains duplicate device name violation."
Resolution: Each device in the import file must have a unique name. Management Center detects duplicate device names even if you select only one or none of the devices for importing, and regardless of their placement in the hierarchy. Rename duplicate devices in the import file and import them again. Alternatively, remove devices that you do not want to add from the file and import devices again.
"Local Changes Detected" error when installing policy
Problem: When you click Install Policy, the Policy Editor displays a "Local Changes Detected" message:
This message means that the policy on a device has changed outside of Management Center. It could have been changed on the ProxySG appliance itself, or through an overlay installation if you also use Blue Coat Director to manage devices.
Resolution: To resolve this conflict, click Compare to see the differences between the policy on the device and the policy you want to install. See "Compare the Device Policy Version with Current Policy Version" on page 225 for information. Then, click Install Policy to overwrite the version on the device, or click Cancel to keep the version on the device.
User has "access denied" error when running a job
Problem: A user runs a job manually (through the Run Now option) or using the Immediate schedule option, but the job completes with an "access denied" error.
Resolution: Check the user's permissions; if they do not have sufficient permissions for the operation, they cannot run a manual or immediate job for the operation. For more information, see "Reference: Understanding Job Permissions" on page 261.
"Multi-tenant policy support is not enabled for this device" when installing policy
Problem: Attempts to install policy to a ProxySG appliance fail and you receive the message "Error: Multi-tenant policy is not enabled for this device".
Resolution 1: Multi-tenant policy was introduced in SGOS 6.6.x; if the device is running an earlier version of SGOS, you cannot install multi-tenant policy to it. If the device is running SGOS 6.6.x, proceed to the next resolution.
Resolution 2: The device does not have the Multi-Tenant Policy license or the license is invalid. If this is the case, contact your Blue Coat sales point of contact or Blue Coat customer care for assistance.
To determine if the appliance has the license:
1. Log in to the ProxySG Management Console.
2. Select Maintenance > Licensing.
3. In the list of Licensed Components, look for Multi-Tenant Policy. If the license is installed and valid, proceed to the next resolution.
Resolution 3: Multi-tenant policy is not enabled on the device. To enable it, enter the following commands:
#(config) general
ok
CLI Command Reference
Management Center includes a command-line interface (CLI) that allows you to perform basic administrative tasks. A PDF of the Management Center CLI command documentation is available on BlueTouch Online:
• "Access the Management Center CLI" on the next page - Describes how to access the CLI via an SSH connection.
• "CLI URL Syntax" on page 440 - Describes the valid syntax for commands that require a URL path
• CLI Command Reference: List - Navigate links to view command descriptions and syntax.
Access the Management Center CLI
Log on to the CLI through an SSH connection or through the Management Center VMware console.
For hardware appliances, access the CLI through the serial console.
Log on using SSH
1. Install an SSH client. This procedure uses PuTTY as an example; your steps might be slightly different.
2. Open PuTTY and specify the following information:
• Host Name (or IP address) - The IP address that you specified for
• Port - 22
3. (Optional) Specify a name for the connection and click Save to save the settings.
4. Click Open. The SSH window opens, with a login prompt.
5. At the login as: prompt, type admin and press Enter.
6. At the admin@IP_address's password: prompt, type your password and press Enter. The console displays the CLI banner.
Log on through the VMware console
Use the VMware console or SSH if you are logging in to a Virtual Appliance.
1. In the VMware client, browse to the VM in the inventory.
2. Select the VM, right-click, and select Open Console.
The console displays the CLI console and prompts you to press Enter three times.
3. Press Enter three times. The console displays the CLI banner.
CLI URL Syntax
All CLI commands that accept a URL as a download source or upload destination are formatted as:
protocol://host/path
For example, the SCP protocol must use the format:
scp://host/path
If path is a directory, it must end with a forward slash (/).
The following protocols are supported, although some commands do not support all of the protocols:
• ftp://hostname[:port]/path
• ftps://hostname[:port]/path
• http://hostname[:port]/path
• https://hostname[:port]/path
• scp://hostname[:port]/path
Notes
• URLs cannot contain spaces. If the hostname or path contains a space, you must use the URL-encoded characters instead: %20.
For example, enter the following URL
http://yourserver.com/d/backup 2.tgz.gpg
as
http://yourserver.com/d/backup%202.tgz.gpg.
• The @ symbol is available for use in server credentials for the following commands:
◦ backup import
◦ installed-systems add
◦ license get-from-url
◦ service upload-diagnostics
◦ security ssl import server-certificate
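The URL rules above, as an added example (not part of the guide and not Blue Coat code): a Python pre-flight check that normalizes a URL before it is typed into a CLI command such as backup export, and masks an embedded password before the URL is written to a ticket or runbook. The function names, the warning texts, and the cleartext-protocol warning are assumptions of this example; IPv6 literals and passwords containing "/" are out of scope.

```python
import re

SUPPORTED = ("ftp", "ftps", "http", "https", "scp")  # protocols listed in the guide
CLEARTEXT = ("ftp", "http")  # no transport encryption (general fact, not from the guide)

_URL = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://([^/]+)(/.*)?$")


def _split(url):
    """Split protocol://[user:password@]host[:port]/path into its parts."""
    m = _URL.match(url.strip())
    if not m:
        raise ValueError("expected protocol://host/path")
    scheme, authority, path = m.group(1).lower(), m.group(2), m.group(3) or "/"
    # Split at the LAST @: the guide allows @ inside server credentials.
    userinfo, _, hostport = authority.rpartition("@")
    return scheme, userinfo, hostport, path


def check_cli_url(url, is_directory=False):
    """Return (normalized_url, warnings); raise ValueError if unusable."""
    scheme, userinfo, hostport, path = _split(url)
    if scheme not in SUPPORTED:
        raise ValueError("unsupported protocol: %s" % scheme)
    host, colon, port = hostport.partition(":")
    if not host.strip():
        raise ValueError("missing host")
    if colon and not (port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError("invalid port: %r" % port)

    warnings = []
    # Rule from the guide: spaces in hostname or path must be written as %20.
    if " " in hostport or " " in path:
        hostport = hostport.replace(" ", "%20")
        path = path.replace(" ", "%20")
        warnings.append("spaces replaced with %20")
    # Rule from the guide: a directory path must end with a forward slash.
    if is_directory and not path.endswith("/"):
        path += "/"
        warnings.append("trailing slash added to directory path")
    # Added check (assumption of this example): flag unencrypted transports.
    if scheme in CLEARTEXT:
        what = "credentials and data" if userinfo else "data"
        warnings.append("%s sent without transport encryption over %s" % (what, scheme))

    auth = userinfo + "@" + hostport if userinfo else hostport
    return "%s://%s%s" % (scheme, auth, path), warnings


def redact(url):
    """Mask the password in user:password@host so the URL is safe to log."""
    scheme, userinfo, hostport, path = _split(url)
    user, colon, _password = userinfo.partition(":")
    if colon:
        userinfo = user + ":*****"
    auth = userinfo + "@" + hostport if userinfo else hostport
    return "%s://%s%s" % (scheme, auth, path)


if __name__ == "__main__":
    # Constructed sample inputs; hosts and credentials are placeholders.
    samples = [
        ("http://yourserver.com/d/backup 2.tgz.gpg", False),
        ("scp://backup.example.test/mc/backups", True),
        ("ftp://alice:p@ss@files.example.test:21/up/", True),
    ]
    for raw, is_dir in samples:
        normalized, notes = check_cli_url(raw, is_dir)
        print(redact(normalized))
        for note in notes:
            print("  warning:", note)
```
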
Standard Mode Commands
Standard mode is the default mode when you log on to the CLI. In standard mode, you can view configuration settings, but not change them.
>enable
Use this command to enter privileged mode. Privileged mode commands enable you to view and change your configuration settings.
By default, you are not required to enter a password for privileged mode. You can configure a password for privileged mode using the # security enable-password CLI command.
See "Privileged Mode Commands" on page 446 for information on commands available in privileged mode.
Syntax
> enable
Example
Management Center#
>exit
Exit the CLI and return to the banner, where you can choose to enter the CLI or Management Center setup.
Syntax
> exit
Example
--------------------MENU--------------------
2) Setup
--------------------------------------------
Enter option:
>help
Display a list of all commands and a brief description of each. Alternatively, use ? to display the list.
This command is also available in privileged mode.
Syntax
> help
or
> ?
Example
>ping
Verify whether a particular destination exists and is responding to requests by sending ICMP echo packets.
This command is also available in privileged mode.
Syntax
Example
>show
Display system information.
This command is also available in privileged mode.
Syntax
Subcommands
Displays HTTP proxy status (enabled or not) and configuration (host, port, username, password).
> show installed-systems
Lists the images that are currently installed on the system and each image's software version number, release build number, and when the image was last booted.
> show interface
Displays interface and network settings, including IP address, subnet mask, gateway, and DNS servers.
> show license
Lists the component names of all licenses installed on the system and, for each license, displays the status (Valid, Invalid, Expired, Unknown), date the license was activated, expiration date, and type (such as Subscription or Demo).
> show setupinfo
Display system configuration, such as IP address and DNS servers. This reflects the settings specified during initial configuration of Management Center.
> show snmp
Displays the community string and whether remote read access is enabled or disabled.
> show status
# show status
Displays the following system statistics (example only):
• Configuration
• General status
• RAID status (displays for HW appliances only)
• Service status
VA example:
Display information such as system version, build version, and serial number.
Example
Network settings:
IP address: 10.169.21.51
IP gateway: 10.169.21.1
Enabled: false
Username:
Password:
>tracepath
Identifies the route packets take to reach a destination. The command executes until the entire route to the host is traced; alternatively, you can press Control+C to return to the command prompt while the trace is in progress.
This command is also available in privileged mode.
Syntax
Example
9: no reply
Privileged Mode Commands
Privileged mode provides a set of commands that enable you to view, manage, and change configuration settings.
Enter privileged mode from standard mode by using the enable command. The prompt changes from a > to a #, indicating that you are in privileged mode.
# backup
# diagnostic-systems
# disable
# exit
# failover
# help
# http-proxy
# installed-systems
# license
# pcap
# ping
# restart
# restore-defaults
# rsyslog-output
# security
# service
# show
# shutdown
# snmp
# statistics-monitoring
# subscriptions
# tracepath
# verify-hardware
#backup
Back up the Management Center configuration, and view, export, and restore existing backups.
Syntax
# backup [subcommands]
Subcommands
# backup create
Back up the current Management Center configuration.
# backup delete <index_number>
Delete the specified configuration backup.
Use the backup view command to determine the index number to use.
# backup export <index_number> <URL>
Export the specified backup to a destination server. You must enter a passphrase to secure the backup.
Use the backup view command to determine the index number to use. <URL> is the URL of the destination server and path. Supported protocols are FTP, FTPS, HTTP, HTTPS, and SCP. See "CLI URL Syntax" on page 440 for information on how to format the URL.
# backup import <URL>
Import a backup from the specified server. To import the backup, you must enter the passphrase that was specified during the backup export.
<URL> is the URL of the external server and path. Supported protocols are FTP, FTPS, HTTP, HTTPS, and SCP. See "CLI URL Syntax" on page 440 for information on how to format the URL.
# backup restore <index_number>
Restore a Management Center backup, specified by the index number.
Use the backup view command to determine the index number to use.
# backup restore latest
Restore the most recent configuration backup.
# backup restore-data <index_number>|latest
Restore the configuration and data from a backup. Can be used to transfer configuration and data from one Management Center to another. The serial number, license, CLI password, and network configuration are not restored, since they are not applicable when transferring the configuration and data to another unit.
# backup view
View existing configuration backups.
Transfer Configuration and Data to Another Appliance
To transfer configuration and data from one Management Center appliance to another:
1. On the first Management Center: use the backup create command to back up the configuration.
2. Use the backup export command to upload the backup to a Web, FTP, or SCP server.
3. Log in to the second Management Center appliance, and use the backup import command to download the backup from the server specified in step 2.
4. Restore the backup using the backup restore-data command.
Example
Available Backups:
Timestamp Version
#diagnostic-systems
Upgrade and manage diagnostic systems. To switch between diagnostic and system images, press the SPACEBAR during the boot countdown.
Upgrading and managing diagnostic systems is for Management Center hardware releases only.
Syntax
# diagnostic-systems [subcommands]
Subcommands
Downloads and installs the specified diagnostic image. The user is shown progress (bytes downloaded) which they can safely stop watching by entering Ctrl+C. They may resume watching the download progress by running diagnostic-systems view-downloads.
# diagnostic-systems view
Displays the list of diagnostic images installed on the appliance.
# diagnostic-systems view-downloads
Displays running progress of the diagnostic image currently being downloaded. If no image is being downloaded, it displays the status of the last download request. The user can stop watching the progress by entering Ctrl+C.
Deletes the specified diagnostic image from the appliance. Locked systems cannot be deleted.
Locks the specified diagnostic image, preventing it from being deleted.
Unlocks the specified diagnostic image, allowing it to be deleted.
#disable
Return to standard mode in the CLI.
Syntax
# disable
Example
ManagementCenter# disable
#exit
Exit the CLI and return to the banner, where you can choose to enter the CLI or Management Center setup.
To return to standard mode from privileged mode, use the disable command. See "#disable" above for information.
Syntax
# exit
Example
ManagementCenter# exit
Copyright (c) 2015, Blue Coat Systems, Inc.
--------------------MENU--------------------
2) Setup
--------------------------------------------
Enter option:
#failover
Configures Management Center failover. Management Center supports failover using two physical appliances. One appliance is delegated as the primary and the other as the secondary. After failover is configured, the secondary replicates data from the primary appliance. During continuous replication, users can perform all normal operations on the primary failover partner. Users cannot access the secondary failover partner; its sole purpose is to replicate actions occurring on the primary node so that it can take over if something happens to the primary node. See "Configure Management Center Failover" on page 411 for more information.
Syntax
# failover [subcommands]
Subcommands
# failover view
Display current failover settings.
# failover make-primary
Configures the appliance to be the primary partner in the failover group.
# failover make-secondary
Configures the appliance to be the standby partner in the failover group.
# failover disable
Disables all failover settings.
Example
# failover view
Failover:
Primary: 198.51.100.20
Secondary*: 198.51.100.24
#help
Display a list of all commands and a brief description of each. Alternatively, use ? to display the list.
This command is also available in standard mode.
Syntax
# help
or
# ?
Example
#http-proxy
Configure Explicit HTTP Proxy settings.
Syntax
# http-proxy [subcommands]
Subcommands
Display network settings and HTTP Proxy settings, such as IP address, DNS servers, HTTP Proxy host IP address and HTTP Proxy port number.
# http-proxy enable
Enables use of the proxy.
# http-proxy disable
Disables use of the proxy.
# http-proxy configure
Configures proxy settings, such as Proxy host, port, username and password.
Example
Network settings:
IP address: 10.169.0.219
IP gateway: 10.168.0.1
Enabled: true
Username: user1
Password: *****
#installed-systems
Upgrade and manage installed systems.
Before upgrading the Management Center image, set the default system image to the currently running image.
Syntax
# installed-systems [subcommands]
Subcommands
Download and install a system image.
<URL> is the location on a server where image resides, in the following format:
http://host/path
Specify the default system image. The default system image will be run after the next reboot.
<index_number> is the number of the image. Use installed-systems view command to determine the image to use.
# installed-systems delete <index_number>
Delete the specified system image.
<index_number> is the number of the image. Use installed-systems view command to determine the image to use.
# installed-systems view
Display the installed system images, with version, build number, and last boot time. The command also indicates the running image and default image, which will be run upon the next reboot.
# installed-systems view-downloads
View the progress of downloads in progress or the status of the last download. If no systems have been downloaded, the CLI responds No systems are being downloaded.
# installed-systems cancel-downloads
Cancel the progress of all downloads in progress. The CLI displays a list of active download(s), along with the message Are you sure you want to cancel image download? [Y/N]. If the download cancellation is confirmed, the CLI responds System image download canceled. If there are no downloads in progress, the CLI responds No image downloads in progress.
Example of canceled image download:
Lock the specified system image so that it cannot be deleted.
# installed-systems unlock <index_number>
Unlock the specified system image so that it can be deleted.
Example
#license
Install a Management Center license or view the status of the last license download.
The CLI prompts you to enter your BTO credentials when you install the license for the first time.
Syntax
# license [subcommands]
Subcommands
# license get-from-bluecoat
Install a new license or update the existing license from BTO. The CLI only prompts you for your BTO username and password if you are installing a new license on a VA appliance.
This command displays the download progress until download is complete.
# license get-from-url <URL>
Update the existing license from a license file on a local server. The command prompts for an optional passphrase, which is used to decode birth certificates embedded in license files.
This command displays the download progress until download is complete. See "CLI URL Syntax" on page 440 for information on how to format the URL.
# license view
View general information such as appliance serial number, information on licensed components, and status of the last attempted license download, including any download in progress.
If you are running a Management Center VA and have not purchased the Offline VA support option, issuing the license view command requires connectivity to the Blue Coat license validation server. If you issue the command without Offline VA support and Management Center is unable to contact the license validation server, the CLI displays the error:
Cannot communicate with license validation server
For more information, refer to the KB article You receive a "Cannot communicate with license validation server" error in Management Center.
If you are running a version of Management Center that contains features available only through license components, contact your sales engineer to ensure that you have the correct license.
Example
General Information
#pcap
The PCAP utility enables you to capture packets of Ethernet frames entering or leaving Management Center. Packet capturing allows filtering on various attributes of the frame to limit the amount of data collected. The collected data can then be transferred to the desktop for analysis via service diagnostic upload.
To view the captured packets, you must have a tool that can read Packet Sniffer Pro 1.1 files such as Wireshark or Ethereal.
Packet captures are limited to 100 MB. The files rotate once the 100 MB limit is reached.
Syntax
# pcap [subcommands]
Subcommands
# pcap filter
Specifies filters to use for PCAP. If you set a filter and subsequently change it while the PCAP is running, the change will not be applied until you restart the packet capture.
Subcommands:
# pcap filter clear
Clears all pcap filters.
# pcap filter set-host ipv4_address | hostname
Captures data only between Management Center and the specified host.
# pcap filter set-port port
Captures data only on the specified port.
# pcap filter view
Displays the filters currently enabled.
# pcap info
Reports current state of the packet capture.
# pcap start
Starts the capture.
# pcap stop
Stops the capture.
Example
Filtering: port 80
#ping
Verify whether a particular destination exists and is responding to requests by sending ICMP echo packets.
This command is also available in standard mode.
Syntax
Example
#restart
Restart the Management Center VA or services.
Syntax
# restart [subcommands]
Subcommands
# restart reboot
Reboot the virtual appliance. When the appliance shuts down, the network connection closes and you must start a new CLI session.
# restart services
Restart Management Center services.
Example
Management Center#
#restore-defaults
Restore factory defaults on the appliance/device running Management Center. This command is only available using the serial console.
Syntax
# restore-defaults [subcommands]
Subcommands
# restore-defaults factory-defaults
Reboots the appliance/device after restoring factory defaults is complete.
# restore-defaults factory-defaults-halt
Halts the appliance/device after restoring factory defaults is complete.
# restore-defaults factory-defaults-shutdown
Powers off the appliance/device after restoring factory defaults is complete.
# restore-defaults reset-admin
Resets the UI admin password to admin/admin.
# restore-defaults configuration
Resets the UI configuration back to defaults. Retains all other data.
Example
This operation will restore admin password on UI to default. Management Center service
will be unavailable during this operation.
#rsyslog-output
Configure the remote servers where remote syslog output can be sent.
Syntax
# rsyslog-output [subcommands]
Subcommands
# rsyslog-output add
Add new syslog server configuration.
# rsyslog-output configure
Configure existing syslog server.
# rsyslog-output delete
Delete syslog server configuration.
# rsyslog-output disable
Disable use of remote syslog output.
# rsyslog-output enable
Enable use of remote syslog output.
# rsyslog-output view
View configured syslog servers.
Examples
#security
Specify security options for Management Center including basic certificate management using ssl.
Syntax
# security [subcommands]
Subcommands
# security enable-password
Turns on the password for privileged commands. If you turn on the password, you must enter an enable password to enter privileged mode.
<password> is the enable password you specify.
# security generate-ssl-certificate
Generate a new SSL certificate for Management Center. When an SSL certificate expires, you can use this command to generate a new one.
# security http
Subcommands:
# security http enable
Enables or disables HTTP access to Management Center. By default, HTTP is disabled. You must enable HTTP to install system images without a secure connection on managed devices.
# security icmp
Subcommands:
# security icmp enable
Enables or disables ICMP echo. By default, ICMP is disabled. Management Center will respond to pings after ICMP is enabled.
# security password
Change the password used to access the CLI. To change the password, you must enter the current password, and then specify and confirm the new password.
# security reset-password
Resets the password used to access the CLI for the admin account. This command is only available through the serial console. To restore the default password for the admin UI account, see "#restore-defaults" on page 457.
# security unset-enable-password
Turns off the password for privileged commands. If you turn off the password, you can enter privileged mode without having to enter an enable password.
# security ssl
Subcommands:
# security ssl client-authentication disable
Disable X.509 client authentication.
Users must use X.509 client authentication. If X.509 client authentication fails, no connection is established.
When configured, all traffic requires a certificate. For example, to access file service requests and APIs, client authentication is mandatory.
If X.509 client authentication fails, users can log in using the standard Management Center login page. Issuing this command requires Management Center to restart.
Sets the regex command used to extract the certificate's name; the default is CN=(.*?),.
Subcommand:
default
Resets the principal regex to the default.
View current X.509 client authentication settings.
Downloads the certificate from the specified URL and installs it to the truststore with the specified name. Certificates are not case sensitive. See "CLI URL Syntax" on page 440 for information on how to format the URL.
Downloads the certificate from the specified URL and installs it to the keystore, replacing the appliance's SSL certificate if it exists. This command does not restart the MC services; users must do so manually by running restart services. See "CLI URL Syntax" on page 440 for information on how to format the URL.
Displays the names of all certificates in the truststore. Certificate names are not case sensitive.
Displays the names of all system certificates in the truststore. Certificate names are not case sensitive.
Displays the names of all user added certificates in the truststore. Certificate names are not case sensitive.
Displays the names of all server certificates in the keystore. Currently, there will only ever be one, and it will be named defaultcertkey.
Delete the specified certificate from the truststore. System certificates cannot be deleted.
Deletes the appliance's certificate being used for SSL. This command does not restart the MC services; users must do so manually by running restart services.
Displays details of the certificate in the truststore with the given name. Details include owner, issuer, expiration date and fingerprints. Certificate names are not case sensitive.
Displays details of the certificate in the keystore with the given name. Details include owner, issuer, expiration date and fingerprints. Certificate names are not case sensitive.
# security ssl-protocols
Beginning in Management Center 1.5.3.2, TLSv1.1 is disabled by default. This command enables you to manage TLSv1.1 operation.
Subcommands:
# security ssl-protocols disable TLSv1.1
Disables TLSv1.1 protocol.
Enables TLSv1.1 protocol.
Displays the enabled SSL protocols.
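The default principal regex CN=(.*?), described under security ssl client-authentication only matches when a comma follows the CN value. The following is an added example, not taken from this guide: it runs that default against constructed subject DNs to show which layouts it mishandles, so a custom regex can be tested before client authentication is enforced. The sample DNs, the function names and STRICT_PRINCIPAL_REGEX are assumptions, and Python's re module is assumed to treat these constructs the same way as the appliance's regex engine.

```python
import re

# Default principal regex as quoted in the guide.
DEFAULT_PRINCIPAL_REGEX = r"CN=(.*?),"

# Assumed alternative (not from the guide): CN must start an RDN, may end
# the DN, and may contain backslash-escaped characters such as "\,".
STRICT_PRINCIPAL_REGEX = r"(?:^|,\s*)CN=((?:\\.|[^,\\])+)(?:,|$)"

# Constructed subject DNs, one per layout worth checking.
SAMPLES = {
    "cn_first": "CN=alice,OU=NetOps,O=Example Corp,C=US",
    "cn_last": "C=US,O=Example Corp,OU=NetOps,CN=alice",
    "escaped_comma": r"CN=Smith\, Alice,OU=NetOps,O=Example Corp",
    "space_after_comma": "CN=alice, OU=NetOps, O=Example Corp",
}

# The principal each constructed DN is meant to yield.
EXPECTED = {
    "cn_first": "alice",
    "cn_last": "alice",
    "escaped_comma": r"Smith\, Alice",
    "space_after_comma": "alice",
}


def extract_principal(subject_dn, pattern=DEFAULT_PRINCIPAL_REGEX):
    """Return capture group 1 of the first match, or None if nothing matches."""
    match = re.search(pattern, subject_dn)
    return match.group(1) if match else None


def audit(pattern):
    """Return the names of the samples whose extracted principal is wrong."""
    return [
        name
        for name, dn in SAMPLES.items()
        if extract_principal(dn, pattern) != EXPECTED[name]
    ]


if __name__ == "__main__":
    for label, pattern in (("default", DEFAULT_PRINCIPAL_REGEX),
                           ("strict", STRICT_PRINCIPAL_REGEX)):
        print(label, "fails on:", audit(pattern) or "nothing")
```

With the default, a certificate whose CN is the last attribute yields no principal at all, and a CN containing an escaped comma is cut at the backslash.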
Example
1. Import an external certificate from a server using the public key. This allows Management Center to connect to an external server without using a username or password for authentication.
2. Name the certificate.
3. Go to the URL of the server, and copy and paste the URL into the subcommand.
4. Click Return. While the certificate downloads, the CLI displays the details of the connection to the server and inspects the certificate for details such as:
• Owner
• Issuer
• Serial Number
• Certificate fingerprints
• Extensions
When the download is complete, the CLI queries:
Are you sure you want to import this as a trusted certificate? [y/N]
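Before answering y at this prompt, the fingerprint the CLI displays can be compared with one computed from a copy of the certificate obtained out of band from the server's owner. The following is an added example, not part of this guide: the function names are hypothetical, SHA-256 is assumed as the displayed algorithm (SHA-1 is also handled), and the PEM body is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to its DER bytes."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(der, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the DER encoding."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(value):
    """Drop separators and case; pass only the hex value, not its label."""
    return re.sub(r"[^0-9a-fA-F]", "", value).lower()


def safe_to_import(reference_pem, displayed_fp, algorithm="sha256"):
    """True only if the CLI-displayed fingerprint equals the reference one."""
    expected = normalize(fingerprint(pem_to_der(reference_pem), algorithm))
    shown = normalize(displayed_fp)
    # A truncated or partially copied fingerprint is never accepted.
    if len(shown) != hashlib.new(algorithm).digest_size * 2:
        return False
    return hmac.compare_digest(expected, shown)


# Constructed stand-in for a certificate (not a real one): a fingerprint is
# a hash over the DER bytes, so any byte string exercises the comparison.
CONSTRUCTED_DER = b"constructed-placeholder-DER-bytes-for-the-example"
REFERENCE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(CONSTRUCTED_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    shown = fingerprint(pem_to_der(REFERENCE_PEM))
    print("reference SHA-256:", shown)
    print("answer y" if safe_to_import(REFERENCE_PEM, shown) else "answer N")
```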
#service
The service command allows you to view disk usage and troubleshoot the following:
• Disk space or possible file corruption issues
• Enable verbose logging
• Upload diagnostic data to Blue Coat using an open support case
• Possible VPM cache corruption issues
View Disk Usage
View your current disk usage before performing disk maintenance.
Syntax
#service disk-usage
Perform Disk Maintenance
Clean your disk by using the #service db-maintenance command and subcommand. This is used for manual database cleanup and re-indexing. While running this maintenance command, both Management Center and statistics monitoring are unavailable.
Syntax
#service db-maintenance
Automated disk space cleanup occurs when Management Center reaches 85% of disk utilization. This automated cleanup removes backed up dump files and all but the latest Management Center backup. This automated cleanup is not as thorough as performing disk maintenance manually. Management Center and statistics monitoring remain available and running.
Enable Verbose Logging
To enable verbose debug logging, execute the command #service enable-verbose-logging. When you have completed capturing what you want, stop the logging by executing the command #service disable-verbose-logging. You can then export the debug log from the web console or include the log in a support case upload.
Syntax
#service enable-verbose-logging
#service disable-verbose-logging
You should enable verbose logging to include more debug-level details in system logs, which can be used to troubleshoot issues you may have encountered. Because the system log is included in the diagnostics upload to Blue Coat Support, enabling verbose logging includes debug-level logs in the diagnostics archive.
Upload Diagnostics Data
Upload diagnostics data to a destination server or directly to Blue Coat if you have an open support case.
Syntax
#service upload-diagnostics [subcommands]
Subcommands
SCP: scp://<host>/<path>
FTP: ftp://<host>/<path>
FTPS: ftps://<host>/<path>
HTTP: http://<host>/<path>
HTTPS: https://<host>/<path>
Upload the diagnostics to Blue Coat Support with your existing case number.
<case_number> is the number for your open Blue Coat Support case.
Purge VPM Cache
If you receive a message when starting the Visual Policy Manager Editor from the web console that a jar mismatch exists, you will need to purge the VPM cache. This happens rarely, such as if there is a network failure while jars are being transferred between devices.
Purge all Visual Policy Manager .jar files by using the #purge-vpm cache command.
Syntax
#purge-vpm cache
#show
Display system information.
This command is also available in standard mode.
Syntax
# show [subcommands]
Subcommands
# show http-proxy
Displays HTTP proxy status (enabled or not) and configuration (host, port, username, password).
# show installed-systems
Lists the images that are currently installed on the system and each image's software version number, release build number, and when the image was last booted.
# show interface
Displays interface and network settings, including IP address, subnet mask, gateway, and DNS servers.
# show license
Lists the component names of all licenses installed on the system and, for each license, displays the status (Valid, Invalid, Expired, Unknown), date the license was activated, expiration date, and type (such as Subscription or Demo).
# show setupinfo
Displays system configuration, such as IP address and DNS servers. This reflects the settings specified during initial configuration of Management Center.
# show snmp
Displays the community string and whether remote read access is enabled or disabled.
# show status
Displays the following system statistics (example only):
• Configuration
• General status
• RAID status (displays for HW appliances only)
• Service status
VA example:
# show version
Display information such as system version, build version, and serial number.
Example
Network settings:
IP address: 10.169.21.51
IP gateway: 10.169.21.1
Enabled: false
Username:
Password:
#shutdown
Shut the hardware or virtual appliance down.
Syntax
# shutdown
Example
Management Center#shutdown
#snmp
Enables you to disallow remote read access or only allow read-only remote access. You can set the community string and view the SNMP settings for SNMP traps.
You can view SNMP settings in the standard ">show" on page 443 command.
Syntax
# snmp [subcommands]
Subcommands
# disable-remote-read-access
Disallows remote read access.
# enable-remote-read-access
Allows read-only remote access.
# set-community
Set the community string (you cannot use the default).
# view
View SNMP settings.
Example
#statistics-monitoring
Shut the hardware or virtual appliance down.
Syntax
# statistics-monitoring [subcommands]
Subcommands
# statistics-monitoring set-per-hour-lifetime
Set per hour trend data lifetime. Must be entered in number of days.
# statistics-monitoring set-per-minute-lifetime
Set per hour trend data lifetime. Must be entered in number of days.
# statistics-monitoring view
View current statistics monitoring lifetime settings, record statistics, and disk usage data.
Example
#statistics-monitoring view
Total devices: 2
Reporting devices: 1
Data characteristics:
Lifetime Records Disk Usage
minute 7 days 131240 113 MB
hour 366 days 50927 26 MB
#subscriptions
Download and view the current status of Blue Coat subscriptions.
In Management Center 1.6.1.1, the subscriptions command controls only the Web Application Protection (WAP) subscription. To use Web Application Firewall (WAF) features, you must ensure that Management Center can connect to https://subscription.es.bluecoat.com to download the WAP subscription bundle. If the WAP subscription cannot be downloaded, the Blacklist and Analytics Filter rules table in the Security Profile will not be available. However, all other WAF features should still be available and functioning. The WAP subscription cannot currently be loaded when Management Center is in offline mode.
Syntax
#subscriptions [subcommands]
Subcommands
#subscriptions application-protection
# subscriptions application-protection download
Downloads the application-protection subscription update.
# subscriptions application-protection download-force
Downloads the application-protection subscription update, even if an instance of the identical update already exists.
View the application-protection status.
Example
Management Center# subscriptions application-protection view
The download URL is not configurable.
#tracepath
Identifies the route packets take to reach a destination.
The command executes until the entire route to the host is traced; alternatively, you can press Control+C to return to the command prompt while the trace is in progress.
This command is also available in standard mode.
Syntax
Example
9: no reply
#verify-hardware
Displays all hardware system information for the appliance running Management Center. This command helps when diagnosing any problems encountered during installation or initial configuration.
Syntax
# verify-hardware [subcommands]
To diagnose problems with the hardware, see "#diagnostic-systems" on page 448.
Example
RAM:
16384 MB
Number of cores: 4
Storage: