
Configuration & Management Guide

Management Center v1.6.1.1

Guide Revision: August 04, 2016
Management Center Configuration & Management


TOC
Management Center Overview 23
Web Console Overview 25
Dashboard 26
Network 26
Configuration 27
Jobs 27
Reports 27
Administration 28
Example 29
Log in to the Web Console 31
Navigate the Web Console 32
Required Ports, Protocols, and Services 33
Verify Web Console Access 35
Move Items 36
Encrypt Sensitive System Data 38
Potential Data Loss 38
How Do I? 39
Add and Monitor Devices 39
Create and Manage Jobs 40
Upload Files to Management Center 41
Add Users and Grant Permissions 45
Monitor Device Health 47
Manage Dashboards 50
Notes 51
Integrate Reporter into Management Center 53
View Consolidated Reports 53
Migrate Device Metadata in Director as Management Center Scripts 55
Determine Your Next Step 60
View Audit Log 61
Regularly Back Up a Group of Devices 62
Manage Devices 64
Add a Device 65
Determine Your Next Step 67
Add a Device Group 68
Set the Device Polling Interval 68
Add Multiple Devices at Once 70
Import Devices Using a CSV File 70
Determine Your Next Step 71
Edit a Device 72
Procedure 72
View Effective Policy for Each Slot on the Device 72
Determine Your Next Step 73
Edit a Device Group 74
Launch a Device Console 75
Upgrade System Images on Managed Devices 75
Troubleshooting 77
Back Up Device Configurations 78
Next Steps 80
Use Device Information for Backup Job Image Metadata 81
View Device Backups 83
Restore Device Backups 84
Export Device Backups 85
Restore Device Backups 87
Set the Number of Backup Slots 88
SSL Visibility Appliance - What is Backed up and Synchronized? 88
Policy 88
PKI 88
Users 88
Platform 88
Alerts 89
Remote authentication 89
Monitor Device Health and Statistics 90
Stop Managing a Device 95
About Pre-Deployed and Deactivated Devices 96
Restart a Device 96
Synchronize Devices 97
Prerequisites 97
Device Sync Details 97
Support for SSL Visibility Appliance 97
Support for Content Analysis 97
Support for Malware Analysis Appliance (MA) 98
Perform Device Synchronization 98
Configure Hierarchy for Devices and Device Groups 100
Hierarchical Configurations 100
Edit a Hierarchy 102
Delete a Hierarchy 102
Search for Managed Devices 103
Search by Name or IP Address 103
Browse the Hierarchy 103
Perform an Operation on a Managed Device 104
Ensure Devices Belong to Device Groups 105
Monitor Device Health 106
Verify Device Details 110
Device Overview Tab 110
View System Metrics 112
The System Metrics Tab 112
The Health Checks Tab 112
The Backup Tab 113
Determine Your Next Step 113
RMA a Device 114
Put Device in Monitor-Only Mode 115
Use WAF Policy To Protect Servers From Attacks 119
Requirements 120
Solution Steps 120
About WAF Policy 121
About the Default Tenant 121
About Tenant Determination 122
Reference: Conditions and Examples 122
Manage Tenants 124
WAF Policy Use 124
Specify Tenant Determination Rules 126
WAF Policy Use 126
Configure WAF Security Rules 130
WAF Policy Use 130
Configure WAF Application Objects 133
WAF Policy Use 133
Analyze and Refine WAF Policy (Mitigate False Positives) 139
WAF Policy Use 139
Analyze and Refine WAF Policy Workflow 139
Manage WAF Security Policy 140
WAF Policy Use 140
Distribute Configurations to Devices 144
Create and Distribute Configurations Using Scripts 145
Compare Versions of the Script 148
Customize Object Filters 149
Execute a Script 150
Example 150
To Execute a Script 150
Filter by Attributes and Keyword Search 151
Search by Keyword 151
Procedure 152
Can quotes be used in a search? 152
How do you search for whole words? 152
How do you search for partial words? 152
Example Searches 152
IPv4 127.0.0.1 152
IPv6 0:0:0:0:0:1 152
Hostnames 152
What if the search finds no match? 152
What if the search succeeds in finding matches? 152
How do you clear the search results? 152
Import Script from a Device 153
Determine Your Next Step 154
Manage Attributes 155
View and Sort the Following Attributes Lists 155
Restore a Version of Script 156
View Script Information 157
Use Substitution Variables in Policies and Scripts 158
Syntax 158
Examples 159
Supported Variables 159
Specify a Default Substitution Value 160
Syntax 161
Example 161
Create and Distribute Policy 162
Use Content Policy Language (CPL) to Create Policy 165
Working with CPL Policy Fragments 165
Determine Your Next Step 166
Create a CPL Policy Object 167
Determine Your Next Step 168
Add or Edit CPL Policy Sections 169
Refine Existing CPL Policy 171
Work with CPL Policy Sections 172
Navigate sections 172
Collapse a section 172
Collapse all sections 172
Move sections 172
Find a Policy Section 173
If the search finds no match 173
If the search finds matches 173
Clear the search results 173
Manage Attributes 174
View and Sort the Following Attributes Lists 174
Change the Order in which Policy Rules are Evaluated 175
Use Substitution Variables in Policies and Scripts 176
Syntax 176
Examples 176
Supported Variables 177
Specify a Default Substitution Value 178
Syntax 178
Example 179
Launch Visual Policy Manager 180
Set Up and Enable Java in Your Browser 182
Launch Visual Policy Manager 183
Select Reference Device for VPM Policy 185
Determine Your Next Step 186
View VPM Policy Source 186
Create Shared Objects 187
Create a CPL Policy Fragment 188
Create URL List (URL Policy Exceptions) 189
Enabling and Disabling URLs 190
URL List Example 191
Step One - Create the URL List Object 191
Step Two - Add Allowed URLs 191
Step Three - Add the URL List to the ASUP Policy 192
Create Category Lists 193
Category List Example 196
Step One - Create the Category List Object 197
Step Two - Select Categories that Should be Denied 197
Step Three - Add the Category List to the ASUP Policy 198
Use Category List Templates 200
Include a Policy Fragment 204
Deploy Tenant Policy 207
Manage Tenants 209
WAF Policy Use 209
Create a VPM Tenant Policy Object 212
Determine Your Next Step 212
Import VPM Tenant Policy from Source Device 213
Determine Your Next Step 215
Deploy Tenant Policy 217
Configure Policy 219
Add or Remove Devices Associated with Policy 220
Determine Your Next Step 221
Check Consistency between Policy and Devices 222
Determine Your Next Step 223
Compare Different Versions of the Same Policy 224
Compare the Device Policy Version with Current Policy Version 225
Determine Your Next Step 226
Export Policy or Shared Objects to Local Disk 226
Install Policy 227
Policy Installation Methods 227
Install... 227
Install to All... 230
Install to Device 230
Install Multiple Policies 231
Import Policy or Shared Objects 232
Determine Your Next Step 237
Import External Policy 238
Prerequisites 238
Procedure 238
Manage CPL Policies 239
View Policy Versions 239
Restore a Version of Policy 242
View Existing Policy Information 243
View Deployed Policy for each Device Slot 246
View Devices Associated with Policy 247
Use Specific Attribute Values to Control Access to Policy 247
Procedure 247
Permissions Reference 249
Reference: Permissions Interdependencies 250
Reference: Permissions Filters Object and Attributes 259
Reference: Understanding Job Permissions 261
User runs a job immediately after configuring it or manually using Run Now 261
User configures a job scheduled in the future 261
Configure Users, Roles, and Attributes 262
Manage Management Center Users 263
Add Local Users 264
Add Users from an Existing Directory or Service 266
Authenticate Users Against LDAP or LDAPS 267
Authenticate Users Against Active Directory LDAP 270
Authenticate Users Against RADIUS 272
Authenticate Users with SSL Mutual Authentication 273
Note 276
Edit a Local or Imported User 277
Delete a User 277
Change and Reset Passwords 278
Change Your Password 279
Reset Password 280
Automate Password Reset Process 281
Manually Reset a User's Web Console Password 282
Reset or Restore Admin Account Passwords 283
Manage User Groups 284
Add User Groups 284
Edit a User Group 286
Delete a User Group 286
Manage User Sessions 287
Define Roles 288
About Roles 288
Procedure 288
Duplicate an Existing Role 290
Edit an Existing Role 290
Grant Permissions 291
Update Access When a User's Job Changes 293
Update a User's Roles 293
Filter Devices or Device Groups in a Permission 294
Restrict Access to Reporter Reports 294
Procedure 294
Users Associated With Multiple Roles 296
Manage Attributes 297
View and Sort the Following Attributes Lists 297
Add Attributes 298
Mandatory Attributes 300
Edit Attributes 301
Set User-Defined Device Attributes for Access Control 302
Filter and Keyword Search 303
Procedure 303
Search by Keyword 303
Can quotes be used in a search? 304
How do you search for whole words? 304
How do you search for partial words? 304
Example Searches 304
IPv4 127.0.0.1 304
IPv6 0:0:0:0:0:1 304
Hostnames 304
Search 304
What if the search finds no match? 304
What if the search succeeds in finding matches? 304
How do you clear the search results? 304
Preview or Download Logs 305
Available Logs 305
Log Types 305
Manage User Sessions 306
Receive Error Notifications 307
Manage Alerts 307
Configure SMTP Alerts 318
Configure SNMP Alerts 319
Customize the Audit Log 321
Create and Manage Jobs 323
Add a Job 324
Job Operations 325
Job Scheduling Options 328
Monitor Jobs 330
Edit a Job 331
View Current Jobs 332
Cancel a Currently Running Job 333
View Job History 334
View Job Progress 334
Management Center Reports 336
Statistics Monitoring Reports 336
Reporter Reports 336
Integrate Reporter into Management Center 337
Add Reporter as a Managed Device 338
View a Reporter Report 339
Customize Reporter Report Options 343
Add Report Filters 343
Examples 346
Change the Report Summary 346
Set Time Zone for Reporter Reports 348
Reference: Report Descriptions 351
Search for Specific Report Data (Search and Forensic Report) 360
Reporter Graph Types and Views 364
Set Time Zone for Reporter Reports 365
Determine Why A Reporter Database Does Not Display 368
View Statistics Monitoring Reports 368
Reference: Statistics Monitoring Reports in Management Center 369
Modify Options for Statistics Monitoring Reports 372
Change the Scope of a Statistics Monitoring Report 374
Filter on Devices or Device Groups 375
Zoom In and Out on Reports 375
Statistics Monitoring Graph Types 375
Display a Full Report 376
Determine Your Next Step 376
View Statistics Monitoring Reports 376
Reference: Statistics Monitoring Reports in Management Center 377
Modify Options for Statistics Monitoring Reports 380
Change the Scope of a Statistics Monitoring Report 382
Filter on Devices or Device Groups 383
Zoom In and Out on Reports 383
Display a Full Report 383
Determine Your Next Step 384
Statistics Monitoring Graph Types 384
Work with Reports 384
Customize Report Widgets 386
Collapse Report Widgets 386
Move Report Widgets 386
Remove Report Widgets 386
Add Reports 386
Close a Report 386
Close the Active Report 386
Close a Report on Another Widget 386
Modify Display of Table Data 386
View Raw Report Data 389
Manage Dashboards 390
Notes 390
Dashboards and Widgets 393
Add a Widget to the Current Dashboard 393
Add the Bookmarked Devices Widget 394
Edit or Duplicate Dashboards 395
Home 396
Statistics Monitoring Dashboard 396
Change the Dashboard Layout 396
Administrate Management Center 397
Configure General System Settings 397
Set Bandwidth Cost for Reports 399
Set the Device Polling Interval 399
Set the Number of Backup Slots 399
Specify Explicit Proxy Settings 400
Synchronize the System Clock using NTP 400
Configure Diagnostics Logging 401
Configure Housekeeping Settings 402
Configure Mail Settings 402
Configure the SNMP Agent Password 403
Configure Consent Banner 403
Procedure 404
Configure Hardware Monitor Settings 405
Upgrade/Downgrade System Images 406
Back Up the Management Center Configuration 408
Backup Requirements 408
Back Up Management Center 408
Back Up Management Center Using the CLI 409
Encrypt Sensitive System Data 409
Potential Data Loss 409
Restore a Management Center Backup Configuration 410
Restore Management Center Backup 410
Configure Management Center Failover 411
Configuration Limitations 412
Failover Prerequisites 412
Configure Failover 412
Switch to Secondary When the Primary is Unresponsive 414
Disable Failover 415
Update the Management Center License 417
Verify License Components from the Web Console 418
Troubleshoot and Resolve Issues 419
Audit Transactions 420
Understand Transaction Types 422
Customize the Audit Log 423
Configure Housekeeping Settings 425
Configure Diagnostics Logging 425
Required Ports, Protocols, and Services 427
Determine Which Version You are Using 428
Build Information Fields 429
Automate Password Reset Process 429
Prevent Licensing Issues on a Virtual Appliance 431
Duplicate Serial Numbers 431
Expiring Licenses 431
Restart Services 431
Test Network Connectivity 432
Upload System Diagnostics 433
View Hardware Diagnostics and Memory Resources 433
Problems and Errors 435
Read Alerts 436
"Could not enable statistics collection due to unexpected server failure" when activating a device 436
"Import batch contains duplicate device name violation" when importing multiple devices 436
"Local Changes Detected" error when installing policy 437
User has "access denied" error when running a job 437
"Multi-tenant policy support is not enabled for this device" when installing policy 437
CLI Command Reference 438
Access the Management Center CLI 439
CLI URL Syntax 440
Notes 440
Standard Mode Commands 441
>enable 441
Syntax 441
Example 441
>exit 441
Syntax 441
Example 441
>help 442
Syntax 442
Example 442
>ping 442
Syntax 442
Example 443
>show 443
Syntax 443
Subcommands 443
Example 444
>tracepath 445
Syntax 445
Example 445
Privileged Mode Commands 446
#backup 446
Syntax 447
Subcommands 447
Transfer Configuration and Data to Another Appliance 447
Example 448
#diagnostic-systems 448
Syntax 448
Subcommands 448
#disable 449
Syntax 449
Example 449
#exit 449
Syntax 449
Example 449
#failover 449
Syntax 450
Subcommands 450
Example 450
#help 450
Syntax 450
Example 450
#http-proxy 451
Syntax 451
Subcommands 451
Example 451
#installed-systems 452
Syntax 452
Subcommands 452
Example of canceled image download: 453
Example 453
#license 453
Syntax 454
Subcommands 454
Example 454
#pcap 455
Syntax 455
Subcommands 455
Example 456
#ping 456
Syntax 456
Example 456
#restart 456
Syntax 456
Subcommands 457
Example 457
#restore-defaults 457
Syntax 457
Subcommands 457
Example 458
#rsyslog-output 458
Syntax 458
Subcommands 458
Examples 458
#security 459
Syntax 459
Subcommands 459
Example 462
#service 462
View Disk Usage 462
Syntax 462
Perform Disk Maintenance 463
Syntax 463
Enable Verbose Logging 463
Syntax 463
Upload Diagnostics Data 463
Syntax 463
Subcommands 463
Purge VPM Cache 464
Syntax 464
#show 464
Syntax 464
Subcommands 464
Example 465
#shutdown 466
Syntax 466
Example 466
#snmp 466
Syntax 466
Subcommands 466
Example 466
statistics-monitoring 466
Syntax 467
Subcommands 467
Example 467
#subscriptions 467
Syntax 467
Subcommands 467
Example 468
#tracepath 468
Syntax 468
Example 468
#verify-hardware 469
Syntax 469
Example 469

Third Party Copyright Notices
2016 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, CONTENT ANALYSIS SYSTEM, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only.

BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Americas:

Blue Coat Systems, Inc.
384 Santa Trinita Avenue
Sunnyvale, CA 94085

Rest of the World:

Blue Coat Systems International SARL
3a Route des Arsenaux
1700 Fribourg, Switzerland

Management Center Overview
Blue Coat Management Center centrally manages and monitors the Blue Coat devices in your organization. You can organize devices into hierarchical groups, monitor device health, install policies to ProxySG devices, back up device configurations, and produce consolidated reports. In addition, you can control access to Management Center and devices by adding system users manually or authenticating through an existing directory or service, such as RADIUS.

The following table summarizes some of the features and benefits of using Management Center.

| Feature | Benefit |
|---|---|
| Management Center provides centralized management for up to 500 devices. | Eliminate the need to manage each remote device manually, reducing management costs. |
| Groups devices based on location, department, purpose, and other attributes that you specify. | Delegate administrative duties and deploy policies for specific groups. Enables administrators to assign attributes for managed devices that have different purposes within their network. |
| Roles have greater flexibility, enabling user groups with the same permissions to access and manage policies and devices within their specific organization. | User Groups with the same permissions access, manage, and can report on devices within their management area without overlapping job duties and wasting time and resources. Apply roles to user groups that you need to have homogenous results (for example user groups that are in specific locations or have a specific job function). |
| Manages internal and external user accounts for Management Center. | Users only access the functional areas and perform tasks required for their jobs. |
| Facilitates creating and deploying policy to multiple devices simultaneously. Includes Visual Policy Manager and consistency checking between policies and devices | Ensure consistency amongst devices that have the same purpose or require standardized policy. Administrators can manage policy using the Visual Policy Manager on managed devices from within the Management Center web console. |
| Manage attributes for devices, device groups, policy and device scripts | Use attributes to define custom metadata for devices, device groups, policy and device scripts. Filter on attributes to refine searches for all objects. |
| Create, edit and execute scripts. Includes the ability to compare script versions and to import a script from a managed device | Administrators can create and edit scripts as well as execute scripts on managed devices. Variable replacement is supported, as well as the ability to check versions of a saved script and to import a script from a device. |
| Audit log records user and system event history | Be aware of all user actions in the system and support organizational accountability. |
| Default Reporting (Reports on device performance) | Management Center provides centralized reporting for managed devices. Statistics Monitoring reports are included by default and include: Devices; WAN Optimization Reports. |
| Advanced Reporting (Reporter 10.x integration) | For advanced reporting features, you can add a Reporter Enterprise Server as a managed device. After adding Reporter, four groups of reports are available for viewing data: Security reports; Web Application reports; User Behavior reports; Bandwidth Usage reports. Advanced Reporting provides visibility and a control point between employees of your organization and the cloud services and SaaS applications that users access (e.g., Box, Dropbox, Google Drive, Office 365, Salesforce, Facebook, etc.). Using full Reporter integration enables the discovery of all of the web applications in use, enabling you maximum visibility into all risky users, web sites and potential threats. See how trends of risky users and sites affect your company over time. |
| Storing device backups on an external server | Enables administrators to export backups to external servers using any of the following 4 protocols: FTP, HTTP, HTTPS, or SCP |
| Job scheduling to automate repetitive tasks | Administrators can set up jobs to automate tasks that recur or are otherwise inefficient to perform manually. Additional permissions are required to perform some jobs. |
| Hardware appliance support | Hardware diagnostics information is available in the web console, such as System Metrics, Storage Usage, Temperature, Voltage, RPM and other sensors. From the CLI you can run hardware diagnostics, power off the appliance and restore the appliance to factory defaults. |

Web Console Overview
The web console is Management Center's browser user interface, as shown below.

Depending on a user's permissions, not all of the tabs may be visible to a particular user. See "Reference: Permissions Interdependencies" on page 250 for information on user permissions in Management Center.

Banner

The banner is the area at the top of the Management Center web console; look for the title Blue Coat Management Center. The banner is visible regardless of which tab or menu item you select. It provides you with a view of device health status and alert messages, access to your profile, global settings, and more. The following are options in the banner, from left to right (excluding the title):

- Task Tabs are where you perform device management operations.
- Device Status Totals indicate the number of devices and colors indicate device health. See the table below for web console color details.
- Messages display when you or other users complete certain tasks in Management Center. See "Read Alerts" on page 436.
- System Menu contains the following options:
  - Management Center links
  - Profile displays your user profile in Management Center. See Update Your Web Console Profile, Password and Security Question.
  - Logout logs you out of the system.
  - Support links to https://bto.bluecoat.com/.
  - Documentation links to the Management Center documentation on BTO.
  - About displays the Management Center version and links to legal notices, including the EULA.

Tabs

Management Center divides functionality into tabs.

Dashboard
When you log in to Management Center, the web console displays the Home dashboard by default. From here, you can "Manage Dashboards" on page 390 and customize the data that you want to monitor for managed devices. See "Change the Dashboard Layout" on page 396, "Dashboards and Widgets" on page 393, and "Add the Bookmarked Devices Widget" on page 394.

Network
Network displays all managed devices in your hierarchy. For each device, you can view device overview information (such as platform, OS and serial number), device health, system metrics, and the backups for each device.

Configuration
ProxySG configurations can be updated using Policy or Scripts. To create and manage policy or create and execute scripts, see "Distribute Configurations to Devices" on page 144.

Jobs
The Jobs tab enables you to create and run jobs, view the progress of any currently running job, and provides a way to schedule recurring jobs. You can also see the entire job history for each device. See "Create and Manage Jobs" on page 323.

Reports
Management Center provides centralized reporting for managed devices. Statistics Monitoring includes reports on the following categories:

- Devices
- WAN Optimization (requires a Proxy or MACH5 Edition license)

For advanced reporting features, you can add a Reporter Enterprise Server as a managed device. After adding Reporter, four groups of reports are available for viewing data about ProxySG devices:

- Security reports
- Web Application reports
- User Behavior reports
- Bandwidth Usage reports

Administration
These settings enable you to add users, assign roles, and perform other administrative tasks. The tabs include Auditing, Settings, Users, Groups, Roles, Attributes, Hardware Diagnostics, Logs, User Session, and License.

About Color-Coded Status Indicators

Colors represent the status of significant events in several areas in the web console:

- Alert colors

  In alerts that pop up in the web console and are listed in the Messages list, colors indicate the severity level of the event. If you have unread alerts, the Messages label in the banner displays the status of the message with the highest severity level. For example, if you have an unread Message-level alert and an unread Error alert, the Messages label displays a red Error status. See "Read Alerts" on page 436 for more information.

- Banner

  On the web console banner, the Device Status Totals icons represent not only health status but also the number of devices with each status. Click a number to view the devices in the Network tab.

- Dashboard

  Colors in the Device Health and Top Problem widgets indicate a device's health status. Select any part of the display color in the Device Health widget to display the devices in the Network tab.

  Example

- Network

  From the Network tab, a device's color indicates its health status. The colors of groups and hierarchies indicate the health status of the devices with the highest-severity status. See "Monitor Device Health" on page 106.

- Jobs

  When viewing a currently running job, the status of the job is displayed. If you are viewing the Job History, all jobs are displayed with the completed job status. See "View Current Jobs" on page 332.

The following table lists the statuses in Management Center, the colors associated with them, and descriptions of each status.

| Status | Color | How it applies to devices | How it applies to alerts |
|---|---|---|---|
| Error | red | A component on the device is failing, or is far outside normal parameters, and requires immediate attention. The job has not completed or has completed with errors. Red is also used for jobs that are running with errors. See "View Current Jobs" on page 332. Example: The ProxySG appliance's Subscription Communication Status metric is in critical state. | An error occurred, preventing an event from completing. Example: During the device registration process, the connection test failed. |
| Warning | yellow | A component on the device is outside normal operating parameters and might require attention. Yellow is also used to show that an attribute on a device is in a warning state. See "Monitor Device Health" on page 106. Example: The ProxySG appliance's SGOS Base License Expiration is in warning state. | An error might occur if you do not take preventative action. Example: The Management Center license will expire in 15 days or fewer. If you do not renew the license within 15 days, Error alerts display. |
| OK (device), Message (alert) | green | Components on the device are operating within normal parameters. The job has completed successfully. See "View Job History" on page 334. Example: The monitored device has no health warnings or errors. | A task was completed or a change was made. Example: A user account was added. |
| Inactive | gray | The device is pre-deployment or deactivated. See "About Pre-Deployed and Deactivated Devices" on page 96 for information. | Not applicable. |


Log in to the Web Console
Log in to the Management Center web console using a supported browser. For a list of supported browsers, refer to the Management Center Release Notes.

TLS 1.0 is disabled on Management Center. To securely connect to the Management Center web interface using Internet Explorer 10 or later, you must enable TLS 1.1 and 1.2 on the browser. In the browser, select Internet Options > Advanced, and enable Use TLS 1.1 and Use TLS 1.2.

1. In the web browser, enter one of the following URLs:
   - http://IP_address:8080
   - https://IP_address:8082

   The browser displays the login screen.

   When enabled, the consent banner page displays before the login screen. If the user recognizes both the text and image, the user confirms that the system will be used for the purpose shown, by clicking Accept. See "Configure Consent Banner" on page 403.

2. Enter your username and password, and click login.

   The default username/password is admin/admin. To restore the default admin password, see "Reset or Restore Admin Account Passwords" on page 283.

3. You can request a password reset. Click Reset Password. For more information, see "Reset Password" on page 280. For added access control, administrators should enable password reset settings for users with the correct permissions. See "Automate Password Reset Process" on page 429.

4. Upon successful login, Management Center displays the main Dashboard.

See "Web Console Overview" on page 25 and "Dashboards and Widgets" on page 393.


Navigate the Web Console
Refer to the following for an overview of navigational tools in the web console interface.

Tabs

The web console organizes information on tabs in two key areas at the top of the screen. The functional grouping of tabs, which includes the Dashboards, Network, Configuration, Jobs, Reports, and Administration tabs, is organized for managing devices from Management Center.

- Functional areas in the web console are divided into tabs at the top of the screen, under the banner. Click a tab label to perform specific tasks. For example, click Network to manage your devices.
- In Dashboards, you can see the Home and Statistics Monitoring dashboards. To close a report, click the X on the tab.

The Administration tab has numerous sections that are specific to managing Management Center itself:

- Auditing
- Settings
- Users
- Groups
- Roles
- Hardware Attributes
- Logs
- Users Sessions
- License

Split Screens

In some areas of the web console, split bars divide screens into panes:

- From the Network tab, you can manage all devices in your network. The screens are divided into a left pane and a right pane with a filters pane on the right. The top pane displays the filters and a search field if the Details drop-down list has Details (rather than Tiles) selected.

If a split bar has an arrow on it, you can click the arrow to collapse or expand the split screen.

You can also move a split bar to resize panes: hover over the split bar until the pointer changes to a divider. Then, drag the bar to a new location.

Information on Multiple Pages

In the following areas of the web console, items display on multiple pages if more than 50 items exist:

- Logs in Auditing
- Policy and Script Objects in Configuration
- Device search results in Network

Use the following features of the navigation bar at the bottom of a page to navigate pages:

- Click < or > to move back or forward one page at a time.
- Click << or >> to go to the first page or the last page of results.
- Enter a page number in the Page field.

The right side of the navigation bar indicates which items are displayed and the total number of items in the list:

Required Ports, Protocols, and Services
Management Center uses the following ports while operating. Ensure that you allow these ports when setting up Management Center.

| System | Ports | Initiated By | Function |
|---|---|---|---|
| Management Center | 9009 TCP | ProxySG appliance | ProxySG appliance Performance Statistics |
| Management Center | 22 TCP | Management Center | ProxySG appliance monitoring and management |
| Management Center | 22 TCP | Management Center | Management Center communication with failover partner |
| Management Center | 22 TCP | User's Client | Management Center CLI |
| Management Center | 8080, 8082 TCP | User's Client | Management Center's UI (web console) |
| Management Center | 389, 636 TCP | Management Center | Authentication via AD/LDAP/LDAPS |
| Management Center | 80, 443 TCP | Management Center | bto.bluecoat.com: License activation, the latest release information and documentation |
| SMTP | 25 | Management Center | Email |
| SNMP | 162 | Management Center | SNMP |
| NTP | 123 UDP | Management Center | Time sync to customer-configured NTP time server |

Ensure connectivity to the following URLs.

| URL | Protocol | Notes |
|---|---|---|
| validation.es.bluecoat.com/phs.cgi | HTTPS, TCP 443 | Validates the license every 5 minutes. After successful validation, validation occurs every hour. |
| bto-services.es.bluecoat.com | HTTPS, TCP 443 | Validates the license. |
| device-services.es.bluecoat.com | HTTPS, TCP 443 | License related. |
| services.es.bluecoat.com | HTTPS, TCP 443 | License related. |
| abrca.bluecoat.com | HTTPS, TCP 443 | Blue Coat CA. |
| appliance.bluecoat.com | HTTPS, TCP 443 | Trust package downloads. |
| subscription.es.bluecoat.com | HTTPS, TCP 443 | Subscription services. |
| upload.bluecoat.com | HTTPS, TCP 443 | Upload diagnostic reports to Blue Coat support. |
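
The following added example (not part of the original guide) probes the outbound TCP flows listed in the tables above and distinguishes silently dropped, refused, and unresolvable destinations, which point to different firewall or DNS problems. It assumes you run it from a host that sits behind the same firewall policy as Management Center; ldap.example.internal and smtp.example.internal are placeholder host names.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Hosts from the URL table above; all are reached over HTTPS (TCP 443).
LICENSE_HOSTS = [
    "validation.es.bluecoat.com",
    "bto-services.es.bluecoat.com",
    "device-services.es.bluecoat.com",
    "services.es.bluecoat.com",
    "abrca.bluecoat.com",
    "appliance.bluecoat.com",
    "subscription.es.bluecoat.com",
    "upload.bluecoat.com",
]

# (host, port, purpose) for flows that Management Center initiates.
# The ldap/smtp host names are placeholders (assumptions): use your own servers.
# NTP (UDP 123) is not probed because a TCP connect cannot test a UDP flow;
# SNMP (162) is omitted because the table gives no transport for it.
REQUIRED_FLOWS = [(h, 443, "licensing, trust package, subscription") for h in LICENSE_HOSTS] + [
    ("bto.bluecoat.com", 80, "license activation, release information"),
    ("bto.bluecoat.com", 443, "license activation, release information"),
    ("ldap.example.internal", 389, "AD/LDAP authentication"),
    ("ldap.example.internal", 636, "LDAPS authentication"),
    ("smtp.example.internal", 25, "email"),
]


def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"      # name does not resolve from this network
    except socket.timeout:
        return "filtered"         # no answer: typical of a firewall dropping the SYN
    except ConnectionRefusedError:
        return "refused"          # host reachable, nothing listening or an active reject
    except OSError:
        return "unreachable"      # no route, network down, and similar errors


def check_flows(flows, timeout=3.0, workers=8):
    """Probe every flow in parallel; results keep the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        statuses = list(pool.map(lambda f: probe(f[0], f[1], timeout), flows))
    return [(host, port, why, status)
            for (host, port, why), status in zip(flows, statuses)]


def blocked(results):
    """Return only the flows that did not connect."""
    return [r for r in results if r[3] != "open"]


if __name__ == "__main__":
    results = check_flows(REQUIRED_FLOWS)
    for host, port, why, status in results:
        print("%-12s %s:%d  (%s)" % (status, host, port, why))
    raise SystemExit(1 if blocked(results) else 0)
```

A "filtered" result usually means a missing allow rule on the path, while "dns-failure" means the resolver in that segment cannot see the name.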


Verify Web Console Access
After you install a new license or update an existing license, verify that you can access the web console. Refer to the Release Notes for a list of supported browsers.

TLS 1.0 is disabled on Management Center. To securely connect to the Management Center web interface using Internet Explorer 10 or later, you must enable TLS 1.1 and 1.2 on the browser. In the browser, select Internet Options > Advanced, and enable Use TLS 1.1 and Use TLS 1.2.

1. Open a web browser.

2. In the address bar, enter the URL.
https://ip_address:8082

You cannot change the port number.

The web browser displays the login screen.

If the web console does not load, run the # license view CLI command to determine if the license was installed and is valid.


Move Items
To complete some tasks in the web console, you move items from one area or container to another. For example, you move items to add devices to groups, associate devices with policy, remove users from groups, and remove roles from users.

The following example shows the Edit User dialog, where you can add roles to or remove roles from a user:

If the list of items is long, you can scroll down to locate the item to move. You can also search using the search field above it.

The web console allows several ways to move items:

Drag an item from one area to another. How to drag items

For example, to add a role to a user, select the role under Available Roles. Click and hold; the pointer turns into a . Drag the role to Assigned Roles. The dialog displays a green line under Assigned Roles and the pointer turns into a , indicating that the role can be moved there.

Let go of the mouse button to move the role.

Drag a selected device to a device group. Associate Devices with Device Groups

1. Click the Network tab. In the left pane, click Unassigned Devices. Unassigned devices display on the right pane. See "Ensure Devices Belong to Device Groups" on page 105.
2. Select the saved device.

3. To assign the device to a group, select the device and drag it into the device group in the tree on the left.

4. Drop the device into the device group. Confirm the move. Click OK.


Encrypt Sensitive System Data
In Management Center 1.6 and later, each device has a unique encryption key that is used to encrypt data in the system. The administrator generates this key in the Administration > Data Protection page. When the key is generated, a recovery key is also generated in case you later need to restore the encryption key. Make sure to save the recovery key in a safe place.

Potential Data Loss

- As part of this process, you should keep the recovery key in a safe place in the event that you need to restore the encryption key later. DO NOT LOSE THE KEY. If you lose the key, you will not be able to recover your encrypted data.
- You should not recover a key unless you are certain that you need to. If you use the Restore previous key feature and the current data in the database was not encrypted with that key, that data will not be able to be decrypted and you will have to reenter all of the device passwords.

New Management Center Appliance Recommendations

Upon receiving a new appliance, you should do the following:

1. Select Administration > Data Protection.

2. Click Generate Key.

A new encryption key is created and a recovery key is displayed.

3. Record the recovery key and secure it in a safe location.
4. Click Restart System.
5. Configure the appliance.
6. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.

This process ensures that you can restore your configuration as necessary.

Upgrade Recommendations

If you are upgrading Management Center, Blue Coat recommends regenerating a new key and then taking a new backup. Doing so will ensure that you have the latest protection schemes and a valid backup that can be restored to the device if necessary.

1. Select Administration > Data Protection.

2. Click Generate Key.

A new encryption key is created and a recovery key is displayed.

3. Record the recovery key and secure it in a safe location.

4. Click Restart System.
5. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.

This process ensures that you will be able to restore the previous configuration if the upgrade has issues.


How Do I?
What do you want to do in Management Center? See the following topics for assistance.

- Add and Monitor Devices
- Create and Manage Jobs
- Upload Files to Management Center
- Add Users and Grant Permissions
- Monitor Device Health
- Manage Dashboards
- Integrate Reporter into Management Center
- View Consolidated Reports
- Migrate Device Metadata in Director as Management Center Scripts
- View Audit Log
- Regularly Back Up a Group of Devices

Add and Monitor Devices
The Network dashboard presents data about managed devices and enables you to perform operations on them. Before you can view appliance data, you must add the device to Management Center. To import multiple devices, see "Add Multiple Devices at Once" on page 70 or "Migrate Device Metadata in Director as Management Center Scripts" on page 55.

To run operations on managed devices, see "Perform an Operation on a Managed Device" on page 104.

You can manage up to 500 devices in Management Center.

Click the callouts in the graphic above for more information.

Create Hierarchy and Group Views

You require a way to administer and monitor devices in your network, which might comprise a complex organizational or geographical scheme. In Management Center, you can manage the devices in your network within a hierarchical structure.

Management Center comes with a predefined structure for device management, as follows:

- Location (Hierarchy)
  - World (Group)
    - France, Canada, Germany, and others (Subgroups)
- Organization (Hierarchy)
  - Company (Group)
    - Finance, Sales, Legal, and others (Subgroups)

You can use these predefined hierarchies and groups, but if you must organize the devices in your network using different criteria, you can create your own hierarchies and groups. Then, create device groups and subgroups to logically represent the structure of your network.

Create and Manage Jobs
Management Center allows you to create jobs for running a variety of operations on a defined schedule. For example, you can create jobs for backing up Management Center each day, installing policy on a group of ProxySG appliances immediately, or executing a ProxySG script on a monthly basis. Jobs don't necessarily need a precise schedule, though; if you don't define a schedule for a job, you can run the job manually. In addition, you may override the defined schedule for a job and run it immediately.

Scheduling a job and running an operation require different permissions. See "Reference: Understanding Job Permissions" on page 261.

1. Plan the job:
   - Determine which operation you want to create a job for. See "Job Operations" on page 325.
   - Which devices do you want to perform the operation on? These will be the targets of the job.
   - Decide how often the job should run. This will be the job schedule. See "Job Scheduling Options" on page 328.
2. Create the job. See "Add a Job" on page 324.
3. Monitor scheduled jobs, and run unscheduled jobs as needed. See "Monitor Jobs" on page 330.
4. Monitor jobs as they are running. See "View Current Jobs" on page 332.
5. View job history. See Job History.

Upload Files to Management Center
Use the Configuration > Files page to add files to Management Center. These files can be used for various operations, including upgrading Management Center.

All file types except .exe can be uploaded. If you upload a file with one of these extensions: .bcl, .bcsi, .nru, .nsu, .pac, .patch, .si, .txt; the file is automatically associated with the proper file type (config, image, license, text). If the file type is not one of the preceding, Management Center labels it as unknown.

You can limit the actions users are allowed to perform on this page by adding the File permission to a new or existing role.

Management Center replaces special characters in file names.

Upload Files

1. Select Configuration > Files.

2. Add the file using one of the following methods:

- By browsing:

a. Click Add File.
b. Click Select File and browse to the file(s).
c. Select the file.
d. Click Open.
e. Click Upload.

- By dragging and dropping one or more files:

a. Click Add File.

b. Drag and drop the files into the Upload Files window.

c. Click Upload.

3. Management Center indicates the progress of the upload, as shown below.

If a file with the same name already exists, the system prompts you to choose whether to upload and replace the existing file, skip the download, or to keep both and upload the file with a new name. If the upload will exceed the available space on disk, you are prompted to delete files to make room for the new file.

You can cancel the upload after it begins by clicking  or the X icon as shown below.

Transfer Files

Click Transfer File to retrieve files from a URL.

1. Click Transfer File. The system displays the File Transfer window.

2. Enter the URL into the Server URL field.
3. Select the File Type.
4. Select the behavior to occur if the file already exists.
5. Click Run Now to start the job immediately or create a scheduled job.

Associate File with Device Type

If you upload an image file with the intention of upgrading one of your managed devices, you must associate the file with a device type.

1. Select the file.

2. Right-click the Device Type field in that row and click Edit.

The system displays the Edit File window.

3. Select the device type from the Device Type drop-down.

4. Click Save.

Edit Uploaded Files

To edit a file, select the file and click Edit. The system displays the Edit File dialog. Here, you can edit the following:

- Display Name
- File Type
- Device Type
- Description

Sort, Group, and Modify Uploaded File Data

Click the arrow to the right of the column headings to sort and group uploaded files.

Hover over Columns to change the displayed columns. Select Group by this field to group the table data in accordance with that column heading. Deselect Show in groups to put data into a plain list.

Delete Uploaded Files

To delete a file, select the file and click Delete.

Copy File URL
To copy the file's URL, click Copy URL. The URL opens in a small sub-window. You can then right-click the URL and select Copy or enter CTRL-C to copy the URL. You can then paste the URL into Management Center CLI commands (for example, installing a new image), and other options or operations that accept URLs.

Add Users and Grant Permissions
Management Center employs a role-based security model for access control, which consists of defining roles and then adding users to roles rather than granting explicit rights to features and functions.

You should create a role structure that ensures:

- Users have enough access and no more to perform their day-to-day jobs.

- Only authorized users can access sensitive features and data.

- The permissions that a defined role requires.

- Enforcement of your organization's access control policies.

To configure access control in Management Center, create a role structure that meets your technical and business requirements. As your organization changes, you may need to change role definitions and assignments to be certain that users continue to have appropriate access.

- Users (based on their role) should only manage specific devices, including reports on those devices.

- User roles control the actions that individuals within an organization should perform on devices for which they have access.

- User roles should be organized into a hierarchical control model to conform to an organization's IT structure.

Define Roles and Users

To control access to Management Center, you should first create each role to allow access to specific areas and the operations that users can perform there; then, you can assign these roles in accordance with users' functions and responsibilities.

1. Define roles to provide access to different areas and functions in the Management Center.

- To create a new role, see "Define Roles" on page 288.

- To duplicate an existing role, see "Duplicate an Existing Role" on page 290.

- (Optional) "Edit an Existing Role" on page 290.

2. "Add Local Users" on page 264 after you have created a role structure and defined roles.

(Optional) "Add User Groups" on page 284. If multiple users require the same type of access to Management Center, user groups make it easy to apply roles and permissions to a large number of users at one time. User groups contain users that control access to Management Center; you should first create each role to allow access to specific areas and the operations that users can perform there; then, you can assign roles in accordance with users' functions and responsibilities.

Grant Permissions

To grant permissions to Management Center that a role requires, you should understand how permissions work with roles. Grant permissions to users based on the actions you need them to perform on specific objects. See "Reference: Permissions Interdependencies" on page 250.

- "Grant Permissions" on page 291 to users. See "Reference: Permissions Filters Object and Attributes" on page 259.

- (Optional) Grant job permissions to users. See "Reference: Understanding Job Permissions" on page 261.

(Optional) Filter Devices in Permissions

(Optional) Filter devices or device groups in permissions. Some permissions allow access at the device and device group levels.

- To specify devices or device groups in specific permissions, see "Filter Devices or Device Groups in a Permission" on page 294.
- To specify object filters, see "Reference: Permissions Filters Object and Attributes" on page 259.

(Optional) Add Users from External Directory Services

To authenticate users using RADIUS, LDAP or Active Directory services, see Add Users from an Existing Directory Service. Available directory services to which you can authenticate users include:

- "Authenticate Users Against Active Directory LDAP" on page 270
- "Authenticate Users Against LDAP or LDAPS" on page 267
- "Authenticate Users Against RADIUS" on page 272

Monitor Device Health
Management Center collects health status information on device components including system resources, license validity, and user-defined health checks, and displays the aggregate health status in several areas.

Device health is always represented by status colors: Error (red), Warning (yellow), and OK (green). A device's health status is determined by system-defined thresholds on the device: if a service or other monitored component exceeds a threshold, the device goes into a Warning or Error state.

If you cannot get the device out of the Error state, regardless of what you try, you may need to RMA the device. See "Perform an Operation on a Managed Device" on page 104.

A gray status color indicates an absence of health status and represents an Inactive device. Some jobs and operations cannot occur on inactive or pre-deployed devices.

See "About Color-Coded Status Indicators" on page 28 for more information on status colors in various areas of the web console.

For more information on monitoring health status on the ProxySG appliance, refer to the SGOS Administration Guide.

View Device Health Status on the Dashboard

The Dashboard displays overall health status information in widgets. Two widgets display by default, but you can close them by clicking the X in the top right corner.

The Device Health widget gives an overall picture of the health of monitored devices in a circle graph.

Click a status icon below the chart to see the devices that have that status.

The Top Problem Devices widget lists the devices that are consistently displaying with errors or warnings.

For example, if you click on San Clemente, the Device Overview displays Yellow with the specific warnings for each device value.

If you have removed a widget from the Dashboard, you can display it again. See "Change the Dashboard Layout" on page 396 for instructions.

View Health Status in the Banner

In the web console banner, look for the device status icons.

Click a status icon to see the devices that have that status. These totals are the same as the device status totals that display under the Device Health widget on the Dashboard; because these are in the banner, they are visible to you no matter which tab you are working on.

View Device Health Status

1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and Backup tabs display at the bottom of the screen.

3. Click Health Checks. The web console displays information about the system resources. Scroll to the bottom of the screen to view the following:

View Device Dashboards

A dynamically generated dashboard is available for device monitoring. CAS and MA are currently supported.

1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and Backup tabs display at the bottom of the screen.
3. Click Dashboard. The web console displays system status metrics. The content available will vary with the device:

ProxySG/Advanced Secure Gateway Dashboard

MA Dashboard

CAS Dashboard

The metrics may be displayed in one of several different ways:

- Counters: Displays a count for a specific time period.

Examples: Object Count, Total Scan.

- State: Displays a text value.

Examples: Condition - Green/Yellow/Red condition indicator.

- Series: Displays values over a period; this presentation may be in an area display, a bar, a column, a pie chart, or a donut chart.

Examples: CPU, ICAP Scan.

Resolve Device Errors

To resolve device errors, see Resolve Device Errors.

Manage Dashboards
Dashboards allow you to quickly view important device data. This data is represented by widgets. Widgets represent data from managed devices. Dashboards are highly customizable and can help you quickly view the information you deem important.

To monitor devices from a single screen, add dashboards and add widgets to those dashboards using the options on the Dashboards > Manage Dashboards page.

- Order: 1, 2, 3, etc. The order is displayed from left to right on the dashboard tab beginning with 1 on the left.
- Name: The name of the dashboard as it appears on the Dashboard tab.
- Type:
  - Reporter - displays only Reporter widgets on the dashboard.
  - WAF Reporter - displays only WAF widgets on the dashboard.
  - Mixed - Can display data from all widgets on the dashboard.
  - Statistics Monitoring - displays only Statistics Monitoring widgets on the dashboard.
- Widget: Each dashboard can display multiple widgets. For a quick reference of what is displayed on each dashboard, view the widget count for each dashboard.
- Description: The description helps to differentiate the dashboard type, and the widgets within the dashboard.

Notes

- Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

- Dashboards are dependent on the reports that you can generate for each managed device. To generate advanced reports and view advanced real-time data within dashboards, see "Add Reporter as a Managed Device" on page 338.

Add a Dashboard

To accommodate your screen size or personal preference, you can change the number of dashboards that display, as well as define the layout of the dashboards. You must also define the dashboard type. Layouts arrange widgets in one to four columns of equal width, with the columns expanding to fit the width of the screen. When you select a layout, your change persists (beyond the current session) until you change the layout again.

Although you can add multiple dashboards, remember that dashboards display data from databases that may not be the only database available. For example, a Reporter Enterprise Server can provide data from multiple databases. When adding Reporter widgets to dashboards, you can choose from the available databases.

1. From Dashboards > Manage Dashboards, click Add Dashboard. A red asterisk (*) denotes fields that are mandatory.

2. Enter a descriptive Dashboard Name and Description.

3. Choose a Type:

- Mixed - A dashboard that displays both ProxySG appliance and Reporter widgets.

- Reporter - A dashboard that displays Reporter widgets.

If you select Reporter as the dashboard Type, from the Template drop-down list, select from the following templates to pre-populate widgets:

  - Web Application Usage
  - Threat Detection
  - Content Filtering

- WAF Reporter - A dashboard that displays Reporter Web Application Firewall (WAF) widgets.

If you select Reporter WAF as the dashboard Type, select Web Application Firewall from the Template drop-down list.

- Statistics Monitoring - A dashboard that displays ProxySG appliance widgets.

4. Select the Layout for the dashboard.

5. Click Save. The saved dashboard is displayed in the Dashboard drop-down with the name that you gave it.

After you have created a dashboard, you cannot edit the type.

Reorder Dashboard List

When you add a new dashboard, the most recently added dashboard is appended to the end of the list. For example, if you have three dashboards and add one, the new dashboard becomes the fourth dashboard on the list and will appear to the right of the previously added dashboards. To change the order in which dashboards are displayed:

1. From Dashboards > Manage Dashboards, select the dashboard you want to move.
2. Click Move Up or Move Down to change the order.

Duplicate a Dashboard

To use a dashboard as a template for a dashboard that you may want to clone (and perhaps edit later), you can duplicate a dashboard that already exists. You are unable to change the type of dashboard when you duplicate.

1. From Dashboards > Manage Dashboards, click Duplicate.
2. From the Duplicate Dashboard dialog, give the dashboard a unique name.
3. Click Duplicate. The duplicated dashboard is displayed under Manage Dashboards.

Integrate Reporter into Management Center
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

Prerequisites

- Obtain or verify administrator access to Reporter Enterprise Server 10.1.x or later.
- Verify that Reporter Enterprise Server is deployed inline with ProxySG appliances within your network.
- Ensure that you have access to a Reporter Enterprise Server (username and password).
- To be able to view Reporter reports on managed devices, you will need to add a Reporter Enterprise Server from the Network tab.

Procedure

To integrate Reporter so that you can view Reporter reports in the Management Center web console:

1. Verify prerequisites above.
2. Add Reporter as a managed device in Management Center.
3. "View a Reporter Report" on page 339.

View Consolidated Reports
When using Management Center to manage and monitor ProxySG devices, you can produce reports that consolidate the data from all these devices or a group of devices, allowing you to get a complete picture of activity on your network. For example, you can view the bandwidth savings for all MACH5 appliances or get a list of the top web applications seen on the networks your ProxySG appliances are connected to.

Device Reports

To view reports about the network traffic seen by a group of ProxySG devices, or by all ProxySG devices managed in Management Center:

1. (Optional) Create device groups for the ProxySG devices you want to report on. See "Add a Device Group" on page 68.

2. Decide which Devices report to view (such as Traffic Mix or Traffic Statistics). For descriptions of each report, see "Devices Reports" on page 377.

3. Select Reports > Statistics Monitoring and choose the report from the Devices panel. By default, the report displays data from all ProxySG devices managed in Management Center.

4. (Optional) To narrow down the consolidated report to a group of devices:

a. Click Device Filter: All Devices or click the Options button. The Filters dialog displays.
b. From the Filter drop-down, select Device Group.
c. Click  and select the device group.
d. Click Save.

WAN Optimization Reports

To display consolidated reports for ProxySG appliances with Proxy or MACH5 Edition licenses:

1. (Optional) Create device groups for the ProxySG devices you want to report on. See "Add a Device Group" on page 68.

2. Decide which WAN Optimization report to view. For descriptions of each report, see "WAN Optimization Reports" on page 379.

3. Select Reports > Statistics Monitoring and choose the report from the WAN Optimization panel. By default, the report displays data from all ProxySG devices with a Proxy or MACH5 Edition license that are being managed in Management Center.

4. (Optional) To narrow down the consolidated report to a group of devices:

a. Click Device Filter: All Devices or Options. The Filters dialog displays.
b. From the Filter drop-down, select Device Group.
c. Click  and select the device group.
d. Click Save.

Reporter Reports

If you have integrated Blue Coat Reporter into Management Center, the following additional categories of reports are available: Security, Web Applications, User Behavior, Log Detail, and Bandwidth Usage. The Reporter reports consolidate data from all ProxySG appliances in the selected Reporter database.

1. Make sure you have added Reporter as a managed device in Management Center. See "Integrate Reporter into Management Center" on page 337.

2. Select Reports > Reporter > Database and select the database from which you want to produce a consolidated report.

3. Decide which Reporter report to view. For descriptions of each report, see "Reference: Report Descriptions" on page 351.

4. View the report. See "View a Reporter Report" on page 339.


Migrate Device Metadata in Director as Management Center Scripts
To migrate a Blue Coat Director device hierarchy (including overlays) into Management Center, you need to export the device metadata from Director, placing the migration file in a location that Management Center can access.

Prerequisites:

- Obtain or verify access to the Blue Coat Director CLI.
- Obtain or verify access to an HTTP, SCP, or FTP server, and ensure that you have access privileges to upload data to it.
- Obtain or verify access to the Management Center web console.

Export Metadata from Director as an Encrypted File

1. Log in to the Director CLI and go into config mode.

2. Type the following command to generate the migration file:
(config)# mc-migration generate

The CLI prompts you to enter a passphrase. You will be required to enter this passphrase to generate the metadata and import it in the Management Center application.

3. Enter a passphrase consisting of at least four characters and press Enter.

The CLI generates the device metadata. The metadata is encrypted and compressed in a Gnu Privacy Guard (GPG) encrypted (*.tgz.gpg) file. For example: SGME-Director-to-MC-Migration-2015.03.13-154907.tgz.gpg.

Make note of the file name.

4. Upload the compressed and secured file to an external HTTP, SCP, or FTP server. Enter the command:
(config)# mc-migration upload file server

where:

file is the file name you recorded in the previous step.

server is the host name or IP address of an external server:
http://hostname_or_address[:port]/path_and_filename

ftp://hostname_or_address/path_and_filename

scp://hostname_or_address//path_and_filename

If necessary, copy or move the file to a location that Management Center can access.

Export Metadata from Director as an Unencrypted File

1. Log in to the Management Center web console.

2. Click the Network tab.

3. Select Operations > Import from File. The web console displays the Import from File dialog.

4. On the Import from File dialog, select Download JSON Schema to download the schema to which the JSON file must conform.

5. Log in to Director and prepare the JSON file. To help you understand the schema, refer to the example bccm-data-sample.json found in the download.

Blue Coat recommends that you familiarize yourself with the JSON Schema as defined by the IETF in draft 4 (see http://tools.ietf.org/html/draft-zyp-json-schema-04). This will help you understand Blue Coat's JSON schema for import. Blue Coat is not yet strictly conforming to this standard, nor is the customer's JSON file validated against this schema. However, the intention is that Management Center strictly conforms when the IETF draft becomes a standard. In the meantime, should they exist in the JSON document, Management Center returns helpful errors to indicate problem areas and errors.

6. After your JSON document is prepared, compress it in *.tar.gz or *.tgz format.

Linux Example: tar -cvzf myjsondata.tgz data.json

7. (Optional) Secure your compressed file.

a. To secure your compressed file with Gnu Privacy Guard (GPG) encryption (*.gpg format), use config mode in Director.

Linux Example: echo 'password' | /usr/bin/gpg --batch --yes --no-tty --compress-level 0 --cipher-algo AES256 --symmetric --passphrase-fd 0 myjsondata.tgz

(config)# mc-migration generate

The CLI prompts you to enter a passphrase. You will be required to enter this passphrase to generate the metadata and import it in Management Center.

b. Enter a passphrase consisting of at least four characters and press Enter.

The CLI generates the device metadata into an encrypted and compressed file (*.tgz.gpg). For example, SGME-Director-to-MC-Migration-2015.03.13-154907.tgz.gpg.

8. Make note of the file name.

9. Upload the compressed file to an external HTTP, SCP, or FTP server. Enter the command:
(config)# mc-migration upload file server

where:

file is the file name you recorded in the previous step.

server is the host name or IP address of an external server:
http://hostname_or_address[:port]/path_and_filename

ftp://hostname_or_address/path_and_filename

scp://hostname_or_address//path_and_filename

If necessary, copy or move the file to a location that Management Center can access.
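
The Linux example in step 7 puts the passphrase on an echo command line, where it is recorded in shell history. The following added example (not from the original guide) produces the same AES256 symmetric *.tgz.gpg file but prompts for the passphrase, hands it to gpg over a pipe, and decrypts a copy to confirm the file opens before you upload it. It assumes GnuPG 2.1 or later, which needs --pinentry-mode loopback to honour --passphrase-fd; the throwaway GNUPGHOME directory and the reuse of the Director CLI's four-character minimum are choices of this example.

```python
import getpass
import hashlib
import os
import re
import shutil
import subprocess
import sys
import tempfile

MIN_PASSPHRASE_LEN = 4  # minimum accepted by the Director CLI, per the guide


def gpg_supports_loopback():
    """True if a gpg binary is on PATH and reports version 2.1 or later."""
    if shutil.which("gpg") is None:
        return False
    out = subprocess.run(["gpg", "--version"], capture_output=True, text=True).stdout
    m = re.search(r"^gpg \(GnuPG[^)]*\) (\d+)\.(\d+)", out, re.M)
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (2, 1)


def gpg_argv(action, src, dst):
    """Build the gpg command line. The passphrase is never placed in argv."""
    argv = ["gpg", "--batch", "--yes", "--no-tty",
            "--pinentry-mode", "loopback",      # GnuPG 2.1+: accept the piped passphrase
            "--passphrase-fd", "0", "--output", dst]
    if action == "encrypt":
        # Same cipher settings as the Linux example in step 7.
        return argv + ["--compress-level", "0", "--cipher-algo", "AES256",
                       "--symmetric", src]
    if action == "decrypt":
        return argv + ["--decrypt", src]
    raise ValueError("action must be 'encrypt' or 'decrypt'")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def encrypt_and_verify(src, passphrase):
    """Encrypt src to src + '.gpg', decrypt a copy, and compare digests.

    Returns the path of the encrypted file; raises if gpg fails or the
    decrypted copy does not match the input.
    """
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    dst = src + ".gpg"
    home = tempfile.mkdtemp(prefix="mcgpg-")    # private (0700) throwaway GNUPGHOME
    env = dict(os.environ, GNUPGHOME=home)
    secret = (passphrase + "\n").encode()       # gpg reads one line from fd 0
    try:
        check = os.path.join(home, "roundtrip.tgz")
        for argv in (gpg_argv("encrypt", src, dst), gpg_argv("decrypt", dst, check)):
            subprocess.run(argv, input=secret, env=env, check=True,
                           stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)
        if sha256_of(check) != sha256_of(src):
            raise RuntimeError("decrypted copy differs from " + src)
    finally:
        # Stop the agent gpg started for this GNUPGHOME, then remove the
        # directory together with the decrypted verification copy.
        if shutil.which("gpgconf"):
            subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env,
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        shutil.rmtree(home, ignore_errors=True)
    return dst


if __name__ == "__main__":
    if not gpg_supports_loopback():
        sys.exit("gpg 2.1 or later is required")
    # getpass prompts without echo, so the passphrase never reaches shell history.
    print(encrypt_and_verify(sys.argv[1], getpass.getpass("Passphrase: ")))
```

Run it as `python3 encrypt_migration.py myjsondata.tgz` (the script name is hypothetical); the passphrase you type is the one the Import from File wizard asks for later.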

Import Director Metadata as Scripts into Management Center

From the Management Center web console, import the device metadata file that is currently saved on an external server.

1. Log in to the Management Center web console.

2. Click the Network tab.
3. Select Operations > Import from File. The web console displays the Import from File dialog.

4. Select the Import from file exported from an external system check box, then click Launch Import Wizard.

5. On the Import from File: Select File dialog, select the file that you want to import. The GPG encrypted file check box is selected by default for (*.gpg) files. Clear the check box if your file is not encrypted (*.tar.gz or *.tgz format).

Files must have the extensions *.gpg (Gnu Privacy Guard [GPG] encrypted compressed file), *.tar.gz, or *.tgz (unencrypted compressed files).

6. If necessary, enter the passphrase that you specified when generating an encrypted file, then click Next. A red asterisk (*) denotes fields that are mandatory.

7. Select devices and device groups to import from a hierarchy. If any device is not a member of a hierarchy, a pseudo-hierarchy is available, named Unassigned. If any errors or warnings exist, for any device, the status is shown on the right. To select all devices in all hierarchies, select All Hierarchies.

A device can only exist in one group for a given, distinct hierarchy. Devices can be members of different hierarchies.

8. The available scripts show on the Import from File: Select Scripts dialog. By default, all scripts are selected. Clear the check box for any script you do not want to import. When finished selecting scripts, click Import.

Any ProxySG appliances that are running SGOS 5.x are imported in a deactivated (pre-deployment) status.

9. The Import from File wizard displays the Device Import Status dialog. The Overlays Summary and list of imported overlays show at the bottom. When finished viewing the import status, click Close.

10. View the successfully migrated devices, device groups, and hierarchies in the Management Center Network tab.

11. View imported overlays by selecting Configuration > Scripts.

(Optional) Delete Migration File in Director

After you have successfully imported devices from Director, you can delete the migration metadata file from Director.

1. Log in to the Director CLI.

2. Type the following command:
(config)# mc-migration delete file

where file is the name of the migration file.

After the file is deleted, the CLI displays the (config)# prompt again.

Determine Your Next Step

| What do you want to do next? | Refer to this topic |
|---|---|
| Ensure that all devices belong to a hierarchy and group | "Ensure Devices Belong to Device Groups" on page 105 |
| Change device information | "Edit a Device" on page 72 |

View Audit Log
You can view the history of all transactions in Management Center in the Audit Log. The log is a chronological record of changes made by users of the system.

Audit Log records are:

- Comprehensive. Records are created automatically and cannot be deleted.

- Centralized. Multiple levels of transactions are logged and displayed on one screen.

- Security-oriented. The operating user for each transaction is logged.

Audit Log records can give you insight into daily activities at a high level as well as help you diagnose and troubleshoot issues. For example, if a number of devices experience policy-related issues, you could check the log for policy-related transactions within a selected date range. You can also examine records in the Audit Log to ensure process integrity.

The audit log displays system, web-access and web logs, if configured. To access remote system logs, from the CLI enter "# rsyslog-output" on page 458.

Audit Log records can be printed in a user-friendly format. Before printing, check the bottom of the page of the Audit Log Viewer to see how many pages of records will print.

1. Learn about the types of transactions recorded in the Audit Log. See "Understanding Transaction Types" below.

2. Inspect the data recorded for transactions. See "Audit Transactions" on page 420.

3. (Optional) "Customize the Audit Log" on page 423 to focus on specific transaction data.

You can export the information in the audit log from Network > Export Data. You will be prompted to name the .csv file that you are exporting. Click OK.

Understanding Transaction Types

The Audit Log records two levels of transactions:

- EVENT: High-level transactions that occur as a result of a user action, such as adding or deleting a device
- AUDIT: Low-level internal system actions, such as deleting connection information

Each record contains the target of the operation, the operation detected, the user who executed the operation, and additional data depending upon transaction type.

In the previous example, the Object Type is Role and the AUDIT transactions are changes at the system and admin levels. Filters were applied to the record type. You might find that in most cases, EVENT records provide enough detail about transactions and their effects on the system.

Regularly Back Up a Group of Devices
To be able to restore or roll back a configuration in case it gets corrupted, you need to back up your configurations on a regular basis. In this example, we will back up a device group on a weekly basis, during a time when the network is less busy (such as a weekend).

Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.

1. Create a device group for the devices you want to back up on a schedule. See "Add a Device Group" on page 68.

2. Create a Backup Devices job. Select the device group you created in step 1, and schedule the job to run on a Periodic basis, every 7 days starting on a weekend day. See "Back Up Device Configurations" on page 78.

3. Verify the backups are being created for each device in the group. See "View Device Backups" on page 83.

4. Restore a backup when necessary. See "Restore Device Backups" on page 87.

Manage Devices
Refer to the following topics for assistance.

"Add a Device" on the facing page

"Add a Device Group" on page 68

"Add Multiple Devices at Once" on page 70

"Edit a Device" on page 72

"Edit a Device Group" on page 74

"Launch a Device Console" on page 75

"Back Up Device Configurations" on page 78

"Use Device Information for Backup Job Image Metadata" on page 81

"View Device Backups" on page 83

"Restore Device Backups" on page 87

"Export Device Backups" on page 85

Import Device Backups

"Set the Number of Backup Slots" on page 399

"Monitor Device Health and Statistics" on page 90

"Stop Managing a Device" on page 95

"About Pre-Deployed and Deactivated Devices" on page 96

"Restart a Device" on page 96

"Synchronize Devices" on page 97

"Configure Hierarchy for Devices and Device Groups" on page 100

"Search for Managed Devices" on page 103

"Perform an Operation on a Managed Device" on page 104

"Ensure Devices Belong to Device Groups" on page 105

"Monitor Device Health" on page 106

Verify Device Details

"View System Metrics" on page 112

"RMA a Device" on page 114

"Put Device in Monitor-Only Mode" on page 115

Add Device Group Attributes

Add a Device
Before you can manage and monitor your devices, you must add them to Management Center. Devices that can be added to and managed by Management Center include the following:

• Content Analysis Appliances
• Malware Analysis Appliances
• PacketShapers
• ProxySG Appliances
• Advanced Secure Gateways
• Reporter
• SSL Visibility Appliances

To add a device that has not arrived in your organization yet or is not set up, select Unavailable (pre-deployment) for the deployment status in step 4 in the following procedure.

1. Select the Network tab. (Optional) Browse to the hierarchy and folders/subfolders where you want to add the device.

Configure how often devices are polled. See "Set the Device Polling Interval" on page 399.

2. Click Add Device. The web console displays the Add Device wizard. A red asterisk (*) denotes fields that are mandatory.
3. Specify the following Connection Parameters:
• In the Deployment Status drop-down list, select Existing device if the device is already installed, or Unavailable (pre-deployment) if the device is not available yet. See "About Pre-Deployed and Deactivated Devices" on page 96 for information on pre-deployment devices.
• (If applicable) In the Device Type drop-down list, select the device type/OS. Enter the following:
• The IP address or hostname of the device.
• The username and password you use to authenticate to the device.
• Your enable password for administrator actions.
• The SSH port.
• The Management Status. Select Monitor Only (no config changes) if you want to disallow configuration changes to the device. See "Put Device in Monitor-Only Mode" on page 115 for more information.

4. Click Test Connection. Management Center attempts to connect to the device using the information you entered.

If the connection test fails, you will receive an error. Make sure that the information you entered is correct and try again. If the connection test succeeds, you receive a success message and the wizard prompts you to continue.

5. Click Next. The wizard displays the Add Device: Name dialog.
6. Enter a name to identify the device; this name displays on the Statistics Monitoring Dashboard and other areas in the web console.

7. Click Next. In the Add Device: Membership screen, select the appropriate groups from the drop-down lists.

By default, the system populates the fields with the hierarchy/group you were viewing when you started the Add Device wizard.

8. Click Next. A red asterisk (*) denotes fields that are mandatory. See "Add Attributes" on page 298.

9. Click Collect statistics for this device to have Management Center collect statistics and report on the device. See "View Statistics Monitoring Reports" on page 376.

10. Click Finish. The Network tab displays the device and the web console displays an alert indicating that the device was added and activated.

Determine Your Next Step

| What do you want to do next? | Refer to this topic |
| --- | --- |
| Ensure that all devices belong to a hierarchy and group. | "Ensure Devices Belong to Device Groups" on page 105 |
| Check information specific to the selected device. | "Monitor Device Health" on page 106 |
| Check device metrics. | "View System Metrics" on page 112 |

Add a Device Group
A device group is a folder in the device organizational structure that exists below the hierarchy level and contains devices or sub-folders.

1. Select the Network tab. In the left pane, select the hierarchy in which you want to create the device group.
2. (If applicable) Browse to the folder in which you want to create the device group. Select Add Group. The Add Group wizard displays the Add Group: Basic Info dialog.
3. On the Add Group: Basic Info dialog, enter a name and a description. A red asterisk (*) denotes fields that are mandatory.
4. Select a parent group from the Parent Group drop-down list. A red asterisk (*) denotes fields that are mandatory. Click Next.
5. On the Add Group: Attributes dialog, use the up/down arrows to specify Bandwidth Cost. Bandwidth Cost is a multiplier and is thus not expressed in a specific currency unit. For example, you can enter a value to represent, on average, how much you pay per gigabit for data usage on your network. See "Set Bandwidth Cost for Reports" on page 399.
6. (Optional) Specify your Primary Contact for the device group, as well as the Location device group.
7. Click Next. The Add Group wizard displays the Add Group: Membership dialog.

8. Select devices from the Available Devices list and add them to the Associated Devices list.

9. Click Finish. The new device group is displayed under the Network tab. If you cannot see the new device group, select Unassigned Devices and see "Ensure Devices Belong to Device Groups" on page 105 or "Configure Hierarchy for Devices and Device Groups" on page 100.

You can define attributes for a particular device, device groups, policy and script objects. See "Manage Attributes" on page 297.

Set the Device Polling Interval
You can specify the frequency with which Management Center looks for updates on managed devices. Specify an appropriate interval to ensure that device health statuses display accurately. The default interval is 10 seconds.

1. In the web console banner, select the Administration tab and select Settings.
2. Select General on the left. General fields display on the right.

3. Select Device Polling Interval (sec).
4. Enter a value in seconds.
5. Do one of the following:
• Click Reset to remove your current changes and revert to the default or last saved settings.
• Click Save to store the settings on the server.
• Click Activate to cause the server to load and apply the currently saved configuration.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Add Multiple Devices at Once
To add multiple devices using a CSV file, you can use Management Center's template CSV file, or you can create your own. You can import multiple devices of various types, including:

• ProxySG appliances
• Content Analysis appliances
• Malware Analysis appliances
• PacketShaper appliances
• SSL Visibility appliances
• Reporter

Import Devices Using a CSV File

1. From the web console, click Network.
2. Select Operations > Import from File. The web console displays the Import from File dialog.

3. Select the Import devices from manually created CSV file option.
4. Click Launch Import Wizard. The web console displays the Import Devices wizard.
5. From the Select Device Type dialog, select the device type that you want to import. Click Next.

6. You can either Download CSV Template or Select File and browse to the location of the import file containing all of the devices. Click Next.

If you download the CSV template, open it and add your devices to it. Refer to the following table for descriptions of the CSV file columns.

7. After the devices are downloaded, they are displayed in the Import Devices: Assign Groups dialog.
8. From the imported devices, select which devices to assign to a device group.
9. After the devices have been selected, from Device Group, select the object selector. From the available device groups or hierarchies, select a device group. The selected device group is displayed when you select it. Click OK. To apply the imported devices to the device group, click Apply.

10. (Optional) Repeat Step 9 until all imported devices belong to a device group or hierarchy.
11. When you are finished assigning the imported devices to device groups, click Finish.

| Column | Description |
| --- | --- |
| name | Enter the device name. Each device name must be unique. |
| deploymentStatus | Specify the deployment status: DEPLOYED\|UNDEPLOYED |
| host | Enter the IP address. |
| port | Enter the port number. |
| userName | Enter the administrator account for the device. |
| password | Enter the administrator password for the device. |
| enablePassword | Enter the enable password to enter privileged mode on the device. |
| collectPdmStats | Specify whether to collect statistics from the device for reporting: TRUE\|FALSE |
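The column rules in the table above can be checked before the file is handed to the Import Devices wizard. The following Python validator is an added example, not part of this guide or of Management Center; it assumes the header row uses the column names exactly as listed, that DEPLOYED/UNDEPLOYED and TRUE/FALSE are case-sensitive, and that UNDEPLOYED rows may leave the connection fields empty as the Add Device wizard allows. The sample rows are constructed.

```python
import csv
import io

# Column names as listed in the guide's CSV column table.
COLUMNS = ["name", "deploymentStatus", "host", "port",
           "userName", "password", "enablePassword", "collectPdmStats"]
DEPLOYMENT_VALUES = {"DEPLOYED", "UNDEPLOYED"}
BOOLEAN_VALUES = {"TRUE", "FALSE"}
# Assumption: a DEPLOYED row needs these fields; an UNDEPLOYED (pre-deployment)
# row may leave them empty, as the guide states for the Add Device wizard.
CONNECTION_FIELDS = ["host", "port", "userName", "password"]

# Constructed sample input (documentation addresses, placeholder passwords).
SAMPLE_CSV = """\
name,deploymentStatus,host,port,userName,password,enablePassword,collectPdmStats
proxy-01,DEPLOYED,192.0.2.10,22,admin,example-pass-1,example-enable-1,TRUE
proxy-01,DEPLOYED,192.0.2.11,22,admin,example-pass-2,example-enable-2,TRUE
ca-01,UNDEPLOYED,,,,,,FALSE
ssl-01,deployed,192.0.2.12,22,admin,example-pass-3,,TRUE
ma-01,DEPLOYED,192.0.2.13,70000,admin,,,yes
"""


def validate_device_csv(text):
    """Return a list of (line_number, message) problems; empty means the file passed.

    Messages name the offending column but never echo field values, so
    passwords from the file do not end up in terminals or logs.
    """
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]

    problems = []
    first_seen = {}  # device name -> line where it first appeared
    for row in reader:
        line = reader.line_num
        if None in row:  # DictReader stores surplus values under the key None
            problems.append((line, "more values than header columns"))
        # Short rows yield None for the missing columns; treat them as empty.
        value = {c: (row.get(c) or "").strip() for c in COLUMNS}

        name = value["name"]
        if not name:
            problems.append((line, "name is empty"))
        elif name in first_seen:
            problems.append(
                (line, "duplicate name %r (first on line %d)" % (name, first_seen[name])))
        else:
            first_seen[name] = line

        status = value["deploymentStatus"]
        if status not in DEPLOYMENT_VALUES:
            problems.append((line, "deploymentStatus must be DEPLOYED or UNDEPLOYED"))
        elif status == "DEPLOYED":
            for field in CONNECTION_FIELDS:
                if not value[field]:
                    problems.append((line, field + " is required for a DEPLOYED device"))

        port = value["port"]
        if port and not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
            problems.append((line, "port must be a number from 1 to 65535"))

        if value["collectPdmStats"] not in BOOLEAN_VALUES:
            problems.append((line, "collectPdmStats must be TRUE or FALSE"))
    return problems


if __name__ == "__main__":
    for line, message in validate_device_csv(SAMPLE_CSV):
        print("line %d: %s" % (line, message))
```

Because the import file carries administrator and enable passwords in clear text, the validator reports column names only and never echoes values.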

Determine Your Next Step

| What do you want to do next? | Refer to this topic |
| --- | --- |
| Ensure that all devices belong to a hierarchy and group. | "Ensure Devices Belong to Device Groups" on page 105 |
| View information about an imported device. | "Verify Device Details" on page 110 |
| Edit device information. | "Edit a Device" on the next page |
| Check device metrics. | "View System Metrics" on page 112 |

Edit a Device
You can edit device metadata, connection parameters, and the membership within a hierarchy and device group, and view the effective policy for each slot.

Procedure

1. Select the Network tab. (Optional) Browse to the hierarchy and folders/subfolders where the device you want to edit belongs. A red asterisk (*) denotes fields that are mandatory.
2. Select a Device.
3. Click Edit. Five tabs within the Edit Device wizard display editable fields:
• Basic Info
• Connection Parameters
• Membership
• Attributes
• Policies
4. Click the Basic Info tab. Edit the device name and description and view the deployment status, model number, serial number, and OS version. See "About Pre-Deployed and Deactivated Devices" on page 96.
5. Click the Connection Parameters tab. The following fields are all required:
• The IP address or hostname of the device.
• The username and password you use to authenticate to the device.
• The enable password for administrator actions.
• The SSH port.
6. Click Test Connection. Management Center attempts to connect to the device using the information you edited.
7. Click the Membership tab. (Optional) Edit membership with the drop-down lists assigned to Hierarchy and the following:
• Device Groups
• Location
• Organization
8. Click the Attributes tab. Mandatory attributes for the device are marked with a red asterisk (*). You can change the value on mandatory attributes, but you cannot delete them; see "Mandatory Attributes" on page 300.
9. Select the Policies tab. The Edit Device wizard displays the effective policy for each slot. The Policy Name mapped to each slot is displayed and the following assignments are displayed:
• Direct assignment - The policy was installed directly to the slot.

• Inherited from [Device Group Name] - The policy was inherited from the device group that the device is a member of.

The Local, Central, and Forward slots display CPL policy only. See "Create a CPL Policy Object" on page 167 or see "Create a CPL Policy Fragment" on page 188.

10. After you have completed editing the tabs for each device, click Save.

View Effective Policy for Each Slot on the Device

You can view the effective policy for each slot on the device from the Policies tab.

Determine Your Next Step

| What do you want to do next? | Refer to this topic |
| --- | --- |
| Ensure that all devices belong to a hierarchy and group. | "Ensure Devices Belong to Device Groups" on page 105 |
| View information about the device. | "Verify Device Details" on page 110 |
| Choose Operations for a Device or Device Group. | "Perform an Operation on a Managed Device" on page 104 |
| Edit device attributes. | "Edit Attributes" on page 301 |
| Edit policy attributes. | "Edit Attributes" on page 301 |

Edit a Device Group
You can edit any device group, including the system's predefined parent groups (the top-level folders in the Location and Organization hierarchies).

1. Select the Network tab.
2. In either Tiles view or Details view, browse to the parent folder of the group you want to modify.
3. Select the group and click Edit. The web console displays the Edit Group wizard.
4. Edit the information on each tab as required:
• Basic Info - Change the device group name and description.
• Attributes - Under System, change the statistics collection option and bandwidth cost. For information on the User-defined attributes, see "Filter Devices or Device Groups in a Permission" on page 294.
• Membership - Add or remove devices.
5. Click Save.

Launch a Device Console
Management Center offers a central location from which you can open the console of any managed Blue Coat device so that you can log in to the device.

1. Select the Network tab.
2. In the left pane, select the device group, and then select the device in the right pane.

3. Select one of the following:

• From the Operations drop-down list, click Launch Console.

or

• At the bottom of the web console, make sure the Overview tab is selected and click Launch Console.
4. Log in to the device.

Upgrade System Images on Managed Devices
To install system images on managed devices, complete the following steps.

1. Ensure that the system image has been uploaded to Management Center and that it has been associated with the correct device type. See "Upload Files to Management Center" on page 41 for more information.
2. Select Jobs > Scheduled Jobs > New Job. The system displays the New Job: Basic Info window.
3. In the Basic Info dialog, enter a name for your job. A red asterisk (*) denotes fields that are mandatory.

4. Enter a description of the job. Good descriptions help to differentiate jobs when they have similar names. Click Next.
5. Select Install System Image from the Operation drop-down list.

6. Click the System Image field. The system displays the Select System Image dialog.
7. Select the system image and click OK.

8. Choose whether to do the following:

• Install over secure connection

Choose this option only if Management Center has a certificate from a trusted certificate authority (CA). If Management Center uses a self-signed certificate that is not trusted (a common scenario), choosing this option causes the connection to fail.

If you choose to use a self-signed certificate, HTTP must be enabled on Management Center. To enable HTTP, enter the following CLI commands:

#en

#security http enable

• Restart device(s) after installation

Selecting this option will restart the target device after installation, loading the installed image.

9. Click Next.
10. Select the target device(s) and click Next.
11. Select a job schedule and click Finish.

Troubleshooting

If the upgrade operation is not successful, check the following:

• Verify HTTP/HTTPS connectivity between Management Center and the target device(s).
• Verify that the image being installed is associated with the correct device type.
• Check Management Center and target device logs for errors.

Back Up Device Configurations
Management Center allows you to initiate and automate the configuration backup of supported devices. You can select one or more devices or device groups to back up immediately or schedule a job for the backup.

Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.

1. From the Network tab, select the supported devices or device groups to back up.
2. From the Operations drop-down list, select Backup Devices. The devices that you selected appear in the Selected list.

3. Click Next. The system displays the Backup Devices: Image Settings screen.
4. Enter the Backup Name and Backup Description. Optionally, you can use variables, as shown in the following graphic. (See "Use Device Information for Backup Job Image Metadata" on page 81.)

5. To include private key data in the backup, select Include Private Data.

Currently, only the ProxySG and SSL Visibility appliances support this feature; the option is ignored for other device backups. For the ProxySG appliance, keyrings can only be backed up if they were configured to show (Show key pair option) when created. Keys that were not configured to show are not included in backups, even if Include Private Data is selected.

Note: Completed backups that include private key data include pki in the content details. ProxySG example:

6. Do one of the following:

• To immediately begin the backup of the selected devices, select Run Now.

• To execute the backup of the selected devices at a later time, select Create Job...
a. In the New Job: Basic Info dialog, enter a unique name and click Next.

b. In the New Job: Operation dialog, use the default name or enter a new one.
c. Verify that the devices you selected appear in the Devices tab and click Next.
d. Define when you want to schedule the device backup to occur. See "Job Scheduling Options" on page 328 for descriptions of each option.
e. Click Finish.

Next Steps

| Task | Topic |
| --- | --- |
| List the configuration backups for a device and view the content of a backup file | "View Device Backups" on page 83 |
| Restore a device configuration | "Restore Device Backups" on page 87 |
| Export a device backup | "Export Device Backups" on page 85 |
| Import a device backup | Import Device Backups |

Use Device Information for Backup Job Image Metadata
Administrators can control the name and description of the backup created by a job (based on the specific device that is backed up). To use the device information in a backup job, administrators need to start a backup job from the Network tab rather than the Jobs tab.

Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.

1. Select a device from the Network tab. A red asterisk (*) denotes fields that are mandatory.
2. From the Operations drop-down list, select Backup Devices. Select the device(s) to back up.
3. Click Next. The web console displays the Backup Devices: Image Settings dialog, with 'Manual Backup (04/04/15)' in the Backup Name field.

Although the backup name is shown as mandatory, use "Use Substitution Variables in Policies and Scripts" on page 176 to replace the words 'Manual Backup'. In the example shown, the device name variable will be replaced when the job is run.

Use ${today} in the Description field of the backup to display the date that the backup is run. If you run the backup now, today's date displays in the backup description.

4. Click Run Now. The Job Progress dialog displays the backup while it runs. You can select Continue in Background or click Close when the backup Status is Complete. View all backups performed from the Backup tab of the device.

View Device Backups
For any device whose configuration you have backed up, you can view a list of backup files as well as view the content of the backup files. Once the list is displayed, you can delete or restore the backups.

Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.

1. Click the Network tab.
2. Select a device group in the left pane, and then select the device name in the right pane.

To configure the maximum number of backups stored per device, see "Set the Number of Backup Slots" on page 399.

3. Select the Backup tab displayed at the bottom of the screen. The web console displays all of the successful backups, including each backup's name, description, date/time of the backup, device type, OS version, date/time it was last exported, and date/time it was last restored.
4. Select a backup from the list.
5. Click View. The Manual Backup Viewer displays the backup in a text editor.

6. If the backup exceeds the text editor limit, a warning displays:

Click Download. The file will download to your local Downloads folder. When the file is finished downloading, you can open it in Notepad or other text editor.

7. To pin or unpin a backup, click in the Pinned column. A thumbtack icon appears on pinned backups. A pinned backup cannot be manually deleted or automatically pruned (replaced with another backup).
8. To delete an unpinned backup, select it and click Delete.
9. To apply a particular backup configuration to the device, select it and click Restore. See "Restore Device Backups" on page 87 for more information.

Restore Device Backups
When you restore a device backup, Management Center replaces the device's current configuration with the backed up configuration. You can restore a configuration immediately, or schedule the restore for a later date.

Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.

1. Select the Network tab.
2. Select a device group in the left pane, and then select the device in the right pane.
3. Select the Backup tab at the bottom of your screen.

4. In the list of backups, choose the backup version you want to restore.

If the backup you want to restore isn't listed, it's possible that it was exported and pruned from the appliance. In this case, you would need to import the backup before you can restore. See Import Device Backups.

5. Click Restore. The web console displays the Restore Configuration dialog, which displays the following information:
• Device - The device name
• Backup Image - The name of the backup
• Description - The description given at the time that the backup was made
• Created - The date and time of the backup
• Last Restored - The date and time that the backup was last restored
6. (Optional) To view the contents of the backup (configuration), click View Contents.

7. To restore the backup later, go to Step 9.

To restore the configuration immediately, click Restore. The web console displays the Job Progress dialog. The Status column displays the running and completed job and more details about the job.

8. (Optional) To view the device output from the restored backup:
a. Select more details. The Device Output dialog displays the number and type of warnings.
b. You can navigate in between the errors and warnings.
c. Select Download as Text or Close.
9. To restore the backup later, click Create Job and follow the steps to configure the job. See "Add a Job" on page 324 for job options.

Export Device Backups
The Export Backup operation allows you to copy or move configuration backups to an external server. Copying backups to another server provides extra insurance by essentially creating a backup of a backup. Or, if you move the backups off Management Center and put them on an external server, you can make room for more backups on the Management Center appliance.

Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility.

1. From the Network tab, select a device or a device group whose configuration backup you want to export.
2. From the Operations drop-down list, click Export backups. If you have configured a location for the backup already, Management Center immediately exports the backup to the configured location. However, if you have not configured a location for the backup, the New Job wizard begins, displaying the New Job: Basic Info dialog.
3. Enter a unique name and a description for the Export. Click Next.

4. The New Job wizard displays the New Job: Operation dialog. The Operation is already displayed as Export Backups.

• Operation (*) - Export Backups
• Export to Server (*) - Enter the server location using FTP, HTTP, HTTPS, or SCP.
• Username - Enter the server username.
• Password - Enter the password for this user.
• Prune Backups - Select this option to remove the backups from the backup slots after exporting the backups. You are essentially moving the backups if you select this option. If you leave this option cleared, you are copying the backups to an external server.
• Retention Count (*) - Enter the number of backups to keep for each device. This overrides the default number of backup slots configured per device. (See "Set the Number of Backup Slots" on page 399.)
• Prune Pinned - Select this option to remove backups, even if they have been pinned (locked). Click Next.

5. In the New Job: Targets dialog, select additional devices or groups whose configurations you want to export. Selected devices and groups display in the Selected pane. Click Next.

6. Define when you want to schedule the export to occur or select Run Now to export the configurations immediately. See "Job Scheduling Options" on page 328.
7. Click Finish.

Set the Number of Backup Slots
By default, Management Center stores up to five backups per device, with each backup placed in a slot. After five backups, Management Center prunes (deletes) an unpinned backup to make room for the new backup. (Backups that are pinned are preserved and cannot be manually deleted or automatically pruned.) If you want Management Center to store more or fewer backups per device, you can adjust the number of backup slots.

1. Click the Administration tab and select Settings.
2. Select General on the left.
3. In the Number of backup slots field, enter a new value.
4. Click Save.

You can override the default number of backups that are retained for a device by entering a Retention Count when exporting backups. See "Export Device Backups" on page 85.

SSL Visibility Appliance - What is Backed up and Synchronized?
This page describes the SSL Visibility appliance configuration items that are backed up or synchronized.

Policy

• FIPS configuration and version
• Policy versions
• System options
• Rulesets
• Lists (IP address, cipher suites, certificates, etc.)

PKI

• FIPS configuration and version
• RSA and ECDH data
• Certificate authority data
• Trusted and known certificate data
• HSM data

Users

• Usernames
• Passwords
• Roles
• User IDs
• FIPS configuration and version

Platform

• Version information
• FIPS configuration and version
• Network settings
• NTP settings
• Remote logging settings
• SNMP settings
• Login banner settings

Alerts

• Mail configuration and roles
• FIPS configuration and version

Remote authentication

• TACACS settings

Monitor Device Health and Statistics
Devices can be activated or deactivated. Management Center actively monitors the health status of activated devices. Deactivated devices are not monitored. Whether you choose to activate or deactivate a device depends on your business requirements. For example, you might have already set up a pre-deployed device that is now ready to be activated, or want to deactivate a device that must be taken offline for maintenance.

Any of the Change Monitoring Status actions can be saved to a job and scheduled. See "Add a Job" on page 324 for more information.

Change Health Monitoring Status

Deactivating a device is NOT the same as deleting a device. See "Stop Managing a Device" on page 95.

1. Select the Network tab.
2. Locate the device you want to activate or deactivate. See "Filter Devices or Device Groups in a Permission" on page 294.
3. Select the device or group, and click the Operations drop-down list.

4. Select Change Monitoring Status...

The system displays the Change Monitoring State: Devices dialog.

5. Select one or more devices and click Next.

The system displays the Change Monitoring Status: Operation States dialog. The devices selected in Step 3 are preselected in this view.

6. Verify that Change Health Monitoring state is selected and do one of the following:
a. To activate a deactivated device, select Activate Device.

b. To deactivate an activated device, select Deactivate Device.

Deactivating a device disables all statistics monitoring.

If you try to activate the device when the connection parameters are not specified, you receive an error. To specify connection parameters, see "Edit a Device" on page 72.

7. Click Run Now. The system displays the Activate Devices - Job Results window.

The device status can take up to 30 seconds to change.

Enable or Disable Statistics Monitoring

Use these options to enable or disable statistics monitoring. You can disable statistics monitoring without deactivating the device. However, Management Center can only collect statistics from activated devices.

1. Select the Network tab.
2. Locate the device you want to activate or deactivate. See "Filter Devices or Device Groups in a Permission" on page 294.
3. Select the device, and click the Operations drop-down list.

4. Select Change Monitoring Status...

The system displays the Change Monitoring State: Devices dialog.

5. Select one or more devices and click Next.

The system displays the Change Monitoring Status: Operation States dialog.

6. Verify that Change Statistics Monitoring state is selected and do one of the following:
a. To enable statistics monitoring, select Enable Statistics Monitoring collections.

You can only enable statistics monitoring for activated devices.

b. To disable statistics monitoring, select Disable Statistics Monitoring collections.

7. Click Run Now. The system displays the Activate Devices - Job Results window.

The device status can take up to 30 seconds to change.

Stop Managing a Device
To stop managing a device in Management Center, you delete it. You should only delete a device from your network if you are certain that you will not need to manage it in the future.

When you delete a device, you remove it permanently from Management Center, and the only way to restore it is to add it again. If you want to stop monitoring a device temporarily, deactivate it instead of deleting it.

1. Click the Network tab.
2. Locate the device you want to delete. See "Search for Managed Devices" on page 103.
3. (Recommended) Verify that the device is the one you want to delete. See "Verify Device Details" on page 110.

4. Select the device, and then click Delete. The device and all related information, including reports, are permanently removed from the system.

Deletion cannot be undone. Once removed from the network, the device needs to be registered again.

5. Confirm that the device was deleted. Deleting a device configuration can take up to 60 seconds to complete.

About Pre-Deployed and Deactivated Devices
You can manage devices in Management Center even if you do not have the ability to monitor their activity and statistics. These devices have an Inactive status in the system; when you select them, the System Metrics and Health Checks tabs at the bottom of the screen display no data.

To look for inactive devices in the system, click the Network tab and clear all the statuses beside Filter by except Inactive:

The Network tab displays only the Inactive devices.

Inactive devices consist of two types: pre-deployed devices and deactivated devices. The following are examples of why you might need to manage inactive devices:

• You add a device that has not arrived in your organization yet or is not set up. In this scenario, in the Add Device wizard, you select Unavailable (pre-deployment) for the deployment status. Connection parameters are not required when you select the pre-deployment status, so you must specify them before you activate the device later.

• To allow for scheduled maintenance or other scenarios where devices must be powered off. In this scenario, to prevent error alert messages, you could deactivate the affected devices by selecting them and clicking Deactivate. Then, reactivate the devices when maintenance is complete.

For more information about device status and the use of color in the web console, see "About Color-Coded Status Indicators" on page 28.

Restart a Device
If you need to reboot a managed device, you can restart it from Management Center's web console.

1. Select the Network tab.
2. In the left pane, select the device group, and then select the device in the right pane.
3. From the Operations drop-down list, click Restart.
4. Click OK to confirm the reboot.

Synchronize Devices
Management Center supports synchronization of the following device types: SSL Visibility, Content Analysis, and Malware
Analysis.

When devices have similar or exact configurations, you can copy the configuration of one device (the source) to one or more
similar devices running the same or later OS versions. As an example, you can't synch from a non-FIPS image to a FIPS
image.

Prerequisites

- Determine which device has the configuration settings you want to synchronize to other devices. This device will be
  your source device.
- Under Devices on the Network tab, identify the target devices and verify that their OS version is the same or later
  than the source device. The OS version is displayed in the device's Overview tab. See "View System Metrics" on
  page 112.

Device Sync Details

Different settings may be synched for each device.

Support for SSL Visibility Appliance

Management Center does not allow synchronization from a newer version of an operating system to an older version.
For example, you cannot synchronize a 3.8.3 operating system version to a 3.8.2 operating system.

What to synchronize:

- Alerts - alerting and notifications used on the device
- Users - names and passwords on the device
- PKI - certificate (or the database store)
- Policy - rules for decrypting traffic
- Remote authentication - controls the way the device authenticates, as for TACACS

SSL Visibility appliances do not report platform information in the device overview. Platform is displayed as N/A as
shown in the example.

Support for Content Analysis

Management Center does not allow synchronization from a newer version of an operating system to an older version.

What to Synchronize:

- Select Configuration. Not all elements of your Content Analysis appliance configuration can be saved/restored.
  Administration details and network information defined in the initial deployment of your appliance must be manually
  assigned. The following components are included:

  - Global Anti-Virus Policy
  - Kaspersky Policy
  - Sophos Policy
  - Alert Settings
  - Alert Templates
  - SMTP Settings
  - Consent Banner
  - Custom Logo
  - NTP Settings
  - Timezone Configuration
  - HTTP Settings
  - SNMP Settings
  - Sandboxing Settings
  - Static Analysis Settings

Support for Malware Analysis Appliance (MA)

Management Center does not allow synchronization from a newer version of an operating system to an older version.

What to Synchronize:

- Settings - All settings within these groups are synced:

  - File reputation (enabled/disabled)
  - Cleanup daemon
  - Proxy Server
  - YARA state (enabled/disabled)
  - VirusTotal key
  - Task Defaults
  - Updates (enabled/disabled)
  - WebPulse

- Pattern groups created by users

Perform Device Synchronization

Follow this basic procedure.

1. Click the Jobs tab.

2. Select New Job. The web console runs the New Job wizard. A red asterisk (*) denotes fields that are mandatory.

3. Enter a Name (*) and Description.

4. Click Next.

5. From the Operation (*) drop-down list, select Synchronize Devices.

6. Select a Source Device (*) from the list of available devices. After selecting a source device, click OK.

7. Select the check boxes to define What to synchronize (*). Available choices are specific to the device and are not
platform specific.

8. Click Next. Select target devices or device groups that you want to keep in sync with the source device. If you
select a device group that includes devices that are not supported, the synchronization job automatically filters out
any devices that are not the correct device type.
9. Click Next. Define a schedule to run the Synchronize Devices job. See "Job Scheduling Options" on page 328.

Configure Hierarchy for Devices and Device Groups
The Hierarchy is the highest level in the device structure in Management Center. Any hierarchies that you create are at the
same level as the predefined Location and Organization hierarchies. Because you can manage 500 devices, creating
hierarchies is critical in managing device health, status, deploying policy and handling large jobs.

The hierarchical structure of Management Center enables users to manage policy across a large number of data centers in
a way that users can segregate the administration of policy.

Hierarchical Configurations

Management Center organizes its many managed devices into hierarchies with parent and child configurations. The key to
understanding Management Center hierarchical configurations is to remember the basic rules of managing device groups,
devices, and managing policies that can be deployed to all the devices in your organization.

Using the hierarchical structure, multiple devices can merge their policy attributes, devices can inherit policy attributes
from a parent device group, or child devices can be directly assigned policy.

Device Groups can belong to other Device Groups, but cannot belong to multiple Hierarchies (for example, you
cannot have the same Device Group in both Location and Organization).

Create hierarchies to represent geographical regions, organizational or departmental structure, deployment type, or
anything else appropriate for your network. You can then add device groups to as many hierarchies as needed.

1. Click the Network tab. In the left pane, to the right of the Group By drop-down list box, click the Manage
Hierarchies icon. The web console displays the Manage Hierarchies dialog.

2. Click Add Hierarchy. In the Hierarchy Name field, enter a unique name.
3. In the Comments field, enter useful comments to differentiate this hierarchy from others. Fields marked with a red
asterisk (*) are required settings.
4. The name you entered in step 2 automatically populates the Root Folder Name field. Accept the name if you do not
want to create a root folder within the hierarchy.
5. To create a new root folder, enter a name for it in the Root Folder Name field. Click Save.

The root folder is the parent folder for all subfolders. For example, in the Beach Names hierarchy, Beach Names is
the parent folder for the subfolders (West Coast Beaches, East Coast Beaches and Gulf Coast Beaches).

Edit a Hierarchy

1. To edit a hierarchy, from Groups select a device group name, click Edit. The Edit Hierarchy dialog displays.

2. Edit the name, comments, and root folder name as needed. Fields marked with a red asterisk (*) are required
settings.
3. Click Save to save your hierarchy changes or click Cancel to return to the Manage Hierarchies dialog.

You can delete any hierarchy except for the Location hierarchy.

Delete a Hierarchy

1. To delete a hierarchy, from Groups select a hierarchy, click Delete. A Delete Confirmation displays.
2. Confirm the deletion; click Delete.

If you delete a hierarchy that contains devices, the devices are still members of any other hierarchies to which they
belong. If you delete the last hierarchy to which a device belongs, you can click Unassigned Devices to see the
device.

To add a device group to the Hierarchy, see "Add a Device Group" on page 68.

Search for Managed Devices
You can search for devices in your network using several methods.

Search by Name or IP Address

In most cases, searching by the name or IP address is the most efficient way to locate a device.

1. Click the Network tab.
2. In the search field at the top of the tab, enter one of the following:
   - Device name
   - String in the device name
   - IP address of the device
   - Octet or part of an octet in the device IP address
3. Press Enter or click the search icon (magnifying glass).

The system returns a list of all devices that match the search criteria in a Search window.
Select a device to view it, or click the X in the top right corner of the window to close it.

Browse the Hierarchy

Select the Network tab and browse the hierarchy and folders for the device. This method is convenient if you know where
the device is located in the folder structure, or if the folder structure is not too deep or complex.

Perform an Operation on a Managed Device
The status of a managed device can control which operations are allowed on a device. See "Monitor Device Health" on
page 106.

Operations that are not available for the selected device or device group are grayed out in the Operations
drop-down list.

1. Select the Network tab.
2. Select the device group in the left pane, and the device in the right pane.
3. Click Operations to display the drop-down list of options.

4. Select the desired option:

   - Launch Console
   - Restart
   - Delete
   - Change Monitoring Status
   - Backup Devices
   - Export Backups
   - Import Backups
   - Import from File (Add Multiple Devices)
   - RMA Device
   - Purge Stats Monitoring
   - Remove Unused Tenant Policy

Ensure Devices Belong to Device Groups
Blue Coat recommends that you periodically verify that all devices are assigned to groups. A device might become
unassigned if no groups were selected when the device was added to Management Center, or if the groups to which the device
was assigned were deleted. See "Edit a Device Group" on page 74.

Because unassigned devices do not display in any groups, users might not manage them or even be aware of them if they
work only in device groups or only have access to specific device groups in their role filters.

A device group can be inside another device group, but a device group cannot be in multiple hierarchies.

1. Click the Network tab. From the left pane, click Unassigned Devices. Unassigned devices display in the right
pane.

2. Select a device you want to assign to groups and click Edit. The web console displays a wizard with the following
tabs:
   - Basic Info
   - Connection Parameters
   - Membership
   - Attributes
   - Policies

An error message displays at the bottom, citing the reason why the device is not assigned to a device group.

3. Click Membership. Enter a location for the device.

4. Click Save. A message displays stating: [device name] was saved successfully.

5. (Optional) To assign by dragging and dropping the device to a device group, select the device and drag it into the
device group in the tree on the left. Drop the device. Confirm the move. Click OK.

Monitor Device Health
Management Center collects health status information on device components including system resources, license
validity, and user-defined health checks, and displays the aggregate health status in several areas.

Device health is always represented by status colors: Error (red), Warning (yellow), and OK (green). A device's health
status is determined by system-defined thresholds on the device: if a service or other monitored component exceeds a
threshold, the device goes into a Warning or Error state.

If you cannot get the device out of the Error state, regardless of what you try, you may need to RMA the device. See
"Perform an Operation on a Managed Device" on page 104.

A gray status color indicates an absence of health status and represents an Inactive device. Some jobs and operations
cannot occur on inactive or pre-deployed devices.

See "About Color-Coded Status Indicators" on page 28 for more information on status colors in various areas of the web
console.

For more information on monitoring health status on the ProxySG appliance, refer to the SGOS Administration
Guide.

View Device Health Status on the Dashboard

The Dashboard displays overall health status information in widgets. Two widgets display by default, but you can close
them by clicking the X in the top right corner.

The Device Health widget gives an overall picture of the health of monitored devices in a circle graph.

Click a status icon below the chart to see the devices that have that status.

The Top Problem Devices widget lists the devices that are consistently displaying with errors or warnings.

For example, if you click on San Clemente, the Device Overview displays Yellow with the specific warnings for each
device value.

If you have removed a widget from the Dashboard, you can display it again. See "Change the Dashboard Layout" on
page 396 for instructions.

View Health Status in the Banner

In the web console banner, look for the device status icons.

Click a status icon to see the devices that have that status. These totals are the same as the device status totals that
display under the Device Health widget on the Dashboard; because these are in the banner, they are visible to you no matter
which tab you are working on.

View Device Health Status

1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and
Backup tabs display at the bottom of the screen.

3. Click Health Checks. The web console displays information about the system resources. Scroll to the bottom of the
screen to view the following:

View Device Dashboards

A dynamically generated dashboard is available for device monitoring. CAS and MA are currently supported.

1. Select the Network tab.
2. Select the device whose health you want to view. Overview, System Metrics, Dashboard, Health Checks and
Backup tabs display at the bottom of the screen.
3. Click Dashboard. The web console displays system status metrics. The content available will vary with the
device:

ProxySG/Advanced Secure Gateway Dashboard

MA Dashboard

CAS Dashboard

The metrics may be displayed in one of several different ways:

- Counters: Displays a count for a specific time period.

  Examples: Object Count, Total Scan.

- State: Displays a text value.

  Examples: Condition - Green/Yellow/Red condition indicator.

- Series: Displays values over a period; this presentation may be in an area display, a bar, a column, a pie chart, or a
  donut chart.

  Examples: CPU, ICAP Scan.

Resolve Device Errors

To resolve device errors, see Resolve Device Errors.

Verify Device Details
To verify a device's information after you have added it, or to help identify a device, do the following:

1. Click the Network tab and select the device whose details you want to view.
2. At the bottom of the screen, click the up arrow. The monitor window expands from the bottom of the screen.
3. Overview, System Metrics, and Health Checks and Backup tabs display at the bottom of the expanded window.
4. Click Overview. The web console displays information about the system resources.

5. Inside the Overview tab, click Launch Console to launch the console of the device, or click Refresh to query the
device for the latest values to display within these device tabs.

After you upgrade or downgrade the device, use the Refresh button to display the latest values correctly.
See "Upgrade/Downgrade System Images" on page 406.

6. To close the device monitor window, click the down arrow.

Device Overview Tab

Value            Description

Device Icon      The icon used to depict a certain device type, for example a ProxySG appliance is
                 depicted by the icon.

IP Address       The IP address of the device.

Last update      The date and time of the last update starting with how long ago the last update began (in
                 seconds).

                 Example:

                 <20s ago

                 6/1/15 6:02 PM GMT-05:00

                 The example shown is when <6/1/15> equals the date in short format, <6:02 PM>
                 equals the time on a 12-hour clock and <GMT-05:00> equals the time zone <Greenwich
                 Mean Time minus 5 hours> which at the time of this documentation equals
                 Central Daylight Time.

System started   The date and time that the system started.

                 Example:

                 5/26/15 11:42 AM GMT-05:00

                 The example shown is when <5/26/15> equals the date in short format, <11:42 AM> equals
                 the time on a 12-hour clock and <GMT-05:00> equals the time zone <Greenwich Mean Time
                 minus 5 hours> which at the time of this documentation equals Central Daylight Time.

Model            The appliance model of the appliance.

                 Example:

                 VA

                 The example shown is where <VA> equals a virtual appliance.

Platform         The Blue Coat platform information that the software is running on.

                 Example:

                 Blue Coat SG VA Series

                 The example shown is when Blue Coat <SG VA> Series equals ProxySG Virtual Appliance
                 Series.

Serial Number    The serial number assigned to the selected device.

Host             The host IP address of the selected device.

OS version       The version of the operating system, including the version number and edition.

                 Example:

                 SGOS 6.5.5.410 SWG Edition

                 The example shown is when <SGOS> equals the ProxySG Operating System, <6.5.5.410>
                 equals the version number and <SWG> equals Secure Web Gateway Edition.

Build            The build number of the software running on the selected device.

                 Example:

                 150788 64-bit, gbd, optimized

                 The example shown is when <150788> equals the build number, <64-bit> equals the
                 capacity at which bits can be processed and stored and <optimized> equals clock optimization
                 for this particular build number.

View System Metrics
In Management Center, device metrics refer to key hardware components such as CPU usage, disk status, fan status,
and motherboard temperature. Refer to these metrics to verify availability and performance of system resources.

1. Select the Network tab. Select a device to view metrics.
2. At the bottom of the screen, click the up arrow. The monitor window expands from the bottom of the screen.
3. The web console displays the Overview, System Metrics, and Device Health and Backup tabs.
4. (Optional) If the device is always in an error state (yellow or red) and you are unable to update the license or restore
a good configuration, you may need to perform an RMA for the device. See "RMA a Device" on page 114.

5. Click System Metrics. The web console displays information about the system resources. If available, scroll down
to see all of the metrics available for the selected device. To see device details in the Overview tab, see Verify
Device Details.

Management Center can collect metrics only from activated devices. If you select a deactivated or
pre-deployment device, the Overview, System Metrics, Health Checks and Backup tabs display no
information.

The System Metrics Tab

The System Metrics tab provides a snapshot of the disk status as well as the percentage of both the CPU and
Memory currently being used, and the threshold settings for both Warning and Critical. To configure the warning and
critical thresholds displayed in the System Metrics tab, see "Configure Hardware Monitor Settings" on page 405. An example
of a ProxySG appliance is displayed in the table shown below.

Metric Description    Status   Current Value   Warning Threshold   Critical Threshold

CPU Utilization       OK       3%              80%                 95%
Memory Utilization    OK       25%             90%                 95%
Disk 1 Status         OK       present
Disk 2 Status         OK       present

The Health Checks Tab

The Health Checks tab displays information based on the type of device that you have selected. An example of an SSL
Visibility appliance is displayed in the table shown below. The top row displays General with the number of health checks
that are routinely performed on the device. To see other places within the web console to view device health, see "Monitor
Device Health" on page 106.

Name            Info   State   UP/DOWN

- General (4)
License                OK      Up
Load                   OK      Up
Network                OK      Up
System                 OK      Up

The Backup Tab
The Backup tab displays all of the device backups for the selected device. The Backup tab also displays whether a device
backup has been exported to an external server, and whether it has been restored. Perhaps most importantly, you can pin a
backup to ensure that it doesn't get deleted when Management Center deletes old backups when performing routine disk
maintenance. When importing a backup, Management Center will not replace pinned backups unless specified when you
"Restore Device Backups" on page 87. You must select a backup from the list to View, Restore, or Delete a backup. See
"Monitor Device Health" on page 106. An example of a ProxySG appliance backup information is displayed in the table
shown below.

Name         Description   Date/Time            Device Type  OS Version      Exported Date         Restored Date         Pinned

Device Name  SG in Dallas  7/3/15 8:05 PM GMT   ProxySG      SGOS 6.5.5.410
Device Name  SG in Tuscon  6/3/15 7:58 PM GMT   ProxySG      SGOS 6.5.5.410  7/11/15 1:58 AM GMT   7/12/15 3:30 PM GMT
Device Name  Joe's SG      5/3/15 8:01 PM GMT   ProxySG      SGOS 6.5.5.410  5/23/15 6:01 AM GMT   5/27/15 4:12 PM GMT
Device Name  Matt's SG     5/3/15 8:03 PM GMT   ProxySG      SGOS 6.5.5.410

Determine Your Next Step

What do you want to do next?                     Refer to this topic

Export device backups to an external server.     "Export Device Backups" on page 85
Verify device details in the Overview tab.       Verify Device Details
View device backup in a text editor.             "Monitor Device Health" on page 106

RMA a Device
If you need to return a device to Blue Coat using Return Merchandise Authorization (RMA), follow the procedure below to
replace the defective device with the replacement device in Management Center. This procedure assumes you have
initiated the RMA process with Blue Coat.

1. Record the serial number of the defective device. You will need this number when performing the RMA Device
operation below.

2. (Optional) Deactivate the defective device. See "Monitor Device Health and Statistics" on page 90.

Deactivated devices show on the Network tab with a gray status. If you don't deactivate the device, it will
show on the Network tab with a red status.

3. Return the defective device to Blue Coat.
4. Install the replacement device in the network. If you assign it the same IP address and credentials, you do not need
to add the device into Management Center; otherwise, you will need to "Add a Device" on page 65.
5. Go to the Network tab and select the replacement device.

6. From the Operations drop-down list, select RMA Device. A red asterisk (*) denotes fields that are mandatory.

Management Center will attempt to connect to the device and retrieve its serial number. If it succeeds, it will
display it next to Serial Number detected on device.

7. In the Provide previous Serial Number field, enter the serial number of the defective device.

8. (ProxySGs only) Decide whether you want to apply existing Statistics Monitoring data from the defective device
and migrate it to the replacement device. Select the desired option:

   - migrate Statistics Monitoring data
   - ignore Statistics Monitoring data
9. Click Update Device.
10. From the Operations drop-down list, click Restart.

Put Device in Monitor-Only Mode
You might want to monitor some devices while also preventing configuration changes on them. This is called monitor-only
mode. Management Center displays a lock next to devices in monitor-only mode, as shown below.

Monitor-only devices can be selected as targets for jobs, scripts, etc., but that job step will fail.

Allowed Operations

The following table describes the monitor-only

Operation Allowed?
Edit Metadata Yes
Edit Attributes Yes
RMA Yes
Purge Stats Monitoring Yes
Import from file Yes
Assign Group Membership Yes
Use as a policy target Yes
Install Policy No
Remove unused policy No
Execute script No
Backup Device Yes
Export Backup Yes
Restore Backup No
Launch Console Yes
Activate Device Yes
Deactivate Device Yes
Restart Device Yes
Device sync as a source Yes
Device sync as a Target No

Add a Device in Monitor-Only Mode

1. Select the Network tab.
2. Select Add Device.
3. Enter the connection details.

If you add a device with the Deployment Status set to Unavailable (pre-deployment), changing the
monitoring status has no effect.

4. In the Management Status field, select Monitor Only (no config changes).
5. Click Next.
6. Follow the rest of the Add Device procedure.

Put an Existing Device in Monitor-Only Mode

1. Select the Network tab.

2. Locate the device, select it, and click Edit.

The system displays the Edit Device dialog.

3. Click the Connection Parameters tab.

4. In the Management Status field, select Monitor Only (no config changes).
5. Click Save.

Use WAF Policy To Protect Servers From Attacks
As more and more organizations move to web applications, they are exposed to new and sophisticated threats. While
traditional firewalls and IPS systems are effective for detecting threats in layers 3 and 4, they cannot interpret the logic inside
the application layer, making them ineffective against web application threats. Web Application Firewalls (WAF) were
designed for just this purpose. WAF devices protect web applications by inspecting traffic and controlling access to
applications.

As the following diagram shows, the ProxySG WAF appliance is typically deployed behind the firewall and in front of the
back-end content servers. It is typically paired with the Malware Analysis and Content Analysis appliances, while Reporter
and Management Center provide reporting and remote management services.

In Management Center 1.5.x and later, you can use Management Center to construct Web Application Firewall (WAF)
policies for your ProxySG appliances. These WAF policies are designed to protect back-end web applications and servers
in a reverse proxy deployment from external security threats. The ProxySG WAF solution provides the following:

- OWASP Top 10 threats protection
- Content Nature Detection
- Virtual Patching
- Cookie signing
- Denial of Service (DoS) protection
- Whitelisting and blacklisting
- Advanced policies (CSP, HSTS, HPKP, etc.)
- Analytics filter (heuristics anomaly detection)
- Geolocation intelligence
- Normalization
- Signature versions per application
- JSON/XML security

Requirements
To use the WAF features, you must purchase the following:

- Web Application Protection (WAP) Subscription (included with Management Center but must be purchased for your
  ProxySG appliances).

  If you have purchased a subscription, it is automatically downloaded to Management Center. To manage your
  subscription, see #subscriptions in the Management Center Configuration Web Guide.

  In Management Center 1.6.1.1, the subscriptions command controls only the Web Application
  Protection (WAP) subscription. To use Web Application Firewall (WAF) features, you must ensure that
  Management Center can connect to https://subscription.es.bluecoat.com to download the WAP
  subscription bundle. If the WAP subscription cannot be downloaded, the Blacklist and Analytics Filter rules
  table in the Security Profile will not be available. However, all other WAF features should still be available
  and functioning. The WAP subscription cannot currently be loaded when Management Center is in offline
  mode.

- Multi-Tenant Policy License.

These licenses are purchased on a per ProxySG appliance basis.

Software Version Requirements

- ProxySG appliance: Must run SGOS 6.6.3 or later.
- Reporter: Must run 10.1.3 or later, which provides the new WAF database.
- Management Center: Must run 1.5 or later, which provides the new WAF interface.

Before using these WAF features, Blue Coat strongly recommends reading and familiarizing yourself with the Web Application
Firewall Solutions Guide.

Solution Steps
1. Learn about WAF policy.

2. Select a tenant.

Tenants are administrative entities defined on ProxySG appliances. Each tenant has a unique instance of policy
governing its traffic. To begin, first deploy WAF policy to the default tenant. You can add additional tenants later if
you require WAF Application objects with different security profiles.

3. Create a Tenant Determination File.

This object controls how requests are routed to the tenant slots in policy. A Tenant Determination File always
references the default tenant. Optional tenant references and rules controlling their selection can be added as
needed when additional tenant slots are created.

4. Deploy the Tenant Determination File to the appropriate ProxySG appliances.

5. Create and configure a WAF Security Profile.

A WAF Security Profile defines the security rules for the Web Application Firewall.

6. Create and configure a WAF Application object, associating a tenant and WAF Security Profile.

A WAF Application Object represents a web application (or group of web applications) and its associated WAF
security settings.

7. Add targets and deploy the WAF Application Object to those targets.

8. Run web application traffic through the WAF and review your logs for false positives.

The bcreporterwarp_v1 access log format is recommended for reverse proxy WAF deployments. For more
information, refer to the Web Application Firewall Solutions Guide.

9. Refine your WAF Security Policy:
   a. Add exemptions to your WAF security policy.
   b. Change WAF protection controls from Monitor-mode to Block-mode.
   c. (Optional) Configure Effective Date to intelligently handle subscription updates.

About WAF Policy
As described in "Use WAF Policy To Protect Servers From Attacks" on page 119, WAF policies are designed to protect
back-end web applications and servers in a reverse proxy deployment from external security threats.

The Management Center WAF policy feature uses the following policy elements:

Tenants. Management Center WAF policy is centered around the concept of tenants. Tenants are administrative entities
defined on the ProxySG appliance that allow policy to be applied to a request matching specific properties or conditions.
Tenants represent one or more web applications. Each WAF application object (see below) is associated with a tenant.

Tenant Determination File. A Tenant Determination File includes policy conditions that control which tenant policy slot is
evaluated for an HTTP request. When policy matches a request, the tenant is identified and all policy associated with the
tenant ID is applied to the request. For example, a tenant's rules could indicate that all traffic to port 80 must have this
tenant's policy applied to it. After setting these rules on Management Center, you deploy this file to your ProxySG appliances.

WAF Security Profile. A WAF Security Profile is a shared object (a policy element that can be referenced by multiple policy
objects) that defines the Web Application Firewall settings for the associated WAF application object. For its rules to be
enforced, a WAF security profile must be associated with a WAF application object.

WAF Application Object. WAF policy is configured through the use of a WAF application object. A WAF application
represents a tenant (a web application or group of web applications) and its associated WAF security profile settings.
Therefore, to create a WAF application, you must associate it with a tenant (web application) and a WAF security profile (security
settings).

About the Default Tenant

For new WAF deployments, you begin by associating a WAF application with the default tenant. The default tenant contains
the policy rules applied to all requests that do not match a specific tenant. This ensures that all requests have a base level of
WAF protection, and simplifies the deployment process.

After deploying policy to the default tenant, create additional tenants as needed. For example, you can define a tenant for
your Salesforce application and another tenant for your SharePoint application. Then, you can create and apply specific
policy to protect and control each of those tenants.

About Tenant Determination

The criteria that determine the correct tenant policy to apply to a request are called tenant determination rules. As shown
below, tenant determination is controlled through the use of a <tenant> layer in the Landlord CPL slot on the ProxySG
appliance.

On Management Center, you configure the Landlord slot by creating a Tenant Determination File. In other words,
the Landlord slot on the ProxySG appliance is referred to as a Tenant Determination File on Management Center.

The <tenant> layer in the Landlord slot specifies conditions and tenant() properties. Within this layer, a small subset
of CPL conditions are supported. These conditions are used like a switch statement (conditional logic flow) to specify
which tenant slot CPL should be evaluated for a given request. When the conditions on a line evaluate to true, the
tenant() property is set and evaluation of the current layer ends.

After tenant determination, the request is routed through a tenant, whose policy is evaluated for that transaction. When no
specific tenant is determined for a request, the default tenant policy is used. Tenant determination criteria govern which
tenant's policy applies to a given request.

Reference: Conditions and Examples

Supported Conditions

The following table shows the tenant conditions supported in Management Center.

Condition                  Available Qualifiers              Example

Client Address             matches                           Client Address matches 10.167.3.25
Client Effective Address   matches                           Client Effective Address matches 10.167.0.87
Proxy Address              matches                           Proxy Address matches 10.140.2.104
Proxy Port                 =                                 Proxy Port = 8080
Port                       =                                 Port = 80
URL                        equals, contains, matches regex   URL equals http://www.example.com/test
URL Domain                 contains                          URL Domain contains example.com
URL Extension              equals, is not present            URL Extension equals .net
URL Host                   equals, contains, matches regex   URL Host equals http://www.example.com
URL Path                   equals, contains, matches regex   URL Path equals /example
URL Query                  equals, contains, matches regex   URL Query contains ?name=

Tenant Determination CPL Example

The following CPL rules provide an example of tenant determination in the Landlord slot.
<tenant>

url.path.substring="/Webapp/portal" tenant(webapp_portal)

url="http://domain.com/mail" tenant(domain_mail)

tenant(default)

In the preceding CPL, the condition on each line is evaluated. If the condition is a match, the tenant() property on that line
is set appropriately and the evaluation of the <tenant> layer exits. If no tenant is determined, the tenant(default) is
used.

The tenant(default) property is implicit and does not actually need to be included in the CPL rules. Always
deploy WAF policy to the default tenant to ensure that all requests are processed by the WAF. Specific applications
(or groups of applications) that require different WAF security settings can then be split off into unique tenants as
required.

WAF Policy Evaluation Example

The example below describes WAF policy evaluation:

1. The ProxySG appliance intercepts a request.
2. The appliance examines the initial connection parameters (source, destination, port, URL).
3. The appliance applies policy to the traffic.
4. The Landlord policy (Tenant Determination File) is examined.
5. The request is set to a specific tenant slot, or to the default tenant slot.
6. The appliance re-evaluates the request using a CPL stack that contains the appropriate tenant policy.
7. If allowed by policy, the ProxySG appliance sends the traffic to the appropriate server.

Manage Tenants
Tenants are administrative entities defined on ProxySG appliances. Each request is routed through a tenant, whose policy is evaluated for that transaction. When no specific tenant is determined for a request, the default tenant policy is used. Tenant determination criteria govern which tenant's policy applies to a given request. Add these tenants to Management Center to create and deploy tenant-specific policy.

On the ProxySG appliance, there are two options for controlling tenancy determination:

1. The #(config general) multi-tenant criterion command specifies a substitution expression that is evaluated for tenancy determination.
2. Using the <tenant> layer in the Landlord CPL slot to specify conditions and tenant() properties.

The Management Center WAF interface leverages option #2 to control tenancy determination via the Tenant Determination object. See "About WAF Policy" on page 121 for more information.

When evaluating an HTTP request, if the tenant determination rules produce a match against an installed tenant, then that tenant's policy will be evaluated. If that fails to set the tenant() property, or the tenant() property setting does not correspond to an installed tenant policy, then the default tenant policy is applied to this traffic. Default tenant policy applies to all requests where tenancy couldn't be determined during the initial connection.
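The first-match evaluation and the fallback to the default tenant described above can be checked offline before a Tenant Determination file is deployed. The following Python model is an added example, not part of this guide or the product: the rule dictionaries, the WAF_SLOTS inventory and the sample requests are constructed, and the operator semantics (exact match, substring, regex search, subnet membership) are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

DEFAULT_TENANT = "default"


def field_value(request, condition):
    """Return the request property that a rule condition refers to."""
    url = urlsplit(request["url"])
    last_segment = url.path.rsplit("/", 1)[-1]
    extension = "." + last_segment.rsplit(".", 1)[1] if "." in last_segment else ""
    values = {
        "URL": request["url"],
        "URL Host": url.hostname or "",
        "URL Path": url.path,
        "URL Extension": extension,          # assumed to include the dot, as in ".pdf"
        "Client Address": request["client"],
    }
    return values[condition]


def condition_matches(request, condition, operator, value):
    actual = field_value(request, condition)
    if condition == "Client Address":
        # Address fields accept a single address or a subnet, IPv4 or IPv6.
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if operator == "equals":
        return actual == value
    if operator == "contains":
        return value in actual
    if operator == "matches regex":
        return re.search(value, actual) is not None
    raise ValueError(f"unsupported operator: {operator}")


def rule_matches(request, rule):
    """'all' requires every condition to match, 'any' requires at least one."""
    results = [condition_matches(request, *c) for c in rule["conditions"]]
    return all(results) if rule["match"] == "all" else any(results)


def determine_slot(request, rules, installed):
    """Return (slot, reason). The first enabled matching rule wins and evaluation stops."""
    for rule in rules:
        if not rule.get("enabled", True) or not rule_matches(request, rule):
            continue
        if rule["tenant"] in installed:
            return rule["tenant"], "matched"
        # tenant() names a slot with no installed policy: default policy applies.
        return DEFAULT_TENANT, f"tenant '{rule['tenant']}' not installed"
    return DEFAULT_TENANT, "no rule matched"


def audit(rules, installed, waf_slots):
    """List configuration gaps that leave traffic without the intended WAF policy."""
    findings = []
    if DEFAULT_TENANT not in waf_slots:
        findings.append("default tenant has no WAF policy: unmatched requests skip the WAF")
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        tenant = rule["tenant"]
        if tenant not in installed:
            findings.append(f"rule targets '{tenant}', which is not installed: default policy applies")
        elif tenant not in waf_slots:
            findings.append(f"tenant '{tenant}' receives traffic but has no WAF policy")
    return findings


# Constructed sample configuration (hypothetical names except the two tenant IDs
# taken from the CPL example earlier in this guide).
RULES = [
    {"tenant": "webapp_portal", "match": "all",
     "conditions": [("URL Path", "contains", "/Webapp/portal")]},
    {"tenant": "domain_mail", "match": "all",
     "conditions": [("URL Host", "equals", "domain.com"),
                    ("URL Path", "matches regex", r"^/mail(/|$)")]},
    {"tenant": "internal_apps", "match": "any",
     "conditions": [("Client Address", "equals", "10.0.0.0/8"),
                    ("URL Extension", "equals", ".pdf")]},
]
INSTALLED = {"default", "webapp_portal", "domain_mail"}   # tenant slots with policy installed
WAF_SLOTS = {"default", "webapp_portal"}                  # slots that carry WAF policy
REQUESTS = [
    {"url": "http://domain.com/Webapp/portal/login", "client": "203.0.113.7"},
    {"url": "http://domain.com/mail/inbox", "client": "203.0.113.7"},
    {"url": "http://domain.com/reports/q3.pdf", "client": "198.51.100.20"},
    {"url": "http://domain.com/index.html", "client": "198.51.100.20"},
]

if __name__ == "__main__":
    for req in REQUESTS:
        slot, reason = determine_slot(req, RULES, INSTALLED)
        print(f"{req['url']:45} -> {slot:14} ({reason})")
    for finding in audit(RULES, INSTALLED, WAF_SLOTS):
        print("FINDING:", finding)
```

Running the audit against an export of the real rule list shows which requests silently land in the default slot, which is why the guide asks for WAF policy on the default tenant first.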

Obtain the tenant identifiers before you write multi-tenant policy in Management Center. For more information on multi-tenant policy, refer to the Multi-Tenant Policy Deployment Guide.

WAF Policy Use

Selecting a tenant is step 2 in "Use WAF Policy To Protect Servers From Attacks" on page 119. A base-level of WAF policy should be installed to the default tenant before any additional tenants are created. This ensures that all requests are processed by the WAF.

Add a Tenant

A red asterisk (*) denotes fields that are mandatory.

1. Select Configuration > Tenants.
2. Click Add Tenant. The web console displays the Add Tenant dialog.
3. Enter a Display Name.
4. Enter the Tenant ID. This controls the name of the tenant slot where policy will be installed. This ID is also used in the tenant determination CPL using the tenant() property.
5. (Optional) Enter a Description (up to 1024 characters).
6. Click Save.

By default, the Tenants list is sorted in alphabetical order by Display Name. You can also sort by Tenant ID or Description by clicking the column headings. If the list is long, use the Keyword Search field to search for any string in the name, ID, or description. The search is case-sensitive.

Modify a Tenant

1. Select Configuration > Tenants.
2. From the Tenants list, select the tenant to modify and click Edit. The web console displays the Edit Tenant dialog.
3. Edit the Display Name or Description. A red asterisk (*) denotes fields that are mandatory.
4. Click Save.

Delete One or More Tenants

1. Select Configuration > Tenants.
2. From the Tenants list, select one or more tenants to remove.
3. Click Delete.
4. Select Yes to delete the selected tenants.

You cannot delete the default tenant or any tenant that is currently referenced in Management Center policy. Attempting to delete the default or a referenced tenant results in a "Delete failed" error message.

Specify Tenant Determination Rules
A Tenant Determination file includes policy conditions that control which tenant policy slot is evaluated for an HTTP request. When policy matches a request, the tenant is identified and all policy associated with the tenant ID is applied to the request. On the ProxySG appliance, this file is called the "Landlord Policy." See "About WAF Policy" on page 121 for more information about the Landlord policy.

WAF Policy Use

Specifying Tenant Determination rules is step 3 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Step 1: Create a Tenant Determination File

1. Select Configuration > Policy and click Add Policy.

   The web console displays the Create New Policy: Basic Information wizard. A red asterisk (*) denotes fields that are mandatory.

2. Enter a name for the policy object.
3. Select Tenant Determination File for the Policy Type.
4. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.

   The Reference ID must begin with a letter, and must contain only letters, numbers and "_".

5. (Optional) Enter a description in the Description field. Although entering a description is optional, entering a description can help you understand the purpose of the policy when you later refer to it.
6. Click Next.
7. Enter or select values for the defined attributes.
8. Click Finish.

   The new tenant determination policy object appears in the Policy Objects editor. When installed on a ProxySG appliance, this tenant determination file configures the policy in the ProxySG Landlord slot. Because no other tenants have yet been defined, this policy object directs requests to the default tenant. (The default tenant contains the policy rules applied to all requests that do not match a specific tenant.) For initial setups, WAF policy should be installed to the default tenant. To proceed, deploy the tenant determination file to your ProxySG appliances and continue to "Configure WAF Security Rules" on page 130 to create a Security Profile.

9. (Optional) Add Target Devices.
10. (Optional) Install Policy.

Step 2 (Optional): Add Tenant Determination Rules for Other Tenants

Use this optional procedure to add additional tenants after deploying WAF policy to the default tenant. You would only complete these steps if you require WAF Application objects with different security profiles.

Tenant determination rules specify the properties used to identify a tenant. You specify these properties using a simple, natural language interface that generates equivalent CPL rules.

1. Select Configuration > Policy.
2. Click the policy name hyperlink or highlight the row and click Edit.

   The selected file displays in the Editor tab.

3. Click Add Rule.

   The system displays the Add Rule window.

4. Click the Tenant field and select a tenant from the Select Tenant window.

   The Selected Tenants window displays existing tenants in Management Center. For more information, see "Manage Tenants" on page 209.

5. Click OK to exit the Select Tenant window.
6. In the Determination Rules field, use the natural language fields to create the tenant's determination rules:

   a. Select All or Any of the following rules.

   b. Select a rule condition, for example, URL Extension.

      The following conditions are available: Client Address, Client Effective Address, Port, Proxy Address, Proxy Port, URL, URL Domain, URL Extension, URL Host, URL Path, URL Query.

   c. Select an operator, for example, equals.

      The available operators may change based on the specified rule condition.

   d. Enter a value, for example, .pdf.

      Address fields support IPv4 and IPv6 single and subnet addresses. For example:

7. Use the icons to add more rules.

   - To add another rule, click .
   - To delete a rule, click .
   - To add a nested set of rules, click .

8. When you are finished making changes, click Save.
9. (Optional) Add Target Devices.
10. (Optional) Install Policy.

Tenant determination rules are enabled by default. To disable a rule, highlight the rule and click Disable.

Tenant Determination Rule Example


Configure WAF Security Rules
A WAF Security Profile is a shared object (a policy element that can be referenced by multiple policy objects) that defines the Web Application Firewall settings for the associated WAF application object. You associate the WAF Security Profile with a WAF Application object to define the security rules for that object. You can create as many WAF Security Profiles as you need but a WAF Application object can be associated with only one security profile.

WAF Policy Use

Configuring a WAF Security Profile is step 5 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Step 1: Create a WAF Security Profile

1. Select Configuration > Shared Objects.
2. Click Add Object.

   The web console displays the Create New Shared Object: Basic Information wizard. A red asterisk (*) denotes fields that are mandatory.

3. Enter a name for the policy object.
4. Select WAF Security Profile for the Object Type.
5. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.

   The Reference ID must begin with a letter, and must contain only letters, numbers and "_".

6. Enter a description in the Description field. Although entering a description is optional, entering a description can help you understand the purpose of the policy when you later refer to it.
7. Click Next.
8. Enter or select values for the defined attributes.
9. Click Finish.

The new WAF Security Profile object appears in the Policy Objects editor.

Step 2: Configure WAF Security Rules

1. Select Configuration > Shared Objects.
2. Click the policy name hyperlink or highlight the row and click Edit.

   The selected file displays in the Editor tab.

3. Review the following settings and adjust to create the desired security settings:

   Refer to the Web Application Firewall Solutions Guide for information about these settings.

   - Request Validation: Controls general HTTP request properties such as size restrictions, WAF validation properties, allowed methods, and allowed file types.
   - Request Normalization: Enables the recommended normalization settings for each request part, and what action to take when normalization issues are encountered. For advanced normalization control, refer to the Content Policy Language Reference.
   - Blacklist: Enables/disables the blacklist engine and sets block/monitor behavior when a request triggers one of the blacklist rules. The signature-based blacklist discovers well-known attack patterns quickly and efficiently.
   - Analytics Filter: Enables/disables the Analytics Filter engine and sets Analytics Filter block/monitor behavior. Analytics Filter is a scoring engine that detects attack characteristics and triggers intelligently based on the sum of the anomalies.
   - Security Engines: Specifies security engine settings (these are known as WAF engines in the ProxySG documentation). The content nature detection engines include HTML Injection, Command Injection, Code Injection, SQL Injection, XSS, and Directory Traversal.
   - XML Validation: Introduced in 1.6.1.1, these options ensure the XML is valid and check for potentially malicious constructs.
   - Attack Prevention: Additional security controls that block common web application attack techniques and control HTTP response behavior.
   - Exemptions: Define exemptions to your WAF policy to handle false positives.
   - Optimizations: Disable WAF controls for POST requests consisting of binary data.

   Many of the options include a Block/Monitor/Ignore setting. This setting indicates the action taken when suspicious content is identified. For new WAF deployments, Blue Coat recommends setting the action to Monitor.

4. (Optional) After making one or more changes, click Compare to review a side-by-side comparison of the changes.
5. Click Save.

To create exemptions to your WAF policy, modify the Block/Monitor/Ignore behavior, or configure the Blacklist or Analytics Filter effective date, see "Manage WAF Security Policy" on page 140.

Configure WAF Application Objects
A WAF Application Object represents a web application (or group of applications) and its associated WAF security settings. The WAF application object is associated with a specific tenant and WAF Security Policy. You install this policy on ProxySG appliances to configure WAF settings.

WAF Policy Use

Configuring a WAF Application Object is step 6 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Create a WAF Application Object

1. Select Configuration > Policy and click Add Policy.

   The web console displays the Create New Policy: Basic Information wizard. A red asterisk (*) denotes fields that are mandatory.

2. Enter a name for the policy object.
3. Select WAF Application Object for the Policy Type.
4. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.

   The Reference ID must begin with a letter, and must contain only letters, numbers and "_".

5. Click the Tenant field, select a tenant from the Select Tenant window, and click OK to exit the Select Tenant window. If this is a new WAF deployment, select the default tenant.

   Tenants only display in the Select Tenant window if they have already been created on Management Center. For more information, see "Manage Tenants" on page 209.

   A WAF Application should first be deployed to the default tenant slot to ensure that all requests are processed by the WAF. Additional WAF Applications, Security Profiles, and Tenants can then be created to handle specific web application requirements.

6. Enter a description in the Description field. Although entering a description is optional, the description helps differentiate versions of the same policy.
7. Click Next.
8. Enter or select values for the defined attributes.
9. Click Finish.

The new WAF Security Profile object appears in the Policy Objects editor.

Configure the WAF Application Object

1. Select Configuration > Policy.
2. Click the policy name hyperlink or highlight the row and click Edit.

   The selected file displays in the Editor tab.

3. Select a WAF Security Profile.
   a. Click the WAF Security Profile text field or pencil icon.
   b. In the WAF Security Profile dialog, select the desired WAF Security Profile.
   c. Click OK to close the WAF Security Profile dialog.
4. Specify the WAF Security Profile version to use. Select Always Use the Latest Version or specify a specific version in the Use Specific Version: field.
5. (Optional) To override all WAF Security Profile settings, select Disable entire Security Profile.
6. (Optional) To globally change all Block/Monitor verdicts, select Change all Block/Monitor verdicts to: and select Monitor or Block.

   To set the behavior to Ignore, disable the entire WAF Security Profile.

7. Specify the user notification (exception) page to use for blocked requests.
8. Set the criteria for allowing traffic to the ProxySG. Specify these rules using rules associated with a tenant, a CPL fragment, or by manually entering them using the Custom Rules option.

   Because reverse proxy deployments have a global Deny policy, you must specify rules to allow traffic. If this WAF application is associated with the default tenant, you will receive an error (because the default tenant has no allow rules) and must specify the allow rules using one of the other methods.

9. (Optional) Add a CPL fragment.

   Add valid CPL layers only. Do not add individual CPL rules. Adding individual rules can lead to errors and unpredictable results.

   a. Click Add CPL Fragment. The system displays the Add CPL Fragment dialog.
   b. Click the CPL Fragment text field or pencil icon. The system displays the Select Policy dialog.
   c. Select the CPL Fragment. See "Create a CPL Policy Fragment" on page 188 for information about creating CPL fragments.
   d. Click OK.
   e. Select Always Use the Latest Version or specify a specific version in the Use Specific Version: field.

   If Always use the latest version is selected, Management Center will always include the latest available version of the Security Profile when installing the WAF Application to a ProxySG appliance. If you are concerned about deploying untested changes, select Use Specific Version.

10. (Optional) After making one or more changes, click Compare to review a side-by-side comparison of the changes.
11. When you are finished making changes, click Save.
12. (Optional) Add Target Devices.
13. (Optional) Install Policy.


Analyze and Refine WAF Policy (Mitigate False Positives)
After installing an initial version of WAF policy on one or more target devices, you can analyze the results of the traffic to determine what attacks have been detected. There is a chance that the detection engines have flagged a legitimate request as an attack. For example, if a blog post includes an example of a cross-site scripting (XSS) attack, the appliance interprets the example as an actual attack and blocks the post. This might be undesirable behavior and considered a false positive.

Address this and other kinds of false positives with the following workflow. Refer to the Web Application Firewall Solutions Guide for more information.

WAF Policy Use

Analyze and Refine WAF Policy describes steps 8 and 9 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Analyze and Refine WAF Policy Workflow

Step 1
Overview: Check access logs to determine which rules or engines you must update to address false positives, false negatives, and other unwanted behavior. A useful search criterion is the transaction ID. For example, when a user tries to visit a page and receives an exception page, you can use the associated transaction ID to run a forensics report. The Full Log Detail report then displays the log line matching that transaction ID.
References: "View a Reporter Report" on page 339; "Reference: Report Descriptions" on page 351; "Search for Specific Report Data (Search and Forensic Report)" on page 360

Step 2
Overview: Optional - Perform a policy trace.
References: "Launch a Device Console" on page 75. To enable policy tracing on the ProxySG appliance, select Configuration > Policy > Policy Options. Under Default Policy Tracing, select Trace all policy execution and click Apply.

Step 3
Overview: Based on your analysis of the access logs, create policy exemptions to eliminate false positives and other unwanted behavior.
References: "Manage WAF Security Policy" on the facing page

Step 4
Overview: Run traffic through the appliance and confirm through access logs (and optionally, other troubleshooting tasks) that requests match both general rules and exceptions appropriately.
References: Repeat steps 1 through 3 in this table as often as required.

Step 5
Overview: After confirming that false positives no longer occur, consider your next step. You can do any of the following according to your needs:
- Update policy actions from monitor to block. Then, move to a production environment when your WAF policy is stable and you observe no other issues with how the appliance handles traffic.
- Continue to test and refine policy, move to production, and then update policy actions to block.
- Continue to test and refine policy, move to production, and gradually update each engine or policy's actions to block.
References: Repeat the previous steps as needed. Configure Monitor/Block actions: "Manage WAF Security Policy" below

Manage WAF Security Policy
As described in "Analyze and Refine WAF Policy (Mitigate False Positives)" on the previous page, you will need to refine your WAF security policy to ensure it is working properly.

WAF Policy Use

Refining your WAF Security Policy is step 9 in "Use WAF Policy To Protect Servers From Attacks" on page 119.

Add Exemptions

After installing the WAF protection policy and reviewing the access logs, you will likely find several sites that were incorrectly characterized as threats. To troubleshoot this, add exemptions to your WAF Security Policy.

1. Select Configuration > Shared Objects.
2. Select the WAF Security Policy and click Edit.
3. Click Exemptions > Add Exemption. The system displays the Add Exemption Dialog.
4. Add the URL Exemption.

   a. Enter the URL.
   b. (Optional) Enter a description.
   c. Specify whether to exempt the URL from the entire WAF policy or from specific engines.
   d. If you selected Specific engines, rules, or properties, select the desired options.

      a. All Blacklist or per rule (by specifying a CSV list of rule IDs)
      b. All Analytics Filter or per rule (by specifying a CSV list of rule IDs)
      c. Per engine (by specifying engines)

   e. Click Save.

The system adds the exemption for the URL. If the exemption list is long, filter for specific exemptions using the search box above the table. To clear the filter, delete the text and press Enter (or click the magnifying glass).

Set Block/Monitor/Ignore Actions

When first implementing a WAF protection policy, it is important to observe the effects of rules before inadvertently blocking traffic. To begin, ensure that new rule actions are set to Monitor. Then review access logs to identify false positives, create policy exemptions (as described above) to address those issues, and repeat until false positives no longer occur. Then, update policy actions from Monitor to Block.

Options that support the Block/Monitor/Ignore action include an action drop-down menu. To set, select the appropriate action and click Save.

For example, to set the Blacklist action to Block:

1. Select Configuration > Shared Objects.
2. Select the WAF Security Policy and click Edit.
3. Click Blacklist.
4. Verify that Enable Blacklist is selected.
5. Select Block and click Save.

Some options allow you to be even more granular, allowing you to modify individual rules, as shown below.

Use Effective Date to Manage New Rule Updates

When Application Protection Subscription (APS) updates are published, the updated Blacklist and Analytics engine content is immediately available. Because the updated engine rules can potentially change the behavior of the existing WAF security policy, Management Center enables you to use this activation date as a decision point. The Effective Date option is that decision point, enabling you to control rule selection based on the date the rules were added.

For example, rules qualified in a pre-production environment can be set to block-mode, and new rules can be set to monitor mode. This functionality enables an organization to take advantage of new rules immediately, but in a manner that will not introduce new false positives that cause requests to be blocked. After the new rules are sufficiently qualified, the effective date can be migrated forward, thereby setting the new rules into block mode.

Additionally, by using multi-tenancy this can be controlled on a per-tenant basis. This facilitates different update strategies and a tenant-configurable update cadence. For example, some tenants may choose to always use the latest rules, whereas some risk-averse tenants may employ a very deliberate APS update qualification process. Multi-tenancy provides flexibility for diverse infrastructures where a one-size-fits-all approach may not be ideal.

Only Blacklist and Analytics Filter use the Effective Date option.


Distribute Configurations to Devices
The Blue Coat Management Center enables you to distribute common configurations and policies that you created and want enacted across other managed ProxySG appliances. Your enterprise might have dispersed data centers that contain hundreds of hierarchies, device groups and devices. Groups of devices might have different functions, thus requiring different sets of configurations or policies.

Two methods provide this ability.

- Script Method: Create scripts that contain common device configurations for specific managed devices. Give various users (with the correct permissions) the ability to create and modify script objects.

  Execute a ProxySG Configuration Script on Multiple Devices

- Policy Method: Use Blue Coat Content Policy Language (CPL) or the Visual Policy Manager (VPM) to define policy and validate it before distributing to other managed devices.

  Distribute ProxySG Policy to Multiple Devices


Create and Distribute Configurations Using Scripts
One method for distributing configurations is creating and modifying existing scripts to execute on command across dispersed data centers that contain hundreds of hierarchies (managed device groups and devices).

Create a Script.

1. Select Configuration > Scripts.
2. From the Script Objects page, click Add Script. The web console displays the Add Script dialog.

   Enter the following information (a red asterisk (*) denotes a field that is mandatory).

   a. Name the script.
   b. Select a device Type from the drop-down list.
   c. (Optional) A Description helps to differentiate between similarly named scripts.
   d. (Optional) Select Substitution Variables. The Management Center attempts to replace variables with the values associated with the device where the policy is installed or the script is executed. For more information, see "Use Substitution Variables in Policies and Scripts" on page 176.
3. Click Save. The new script displays in the Script Objects list.
4. Select the script and click Edit. The Management Center displays the script Editor.
5. Create the script.
6. Click Save.

Execute a Script on a Device.

The Management Center provides two places where you can run a script on a device now.

1. Select Configuration > Scripts.
2. Select a script from the Script Object list. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
3. Click Execute on Device. Select the device Target and click Execute.

OR

4. Select Edit and click the Editor tab. At times, administrators with the correct privileges want to execute a script immediately after updating a script. While in the rich text editor, ensure that all edits have been saved and click Execute on Device. Select the device Target and click Execute.

   Each time you start a job manually, the Management Center displays a Job Progress dialog. To run the script in the background (no window) while you perform other tasks, click Continue in Background.

Preview a Script With Variables Replaced

Management Center enables you to check the validity of a script before you execute the script to a device. Blue Coat recommends that you preview scripts before executing a script. Devices that are in your network deployment should not be used to test configurations. Previewing a script avoids inadvertently changing a device configuration.

For scripts that use commands not in configure mode, you must exit configure mode before executing the script. Most commands are executed in configure mode. Licensing commands are the exception, and cannot execute in configure mode.

1. Select Configuration > Scripts.
2. Select a script object.
3. From the Editor tab, click Preview.
4. Select a device to preview the script and click OK.
5. The Preview Script window displays the entire script.
6. Click Close.

(Optional) Create a Job to Execute a Script on a Schedule.

Management Center makes it easy to create a job to Execute a script without the hassle of going through the entire job wizard.

1. Select Configuration > Scripts.
2. Select a script from the Script Object list. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
3. Click Execute on Device. Select the device Target and click Create Job. The web console displays the New Job dialog.

   a. Name the job; click Next.
   b. Select an Operation; for this example: Execute Script; click Next.
   c. Select the Devices to receive this configuration; click Next.
   d. On the Schedule screen, select a timing option: Periodic, Daily, Weekly, or Monthly. Each option presents more granular options.
   e. Click Finish.

Manage Scripts

Navigate to the following sections for more information.

- "Customize Object Filters" on page 149: Limit view of script objects.
- "View Script Information" on page 157: View versions and attributes.
- "Manage Attributes" on page 297: View current and add new attributes.
- "Filter by Attributes and Keyword Search" on page 151: Find a script by the attributes assigned to the script.
- "Import Script from a Device" on page 153: Import a configuration from a selected device.
- "Restore a Version of Script" on page 156: Roll back to a previous configuration while you perform modifications to the current version.
- "Compare Versions of the Script" on the facing page: Useful for troubleshooting.


Compare Versions of the Script
As a troubleshooting step or as part of performance evaluation, you might want to identify the changes between an earlier version and a later version of a script. Management Center shows the changes made.

1. Select Configuration > Scripts. From the Script Objects list, select the script name. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. After you select the script, click Edit. Click the Versions tab.
3. Select an earlier version of the script to compare with the current version.
4. Press and hold the CTRL key while selecting the later version of the script to compare.
5. Click Compare. The web console displays the Compare Scripts dialog.

The two scripts are displayed side-by-side; the web console displays the version you selected first (earlier version) on the left and your second selection (later version) on the right.

- A script highlighted in red exists in the former version and was removed in the later version.
- A script highlighted in yellow indicates that a line exists in both versions of script, but there are differences in the line.
- A script marked in green does not exist in the former version and was added in the later version.

See "Restore a Version of Script" on page 156.


Customize Object Filters
Filters control the specific objects that are searchable.

1. Select Configuration > Policy or Scripts.
2. The Filter panel contains the following fields.

   - Name: Filters by the Object Name.
   - Reference Id: Filters by the Operation type.
   - Type: Filters by the Object Type.
   - Description: Filters by the Object Description.
   - Author: Filters by the user who last changed the Object.

   To substitute variables in policies, policy fragments or scripts, see "Use Substitution Variables in Policies and Scripts" on page 176.

3. The Filter panel also includes mandatory attributes. See "Manage Attributes" on page 297.
4. To customize filters, click Customize.

   a. Select the filters to be visible on the Filter panel.
   b. Click Save.


Execute a Script
You can execute any script that is saved in Management Center in the Script Object list. However, before you execute a script, preview the script with substitution variables. This is important because you can see the script variables without committing them to a device and inadvertently causing a device configuration to change. Scripts are automatically assumed to execute in configure mode on the ProxySG appliance. For scripts that use commands not in configure mode, you must exit configure mode before executing the script. Most commands are executed in configure mode. Licensing commands are the exception, and cannot execute in configure mode.

When executing scripts on the ProxySG appliance, the script is initially executed in configure mode. If the first command should not be executed in configure mode, you must exit configure mode, prior to executing the commands. See example below.

Example

;;exit configure mode
exit
user-license queue
;;re-enter configure mode
configure terminal

To Execute a Script
1. (Optional) Before executing a script, "Preview a Script With Variables Replaced" on page 145. From Configuration > Scripts, select a script object. Click Edit.
2. (Optional) From the Script Editor, click Preview. Because a script is specific to a device, variable substitution requires that you select a specific device. Click OK. Rather than executing the script on that device, the script is displayed in the Preview Script dialog exactly as it will be executed on that device. Click Close.
3. To execute the script, click Execute on Device.
4. Select a target device or device group. Click Execute.
5. (Optional) While the Job Progress dialog displays the script executing, click more details to view the Output. Download as Text or Close the dialog.
6. Or to execute the script at a later time (on a schedule), click Create Job...


Filter by Attributes and Keyword Search
You can search for existing objects by filtering on attributes and then using the keyword search. When you are managing hundreds of policies and scripts across multiple devices, it is important to be able to find a particular object quickly.

You are not limited to the displayed Filter fields. See "Customize Object Filters" on page 149.

1. Click the Configuration tab and select Policy or Scripts. From the Filters list on the right pane, the following fields are available by default.

   - Name: Filters by the Object Name
   - Reference Id: Filters by the Object Reference Id
   - Type: Filters by the Object Type
   - Description: Filters by the Object Description
   - Author: Filters by the user who last changed the Object

   Additional fields are created when you create a new attribute. See "Manage Attributes" on page 297.

   - Tenant: Filters by tenant ID.

2. To filter by a particular type of policy, click the Type drop-down list and select a policy type.
3. Two options:

   - Click Apply Filters. The Policy Objects and Script Objects list only those objects you defined by Type.
     ~or~
   - Filter by particular device type for which you created a script; select the device type from the Type drop-down list.

5. Click Apply Filters. The Script Objects list displays only those scripts you defined by type.

Search by Keyword

When searching, Management Center breaks text into keywords and then searches for keywords entered. Management Center's index system has a special case for dot. Although Management Center sees dots as separating letters within a word (for example, Management Center considers dots as a part of a word).

The wildcard symbol is *. Management Center automatically appends an * at the end of your search term but if you want to start with a wildcard search, you have to enter it yourself.

Colons are treated like other non-letters by splitting keywords apart. IPv4 and IPv6 addresses work differently because of colons.

You cannot search on special characters, such as ^ % | ~.


Procedure

1. From the Keyword Search field, enter your search term.
2. Press Enter or click the magnifying glass icon.

Can quotes be used in a search?

Use quotes when non-letters are part of the search term. For example, your search term includes a colon.

The exception to this search rule is the use of a dot because a dot that is not followed by white space is considered part of the keyword.

How do you search for whole words?

Enter the whole word. If there is more than one word, separate each word with a space. If using special characters, enclose each word in double quotes.

How do you search for partial words?

Enter the partial term, and Management Center attempts to complete the search. For example, enter hi and Management Center matches that to both highlight and high.

Example Searches

IPv4 127.0.0.1

- 127.0.0 Matches any IPv4 starting with 127.0.0.
- *.0.0.1 Matches any IPv4 ending in 0.0.1.

IPv6 0:0:0:0:0:1

Use quotes for IPv6 addresses because IPv6 uses colons instead of dots as the separator.

- 0:0:0 Matches any IPv6 starting with 0:0:0.
- *0:0:1 Matches any IPv6 ending with 0:0:1.

Host names

- abc.com Matches a host named abc.com.
- *.com Matches a host name ending in .com.
- *:8080 Matches a host name with :8080 as the port.

What if the search finds no match?

If the search finds no match, the right pane displays a message indicating that no objects match the keyword filter. You can search again using a different keyword.

What if the search succeeds in finding matches?

If the search finds matches, the results display in alphabetical order in the Objects list.

How do you clear the search results?

To clear search results and display all objects in the system, click the X in the search field.


Import Script from a Device
Scripts are sequentially-running CLI commands for a device configuration. It makes sense to import device configurations that are currently on a device because you know that the configuration is correct. Importing an entire device configuration is essentially backing up a device into Management Center and may not exist as a whole such as in the following situations:

- You want to restore a previous version of script that exists only on a device. For example, you started editing script in Management Center, but realize that the script on the device is correct and complete.
- A device has a full configuration that you want to use as a script (template) to execute on another like device.

A red asterisk (*) denotes fields that are mandatory.

1. Select Configuration > Scripts.
2. Scripts can only be imported into an existing script object. Select a script name. Click Edit.
3. Click Import.
4. Select a device to import the script. Click OK. The web console displays the Import Script dialog.
5. From What to Import, select Entire Configuration or Only selected sub-sections.
6. Click Import.

The comment you enter is saved as script metadata.

Determine Your Next Step

What do you want to accomplish?           Refer to this topic
View existing script information.         "View Script Information" on page 157
Restore a version of the script.          "Restore a Version of Script" on page 156
Execute the script, as is, to devices.    "Execute a Script" on page 150

Manage Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Because you have different devices and appliances to manage, those devices require and are often restricted to certain attributes. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Attributes can be used to filter on specific devices, device groups or objects.

1. Select Administration > Attributes.
2. From the Manage Attributes list, select one of the following:
   • Device
   • Device Group
   • Policy
   • Device Script
3. To add an attribute, click Add Attribute. See "Add Attributes" on page 298.
4. To edit an attribute, select the attribute name and click Edit. See "Edit Attributes" on page 301.

View and Sort the Following Attributes Lists

• Name
• Display Name: The attribute name (with no spaces).
• Type: The format in which users must enter or select values.
• Default Value: Select the default value that displays in the Attributes list. Default values can be substituted by other variables. See "Use Substitution Variables in Policies and Scripts" on page 176.
• Mandatory: The value of attributes that are marked as mandatory is required when you create a new or add a device, device group, create a policy, and create a script.
• Inheritable: Applies specifically to devices and device groups. When this is selected, the device or device group inherits attributes from its parent device group.
• Description: Describes the attribute and must be specific to the device, device group, policy, or script to which you are applying the attribute.

You are able to search for specific objects based on the attributes you define. See "Filter by Attributes and Keyword Search" on page 151.

Restore a Version of Script
After time, you might find that the script executed on devices needs improvement or must change because of changes in business requirements or practices. In such situations, you can modify scripts as needed, or revert to an earlier version of a script that is appropriate. When you have determined which version of script to restore, you can restore it using the version history.

1. Click the Configuration tab and select Scripts. From the Script Objects list, select the script name. If required, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. Click Edit. Click the Versions tab. Versions of the script are listed in descending numerical order.
3. From the Version Control page, verify that the version you want to restore is the correct one. Perform one or both of the following as required.
   • Check the version metadata. See "View Script Information" on the next page.
   • Preview a script with the variables replaced.
4. After you have identified the version to restore, select it and click Restore. The web console displays the Restore dialog.
5. In the Comment field, specify the reason for the restore.
6. Click Restore.
   The restored version of the script is incremented to the latest version in the Script Objects list, and the comment you entered in step 6 is displayed in the Comments column.

View Script Information
Whenever you create a script, Management Center automatically saves information about it. This information is called metadata.

1. Select Configuration > Scripts.
2. From the Script Objects list, select a script and click Edit. A red asterisk (*) denotes fields that are mandatory.

View Script Object Information

1. Click the Info tab.
2. Under General Information, the Overview displays the information you entered when creating the script object:
   • Name (*): The name that you gave the script when you created it
   • Type (*): The device type that the script applies to
   • Description: This describes the script, but is not a required field
   • Replace substitution variables

3. Metadata displays under Latest Revision. Click Save.

If you edited any of the fields in Overview, fields marked with a red asterisk (*) are required and cannot be left blank.

View Script Versions

1. Click the Versions tab. The Version Control page lists all versions of the selected script. When a script object is created it is assigned the version number 1.0. Every time that the script attributes change or the script is edited, the version increases by increments of 0.1.
2. Select an earlier version of script to compare.

3. Press and hold the Ctrl key while selecting the newer version of the script.

• Version Number: When a script object is first created, its version is 1.0. Each subsequent time the object is modified (for example, if the object properties are edited) the version number increments by 0.1. For example, when you add script text to the object and save it, the version becomes 1.1.
• Date: The time and date stamp indicates when the script was last updated.
• Author: The author is the user who saved the current version of the script displayed.

• Comments: If the author entered comments or a description about the script, they are displayed here. Metadata displays automatically-generated comments as follows:

   ◦ "Script Object created": When the script container is initially created and script has not been added yet.
   ◦ "Name changed": When the script name is edited.
   ◦ "Description changed - former script has been overridden": When the script description is edited.
   ◦ "Name and description changed - former script has been overridden": When both the name and description are edited.

Of these metadata, the comments are usually the most important in helping you and other users understand the purpose and intent of creating the specific script version. Blue Coat recommends that you always enter clear, helpful comments when creating scripts.

View Script Attributes

Click the Attributes tab. The Attributes page displays all attributes currently assigned to the selected script. The attributes are custom attributes that you created. See "Manage Attributes" on page 297.

View Device Script Output

When you execute a script on a device, the Job Progress dialog displays the status of the executing script. You can view the device output of currently executing scripts and scripts that have already executed on a device by clicking More Details. Any output line that starts with "%" is considered a warning (and is standard for ProxySG appliances). Navigation buttons enable you to jump between warnings and are useful when viewing the device output for long scripts. You can view the raw output in a text editor by selecting Download as Text.

Set the Maximum Number of Script Revisions to Store in Management Center

After you create or import a script, you can edit the script to execute on devices of the same type. You can specify the number of revisions of scripts to store before Management Center begins to prune. You can specify up to 999 script revisions.

1. Select Administration > Settings. Click General. General fields display on the right. A red asterisk (*) denotes fields that are mandatory.
2. Select Maximum number of script revisions to store.
3. Enter a number (limit) from 0 to 999.
4. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
   • Click Activate to cause the server to load and apply the currently saved configuration.

Use Substitution Variables in Policies and Scripts
Substitution variables are generic terms that you can include in policies and scripts. When Management Center installs policy or executes a script that includes substitution variables, it attempts to replace them with values specific to the current transaction, that is, the current device, policy, or script. For example, if you install policy that includes the substitution variable ${device.name}, the variable is replaced with the device name set in Management Center.

To include and process substitution variables:

1. Enable Replace substitution variables in the policy object (see Create a CPL Policy Object) or script (see Create and Distribute Configurations Using Scripts).

2. Include substitution variables in the CPL or script. See "Supported Variables" on the next page below.

3. Install the policy or execute the script. As the target device processes the policy or script, it attempts to replace the variables with the appropriate values.

If the policy or script is associated with a device group, Management Center inspects every device in the group structure for the variable and attempts to replace all instances with specific values.

Syntax

Substitutions have the following form:
${name}

where name is an expression that expands to a string or block of text at runtime.

For example, the substitution ${device.description} expands to the description entered in the current device's properties in Management Center.

If the device does not have a description (because Description is an optional field), the substitution expands to an empty string unless you also specify a default value. See "Specify a Default Substitution Value" on the facing page below for details.

Examples

Substitute the device's serial number.
${device.serialNumber}

Substitute the value of the device's Rack attribute.
${device.attributes.Rack}

Substitution variables are case-sensitive. To ensure that you have entered them with correct spelling and case, use the Preview option before installing policies or executing scripts. The preview warns you if a substitution variable is invalid.

Supported Variables

Device - ${device.field}

The following variables are available for policies and scripts.

Variable                          Description
${device.uuid}                    Internal ID of device
${device.modelNumber}             Device model number
${device.description}             Text in the Description field in device properties in Management Center
${device.name}                    Text in the Device Name field in device properties in Management Center
${device.serialNumber}            Device's serial number
${device.osVersion}               Operating system version running on the device
${device.attributes.name}         System or user-defined device attribute value, including any values inherited from the device group (where name is the attribute name)

Policy - ${policy.field}

The following variables are available for policies only (not scripts).

Variable                          Description
${policy.author}                  Last user who edited and saved the policy
${policy.description}             Text in the Description field in policy properties
${policy.name}                    Text in the Name field in policy properties

${policy.referenceId}             Text in the Reference Id field in policy properties
${policy.revision}                Policy's current Version number
${policy.revisionDescription}     Comments entered for the last revision
${policy.attributes.name}         User-defined policy attribute value (where name is the attribute name)

Policy Fragment - ${fragment.field}

The following variables are available for policy fragments.

Variable                          Description
${fragment.author}                Last user who edited and saved the policy fragment
${fragment.description}           Text in the Description field in policy fragment properties
${fragment.name}                  Text in the Name field in policy fragment properties
${fragment.referenceId}           Text in the Reference Id field in policy fragment properties
${fragment.revision}              Policy fragment's current Version number
${fragment.revisionDescription}   Comments entered for the last revision
${fragment.attributes.name}       User-defined policy fragment attribute value (where name is the attribute name)

Script - ${script.field}

The following variables are available for scripts only (not policies).

Variable                          Description
${script.author}                  Last user who edited and saved the script
${script.description}             Text in the Description field in script properties
${script.versionDate}             Date of last update
${script.name}                    Text in the Name field in script properties
${script.type}                    Selected Type in script properties
${script.revision}                Script's current Version number
${script.revisionDescription}     Comments entered for the last revision
${script.attributes.name}         User-defined script attribute value (where name is the attribute name)

Specify a Default Substitution Value

Unless you specify a default value, some transactions can produce unsubstituted variables, resulting in empty strings. The following are examples of such transactions:

• An optional field such as Description is empty
• An attribute that is not marked as mandatory has no value
• A field is not applicable, such as when a script or policy has not been revised

Syntax

A default substitution has the following form:
${name(default_name)}

where:

• name is an expression that expands to a string or block of text at runtime
• default_name is the value that will be used instead of an unsubstituted variable

Example

If a policy fragment was edited, use the comments entered for the last revision. If the fragment was never edited, use the specified text "No revision".
${fragment.revisionDescription(No revision)}
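
The substitution syntax, the default form, and the kind of check the Preview option performs can be sketched offline as follows. This is an added example, not Blue Coat's code or Management Center's implementation: the function names, the placeholder command names in the sample script and the sample device record are constructed, and leaving invalid variables unsubstituted and allowing device variables in fragments are assumptions.

```python
import re

# ${name} or ${name(default_name)}, as described in the Syntax sections above.
VAR_RE = re.compile(r"\$\{([^{}()]+)(?:\(([^{}()]*)\))?\}")

# Fields listed in the Supported Variables tables.
FIELDS = {
    "device": {"uuid", "modelNumber", "description", "name", "serialNumber", "osVersion"},
    "policy": {"author", "description", "name", "referenceId", "revision",
               "revisionDescription"},
    "fragment": {"author", "description", "name", "referenceId", "revision",
                 "revisionDescription"},
    "script": {"author", "description", "versionDate", "name", "type", "revision",
               "revisionDescription"},
}
# Which namespaces each object kind may use. Policy variables are policy-only and
# script variables are script-only; device variables in fragments are an assumption.
USABLE_IN = {
    "policy": {"device", "policy"},
    "script": {"device", "script"},
    "fragment": {"device", "fragment"},
}

def _case_hint(name, candidates):
    """Return the candidate that differs from `name` only by letter case, if any."""
    for cand in candidates:
        if cand != name and cand.lower() == name.lower():
            return cand
    return None

def _resolve(name, kind, context):
    """Return (status, value); status is ok, invalid, case-mismatch or wrong-scope."""
    parts = name.split(".")
    ns = parts[0]
    if ns not in FIELDS:
        return ("case-mismatch" if _case_hint(ns, FIELDS) else "invalid"), None
    if ns not in USABLE_IN[kind]:
        return "wrong-scope", None
    record = context.get(ns, {})
    if len(parts) == 2:
        if parts[1] not in FIELDS[ns]:
            bad = "case-mismatch" if _case_hint(parts[1], FIELDS[ns]) else "invalid"
            return bad, None
        return "ok", record.get(parts[1])
    if len(parts) == 3 and parts[1] == "attributes":
        attrs = record.get("attributes", {})
        if parts[2] not in attrs and _case_hint(parts[2], attrs):
            return "case-mismatch", None
        return "ok", attrs.get(parts[2])  # attribute without a value -> None
    return "invalid", None

def preview(text, kind, context):
    """Expand variables in `text`; return (expanded_text, findings).

    findings is a list of (line_number, variable, issue). Valid variables with no
    value expand to the default if one is given, otherwise to an empty string.
    """
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def expand(match, lineno=lineno):
            status, value = _resolve(match.group(1), kind, context)
            if status != "ok":
                findings.append((lineno, match.group(0), status))
                return match.group(0)  # assumption: leave invalid variables visible
            if value not in (None, ""):
                return str(value)
            if match.group(2) is not None:
                return match.group(2)
            findings.append((lineno, match.group(0), "empty"))
            return ""
        out.append(VAR_RE.sub(expand, line))
    return "\n".join(out), findings

# Constructed sample: placeholder command names, not ProxySG CLI.
SAMPLE_SCRIPT = """\
set-banner "${device.name} (${device.serialNumber})"
set-location "rack ${device.attributes.rack}"
set-contact "${device.description(no description set)}"
set-note "${script.revisionDescription}"
set-owner "${policy.author}"
set-model "${device.modelnumber}"
"""
# Constructed device record: empty Description, one attribute named Rack.
SAMPLE_CONTEXT = {
    "device": {"name": "sg-edge-01", "serialNumber": "0000000000",
               "description": "", "attributes": {"Rack": "R12"}},
    "script": {"name": "baseline"},
}

if __name__ == "__main__":
    expanded, findings = preview(SAMPLE_SCRIPT, "script", SAMPLE_CONTEXT)
    print(expanded)
    for finding in findings:
        print("finding:", finding)
```

Running a check like this before execution surfaces the cases the text warns about: a wrongly cased name, a policy-only variable used in a script, and a variable that would silently expand to an empty string in a device command.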

Create and Distribute Policy
When you first configure Management Center, you can create new policies or import existing policies from managed devices. When you have been managing devices from Management Center for a longer period of time, you might also want to edit policies to change current device configurations. One of Management Center's most powerful features is the ability to create and modify policy objects before deploying multiple policies across data centers containing hundreds of hierarchies, device groups and devices.

Policy Locking

Starting with Management Center 1.6, a policy file is automatically "locked" as soon as a user starts editing policy. If another user tries to edit the same policy, that user will receive the following message.

The policy lock is released after the user saves or cancels the changes. When a policy lock is active, another user may force that policy to unlock by clicking Unlock on the policy grid.

Policy locking affects the content of policy only. Other attributes (Targets, Info, etc.) can be changed even while the policy is being edited by another user.

Create and Edit CPL Policies

Content Policy Language is a language for specifying the policy rules for the ProxySG appliance.

For complete information about the Content Policy Language, refer to the Content Policy Language Reference. Another way to create CPL policy is to create CPL fragments (or building blocks). See "Create a CPL Policy Fragment" on page 188.

Management Center gives you great flexibility for creating and modifying CPL policies, as well as the power to deploy multiple policies to a range of devices or device groups. Use CPL to accomplish the following:

• Create and modify the CPL directly from the policy editor (Configuration > Policy > Policy Name > Edit). See "Use Content Policy Language (CPL) to Create Policy" on page 165.
• Create policy without assigning it to devices immediately. See "Create a CPL Policy Object" on page 167.
• Find and edit sections of the policy. See "Find a Policy Section" on page 173 and "Edit a Policy Section" on page 169.
• Modify and test policy and group related rules together. See "Refine Existing CPL Policy" on page 171.
• Correct and modify the behavior of existing policy by re-ordering policy sections. See "Change the Order in which Policy Rules are Evaluated" on page 175.

• Create versions of policy, and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• View or compare policy versions.
• Enable substitution variables to be used, for any variable, so that you don't have to modify each attribute in each policy if a configuration has changed. See "Use Substitution Variables in Policies and Scripts" on page 176.
• Create policy attributes and apply them to policy objects. See "Add Attributes" on page 298.
• Add target devices and install policy to them.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• Import existing policy from a managed device. See "Import Policy or Shared Objects" on page 232.
• Check the consistency of installed policy.
• View the deployed policy on a device.
• View existing policy information. See "View Existing Policy Information" on page 243.

Create VPM Policies

The Visual Policy Manager enables you to specify the policy rules using a GUI editor for the ProxySG appliance and install the policy to the VPM slot. For complete information about the Visual Policy Manager, refer to the Visual Policy Manager Reference and Advanced Policy Tasks.
You can:

• Create and edit VPM policies:
   • Select a reference device to edit VPM policy. See "Select Reference Device for VPM Policy" on page 185.
   • Use the Visual Policy Manager for both creating and editing VPM policies. See "Launch Visual Policy Manager" on page 183.
• Create versions of policy, back up and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• View the CPL or XML source.
• View or compare policy versions.
• Create or "Edit Attributes" on page 301 and apply them to policy objects.
• Add target devices and install policy to them.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• Import existing policy from a managed device. See "Import Policy or Shared Objects" on page 232.
• Check the consistency of installed policy.
• View the deployed policy on a device.
• View existing policy information. See "View Existing Policy Information" on page 243.

Create Tenant Determination Policies

A Tenant Determination File contains rules for routing request traffic to the proper tenant. This determination criteria controls which set of tenant policy will be evaluated for a given request. If a tenant determination cannot be made, the "default" tenant policy is used. You can:

• Create and edit tenant determination policies directly from the policy editor (Configuration > Policy > Policy Name > Edit) (without assigning the policy to devices immediately).
• Use tenant determination rules to properly route traffic to the correct web application (or group of web applications). See "Specify Tenant Determination Rules" on page 126 and "Use WAF Policy To Protect Servers From Attacks" on page 119.
• Create versions of policy, back up and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• Create policy attributes and apply them to policy objects. See "Add Attributes" on page 298.

• Add target devices and install policy to them.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• Check the consistency of installed policy.
• View the deployed policy on a device.
• View existing policy information. See "View Existing Policy Information" on page 243.

Create WAF Application Policies

A WAF Application Object represents a web application (or group of applications) and the associated WAF security settings. The WAF application object is associated with a specific tenant and WAF Security Profile. You can:

• Use WAF Application policies to associate a Security Profile to a tenant, manage optional CPL fragments, and control WAF Application settings. See "Configure WAF Security Rules" on page 130 and "Use WAF Policy To Protect Servers From Attacks" on page 119.
• Create versions of policy, back up and restore previous versions when needed. See "Restore a Version of Policy" on page 242.
• Create policy attributes and apply them to policy objects. See "Add Attributes" on page 298.
• Deploy multiple policies to a group of devices by using Management Center's job feature. See "Install Multiple Policies" on page 231.
• View existing policy information. See "View Existing Policy Information" on page 243.

Use Content Policy Language (CPL) to Create Policy

Before writing policies in CPL, Blue Coat strongly recommends that you understand the fundamental concepts underlying policy enforcement in ProxySG appliances, as well as how to write correct CPL. For comprehensive information on CPL, refer to the Content Policy Language Reference.

You can compose CPL directly in the web console editor.

1. Select Configuration > Policy. From the Policy Objects list, select the policy object to edit. Ensure that the policy's object type is CPL. Select the policy. If you have a lot of policies, narrow your search using "Filter and Keyword Search" on page 303.
2. Select Edit and the Editor tab. The other tabs available for viewing and editing purposes are the following:
   • Targets
   • Versions
   • Attributes
   • Info
3. The middle pane displays the sections in the policy, and the Quick Navigation pane on the right displays a summary of the sections in the object.

4. In either the middle pane or in Quick Navigation, select the section you want to edit. If needed, expand the sub-section (default, override, or mandatory) to edit.

   A policy object is organized into sections. Each section has a name and a purpose, and can contain up to three sub-sections of CPL that you can use to organize policy: Default, Override, and Mandatory. See "Edit a Policy Section" on page 169.

5. Enter the CPL in the appropriate sub-section(s).
6. Repeat steps 3 and 4 as needed. A red asterisk (*) denotes fields that are mandatory.
7. Click Save. Management Center prompts you to enter a comment for the save operation.

8. (Optional) Click Compare to see the differences between the previous version and the version you are about to commit. For information on comparing versions, see "Compare Different Versions of the Same Policy" on page 224 and "Compare the Device Policy Version with Current Policy Version" on page 225.
9. Enter a description of your changes and click Save.
   The comment you enter is saved as policy metadata. For information on metadata, see "View Existing Policy Information" on page 243.

Working with CPL Policy Fragments

A fragment is a piece of CPL that you can include in a CPL policy. Fragments are meant to be reusable. For example, you can create a library of policy fragments, and then include them into larger CPL policies later. For instance, you can define a host blacklist using just a fragment, and then include that host blacklist fragment into a larger policy file later. See "Create a CPL Policy Fragment" on page 188 and "Include a Policy Fragment" on page 204.

If you do NOT enable variable substitution in the CPL, variable substitution is not enabled for CPL Fragments as well.

Determine Your Next Step

What do you want to accomplish?                                         Refer to this topic
Enable variable substitution for CPL Policy and CPL Policy Fragments.   "Use Substitution Variables in Policies and Scripts" on page 176
Add new attributes that can be made available to the CPL Policy.        "Add Attributes" on page 298
Add or edit sections of a CPL Policy.                                   "Add or Edit CPL Policy Sections" on page 169
Import a policy from a device to Management Center.                     "Import Policy or Shared Objects" on page 232
Modify/test policy and group related rules together.                    "Refine Existing CPL Policy" on page 171

Create a CPL Policy Object
You can create policy in CPL to specify the behaviors that you want for devices. The first step to create policy in Management Center is to create the container for the CPL, or the policy object.

Before writing policies in CPL, Blue Coat strongly recommends that you understand the fundamental concepts underlying policy enforcement in ProxySG appliances, as well as how to write correct CPL. For comprehensive information on CPL, refer to the Content Policy Language Reference.

1. Select Configuration > Policy.
2. Click Add Policy. From the Create New Policy: Basic Information dialog, fill in the following fields. A red asterisk (*) denotes fields that are mandatory.
3. Enter the Policy name (*) - The name that displays in the Policy Object list.

4. Enter the Policy type (*) - The drop-down list of policy type displays the following choices:

   • CPL
   • Tenant Determination File
   • VPM
   • VPM Tenant
   • WAF Application

   You can write VPM Tenant policy in CPL as well as VPM. For details, refer to the Multi-Tenant Policy Deployment Guide.

5. Select CPL from the drop-down list.

6. Enter the Reference Id - Enter a Reference Id that you can filter on when building policy.

   The Reference Id must begin with a letter, and must contain only letters, numbers and "_".

7. Select the Tenant to which this policy object will be applied.
8. Enter a Description. Although entering a description is optional, the description helps differentiate versions of the same policy. For more information, see "View Existing Policy Information" on page 243.

9. To enable variable substitution, select the check box Replace substitution variables. See "Use Substitution Variables in Policies and Scripts" on page 176. Click Next.

   If you do NOT enable variable substitution in the CPL, variable substitution is not enabled for CPL Fragments as well. See "Create a CPL Policy Fragment" on page 188.

10. From the Attributes page, select the attributes to apply to the CPL Policy. All attributes that are marked as mandatory with a red asterisk are required. You can change the value of the required attribute before continuing. Click Next.
11. Select the devices to install the CPL. You can associate devices with the policy at any time. See "Add or Remove Devices Associated with Policy" on page 220.
12. Choose the slot where your Policy will be installed. With CPL as the Policy type, the following slots are available:
   • Local - Use this file to store policy specific to your organization, such as departmental policies and company-wide policies. This option is selected by default.
   • Forward - This file contains forwarding rules.
   • Central - This slot contains policy common to your entire organization.

13. Click Finish. The newly created policy object displays in the Policy Objects list.

Determine Your Next Step
After you create a policy object, you can refine it or leave it as an empty object while you perform other tasks (for example, associate devices with it or edit policy details). Refer to the following table to determine the next step to take.

What do you want to accomplish?                                         Refer to
Refine an existing CPL policy.                                          "Refine Existing CPL Policy" on page 171
Enable variable substitution for CPL Policy and CPL Policy Fragments.   "Use Substitution Variables in Policies and Scripts" on page 176
Validate existing policy.                                               Preview Policy Before Installing It
Import an external CPL policy.                                          "Import External Policy" on page 238
Create a new CPL policy section.                                        "Add or Edit CPL Policy Sections" on the next page
Manage your CPL policies.                                               "Manage CPL Policies" on page 239

Add or Edit CPL Policy Sections
You can add a policy section using one of two methods: you can use part of existing policy to create the section, or add a new section and then add policy to it.

Add a Section Based on an Existing Policy Section

While composing the CPL or after importing policy from a device, you might find some policy rules that should be extracted from their respective sections and put into a new section. You can select some or all of the text in a section and convert the selection to a new section. When you convert a selection, the Policy Editor preserves the order of the CPL already written.

1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy to which you want to add a section. Click Edit.
3. From the Editor tab, locate the policy section that contains the text you want to convert to a new section.
4. Select the text and click Convert to Section. The Policy Editor displays the new section.
5. Enter or modify the CPL as needed. Click OK.
6. Click Save.

Add a New Section

You can add more sections to a new or existing policy object. A new policy object has an empty section by default.

1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy to which you want to add a section. Select the policy name. Click Edit.
3. Click the Editor tab. Locate the policy section that contains the text you want to convert to a new section.

4. In the Section name field, enter a name for the section.
5. From the Purpose drop-down list, select from the list of defined policy purposes or you can create your own Custom Solution.

6. Click OK. The new section is added at the top of the Editor. Continue to edit the CPL as needed.

   If you do not name the section, and only give it a purpose, the section appears as Untitled.

7. To commit your changes, click Save.

Edit a Policy Section

While creating a CPL policy or after importing a policy from a device, you might find it useful to edit the policy rules within a section. Because policy is applied to devices and can contain many types of rules, you can edit those rules within a section, making policy easier to navigate, organize and deploy.

1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy that you want to edit and click Edit.

3. Click the Editor tab. Locate the policy section that you want to edit. You can search for a section in the Quick Navigation pane. Click Edit. The Policy Editor displays the Edit Section dialog. Although you can name the section what best suits your needs, from the Purpose drop-down list, select from a defined list of rules that can be applied to your policy section:

   • Connection - Access Control
   • Connection - Termination
   • Authorization
   • Threat protection - Outbound Policy - Forward Proxy
   • Threat protection - Outbound Policy - Reverse Proxy
   • Threat protection - Inbound Policy
   • DLP Policy
   • Privacy
   • Content Filtering
   • Quality of Service
   • Caching
   • Bandwidth Management
   • Custom Solution

4. Click OK. The edited section is added at the top of the Editor.

   If you do not name the section, and only give it a purpose, the section appears as Untitled.

5. To commit your changes, enter a comment for the commit operation and click Save. The comment you enter is saved as policy metadata.
6. (Optional) To exit without saving your edits, click Cancel.
7. (Optional) Click Compare to see the differences between the existing policy version and the version you are about to commit.

Refine Existing CPL Policy

The policy that you write is deployed to devices as it displays in the Policy Editor; Management Center does not attempt to compile or otherwise validate the CPL. If the policy does not compile, the Policy Editor displays a "Policy Install Failed" error message after you attempt to install it.

Much of the flexibility of managing policy in Management Center derives from the ability to organize policy rules in one or more policy sections, which you can use to group similar or related rules together.

CPL Policy objects and sections

Policy in Management Center is structured thus:

• Policy object: The container for all policy that can be installed to a specific slot on a device. It has metadata and can be versioned. Device association is done at this level.
   • Policy section: A container for a high-level category of policy.
      • Sub-section: A container for the CPL; it specifies the default, override, and mandatory behavior effected by the policy.

After you have written CPL directly in the Policy Editor or imported policy from a device, you should attempt to refine it as much as possible using these sections. Writing policy in sections, or breaking down an imported policy into sections, makes policy easier to read and edit.

Configuring policy for specific devices or multiple devices at once involves several methods of creating, testing, and updating policy.

1. Search for policy objects that contain the CPL you want to edit; see "Filter by Attributes and Keyword Search" on page 151.
   Once you have found the policy object, you can determine the policy section to edit; see "Find a Policy Section" on page 173.
2. (Optional) Make sure that the policy you are editing is the one you want. See "View Existing Policy Information" on page 243.
3. (If applicable) Edit the CPL directly in the Policy Editor. See "Use Content Policy Language (CPL) to Create Policy" on page 165.
   Refer to the Content Policy Language Reference for information on CPL syntax.
4. (If applicable) If policy does not behave as intended or must be improved, modify it by moving sections within policy. See "Change the Order in which Policy Rules are Evaluated" on page 175.
5. If the policy isn't working properly, you may want to compare the OS version on the associated device with the policy version. See "Check Consistency between Policy and Devices" on page 222.
6. (If applicable) Add sections to contain policy for other purposes. See "Add or Edit CPL Policy Sections" on page 169.
7. (If applicable) Edit a section's name or purpose. See "Edit a Policy Section" on page 169.
8. Click Delete Policy if you want to delete a selected policy. A message displays "Are you sure you want to delete the policy?" Click Yes or No.

Work with CPL Policy Sections
If your policy contains numerous sections or sub-sections, you can use features in the Policy Editor to make writing and reviewing policy more manageable.

Navigate sections
The Quick Navigation pane displays an overview of all the sections in the policy object you are viewing. Each section is represented thus:

Name
(Purpose)
default
override
mandatory

where Name is the section name and Purpose is the purpose you selected when you created or edited the section.

When you change the order of policy sections or change a section name or purpose, the Quick Navigation pane displays the update immediately.

Collapse a section
Policy sections are expanded by default.

To collapse a policy section, click [icon] in the section title bar.

To expand a collapsed section, click [icon] in the title bar.

Collapse all sections

To collapse all policy sections, click [icon].

To expand all sections, click [icon].

Move sections
You can move policy sections:

• Click the [icon] in a section title bar to move the section up.
• Click the [icon] in a section title bar to move the section down.
• Hover over the title bar of the section you want to move until the pointer changes to a [icon]. Drag the section to its new location.

Moving policy sections affects how policy is evaluated. See "Change the Order in which Policy Rules are Evaluated" on page 175 for information.

Find a Policy Section
You can search for an existing policy section using keywords. When you perform the keyword search, the system searches policy sections and matches partial and full strings. The search does not include previous versions of policy.

1. Select Configuration > Policy. From Policy Objects, find the CPL Policy you want under Type. Or from the Filters dialog on the right, go to the Type drop-down list and select CPL. Click Apply Filters. From the displayed CPL policies, select the policy you want. Click Edit.
2. Click the Editor tab. Above the Quick Navigation pane, in the search field, enter your search term.
   You can perform this search with all sections collapsed; any matches will cause sections to expand.
3. Press Enter or click the magnifying glass icon.

If the search finds no match
If the search does not find a match, the display does not change. You can search again using a different keyword.

If the search finds matches
If the search finds matches:

• To the right of the search field, [icon] and the number of results display, as in the following example:

• In the main Policy Editor pane, the first match is highlighted.
• In the Quick Navigation pane, the section that contains the first match is highlighted.

To go to the next search result, click [icon]. The result number shows the next match (for example, "2 of 3") and the selections in the main pane and Quick Navigation update to reflect the match.

Clear the search results
To clear search results, click the X in the search field.


Manage Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Because you have different devices and appliances to manage, those devices require and are often restricted to certain attributes. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Attributes can be used to filter on specific devices, device groups or objects.

1. Select Administration > Attributes.
2. From the Manage Attributes list, select one of the following:
   • Device
   • Device Group
   • Policy
   • Device Script
3. To add an attribute, click Add Attribute. See "Add Attributes" on page 298.
4. To edit an attribute, select the attribute name and click Edit. See "Edit Attributes" on page 301.

View and Sort the Following Attributes Lists
• Name
• Display Name - The attribute name (with no spaces).
• Type - The format in which users must enter or select values.
• Default Value - Select the default value that displays in the Attributes list. Default values can be substituted by other variables. See "Use Substitution Variables in Policies and Scripts" on page 176.
• Mandatory - A value is required for attributes marked as mandatory when you create or add a device or device group, create a policy, or create a script.
• Inheritable - Applies specifically to devices and device groups. When this is selected, the device or device group inherits attributes from its parent device group.
• Description - Describes the attribute and must be specific to the device, device group, policy, or script to which you are applying the attribute.

You are able to search for specific objects based on the attributes you define. See "Filter by Attributes and Keyword Search" on page 151.


Change the Order in which Policy Rules are Evaluated
You can change the order of the sections in policy, which in turn changes policy behavior. The CPL is evaluated from top to bottom, and lower layers override higher layers; thus, the order of sections affects the order in which policy rules in each section are evaluated. Changing the order of policy sections can alter the effectiveness of policy, result in a rule overriding other rules, or cause unintended behaviors. See the following examples.

1. Select Configuration > Policy.
2. In the Policy Objects list, select the policy. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
3. (Recommended) To collapse a section, click the collapse icon at the left of the title bar. You can click the expand icon on the title bar of a collapsed section to expand it.
4. Hover over the title bar of the section you want to move until the pointer changes. Drag the section to its new location.

   Alternatively, you can use the move-up and move-down icons in the title bar to move the section up or down, respectively.

5. Move sections around in the policy object until you are satisfied that the policy will evaluate as you intend. If the policy has many sections, you can use the Quick Navigation pane on the right to quickly go to the section you want. See "Work with CPL Policy Sections" on page 172 for instructions.

   A red asterisk (*) beside the policy object name denotes pending changes.
6. Click Save.

Example

The following is a basic example of how changing the order of sections can change the behavior of policy.

Consider a policy section with the purpose Threat protection - Inbound Policy. It contains the following CPL:
; Deny EXE downloads
url.extension=.exe DENY

Another policy section has the purpose Access Control. It contains the following CPL:
; Users in specified subnet are allowed transactions
client.address=192.0.2.0/24 ALLOW

Refer to the following table to see how the order of policy sections can affect the behavior of policy.

Order of policy sections: 1. Threat protection - Inbound Policy, 2. Access Control
How policy is evaluated: The Access Control section overrides the Threat protection section.
Resulting behavior: Everyone in the network is denied EXE downloads except for users in the specified subnet.

Order of policy sections: 1. Access Control, 2. Threat protection - Inbound Policy
How policy is evaluated: The Threat protection section overrides the Access Control section.
Resulting behavior: Users in the specified subnet are allowed transactions with the exception of EXE downloads; everyone in the network is also denied EXE downloads.
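
The two orderings in the table above, as an added Python sketch (not Management Center or ProxySG code). It models only the behaviour the table describes, where a later matching section overrides an earlier one; the Request and Section types, the helper names, and the sample requests are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    client: str  # client IP address
    url: str     # requested URL


@dataclass(frozen=True)
class Section:
    purpose: str
    matches: Callable[[Request], bool]  # the section's single rule condition
    action: str                         # "ALLOW" or "DENY"


def url_extension(ext: str) -> Callable[[Request], bool]:
    """Model of the url.extension= condition: compare the URL path suffix."""
    return lambda r: urlsplit(r.url).path.lower().endswith(ext.lower())


def client_address(cidr: str) -> Callable[[Request], bool]:
    """Model of the client.address= condition for a subnet."""
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r.client) in net


# The two sections from the example on this page.
THREAT = Section("Threat protection - Inbound Policy", url_extension(".exe"), "DENY")
ACCESS = Section("Access Control", client_address("192.0.2.0/24"), "ALLOW")


def decide(sections: Sequence[Section], request: Request) -> Optional[str]:
    """Walk sections top to bottom; a later match overrides an earlier one.
    Returns None when no section in this model matches the request."""
    verdict = None
    for section in sections:
        if section.matches(request):
            verdict = section.action
    return verdict


def changed_by_reorder(before: Sequence[Section], after: Sequence[Section],
                       requests: Sequence[Request]) -> List[Tuple[Request, Optional[str], Optional[str]]]:
    """Return (request, old_verdict, new_verdict) for each request whose
    outcome differs between the two section orders."""
    changed = []
    for request in requests:
        old, new = decide(before, request), decide(after, request)
        if old != new:
            changed.append((request, old, new))
    return changed


# Constructed sample traffic: inside and outside the subnet, EXE and non-EXE.
SAMPLE_REQUESTS = [
    Request("192.0.2.10", "http://downloads.example.com/setup.exe"),
    Request("192.0.2.10", "http://example.com/index.html"),
    Request("198.51.100.7", "http://downloads.example.com/setup.exe"),
    Request("198.51.100.7", "http://example.com/index.html"),
]

if __name__ == "__main__":
    for req, old, new in changed_by_reorder([THREAT, ACCESS], [ACCESS, THREAT],
                                            SAMPLE_REQUESTS):
        print(f"{req.client} {req.url}: {old} -> {new}")
```

Only the EXE download from inside 192.0.2.0/24 changes verdict between the two orders, which is the difference between the two rows of the table.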

Use Substitution Variables in Policies and Scripts
Substitution variables are generic terms that you can include in policies and scripts. When Management Center installs policy or executes a script that includes substitution variables, it attempts to replace them with values specific to the current transaction, that is, the current device, policy, or script. For example, if you install policy that includes the substitution variable ${device.name}, the variable is replaced with the device name set in Management Center.

To include and process substitution variables:

1. Enable Replace substitution variables in the policy object (see Create a CPL Policy Object) or script (see Create and Distribute Configurations Using Scripts).

2. Include substitution variables in the CPL or script. See "Supported Variables" on the next page below.

3. Install the policy or execute the script. As the target device processes the policy or script, it attempts to replace the variables with the appropriate values.

   If the policy or script is associated with a device group, Management Center inspects every device in the group structure for the variable and attempts to replace all instances with specific values.

Syntax
Substitutions have the following form:
${name}

where name is an expression that expands to a string or block of text at runtime.

For example, the substitution ${device.description} expands to the description entered in the current device's properties in Management Center.

If the device does not have a description (because Description is an optional field), the substitution expands to an empty string unless you also specify a default value. See "Specify a Default Substitution Value" on page 178 below for details.

Examples

Substitute the device's serial number.
${device.serialNumber}

Substitute the value of the device's Rack attribute.
${device.attributes.Rack}


Substitution variables are case-sensitive. To ensure that you have entered them with correct spelling and case, use the Preview option before installing policies or executing scripts. The preview warns you if a substitution variable is invalid.

Supported Variables

Device - ${device.field}

The following variables are available for policies and scripts.

Variable                            Description
${device.uuid}                      Internal ID of device
${device.modelNumber}               Device model number
${device.description}               Text in the Description field in device properties in Management Center
${device.name}                      Text in the Device Name field in device properties in Management Center
${device.serialNumber}              Device's serial number
${device.osVersion}                 Operating system version running on the device
${device.attributes.name}           System or user-defined device attribute value, including any values inherited from the device group, where name is the attribute name

Policy - ${policy.field}

The following variables are available for policies only (not scripts).

Variable                            Description
${policy.author}                    Last user who edited and saved the policy
${policy.description}               Text in the Description field in policy properties
${policy.name}                      Text in the Name field in policy properties
${policy.referenceId}               Text in the Reference Id field in policy properties
${policy.revision}                  Policy's current Version number
${policy.revisionDescription}       Comments entered for the last revision
${policy.attributes.name}           User-defined policy attribute value, where name is the attribute name

Policy Fragment - ${fragment.field}

The following variables are available for policy fragments.

Variable                            Description
${fragment.author}                  Last user who edited and saved the policy fragment
${fragment.description}             Text in the Description field in policy fragment properties
${fragment.name}                    Text in the Name field in policy fragment properties
${fragment.referenceId}             Text in the Reference Id field in policy fragment properties
${fragment.revision}                Policy fragment's current Version number
${fragment.revisionDescription}     Comments entered for the last revision
${fragment.attributes.name}         User-defined policy fragment attribute value, where name is the attribute name

Script - ${script.field}

The following variables are available for scripts only (not policies).

Variable                            Description
${script.author}                    Last user who edited and saved the script
${script.description}               Text in the Description field in script properties
${script.versionDate}               Date of last update
${script.name}                      Text in the Name field in script properties
${script.type}                      Selected Type in script properties
${script.revision}                  Script's current Version number
${script.revisionDescription}       Comments entered for the last revision
${script.attributes.name}           User-defined script attribute value, where name is the attribute name

Specify a Default Substitution Value

Unless you specify a default value, some transactions can produce unsubstituted variables, resulting in empty strings. The following are examples of such transactions:

• An optional field such as Description is empty
• An attribute that is not marked as mandatory has no value
• A field is not applicable, such as when a script or policy has not been revised

Syntax
A default substitution has the following form:
${name(default_name)}

where:

• name is an expression that expands to a string or block of text at runtime
• default_name is the value that will be used instead of an unsubstituted variable


Example
If a policy fragment was edited, use the comments entered for the last revision. If the fragment was never edited, use the specified text "No revision".
${fragment.revisionDescription(No revision)}
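
A pre-install lint for the ${name} and ${name(default)} forms, added here as an example (not Blue Coat code, and not a substitute for the Preview option). It checks names against the Supported Variables tables on this page, flags case mistakes, and expands values with the default fallback; the function names, the sample CPL and values, and the acceptance of device.* inside fragments are assumptions of this example.

```python
import re

# Field names copied from the "Supported Variables" tables on this page.
_REVISIONED = {"author", "description", "name", "referenceId",
               "revision", "revisionDescription"}
FIELDS = {
    "device": {"uuid", "modelNumber", "description", "name",
               "serialNumber", "osVersion"},
    "policy": set(_REVISIONED),
    "fragment": set(_REVISIONED),
    "script": {"author", "description", "versionDate", "name", "type",
               "revision", "revisionDescription"},
}
# Namespaces each object kind may use. The page states device.* works in
# policies and scripts; allowing it in fragments is an assumption.
SCOPES = {
    "policy": {"device", "policy"},
    "fragment": {"device", "fragment"},
    "script": {"device", "script"},
}
TOKEN = re.compile(r"\$\{([^{}]*)\}")                    # ${...}
INNER = re.compile(r"^([A-Za-z][\w.-]*)(?:\((.*)\))?$")  # name or name(default)


def _hint(value, candidates):
    """Suggest a candidate that differs from value only by case."""
    for c in sorted(candidates):
        if c.lower() == value.lower():
            return f" (did you mean '{c}'? names are case-sensitive)"
    return ""


def check_name(name, kind, attributes):
    """Return None if name is valid in an object of this kind, else a reason."""
    ns, _, rest = name.partition(".")
    if ns not in FIELDS:
        return f"unknown namespace '{ns}'" + _hint(ns, FIELDS)
    if ns not in SCOPES[kind]:
        return f"{ns}.* is not available in a {kind}"
    if rest.startswith("attributes."):
        attr = rest[len("attributes."):]
        known = attributes.get(ns, set())
        if attr in known:
            return None
        return f"attribute '{attr}' is not defined for {ns}" + _hint(attr, known)
    if rest in FIELDS[ns]:
        return None
    return f"unknown field '{rest}'" + _hint(rest, FIELDS[ns])


def lint(text, kind, attributes):
    """Return (line_no, token, reason) for every invalid ${...} in text."""
    findings = []
    for m in TOKEN.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        inner = INNER.match(m.group(1))
        reason = ("malformed substitution" if inner is None
                  else check_name(inner.group(1), kind, attributes))
        if reason:
            findings.append((line_no, m.group(0), reason))
    return findings


def expand(text, kind, attributes, values):
    """Expand valid variables. An empty or missing value falls back to the
    default, or to an empty string when no default is given. Invalid tokens
    are left in place so they stay visible (a choice made for this model)."""
    def repl(m):
        inner = INNER.match(m.group(1))
        if inner is None or check_name(inner.group(1), kind, attributes):
            return m.group(0)
        name, default = inner.groups()
        return values.get(name) or default or ""
    return TOKEN.sub(repl, text)


# Constructed sample: CPL comments carrying device and policy metadata.
SAMPLE_CPL = """\
; Installed on ${device.name} (${device.description(no description)})
; Rack: ${device.attributes.Rack(unassigned)}  S/N: ${device.serialnumber}
; Policy ${policy.name} rev ${policy.revision} by ${script.author}
url.extension=.exe DENY
"""
SAMPLE_ATTRIBUTES = {"device": {"Rack"}}  # attributes defined for devices
SAMPLE_VALUES = {"device.name": "sg-edge-01", "policy.name": "ASUP",
                 "policy.revision": "7"}

if __name__ == "__main__":
    for line_no, token, reason in lint(SAMPLE_CPL, "policy", SAMPLE_ATTRIBUTES):
        print(f"line {line_no}: {token}: {reason}")
    print(expand(SAMPLE_CPL, "policy", SAMPLE_ATTRIBUTES, SAMPLE_VALUES))
```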


Launch Visual Policy Manager

Before launching the Visual Policy Manager in Management Center, Blue Coat strongly recommends that you understand how the VPM Editor works and underlying policy enforcement in ProxySG appliances. For comprehensive information on creating policies using VPM, refer to the Blue Coat Systems ProxySG Appliance Visual Policy Manager Reference and Advanced Policy Tasks.

To launch the VPM editor, clients using Java 7 must enable TLS 1.1 and TLS 1.2. In the Java Control Panel, select Advanced. Then select Use TLS 1.1 and Use TLS 1.2.

1. Select Configuration > Policy. From the Policy Objects list, select a VPM policy object. To find either a VPM or a CPL policy type, you can do a "Filter by Attributes and Keyword Search" on page 151.

2. Select the Policy name. Select Edit and the Editor tab.
3. (Optional) To import policy from the reference device, click Import. See "Select Reference Device for VPM Policy" on page 185.

4. Click Launch VPM Editor. When the following message displays, click Run.

5. You may see a Security Warning. If you do, check the IP address and click Continue.

6. The web console displays the Blue Coat Visual Policy Manager.
7. Add layers and rules, as required by your policy.
8. Click Save policy when finished. The edited policy displays in the Policy Objects list with an updated revision number.


If Java is not enabled on your browser, the VPM Editor cannot launch. See "Set Up and Enable Java in Your Browser" on the facing page.


Set Up and Enable Java in Your Browser
The following is required to launch the Visual Policy Manager (VPM).

1. From your browser, install Java (the minimum required version is Java 1.7.0_51). Enable Java in your browser. Because every browser behaves differently, confirm that the correct Java version is installed and enabled by using your browser to go to: https://www.java.com/verify

   You may need to restart your browser after updating Java.

2. After you have verified that your Java version is correct and a reference device is available, the Launch VPM Editor button is enabled.

3. Click Launch VPM Editor to open the Visual Policy Manager Editor. However, the following error can occur:

If you see this error after relaunching the VPM Editor, it means that you need to allow Java to run in your browser and accept the certificates that Java requires.


Select Reference Device for VPM Policy
The reference device is the device you designate as the source device for VPM policy configurations. You must select a reference device to launch the VPM editor.

1. Select Configuration > Policy. From the Policy Objects list, select a VPM policy. Click Edit.

   A default reference device is not automatically populated. Associate at least one deployed device with the policy or manually configure a reference device to enable editing.

2. While the Editor tab is selected, select a Reference Device, using the object selector.

   Resolve displayed warnings before launching the VPM editor. The Launch VPM Editor button is grayed out if warnings are present.

3. To associate a reference device, from the Select Device dialog, select the check box by the device that you want to use as a reference. The selected device automatically displays in the Selected view. Click OK.


4. (Optional) You can create and edit a VPM policy as soon as you have selected a reference device and no warnings are displayed. Click Launch VPM Editor.

Determine Your Next Step
What do you want to accomplish?                       Refer to this topic
Add or remove devices associated with the policy.     "Add or Remove Devices Associated with Policy" on page 220
Restore a version of the policy.                      "Restore a Version of Policy" on page 242
Create and edit a VPM policy using the VPM Editor.    "Launch Visual Policy Manager" on page 183
Import a policy configuration from a device.          "Import Policy or Shared Objects" on page 232

View VPM Policy Source
Management Center enables you to view the CPL or XML policy source of a VPM policy.

1. Select Configuration > Policy.

2. From the Policy Objects list, select the VPM policy name.

   If needed, search for the policy object; see "Filter by Attributes and Keyword Search" on page 151.

3. With the policy selected, click Editor. The system displays the editor.

4. View the policy:

   • Click Generated CPL to view the CPL source.
   • Click XML (UI Markup) to view the XML source.

5. (Optional) Edit the policy.


Create Shared Objects
Shared objects are policy elements that can be referenced by multiple policy objects. A shared object cannot be deployed by itself; it must be included in another policy type, such as CPL or a WAF Application.

Create CPL Fragments

CPL policy fragments are reusable building blocks of CPL policy. Because fragments are not complete CPL policy, you do not deploy them to devices but include them within policy that you deploy to devices.

"Create a CPL Policy Fragment" on the facing page

"Include a Policy Fragment" on page 204

Create a Category List

A category list is a named set of URL categories that can be easily referenced in policy, allowing you to assign an allow or deny condition to all the categories in one simple rule, or reuse the list in multiple policy rules.

"Create Category Lists" on page 193

"Category List Example" on page 196

Create a Category List Template

A category list template provides a starting point for defining which categories to include in a category list. The template contains a subset of the complete list of WebPulse categories, typically used to restrict the categories a less-privileged user can select when creating a category list.

"Use Category List Templates" on page 200

Create a URL List

URL lists allow you to easily create URL exceptions to your policy. The URL list can be easily included in your existing policy.

"Create URL List (URL Policy Exceptions)" on page 189

"URL List Example" on page 191

Create WAF Security Profile

A WAF Security Profile is a shared object that defines the Web Application Firewall settings for the associated WAF application object. The WAF Security Profile is assigned to one or more WAF applications that can be installed on ProxySG appliances to set WAF policy.

"Configure WAF Security Rules" on page 130

Creating a WAF Security Profile is step 3 in "Use WAF Policy To Protect Servers From Attacks" on page 119.


Create a CPL Policy Fragment
Create a CPL Policy Fragment in the same way that you create CPL Policy. Policy fragments are reusable building blocks of CPL policy. Because fragments are not complete CPL policy, you do not deploy them to devices but include them within policy that you deploy to devices.

1. Select Configuration > Shared Objects.

2. Click Add Object. The web console displays the Create New Shared Object wizard. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.

   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose CPL Fragment.
   • Reference ID (*) - Enter a Reference ID that you can filter on when building policy.

     The Reference ID must begin with a letter, and must contain only letters, numbers and "_".

   • Description - Enter a meaningful description to help you when reusing this fragment.
   • Replace substitution variables - Select this if you want to replace specific values within the policy fragment. See "Use Substitution Variables in Policies and Scripts" on page 176.

   If Replace substitution variables is NOT selected when creating a CPL Policy, the CPL Policy Fragments will not be included in the CPL.


3. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as mandatory, you can choose the attribute's value for this policy fragment. See "Add Attributes" on page 298.
4. Click Finish. The fragment displays in the Policy Objects list.
5. To add the fragment to policy, see Include a Policy Fragment.

Create URL List (URL Policy Exceptions)
URL lists allow you to easily create URL lists for use in policy. These lists can then be included in your existing policy. An example implementation is described here.

Step 1 - Create the URL List Object

1. Select Configuration > Shared Objects.

2. Click Add Object. The web console displays the Create New Shared Object wizard.

3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.
   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose URL List.
   • Reference ID (*) - Enter a Reference ID that you can filter for when building policy.

     The Reference Id must begin with a letter and must contain only letters, numbers, and "_".

   • Description - Enter a meaningful description to help you when reusing this fragment.
4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as mandatory, you can choose the attribute's value for this policy fragment. See "Add Attributes" on page 298.
5. Click Finish. The URL list displays in the editor.

Step 2 - Add URLs


1. Select Configuration > Shared Objects.
2. Select or edit the desired URL list. The system displays the URL list editor.
3. Enter the URL in the URL field and click Add.

4. Alternatively, paste in multiple URLs:
   a. Create a URL list and copy the URLs.
   b. Click Paste URLs. The system opens the Paste URLs: Enter URLs dialog.
   c. Copy the URLs into the Paste URLs: Enter URLs dialog. Press CTRL+V or right-click and click Paste. The URLs are added to the list.
   d. Click Next. The system opens the Paste URLs: Validate dialog.
   e. Click Finish.
5. Click Save.

Enabling and Disabling URLs
You can disable an individual URL by selecting it and clicking Disable.

You can enable a URL by selecting it and clicking Enable.


Step 3 - Include the URL List in Policy

When you have completed your changes, you can include the URL list in CPL, as described in "Include a Policy Fragment" on page 204. The URL list will be included in the CPL as a named condition that can then be referenced using condition=referenceId. See the example below for details.

You can then install your policy as described in "Install Policy" on page 227.

Whitelist Scenario Example

URL List Example

In this example, the administrator has created a simple acceptable use policy and would like to allow some URLs that would otherwise be blocked.

This CPL is stored in a policy object called ASUP. The ASUP policy object has Replace substitution variables enabled.

Though the URL filtering blocks all news sites, she would like to allow cnn.com, yahoo.com, and nytimes.com. To allow these sites, the administrator does the following.

Step One - Create the URL List Object
1. Selects Configuration > Shared Objects.
2. Clicks Add Object. The web console displays the Create New Shared Object wizard.
3. Enters the following data:
   a. Object name: whitelist
   b. Object type: URL List
   c. Reference ID: autofill
   d. Description: List of allowed URLs
4. Clicks Next.
5. Clicks Finish.

Step Two - Add Allowed URLs
1. In the whitelist policy editor, the administrator enters cnn.com in the URL field and clicks Add.
2. Adds yahoo.com and nytimes.com, as described in the preceding step.


3. Clicks Save and enters a brief description of the change. The whitelist object now looks like this.

Step Three - Add the URL List to the ASUP Policy
1. Selects Configuration > Policy > ASUP. The ASUP policy opens in the editor. Remember that the administrator has previously enabled Replace substitution variables.
2. Clicks Insert Include.

3. In the Insert Policy Include window, selects whitelist and clicks OK.

The ASUP CPL now looks like this:

When the administrator previews the policy, it looks like this:


The name of the condition corresponds to the shared object's reference ID, not its name. You can preview the policy by going to the Targets tab, adding a target, selecting the target, and clicking Preview.

Though the URLs have been defined, they have not been added as a rule.

4. To create the rule, the administrator adds the following rule to the CPL to implement the whitelist:
condition=whitelist ALLOW

See example below.

5. Clicks Save.

The ASUP CPL is now ready to be pushed to target devices.

Create Category Lists
A category list is a named set of URL categories that can be easily referenced in policy, allowing you to assign an allow or deny condition to all the categories in one simple rule, or reuse the list in multiple policy rules. Category lists are shared objects, and are similar to URL lists.

Go to sitereview.bluecoat.com and click Descriptions to see a list of current categories recognized by Blue Coat WebPulse. Note that the list of categories in Management Center may not exactly match the list on the website, but will be updated in a future Management Center release as necessary. For more information about content filtering by category, refer to the SGOS Administration Guide.

Step 1 - Create the Category List Shared Object

1. Select Configuration > Shared Objects.

2. Click Add Object. The web console displays the Create New Shared Object wizard.

3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.

   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose Category List.
   • Reference ID (*) - Enter a Reference ID (or accept the default name) that will be used when building policy. The ID can be specified as the condition name in CPL.

     The Reference ID must begin with a letter and must contain only letters, numbers, and "_".


   • Template - If you (or someone else) have previously created a category list template, click the selector icon and select the template. The template will restrict what categories can be defined in the list. See "Use Category List Templates" on page 200 for more information.
   • Description - Enter a meaningful description to help you identify this category list when including it in policy.

4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined any policy attributes, you can choose the attribute's value for this category list. See "Add Attributes" on page 298.
5. Click Finish. A tree of categories displays in the Editor tab. Note that the categories are grouped into folders (Business Related, Legal Liability, Non-Productive, and so forth) for organizational purposes; these folder names are not part of the policy.

   If you selected a template, you may not see all folders and categories.

Step 2 - Select Categories

After you have created the category list object, you can select the categories associated with the list. The list should include all categories that you want to treat the same way in policy. For example, the categories in the list should all be ones that you would want to deny access to or allow access to; the actual policy action (deny/allow) will be defined in the policy.


1. The tree of category folders should be displayed in the Editor. If the list isn't currently displayed, select Configuration > Shared Objects and click the defined list name to bring it up in the Editor.
2. Select the categories you want to include in your list. Follow these general guidelines:
   • To see what categories are in a folder, click the + to expand.
   • Selecting a folder's check box selects all categories in that folder.
   • You can unselect any category within a selected folder by clicking its check box.
   • When a folder is expanded to display its categories, Management Center displays the category descriptions and examples as well.

3. To view the category names assigned to this list, look at the Selected Categories panel at the bottom of the window.
4. Click Save and enter a brief description of the change.

Step 3 - Include the Category List in Policy

When you have defined the category list, you can include the object in CPL, as described in "Include a Policy Fragment" on page 204. In addition, you must create an allow/deny condition using condition=referenceId. See the "Category List Example" below for details.

You can then install your policy as described in "Install Policy" on page 227.

If you want to check into which category Blue Coat WebPulse categorizes a URL, go to sitereview.bluecoat.com and enter the URL.

Category List Example

In this example, the administrator has created a simple acceptable use policy and would like to deny access to a list of categories that should not be allowed on the corporate network.


This CPL is stored in a policy object called ASUP. The ASUP policy object has Replace substitution variables enabled.

Step One - Create the Category List Object
1. Select Configuration > Shared Objects.
2. Click Add Object. The web console displays the Create New Shared Object wizard.
3. Enter the following data:
   a. Object name: blacklisted_categories
   b. Object type: Category List
   c. Reference ID: blacklisted_categories
   d. Template: (leave blank)
   e. Description: a list of categories that should be denied in policy
4. Click Next.
5. Click Finish.

Step Two - Select Categories that Should be Denied
The administrator would like to deny access to all legal liability categories and security threats, so she will select all the categories in the Legal Liability folder and Security Threats subfolder.

1. With a tree of available categories displayed in the Editor, click the Legal Liability check box. The Adult Related and Liability Concerns folders are also checked.
2. Click the + next to the Adult Related and Liability Concerns folders to display the category names, descriptions, and examples in these folders.


3. Expand the Security Threats folder to display the category names, descriptions, and examples in this folder.
4. Click the Security Threats check box to select all of its categories.

5. Click Save and enter a brief description of the change.

Step Three - Add the Category List to the ASUP Policy
1. Select Configuration > Policy > ASUP. The ASUP policy opens in the editor. Remember that the administrator has previously enabled Replace substitution variables.


2. Place the text cursor into the policy section where you want to include the category list and click Insert Include.

3. In the Insert Policy Include window, select blacklisted_categories and click OK.

The inserted CPL now looks like this:

Though the category list has been defined, the condition still needs to be defined to deny access.

4. To create the condition to deny access to the category list named blacklisted_categories, the administrator adds the following line to the CPL:
condition=blacklisted_categories DENY

5. Click Save.
6. To preview the code that is generated for this policy, go to the Targets tab, select a device, and click Preview.


You can see in the preview that two conditions are created. The first condition (blacklisted_categories/url_category) just looks up the URL in WebPulse to find the category. The second condition (blacklisted_categories/cert_category) is used for SSL connections; it can sometimes glean extra information by looking up the host name in the SSL certificate.

The ASUP CPL can be pushed to target devices at the appropriate time.

Use Category List Templates

A category list template provides a starting point for defining which categories to include in a category list. The template contains a subset of the complete list of WebPulse categories, typically used to restrict the categories a less-privileged user can select when creating a category list. For example, if you have a user with restricted permissions, you may not want him to control policy for any category, just particular ones that are appropriate for his role.

Create a Category Template

1. Select Configuration > Shared Objects.

2. Click Add Object. The web console displays the Create New Shared Object wizard.

3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.


   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose Category List Template.
   • Reference ID - Enter a Reference ID (or accept the default name).

     The Reference ID must begin with a letter and must contain only letters, numbers, and "_".

   • Description - Enter a meaningful description to help you when applying this category list template.
4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as mandatory, you can choose the attribute's value for this category list. See "Add Attributes" on page 298.

5. Click Finish. A tree of categories is displayed.

6. Select the categories you want to include in the template. Follow these general guidelines:
   • To see what categories are in a folder, click the + to expand.
   • Selecting a folder's check box selects all categories in that folder.
   • You can unselect any category within a selected folder by clicking its check box.
   • When a folder is expanded to display its categories, Management Center displays the category descriptions and examples as well.

7. To view the category names assigned to this template, look at the Selected Categories panel at the bottom of the screen.

8. Click Save and enter a brief description of the change.

Use a Category List Template

To use the category list template, select it when creating a category list. The user can only select categories from this restricted list.

1. Select Configuration > Shared Objects.

2. Click Add Object. The web console displays the Create New Shared Object wizard.

3. Fill in required fields. A red asterisk (*) denotes fields that are mandatory.
   • Object name (*) - Required name
   • Object type (*) - From the drop-down list, choose Category List.


   • Reference ID (*) - Enter a Reference ID (or accept the default name) that you can use when building policy. The ID can be specified as the condition name in CPL.

     The Reference ID must begin with a letter and must contain only letters, numbers, and "_".

   • Template - Click the selector icon and select the template. The template will restrict what categories can be defined in the list.
   • Description - Enter a meaningful description to help you when reusing this category list.
4. Click Next. The Create New Shared Object wizard displays the Attributes dialog. If you defined a policy attribute as mandatory, you can choose the attribute's value for this category list. See "Add Attributes" on page 298.
5. Click Finish. The Editor displays just the categories in the template, and the user can create a category list by choosing from the categories in the template.


6. Selectthecategoriesyouwanttoincludeinthelist.
7. Toviewthecategorynamesassignedtothislist,lookattheSelectedCategoriespanelatthebottomofthe
window.
8. ClickSaveandenterabriefdescriptionofthechange.

Thiscategorylistcannowbeusedinpolicy.See"IncludeaPolicyFragment"below.

Toapplyacategorylisttemplatetoanexistingcategorylist,editthecategorylist,gototheInfotab,selectthetem-
plate,andthensavethelist.

WhentheCPLforacategorylistisgeneratedandthelistcontainscategoriesnotpresentinthetemplate(most
likelybecausethetemplatehadbeenchangedsincelastsavingthelist),thosecategoriesarenotincludedinthe
conditiondefinitionCPL.Ifthisoccurs,awarningisincludedasacommentabovetheconditionCPL,indicating
whichcategorieswereremoved.

Include a Policy Fragment
Include a CPL fragment, URL list, or category list as a building block of CPL Policy. Because fragments are not complete CPL policy configurations, you cannot associate fragments with, or install them to, any device. They must be included in CPL policy.

1. Select Configuration > Policy.
2. In the Policy Objects list, select the CPL policy to which you want to add a policy fragment. The policy is displayed in the Editor.
3. Click the Info tab.

4. Ensure Replace substitution variables is selected.

   If you do NOT enable variable substitution in the CPL, the CPL Fragments will not be included.

5. Place the text cursor into the policy section where you want to include the policy fragment and select Insert Include. You can only include a fragment in an existing policy section. The web console displays the Select Policies dialog.

   If you have not placed your cursor where you want to insert the policy fragment, Management Center displays the following error:

6. From the available policy fragments, select the CPL fragment, URL list, or category list to include.

7. Click OK. The included policy fragment is displayed in the section where you placed your cursor. You can continue editing the CPL policy.

8. To commit your changes, click Save and enter a comment for the commit operation. The comment you enter is saved as policy metadata.
9. (Optional) To exit without saving your edits, click Cancel.
10. (Optional) Click Compare to see the differences between the existing policy version and the version you are about to commit.

For more information about adding or editing CPL Policy sections, see "Add or Edit CPL Policy Sections" on page 169.

"Filter by Attributes and Keyword Search" on page 151

• "Edit a Policy Section" on page 169
• "Add or Edit CPL Policy Sections" on page 169
• "View Existing Policy Information" on page 243

Deploy Tenant Policy
Tenant policy describes a framework that provides large organizations with high service availability and flexibility for multiple tiers of administration, and ensures that all appliances in the network are used efficiently.

• Tenant Policy - An infrastructure that segregates the policy elements that affect users of each user network defined within domains. Even though they use the same ProxySG appliance, two groups of users could have vastly different policy sets.
• Role-Based Administration - A set of Management Center controls that allows a tier-based approach to managing ProxySG appliances and their associated policy. The top-tier administrators can view and manage all levels of policy, second-tier (or branch) administrators can manage only their own level of policy and those beneath them, and bottom-tier or tenant-level administrators can only view the policy for their own users.

All administrators control policy appropriate to their roles. Policy can be written specifically to route traffic from where users are to one of several ProxySG appliances in your network, depending on load and availability.

Refer to the following deployment steps:

Step 1: Plan Network Configuration

Who performs this step: ProxySG administrator

Before proceeding, it is important to plan how your organization is structured. For example, determine the following:

• How user networks are grouped or separated (for example, by geographic location)
• What interfaces receive traffic from those users
• What types of policy can be deployed to the tenant slot

Step 2: Configure Management Center

Who performs this step: Management Center admin/Super Admin

After configuring the appliance(s), add them to Management Center and define roles and administrators. Then, configure default, group, and tenant policy to the appliances. User roles will dictate which users can see and manage policy for each appliance or group of appliances.

1. Add a configured appliance to Management Center.
   From the Management Center web console, access the online help and search for the topic entitled Add a Device for the steps to add each ProxySG appliance to Management Center. Repeat this process for each configured ProxySG in your network. To import many devices at one time, from the online help search for Add Multiple Devices at Once.
2. To keep your devices organized, see the instructions for how to create hierarchies, device groups and sub-groups. A device group is a folder in the device organizational structure that exists below the hierarchy level and contains devices or sub-folders. Arrange device groups and devices in a way that makes sense.
   • Configure Hierarchy for Devices and Device Groups
   • Add a Device Group
   • Drag and Drop Device Groups

3. Create device attributes to help manage your organization's network of appliances and groups of appliances. Device attributes can be used to identify the location of a given appliance, the region or branch office it's associated with, or even which tenants are associated with each appliance. For more information, see the following topics in the online help:
   • Manage Attributes
   • Add Device Attributes
   • Add Device Group Attributes

3. Assign attributes to your configured appliances. For instructions, see "Edit a Device" on page 72.
4. Create administrator roles with different sets of permissions. After you define roles (see "Define Roles" on page 288), review the types of permissions that are most valuable for each role that you have created. This guide contains a reference topic, "Reference: Permissions Interdependencies" on page 250, that is invaluable when creating the roles in your organization.
   The following example shows how to create a role for managing a device group that you created ("Add a Device Group" on page 68).
5. Create administrator groups. From the Administration tab, click Groups > Add Group.
6. Add admin users. For instructions on how to create administrator accounts, see "Grant Permissions" on page 291.
7. Create policy attributes. For instructions on how policy attributes can be used to organize and refine policy, see the following online help topics:
   • Manage Attributes
   • Add Policy Attributes
   • Mandatory Attributes

8. Define tenants. See "Manage Tenants" on the next page for instructions.
9. Create tenant policy in VPM ("Create a VPM Tenant Policy Object" on page 212) or CPL (see Create the Content Policy Language).
10. Confirm that the correct policies are deployed to each device slot. See "View Deployed Policy for each Device Slot" on page 246.

Manage Tenants
Tenants are administrative entities defined on ProxySG appliances. Each request is routed through a tenant, whose policy is evaluated for that transaction. When no specific tenant is determined for a request, the default tenant policy is used. Tenant determination criteria govern which tenant's policy applies to a given request. Add these tenants to Management Center to create and deploy tenant-specific policy.

On the ProxySG appliance, there are two options for controlling tenancy determination:

1. The #(config general) multi-tenant criterion command specifies a substitution expression that is evaluated for tenancy determination.

2. Using the <tenant> layer in the Landlord CPL slot to specify conditions and tenant() properties.

The Management Center WAF interface leverages option #2 to control tenancy determination via the Tenant Determination object. See "About WAF Policy" on page 121 for more information.

When evaluating an HTTP request, if the tenant determination rules produce a match against an installed tenant, then that tenant's policy will be evaluated. If that fails to set the tenant() property, or the tenant() property setting does not correspond to an installed tenant policy, then the default tenant policy is applied to this traffic. Default tenant policy applies to all requests where tenancy couldn't be determined during the initial connection.
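
The fall-through to the default tenant described above can be modelled offline to find tenant determination rules that can never select their intended tenant. The following Python example is added here for illustration and is not Management Center or ProxySG code; the rule structure, the first-match ordering, the "default" label, the host names and the tenant IDs are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

DEFAULT_TENANT = "default"  # label used here for the default tenant (assumption)


@dataclass(frozen=True)
class Rule:
    """One tenant determination rule: a condition plus the tenant() value it sets."""
    name: str
    matches: Callable[[dict], bool]
    tenant_id: Optional[str]  # None models a rule that never sets tenant()


def resolve(request, rules, installed):
    """Return (tenant whose policy is evaluated, reason) for one request."""
    for rule in rules:  # assumption: the first matching rule decides
        if not rule.matches(request):
            continue
        if rule.tenant_id is None:
            return DEFAULT_TENANT, f"{rule.name}: tenant() not set"
        if rule.tenant_id not in installed:
            return DEFAULT_TENANT, f"{rule.name}: no installed policy for '{rule.tenant_id}'"
        return rule.tenant_id, f"{rule.name}: matched"
    return DEFAULT_TENANT, "no rule matched"


def dangling_tenant_ids(rules, installed):
    """Tenant IDs referenced by rules that have no installed tenant policy."""
    return sorted({r.tenant_id for r in rules
                   if r.tenant_id is not None and r.tenant_id not in installed})


def host_suffix(suffix):
    """Build a condition that matches on the request's host suffix."""
    return lambda request: request.get("host", "").endswith(suffix)


# Constructed sample data: three installed tenant policies, one rule with a typo.
INSTALLED = {"emea", "apac", "amer"}
RULES = [
    Rule("emea-sites", host_suffix(".emea.example"), "emea"),
    Rule("apac-sites", host_suffix(".apac.example"), "apac"),
    Rule("amer-sites", host_suffix(".amer.example"), "amers"),  # typo: should be "amer"
]

if __name__ == "__main__":
    for host in ("app.emea.example", "shop.amer.example", "unknown.example"):
        print(host, "->", resolve({"host": host}, RULES, INSTALLED))
    print("rules pointing at missing tenants:", dangling_tenant_ids(RULES, INSTALLED))
```

Traffic for the mistyped tenant ID is evaluated by the default tenant policy instead of being rejected, which is why the default tenant needs a base level of policy before additional tenants are created.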

Obtain the tenant identifiers before you write multi-tenant policy in Management Center. For more information on multi-tenant policy, refer to the Multi-Tenant Policy Deployment Guide.

WAF Policy Use

Selecting a tenant is step 2 in "Use WAF Policy To Protect Servers From Attacks" on page 119. A base level of WAF policy should be installed to the default tenant before any additional tenants are created. This ensures that all requests are processed by the WAF.

Add a Tenant

A red asterisk (*) denotes fields that are mandatory.

1. Select Configuration > Tenants.

2. Click Add Tenant. The web console displays the Add Tenant dialog.

3. Enter a Display Name.
4. Enter the Tenant ID. This controls the name of the tenant slot where policy will be installed. This ID is also used in the tenant determination CPL using the tenant() property.
5. (Optional) Enter a Description (up to 1024 characters).
6. Click Save.

By default, the Tenants list is sorted in alphabetical order by Display Name. You can also sort by Tenant ID or Description by clicking the column headings. If the list is long, use the Keyword Search field to search for any string in the name, ID, or description. The search is case-sensitive.

Modify a Tenant

1. Select Configuration > Tenants.
2. From the Tenants list, select the tenant to modify and click Edit. The web console displays the Edit Tenant dialog.

3. Edit the Display Name or Description. A red asterisk (*) denotes fields that are mandatory.
4. Click Save.

Delete One or More Tenants

1. Select Configuration > Tenants.
2. From the Tenants list, select one or more tenants to remove.
3. Click Delete.

4. Select Yes to delete the selected tenants.

You cannot delete the default tenant or any tenant that is currently referenced in Management Center policy. Attempting to delete the default or a referenced tenant results in a "Delete failed" error message.

Create a VPM Tenant Policy Object
A VPM Tenant policy object defines the policy for a VPM Tenant. When creating a VPM Tenant policy object, you select the attribute values that apply to the policy (if attributes have been defined). Then, select the devices or groups to which you deploy the policy; alternatively, you can define these device/group targets later.

To write tenant policy in CPL instead of using the VPM, see Create the Content Policy Language.

1. Select Configuration > Policy and click Add Policy.

   The web console displays the Create New Policy: Basic Information wizard. A red asterisk (*) denotes fields that are mandatory.

2. Enter a name for the policy object.
3. Select VPM Tenant for the Policy Type.

4. (Optional) In the Reference Id field, enter a Reference ID that you can filter on when building policy.

   The Reference ID must begin with a letter, and must contain only letters, numbers and "_".

5. Select the Tenant to which this policy object will be applied.

6. Enter a description in the Description field. Although entering a description is optional, the description helps differentiate versions of the same policy.

7. Enter a description in the Description field. Although entering a description is optional, the description helps differentiate versions of the same policy.
8. Indicate whether to Replace Substitution Variables. See "Use Substitution Variables in Policies and Scripts" on page 176 for more information.
9. Click Next.
10. Enter or select values for the defined attributes.

11. Click Finish.

The new VPM Tenant policy object displays in the Policy Objects editor.

Determine Your Next Step
After you create a tenant policy object, you can either add policy to it immediately or leave it as an empty object while you perform other tasks (for example, associate more devices with it or edit policy details). Refer to the following table to determine the next step to take.

| What do you want to accomplish? | Refer to |
|---|---|
| Add policy. | "Launch Visual Policy Manager" on page 183 |
| Import policy. | "Launch Visual Policy Manager" on page 183 |
| Learn about deploying multi-tenancy policy on ProxySG appliances. | Multi-Tenant Policy Deployment Guide |
| Create and manage tenants from Management Center. | "Manage Tenants" on page 209 |
| View policies deployed to each slot on a device. | "View Deployed Policy for each Device Slot" on page 246 |

Import VPM Tenant Policy from Source Device
A VPM Tenant policy object can be used to define the policy used in a tenant slot. After creating the VPM Tenant (as described in "Create a VPM Tenant Policy Object" on the previous page), you must add policy to it. You can add policy by launching the VPM or by importing existing VPM policy from a source device.

Certain features available in normal VPM policy are not available in VPM Tenant policy. These include the Admin Access and Admin Authentication layers. Any existing Admin Access or Authentication layers will not be present in the imported contents.

To write tenant policy in CPL, see Create the Content Policy Language.

1. Select Configuration > Policy.

2. Select the VPM Tenant object and click Edit.
3. Click Import Policy.

   The system displays the Import Policy: Source Device dialog.

4. Select the source device and click Next.

   The system displays the Import Policy: Select Policy dialog.

5. Click Import.

   The dialog closes and the following message is displayed in the editor:

   The CPL for this VPM policy is out of date and needs to be regenerated before it can be deployed. Please launch the VPM editor and save a new revision to update the CPL.

   This is because only the VPM contents are imported, not the generated CPL.

6. To regenerate the CPL, click Launch VPM Editor.

7. Click Save Policy.
8. Enter a comment for your save and click OK.
9. Click Close.

The CPL now displays in the editor.

Determine Your Next Step
Refer to the following table to determine the next step to take.

| What do you want to accomplish? | Refer to |
|---|---|
| Learn about deploying multi-tenancy policy on ProxySG appliances. | Multi-Tenant Policy Deployment Guide |
| Create and manage tenants from Management Center. | "Manage Tenants" on page 209 |
| View policies deployed to each slot on a device. | "View Deployed Policy for each Device Slot" on page 246 |


Configure Policy
Configuring policy for specific devices or multiple devices at once involves several methods of creating, testing, and updating policy.

| What do you want to accomplish? | What you can do | Refer to this topic |
|---|---|---|
| Write new policy; the behavior that you want is not yet expressed in policy in Management Center. | Create policy, which involves first creating a policy object. | "Create a CPL Policy Object" on page 167 |
| Create a policy using the Visual Policy Manager. | Create a VPM Policy Object. | "Launch Visual Policy Manager" on page 183 |
| Create rules to route traffic to the proper tenant. | Create tenant determination rules. | "Specify Tenant Determination Rules" on page 126 |
| Specify rules to protect your WAF applications. | Create a WAF Application object. | "Configure WAF Application Objects" on page 133 |
| Remove devices from policy or add devices to policy; you want to keep the policy but change the devices that use it. | Associate devices with, or disassociate devices from, a specific policy. | "Add or Remove Devices Associated with Policy" on the facing page |
| Modify existing CPL policy because it does not behave as intended or has to be improved. | Refine the existing policy. | "Refine Existing CPL Policy" on page 171 |
| | Change the order of policy rules so that the device evaluates correctly. | "Change the Order in which Policy Rules are Evaluated" on page 175 |
| Verify information about existing policy. | Check information about an existing policy. | "View Existing Policy Information" on page 243 |

Add or Remove Devices Associated with Policy
If your network is re-organized and policies must be added to or removed from certain devices or device groups, you can modify the associations.

1. Select Configuration > Policy. From the Policy Objects list, select the policy you want to add to devices. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. Select the policy name. Click Edit.
3. Click the Targets tab. To add targets to associate with the selected policy, click Add Targets.
4. (Optional) To remove devices associated with a policy, select the device name and click Remove Targets. You are asked to confirm that you want to remove the associated device(s). Click Yes or No.

5. From the Add Targets wizard, select the Devices tab. Select the check box by the device(s) name. This action immediately populates the Selected list.

   Only those targets that can support the policy selected are shown. This helps you to know which policies can be installed on which targets (devices).

6. (Optional) To associate device groups with the policy, click the Groups tab and select Devices. This action immediately populates the Selected list.
7. To remove the selected devices, click Unselect or Unselect All. Click Next. The Add Targets wizard displays the Add Targets: Configure Deployment dialog.

8. From the Deployment Type drop-down list, select one of the following:

   • Policy Slot - The ProxySG appliance's Local, Central, or Forward policy file.
   • Landlord Slot - Policy rules for tenant determination.
   • Tenant Slot - Policy specifically for tenants.

   If you select Tenant Slot and a tenant is not configured, a "Tenant not configured" warning appears in the Deployment column on the Targets tab.

9. (If you selected Policy Slot) From the Slot drop-down list, select Local, Central or Forward.

10. Click Finish. A web console message displays the following:

Determine Your Next Step

| What do you want to accomplish? | Refer to this topic |
|---|---|
| View associated devices (targets) | "View Devices Associated with Policy" on page 247 |
| Compare policy versions | "Compare Different Versions of the Same Policy" on page 224 |
| Install a policy | "Install Policy" on page 227 |
| Compare the policy version installed on the device, with the most current version saved in Management Center | "Compare the Device Policy Version with Current Policy Version" on page 225 |
| Schedule a policy installation | "Add a Job" on page 324 |
| Install multiple policies to multiple devices | "Install Multiple Policies" on page 231 |

Check Consistency between Policy and Devices
You can check if the policy saved in Management Center is different from the policy installed on devices.

1. To check the consistency of the installed policy with the devices, select Configuration > Policy and select a policy object.
2. Select the option by the policy name. Click Edit, and then click the Targets tab.

3. Select the device that you want to check for consistency against the policy stored in Management Center. Click Check Consistency. Select the base policy version by selecting the The latest policy version or the Version check box.

   If you don't select any devices, or you select a few and click Check Consistency, a consistency check is done on those devices, not just one. No selection of a device is required.

4. Click Check Consistency.

   If you receive a Mismatch error for a device, the policy is inconsistent: either the policy was changed in Management Center and not installed to the device with the error, or the policy on the device was changed outside of Management Center.

5. You can click Compare Policy to determine what has changed.

6. (Optional) For each device listed, verify the following:

   The Management Center license contains all of the features for which you have purchased a subscription. The documentation covers all features, including ones that you may not have purchased.

   • Policy is enabled (if Enabled is selected).
   • Device Name - The name that was entered in Management Center during device registration.
   • Device Count - The number of managed devices is shown in the banner.
   • Device Model - The device hardware model.
   • Installed Version - The version of policy installed on the device. If no version is listed, the device is still associated with policy, but policy has not been installed.
   • OS Type - The operating system on the device.
   • State - The status of the device. See "About Color-Coded Status Indicators" on page 28.

Determine Your Next Step

| What do you want to do next? | Refer to this topic |
|---|---|
| Add or remove associated devices. | "Add or Remove Devices Associated with Policy" on page 220 |
| Compare different versions of the same policy. | "Compare Different Versions of the Same Policy" on the facing page |
| Install a policy or policies. | "Install Policy" on page 227 or "Install Multiple Policies" on page 231 |
| View policy information. | "View Existing Policy Information" on page 243 |

Compare Different Versions of the Same Policy
As a troubleshooting step or as part of performance evaluation, you might want to identify the changes between an earlier version and a later version of policy. Management Center shows the changes made.

1. Select Configuration > Policy. From the Policy Objects list, select the policy name. If needed, search for the policy object; see "Filter by Attributes and Keyword Search" on page 151.
2. With the policy selected, click Edit. Select the Versions tab.
3. Select the versions of policy to compare (press and hold the Ctrl key while selecting the policy versions).

4. Click Compare. The system displays the Compare Policy dialog.

   • CPL example.

   • VPM example.

   Starting in Management Center 1.6, you can diff the source code of VPM policy. To switch between the Generated CPL and XML views, select the appropriate window.

   The two policies are displayed side-by-side; the web console displays the version you selected first (earlier version) on the left and your second selection (later version) on the right.

   • Policy highlighted in red exists in the former version and was removed in the later version.
   • Policy highlighted in yellow indicates that a line exists in both versions of policy, but there are differences in the line.
   • Policy marked in green does not exist in the former version and was added in the later version.
   • Policy highlighted in white means the two copies are identical.
5. (Optional) To restore an earlier version of the policy, see "Restore a Version of Policy" on page 242.
6. Click Close.
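
The four highlight classes above can be reproduced offline for two saved copies of a policy, for example when reviewing what changed after a Mismatch result. The following Python example is added here for illustration and is not Management Center code; the similarity threshold that separates a "changed" line from a removal plus an addition is an assumption, and the two policy texts are constructed samples.

```python
import difflib
from collections import Counter

# Assumption: lines at least this similar are one rule edited in place (yellow);
# anything less similar is reported as a removal (red) and an addition (green).
SIMILAR = 0.8


def _pair_block(old, new):
    """Classify a block that differs on both sides, preserving line order."""
    rows, j = [], 0
    for o in old:
        hit = next((k for k in range(j, len(new))
                    if difflib.SequenceMatcher(None, o, new[k]).ratio() >= SIMILAR),
                   None)
        if hit is None:
            rows.append(("red", o, None))
            continue
        rows += [("green", None, n) for n in new[j:hit]]  # lines added before the match
        rows.append(("yellow", o, new[hit]))
        j = hit + 1
    rows += [("green", None, n) for n in new[j:]]
    return rows


def compare_versions(earlier, later):
    """Return (colour, earlier_line, later_line) rows for two policy texts."""
    a, b = earlier.splitlines(), later.splitlines()
    rows = []
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            rows += [("white", line, line) for line in a[i1:i2]]
        elif tag == "delete":
            rows += [("red", line, None) for line in a[i1:i2]]
        elif tag == "insert":
            rows += [("green", None, line) for line in b[j1:j2]]
        else:  # "replace": decide per line whether it was edited or swapped out
            rows += _pair_block(a[i1:i2], b[j1:j2])
    return rows


def summarise(rows):
    """Count rows per highlight colour."""
    return dict(Counter(colour for colour, _, _ in rows))


# Constructed sample: two revisions of a small CPL-style policy.
EARLIER = "\n".join([
    "<Proxy>",
    "  url.domain=legacy.example deny",
    "  url.domain=blocked.example deny",
    "  url.domain=partner.example allow",
    "  category=Gambling deny",
])
LATER = "\n".join([
    "<Proxy>",
    "  url.domain=blocked.example allow",
    "  url.domain=partner.example allow",
    "  category=Gambling deny",
    "  category=Phishing deny",
])

if __name__ == "__main__":
    for colour, left, right in compare_versions(EARLIER, LATER):
        print(f"{colour:<7}| {left or '':<36}| {right or ''}")
    print(summarise(compare_versions(EARLIER, LATER)))
```

In a review, the yellow rows deserve the closest look: a rule whose action flipped from deny to allow appears as a single edited line rather than as a removal.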

Compare the Device Policy Version with Current Policy Version
You can compare the policy version installed on the device with the current policy version that is stored in Management Center.

Determine Your Next Step

| What do you want to accomplish? | Refer to this topic |
|---|---|
| View all of the details about an existing policy, including policy object information, the policy version, and the associated attributes. | "View Existing Policy Information" on page 243 |
| Compare different versions of the same policy. | "Compare Different Versions of the Same Policy" on page 224 |

Export Policy or Shared Objects to Local Disk
You can export policy objects from the Policy or Shared Objects grid. The policy is exported in JSON format. If you export multiple policy objects, they are collected and exported in a single JSON file.

1. Select Configuration > Policy or Configuration > Shared Objects.
2. Select one or more policy objects.

3. Click Export.

4. Depending on your browser settings, you may be prompted to view or save the file. Click Save if prompted. In other cases, the file is automatically saved to local disk (typically, the Downloads folder).

Install Policy
When you create policy, you do not have to install it to devices immediately; you can save it, continue to edit and test it, and then deploy it to devices when it is complete and working as expected.

You cannot install a CPL Policy fragment. Policy fragments are used to augment policy, not to replace policy. See "Create a CPL Policy Fragment" on page 188.

You can only install the latest version of policy; if you want to install an earlier version, restore that version first. See "Restore a Version of Policy" on page 242.

Policy Installation Methods

Install policy using one of the methods described in the following table.

| Type | Location | Notes |
|---|---|---|
| "Install..." below | Configuration > Policy | Install policy using job wizard. You can select more than one script to install in the same job. |
| "Install to All..." on page 230 | Configuration > Policy > Policy_Name > Edit > Targets | Install policy using job wizard. |
| "Install to Device" on page 230 | Configuration > Policy > Policy_Name > Edit > Targets | One click policy installation. Does not use the job wizard. |

Install...
1. Select Configuration > Policy. Select the policy name.
2. From the targets shown, select the device(s) to install the policy.
3. Click Install.... The New Job wizard displays the New Job: Basic Info dialog. The name of the policy is filled in the required field.

4. (Optional) Add a description. Click Next. The New Job wizard displays the New Job: Operation dialog. Fields marked with a red asterisk (*) are required.

5. From Select Policies to Install, select the Object Selector. To choose the policies to install, click the check box associated with each policy. This action immediately populates the Selected list. Click OK. Choose the Force installation check box. Click Next. The Add Job wizard displays the Add Job: Targets dialog.

6. Click Next. The New Job wizard displays the New Job: Schedule dialog. Choose a schedule to install the policy. Click Finish. The web console displays the following messages:

   Depending on how many targets you are pushing policy to, policy installation can take up to 60 seconds. During this time, the web console displays a Job Progress: Install dialog.

Install to All...
1. Select Configuration > Policy.
2. Select the policy name and click Edit.
3. Click the Targets tab and click Install to All...
4. Follow steps 4 to 6 in "Install..." on page 227.

Install to Device
1. Select Configuration > Policy.
2. Select the policy name and click Edit.
3. Click the Targets tab and click Install to Device.

Install Multiple Policies
When you create policy, you do not have to install it to devices immediately; you can save it, continue to edit and test it, and then deploy it to devices when it is complete and working as expected. You can create multiple policies without having to install the policies right away. This is particularly useful for large deployments of policies to multiple devices or device groups.

You can schedule multiple policies to deploy to device groups, as long as the following are true:

• Each policy does not have unsaved changes. To ensure that the latest policy changes are installed, click Save Changes in the Editor.

• Any devices you want to associate with the policy have been added and activated in Management Center.

It is a best practice to only schedule installation of policies that are the latest version. However, you can force installation of policies by selecting the Force Installation check box. During installation of policies, Management Center ignores the following installation warnings:

• Mismatched on-box policy object

• Mismatched OS versions

By forcing the installation, you are ensuring that large deployments of policies DO NOT fail when encountering devices that may have the above issues.

1. From the Jobs tab select the Scheduled Jobs section. Click Add Job. The Add Job wizard displays the Add Job: Basic Info dialog. Fields marked with a red asterisk (*) are required.

2. Enter a unique Name (*) for this large policy deployment. Enter a Description.

   For example, the unique Name can be Install Policies on All Active ProxySG Appliances, and the Description can be Deploy policies to all activated ProxySG appliances.

3. Click Next. The Add Job wizard displays the Add Job: Operation dialog.
4. From the Operation drop-down, select Install Policy. The policy marked with a red asterisk is a mandatory policy, and is installed regardless of the other policies you select.

5. From Select Policies to Install, select the Object Selector. To choose the policies to install, click the check box associated with each policy. This action immediately populates the Selected list. Click OK. Choose the Force installation check box. Click Next. The Add Job wizard displays the Add Job: Targets dialog.

   Each selected policy will be installed to targeted devices (excluding devices that are not active).

   You cannot choose targets at this point. If you are not sure of the devices targeted by the selected policies, click Back. Management Center has built-in intelligence, so that properly configured policies can only be applied to appropriate targets.

6. Click Next to choose a Schedule. See "Add a Job" on page 324 and "Install Policy" on page 227.

Import Policy or Shared Objects
You can import policy into Management Center. For example, if example policy was included in a knowledge base article, you could import it directly into Management Center. You could also share policies between Management Centers.

You can import policy into Management Center in the following ways:

• "Import Policy from a File (Policy or Shared Objects Grid)" below
• "Import Policy from a File (Object Edit)" on page 235
• "Import Policy from a Device" on page 236

Imported policies without a reference ID are assigned a reference ID with the format auto_generated_id_1. You can change the ID after importing the file.

Import Policy from a File (Policy or Shared Objects Grid)

You can import policy from the following file types:

• Management Center (.json)
• Content Policy Language (.cpl, .bpf, .txt)
• Visual Policy Manager (.xml)

Procedure

1. Select Configuration > Policy or Configuration > Shared Objects.

2. Click Import.

   The system displays the Import Policy wizard.

3. Drag and drop the file into the Select File dotted-line area. Alternatively, browse to the file.

4. Click Next.
5. If the imported file contains multiple policies, you might want to exclude some from import. To do this, clear the Import Policy check box.

   In the preceding example, the Test1 CPL policy has been excluded from import.

6. Choose whether to create a new policy or to update an existing policy.

   The wizard displays only those policy objects that are relevant to the file type. If the policy uuid or reference ID in the import file matches a policy already on the system, Update existing policy is the default (with the matching policy prepopulated in the Policy field under Update Existing Policy). Otherwise, Create new policy is the default.

   • To create a new policy, click Create new policy and enter a meaningful name.

   • To update an existing policy, ensure that Update existing policy is selected. Clear the Import Policy check box for any policies you do not want to change.

   • To update a different policy than the one shown, click the pencil icon, select the policy or policies to replace, and click OK.

7. Click Import. The system displays the results of the import.
8. Click Close to exit the wizard.

Import Policy from a File (Object Edit)

1. Select Configuration > Policy or Configuration > Shared Objects.

2. Select the policy object and click Edit.

3. Click Import Policy and select From File.

4. Drag and drop the file into the Select File dotted-line area. Alternatively, browse to the file.

5. Click Import.

Import Policy from a Device

Importing policy from a device is useful in the following situations:

- You want to use a device's currently installed policy as the starting point for a managed policy.
- A device has a policy configuration that you want to use as a policy template to deploy on other like device(s).

Procedure

1. Select Configuration > Policy or Configuration > Shared Objects.
2. Select a policy object or CPL fragment and click Edit.
3. Click Import Policy and select From Device. The web console displays the Import Policy wizard.
4. From the Source Device drop-down list, select the device from which to import the policy configuration and click Next.

5. Select the policy that you want to import. Depending on whether the policy is a VPM or CPL policy, the deployment type is shown next to the policy:

- VPM - This policy contains policy created by the Visual Policy Manager and is deployed in the V slot.
- Central - This policy contains policy common to your entire organization and is deployed in the C slot.
- Local - This policy contains policy specific to your organizational structures, such as departmental policies or local (geographic-specific) policies and is deployed in the L slot.
- Forward - This policy contains forwarding rules for the policy and is deployed in the "F" slot.
- Landlord - Policy rules for tenant determination.
- Default tenant - Policy rules for all requests where tenancy cannot be determined during the initial connection.
- Tenant - Policy specifically for tenants.

For details on tenant policy, refer to the Multi-Tenant Policy Deployment Guide.

6. Select Import Policy.

The web console prompts you to confirm the overwrite of the existing policy in Management Center.

7. Click Import and Overwrite to accept the import.
8. (Optional) Click Compare to view the differences between an earlier version of a policy and the current version. See "Compare Different Versions of the Same Policy" on page 224.
9. Enter a comment for the commit operations and click Save. The comment that you enter is saved as metadata.

Determine Your Next Step

| What do you want to accomplish? | Refer to this topic |
|---|---|
| Export policy | "Export Policy or Shared Objects to Local Disk" on page 226 |
| View existing policy information | "View Existing Policy Information" on page 243 |
| Restore a version of the policy | "Restore a Version of Policy" on page 242 |
| Deploy the policy, as is, to devices | "Install Policy" on page 227 |

Import External Policy
You can create a job to import a CPL fragment created in an external tool into Management Center. The job can be executed immediately, manually, or on a schedule. This is useful if you want to regularly sync the policy with the version on an external server.

Before you import an external policy, you need to create a policy object in Management Center into which to import the file.

Prerequisites
Before you create the Import External Policy job, you need to perform the following tasks:

1. Create the CPL in an external tool.
2. Create a policy object in Management Center. You will be importing the external file into this policy. See "Create a CPL Policy Object" on page 167.
3. Edit the policy object and go to the Info tab. Record the Unique ID; you must name the external CPL file with this ID.
4. Name the external policy file with the Unique ID of the Management Center policy. Example: 7B6F26F9-94FB-453C-B56F-8AE433ABDBBE.bpf
5. Store the file on a web, FTP, or SCP server.
6. Make note of the URL path to the file; you will need to specify the URL when defining the Import External Policy job.

Procedure
To create a job for importing an external policy:

1. Click the Jobs tab.
2. Select New Job. The web console runs the New Job wizard. A red asterisk (*) denotes fields that are mandatory.
3. Enter a Name (*) and Description.
4. Click Next. From the Operation (*) drop-down list, select Import External Policy.

5. Specify the location of the external policy file:

- Import from URL: The path to the file on the external web, FTP, or SCP server. Example: ftp://company.com/policies/7B6F26F9-94FB-453C-B56F-8AE433ABDBBE.bpf
- Username: If authentication to the server is required, enter the name of a user with permission to access the server.
- Password: Enter the user's password.

6. Click Next. The New Job: Targets dialog displays.
7. For the Target, select the name of the policy object you created as a container for the imported external policy.
8. Click Next. Define a schedule to run the Import External Policy job. See "Job Scheduling Options" on page 328.
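
The prerequisites above tie the import to a file name (the policy's Unique ID) and a URL. The following pre-check is an added example, not Blue Coat code: it validates a candidate Import from URL value against the Unique ID before the job is saved. The function name, the accepted URL schemes for "web, FTP, or SCP" (http, https, ftp, scp), and the exact-match comparison are assumptions; the warnings reflect that HTTP and FTP transfer the policy file without transport protection.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Unique ID form shown in the guide's example (8-4-4-4-12 hex digits).
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# Assumption: "web, FTP, or SCP server" maps to these URL schemes.
ALLOWED_SCHEMES = {"http", "https", "ftp", "scp"}
CLEARTEXT_SCHEMES = {"http", "ftp"}


def check_import_url(url, policy_unique_id):
    """Return (errors, warnings) for an Import External Policy job URL.

    errors   -> the job would import nothing or the wrong file
    warnings -> the job would run, but the setup deserves a second look
    """
    errors, warnings = [], []

    if not UUID_RE.match(policy_unique_id):
        errors.append("policy Unique ID is not in UUID form")

    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        errors.append(f"unsupported scheme: {scheme or '(none)'}")
    if not parts.hostname:
        errors.append("URL has no host")

    # Prerequisite step 4: the file must be named with the policy's Unique ID.
    filename = posixpath.basename(parts.path)
    stem, _extension = posixpath.splitext(filename)
    if stem != policy_unique_id:
        errors.append(f"file name {filename!r} does not match the policy Unique ID")

    # The job wizard has separate Username and Password fields.
    if parts.username or parts.password:
        warnings.append("credentials embedded in URL; use the job's Username and Password fields")

    # A scheduled job re-fetches the file each run, so transport integrity matters.
    if scheme in CLEARTEXT_SCHEMES:
        warnings.append(f"{scheme} is cleartext; the policy file can be read or altered in transit")

    return errors, warnings


if __name__ == "__main__":
    uid = "7B6F26F9-94FB-453C-B56F-8AE433ABDBBE"
    # Constructed sample URLs; only the first comes from the guide.
    samples = [
        f"ftp://company.com/policies/{uid}.bpf",
        "https://policy.example.com/cpl/latest.bpf",
        f"scp://deploy:secret@policy.example.com/cpl/{uid}.bpf",
    ]
    for sample in samples:
        errs, warns = check_import_url(sample, uid)
        print(sample, "errors:", errs, "warnings:", warns)
```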


Manage CPL Policies
When you are first setting up Management Center, you can create new policies or import existing policies from managed devices; however, when you have been managing devices from Management Center for a longer period of time, you might also want to edit policies to change current device configurations.

Management Center gives you great flexibility in both creating and modifying your policies. You can:

- Create and modify the CPL directly in the Policy Editor
- Correct and modify the behavior of existing policy by re-ordering policy sections
- Create versions of policy, and restore previous versions when needed
- Create policy without deploying it to devices immediately

Ensuring that devices are configured and behave as required could involve creating, modifying, and testing policy. For example, you might create policy in your evaluation environment, install it to a small group of devices, observe the devices in a test phase, and then edit the policy as needed based on your observations.

Learn about creating and maintaining policy in Management Center:

1. Create policy and deploy it to devices. You could do some or all of the following:
- "Use Content Policy Language (CPL) to Create Policy" on page 165 in the Policy Editor.
- "Import Policy or Shared Objects" on page 232.
- "Add Attributes" on page 298
- "Install Policy" on page 227 to devices or device groups.
- "Install Multiple Policies" on page 231 to devices or device groups.
- "Compare the Device Policy Version with Current Policy Version" on page 225.
2. To add custom metadata to policies, see "Add Attributes" on page 298.
3. "View Existing Policy Information" on page 243 to see the revisions and policy information.
4. "Compare Different Versions of the Same Policy" on page 224 to find the edited version of a policy that you want to use.

View Policy Versions
Management Center enables you to view CPL or VPM policy versions.

1. Select Configuration > Policy.

2. From the Policy Objects list, select the policy name.

If needed, search for the policy object; see "Filter by Attributes and Keyword Search" on page 151.

3. With the policy selected, click Edit. The system displays the editor.
4. Select the Versions tab.

5. Select the policy version you want to view.

6. Click View. The Preview dialog displays.

CPL example:

VPM example:

7. (Optional) To compare policy versions, see "Compare Different Versions of the Same Policy" on page 224.
8. (Optional) To restore an earlier version of the policy, see "Restore a Version of Policy" on the facing page.
9. Click Close.

Restore a Version of Policy
After time, you might find that the policy pushed to devices needs improvement or must change because of changes in business requirements or practices. In such situations, you can modify policy as needed, or revert to an earlier version of policy that is appropriate. When you have determined which version of policy to restore, you can restore it using the version history.

1. Select Configuration > Policy. From the Policy Objects list, select the policy name. If needed, search for the object; see "Filter by Attributes and Keyword Search" on page 151.
2. Click Edit. Click the Versions tab. Versions of the policy are listed in descending numerical order.
3. From the Version Control page, verify that the version you want to restore is the correct one. Perform one or both of the following as required.
- Check the version metadata. See "View Existing Policy Information" on the next page.
- Compare versions of policy. See "Compare Different Versions of the Same Policy" on page 224
4. After you identify the version to restore, select it and click Restore. The web console displays the Restore dialog.
5. In the Comment field, specify the reason for the restore.
6. Click Restore.
The restored version of the policy is incremented to the latest version in the Policy list, and the comment you entered in step 6 is displayed in the Comments column.
7. To install the restored policy to associated devices, select the policy and click Install Policy. See "Install Policy" on page 227.
View Existing Policy Information
Whenever you create a version of policy, Management Center automatically saves information about it. This information is called metadata.

1. You can view metadata by selecting Configuration > Policy.
2. Select a policy and click Edit.

View Policy Object Information

1. Click the Info tab. The Version Control page displays all versions of the selected policy. A red asterisk (*) denotes fields that are mandatory.
2. Under General Information, the Overview displays the information you entered when creating the policy object:
- Policy name (*): The name of the Policy that you gave it when you created it
- Policy type (*): The Policy type can either be CPL or VPM.
- Description: This is the Description that you entered when you created the policy. If you edit this field, make sure to click Save before leaving the Info tab.
- Replace substitution variables

Variable substitution is powerful and can be applied to policies and scripts. See "Use Substitution Variables in Policies and Scripts" on page 176.

3. Metadata displays under Latest Revision:
View Available Policy Versions

1. Click the Versions tab. The Version Control page displays all versions of the selected policy. When a policy object is created it is assigned the Version number 1.0. Every time that you add attributes or edit it in any way, the version increases by increments of 0.1.
2. Select an earlier version of policy to compare.

3. Press and hold the Ctrl key while selecting the later version of policy to compare.

- Version Number: When a policy object is first created, its version is 1.0. Each subsequent time the object is modified (for example, if the object properties are edited or when policy is added to it), the version number increments by 0.1. For example, when you add policy to an object and save it, the version becomes 1.1.
- Date: The time and date stamp indicates when the policy was last updated.
- Author: The author is the user who saved the current version of the policy.
- Comments: If the author entered comments about the policy, they are displayed here. Metadata displays automatically-generated comments as follows:
  - Policy Object created: When the policy container is initially created and policy has not been added yet.
  - Name changed: When the policy name is edited.
  - Description changed: When the policy description is edited.
  - Name and description changed: When both the name and description are edited.

Of these metadata, the comments are usually the most important in helping you and other users understand the purpose and intent of creating the specific policy version. Blue Coat recommends that you always enter clear, helpful comments when creating policy.

View Associated Policy Attributes

1. Select the Attributes tab. The Attributes page displays all attributes currently assigned to this Policy. The attributes are custom attributes that you created. See "Add Attributes" on page 298 or "Edit Attributes" on page 301.
2. You can edit the Associated attributes. If you do, you need to save your changes. Click Save. Doing this actually increases the version number by an increment of 0.1.

Set the Maximum Number of Policy Versions to Store in Management Center

After you create a policy, you can edit it to make it specific for your specific device types. Each time you edit or import a policy, a revision of the policy is stored. You can specify the number of revisions of policy to store before Management Center begins to prune. You can specify up to 999 revisions.

1. Select Administration > Settings. Click General. General fields display on the right. A red asterisk (*) denotes fields that are mandatory.
2. Select Maximum number of policy revisions to store.
3. Enter a number (limit) from 0 to 999.
4. Do one of the following:
- Click Reset to remove your current changes and revert to the default or last saved settings.
- Click Save to store the settings on the server.
- Click Activate to cause the server to load and apply the currently saved configuration.

View Deployed Policy for each Device Slot
1. From the Network tab, select a device.
2. Click Edit.
3. From the Edit Device wizard, select the Policies tab.

The deployment slots are not editable.

Policies are assigned to slots in the following ways:

- Direct assignment - The policy was installed directly to the slot and not inherited from the device group to which the device belongs.
- Inherited from [Device Group Name] - The policy was inherited from the device group to which the device belongs.

Notes:

- Local, Central, and Forward are CPL policy slots.
- VPM Tenant and Landlord can be either CPL or VPM.
- Policy deployed to the Landlord slot overrides any previous policy deployed to the Landlord slot.

View Devices Associated with Policy
You can view the devices that are associated with a policy.

1. Select Configuration > Policy. From the Policy Objects list, select the policy you want to view. If needed, filter on attributes. See "Filter by Attributes and Keyword Search" on page 151.

2. Click Edit. Select the Targets tab.

Only those devices that can support the policy selected are displayed. This helps to know which policies can be installed on which devices.

3. For each device listed, verify the following:
- Enabled: If selected, the policy that is installed on the device is enabled.
- Name: The name that was entered in Management Center during device registration.
- Device Count: The number of devices available.
- Device Model: The device hardware model.
- Installed Version: The version of policy installed on the device. If no version is listed, the device is still associated with policy, but policy has not been installed.
- OS Type: The operating system on the device.
- State: Displays historical association data for devices (whether deleted or not).

Use Specific Attribute Values to Control Access to Policy
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. These attributes can be used to control access to policy, as described below.

Procedure
1. Create the Policy attribute.
2. Associate the attribute with a policy object.
a. Select Configuration > Policy.

b. Select the policy name and click Edit.

The system displays the policy editor.

c. Select the Attributes tab.
d. Select the attribute and click Save.

3. Add the permission rule to a new or existing role.

a. Select Administration > Roles.
b. Select an existing role and click Edit or click Add Role.
c. If this is a new role, provide a name and description, and click Next.

d. Blue Coat recommends that you enter a list of the permissions for the defined role in the Description field. This helps you and other users understand the permissions of a user's role including the intent of their job function.

e. In the Add Role: Permissions dialog, click Add Permission.
f. In the Object drop-down list, specify Policy.

g. In the Action drop-down list, select All operations or a specific operation.

h. In the Filter drop-down list, select Attribute has specific value.

i. Select the attribute and assign a value to it if necessary.
j. Click Save, then Finish.

Permissions Reference
When defining users, groups, and roles and granting permissions, refer to the following for important information.

"Reference: Permissions Interdependencies" on the facing page

"Reference: Permissions Filters Object and Attributes" on page 259

"Reference: Understanding Job Permissions" on page 261

Reference: Permissions Interdependencies
When adding permissions to roles, remember that users can access an object as long as they have a role with the required permission. For example, if a user is added to a role which allows access to only one device group and a role that has View permissions for all devices, the user can see all devices in all groups.

Refer to the following permission objects to determine specific dependencies.

The View permission is implied in all higher permission levels except for Add. To reduce the number of permissions in a role, you can remove the View permission if a higher-level permission for the same object exists in the role. For example, if a role already has the Policy - Update permission for importing policy, you do not have to add the Policy - View permission for adding policy jobs.

All objects

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | Perform all functions in all areas of the web console. | None |
| View | View all areas of the web console. | None |

Attribute Definition

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | Add, delete, and edit attributes. | None |
| Add | Add attributes. | Attribute Definition - View |
| Delete | Delete attributes. | None |
| Update | Edit attributes. | None |
| View | View attributes. | None |

Audit

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | Perform all audit log functions. | None |
| View | Read-only access to audit log records. | None |

Backup Image

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | Import, export, delete, and restore image backups. | Management Center - View; Management Center - Update |
| Delete | Delete backups. | |
| Export | Export backups. | |
| Import | Import backups. | |
| Update | Restore backups. | Management Center - View; Management Center - Update |
| View | View information about existing backups. | |
| View Contents | View the backup contents. | |

Device

When using filters with a specified value, make sure that the value exactly matches the value in the device properties. See "Set User-Defined Device Attributes for Access Control" on page 302 and "Reference: Permissions Filters Object and Attributes" on page 259.

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful | Grant these permissions for more functions |
|---|---|---|---|
| All operations | All device functions. | Hierarchy - View | To see the effective policy for a device: Policy - View. To change membership in device properties: Device Group - Change Membership. To see groups to which the device belongs (not needed if assigning Change Membership): Device Group - View |
| Add | Add devices. | Hierarchy - View; Device Group - Change Membership; Device - View | To add devices by importing from a file: Device - Add; Device - Update |
| Backup | Back up devices. | Hierarchy - View; Device Group - View; Backup Image - Update | |
| Delete | Delete devices. | Hierarchy - View | |
| Manage | Activate and deactivate devices. | Device Group - View | |
| Restore | Restore configuration backups to devices. | Hierarchy - View; Device Group - View; Backup Image - Update | |
| Update | Edit device basic information, connection parameters, and attributes. | Hierarchy - View | To change membership in device properties: Device Group - View; Device Group - Change Membership. To add devices by importing from a file: Device - Add; Device - Update |
| View | View device information. | Hierarchy - View; Device Group - View | |

Device Group

When using filters with a specified value, make sure that the value exactly matches the value in the device group properties. See "Set User-Defined Device Attributes for Access Control" on page 302 and "Reference: Permissions Filters Object and Attributes" on page 259.

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful | Grant these permissions for more functions |
|---|---|---|---|
| All operations | Perform all device group functions. | Hierarchy - View | To see the devices in groups: Device - View |
| Add | Add device groups. | Hierarchy - View; Device Group - Change Membership | To associate devices while adding a group: Device - View. To add device groups or hierarchies by importing from a file: Device Group - Add; Device Group - Update |
| Change Membership | Change associated groups in device properties. | Hierarchy - View; Device - Update | |
| Delete | Delete device groups. | Hierarchy - View; Device - View | |
| Update | Edit device groups' basic information and attributes. | Hierarchy - View | To add device groups or hierarchies by importing from a file: Device Group - Add; Device Group - Update |
| View | Read-only access to device groups. | Hierarchy - View | |

Device Script

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | All functions related to script. | None |
| Add | Add script objects. | Device - View |
| Delete | Delete script objects. | None |
| Edit Metadata | Edit script object attributes and information. | None |
| Update | Edit and execute script content. | Device - View; Device - Manage |
| View | View script. Note: "Compare Versions of the Script" on page 148 is available at this level. | None |

Hierarchy

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful | Grant these permissions for ancillary functions |
|---|---|---|---|
| All operations | Add, delete, and edit hierarchies. | Device Group - All operations | |
| Add | Add hierarchies. | Hierarchy - View; Device Group - All operations | To add device groups or hierarchies by importing from a file: Device Group - Add; Device Group - Update |
| Delete | Delete hierarchies (except for the predefined hierarchies). | Device Group - Delete | |
| Update | Edit hierarchies. | Device Group - Update | To add device groups or hierarchies by importing from a file: Device Group - Add; Device Group - Update |
| View | View hierarchies. | Device Group - View | To see devices: Device - View |

Management Center

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | Perform all Management Center functions. | None |
| Backup | Perform Management Center backup and restore. | None |

Policy

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful | Grant these permissions for more functions |
|---|---|---|---|
| All operations | All functions related to policy. | None | |
| Add | Add policy objects. | Policy - View | To assign targets while adding a policy object: Policy - Assign Target; Device - View |
| Assign Targets | Add and remove target devices. | Device - View | |
| CPL - Add Section | Add policy sections to existing policy objects. | None | To add policy sections while adding a new policy object: Policy - Add |
| CPL - Delete Section | Delete policy sections. | None | |
| CPL - Edit Default | Edit the default sub-section in policy sections. | | |
| CPL - Edit Mandatory | Edit the mandatory sub-section in policy sections. | | |
| CPL - Edit Override* | Edit the override sub-section in policy sections. | | |
| CPL - Move Section | Move policy sections within policy objects. | None | |
| CPL - Update Section | Edit the name and purpose of sections. | None | |
| Delete | Delete policy objects. | None | |
| Edit Contents | Restore previous versions of policy and edit policy. | None | To select a reference device: Device - View |
| Edit Metadata | Edit policy object attributes and information. | None | |
| Import | Import policy from devices. | Device - View; Policy - Update. Note: Because Management Center imports policy as one section, it might be useful to grant some policy section permissions in some cases (for example, to allow users to break down the imported policy into sections and sub-sections). | |
| Publish | Install policy on target devices. | None | To add/remove target devices to policy before installing: Device - View; Device - Manage; Policy - Assign Targets |
| View | View policy. Note: Edit > Check Consistency is available at this level. | None | |

* CPL - Edit Override - Consider granting this permission to senior roles only. Granting this permission allows users to edit the Override sub-section in all policy sections, which could have unintended results.

Report

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful | Grant these permissions for more functions |
|---|---|---|---|
| All operations | Perform all Appliance Monitoring reports and functions. | None | To filter reports and report widgets by device or device group: Device Group - View; Device - View |
| View | Read-only access to reports. | | |

Role

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | All role functions. | None |
| Add | Users can add roles. | Role - View |
| Delete | Users can delete roles. | None |
| Update | Users can update roles. | None |
| View | Read-only access to roles. | None |

Scheduled Job

Job permissions are distinct from the operational permissions. If you have unexpected results or 'access denied' errors when running jobs, see "Reference: Understanding Job Permissions" on page 261.

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful | Grant these permissions for more functions |
|---|---|---|---|
| All operations | Add, edit, delete, enable, disable, and run jobs; view job progress, current jobs, and job history. | None | |
| Add | Add jobs. Caution: Scheduled Job - Add is an elevated permission. See "Reference: Understanding Job Permissions" on page 261. | Scheduled Job - View; Device - View; (For policy jobs) Policy - View | |
| Cancel Running Job | Cancel all active, running jobs. | Scheduled Job - View; Device - View; (For policy jobs) Policy - View | |
| Delete | Delete jobs. | None | |
| Run Manually | Run jobs manually using the Run Now option. | None | |
| Update | Edit jobs' information and schedule; enable/disable jobs. Caution: Scheduled Job - Update is an elevated permission. See "Reference: Understanding Job Permissions" on page 261. | None | To view devices and add/remove targets: Device - View. To add/remove policies from a job: Policy - View |
| View | View all scheduled and current jobs and job history. Note: All users can see the Jobs tab in the web console, even if they do not have a Scheduled Job - View permission. | None | |

Session

Session permissions are specifically to control access to user sessions.

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | View, kill, disable logins. | None |
| View | View active sessions. | None |
| Kill Session | Kill an active session. | None |
| Disable Logins | Enable or Disable logins to Management Center. | None |

Settings

| Permission action | Allows access to these areas/functions | Requires these permissions to be useful |
|---|---|---|
| All operations | Perform all settings functions in Administration Settings. (Hardware Diagnostics is always read-only.) | None |
| Update | Edit Management Center Settings. | None |
| View | View Management Center Settings, and Hardware Diagnostics. | None |

User

| Permission action | Allows access to these areas/functions | Requires permissions to be useful | Grant these permissions for more functions |
|---|---|---|---|
| All operations | Perform all user functions. | None | |
| Add | Add users and specify basic information. | User - View | To assign roles while adding a user: Role - View |
| Delete | Delete users. | None | |
| Update | Update users' basic information and change/expire user passwords. | None | To add or remove roles from a user: Role - View |
| View | View users. | None | |

User Group

| Permission action | Allows access to these areas/functions | Requires permissions to be useful | Grant these permissions for more functions |
|---|---|---|---|
| All operations | Perform all user group functions. | None | |
| Add | Add user groups. | User Group - View | To add or remove group roles while adding a user group: Role - View. To add or remove group roles while adding a user group: User - View |
| Delete | Delete user groups. | None | |
| Update | Update user groups' basic information. | None | To add/remove users from groups: User - View |
| View | View user groups. | None | |

Reference: Permissions Filters Object and Attributes
Although you are not restricted to the user-defined system attributes of Location and Rack, the following helps to determine which filters to use for the Device and Device Group permissions.

Set Filters for Device Object

Specify Rack and Location attributes. See "Set User-Defined Device Attributes for Access Control" on page 302 for information.

| Select the Attributes type | Specify the Attributes | What a user can access |
|---|---|---|
| Attribute has specific value | Attribute: Select Rack. Value: Specify the rack. Click Save. The Filter field displays "Rack is '<value>'". | Devices specified with this rack in device properties under Attributes > User-Defined. |
| Attribute has specific value | Attribute: Select Location. Value: Specify the location. Click Save. The Filter field displays "Location is '<value>'". | Devices specified with this location in device properties under Attributes > User-Defined. |
| Attribute has any value | Attribute: Select Rack. Click Save. The Filter field displays "Rack is not empty". | Devices specified with any rack specified in device properties under Attributes > User-Defined. |
| Attribute has any value | Attribute: Select Location. Click Save. The Filter field displays "Location is not empty". | Devices specified with any location in device properties under Attributes > User-Defined. |
| Specific Device | Device: Select a device from the drop-down list. Click Save. The Filter field displays "Specified Device". | This selected device. |
| Members of specific group | Hierarchy: Select a hierarchy. Your selection determines the values for device group. Device Group: Select the device group. Click Save. The Filter field displays "Members of specified group". | All devices in the specified group or its sub-groups. |

Set Filters for Device Group Object

Specify Primary Contact and Location attributes. See "Set User-Defined Device Attributes for Access Control" on page 302 for information.

| Select the Filter type | Specify the Attributes | What a user can access |
|---|---|---|
| Attribute has specific value | Attribute: Select Primary Contact. Value: Specify the contact. Click Save. The Filter field displays "Primary is '<value>'". | Groups specified with this primary contact in group properties under Attributes > User-Defined. |
| Attribute has specific value | Attribute: Select Location. Value: Specify the location. Click Save. The Filter field displays "Location is '<value>'" | Groups specified with this location in group properties under Attributes > User-Defined. |
| Attribute has any value | Attribute: Select Primary Contact. Click Save. The Filter field displays "Primary Contact is not empty". | Groups specified with any primary contact in group properties under Attributes > User-Defined. |
| Attribute has any value | Attribute: Select Location. Click Save. The Filter field displays "Location is not empty". | Groups specified with any location in group properties under Attributes > User-Defined. |
| Specific Device Group | Hierarchy: Select a hierarchy. Your selection determines the values for device group. Device Group: Select the device group. Click Save. The Filter field displays "Specified Device Group". | The specified device group. |
| Members of specific group | Hierarchy: Select a hierarchy. Your selection determines the values for device group. Device Group: Select the device group. Click Save. The Filter field displays "Members of specified group". | The sub-groups of the specified group (but not the group itself). |

Set Filters for Policy Object

Filter permissions for specific policies. See "Edit Attributes" on page 301.

| Select the Filter type | Specify the Attributes | What a user can access |
|---|---|---|
| Specific Policy | Policy: Select a policy. All policy objects that exist in Management Center are displayed here. Click Save. The Filter field displays Policy Attributes. | The specified policy. |
| Attribute has specific value | Select an attribute. You must create an attribute and associate it with policy before using this option. Click Save. The Filter field displays Policy Attributes. | The policy matching the attribute details. |

For more information about user-defined attributes, see "Manage Attributes" on page 297.

Reference: Understanding Job Permissions
A job is distinct from the operation (such as backing up devices and installing policy) that the job executes. When a user creates a job, he/she defines its operation, targets, and schedule. If a user has permissions to add or update jobs, he or she can configure and save any job.

Users can run jobs in Management Center in the following ways.

User runs a job immediately after configuring it or manually using Run Now

- The job executes as the user.
- The Audit Log displays the event as a Job Execution and lists the username as the Operating User.
- The job information shows that it was started by the user.

As long as the user has the job permissions, running a job immediately or manually always results in a completed job. In the previous scenario, if the user has permissions to perform the operation, the job completes without errors; if the user has insufficient permissions to perform the operation, the job completes with errors.

User configures a job scheduled in the future

- The job executes as the system.
- The Audit Log displays the event as a Job Execution and lists SYSTEM as the Operating User.
- The job information shows that it was started by the system.

Because the job executes as the system, which can perform all operations, users with permissions to schedule jobs can create jobs for an operation that they do not have permission to perform. Allowing more users than necessary to schedule jobs is thus a potential security risk.

Consider granting the Scheduled Job - Run Now permission to most users who require the ability to run jobs. Reserve the Scheduled Job - Add and Scheduled Job - Update permissions for the most senior users.
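
The following is an added example, not code from this guide or from Management Center. It reviews role assignments for users who can schedule jobs for operations they could not perform themselves, and flags audit records where such a job ran as SYSTEM. The role, user, group, job and operation-permission names, the record layout and the created_by field are constructed assumptions; roles are combined from direct and group assignments.

```python
# Added example. Only the three "Scheduled Job" permissions are named in the
# guide; every other name and the record layouts are constructed sample data.
SCHEDULING_PERMS = {"Scheduled Job - Add", "Scheduled Job - Update"}
RUN_NOW = "Scheduled Job - Run Now"

# Assumed mapping: job operation -> permission needed to perform it directly.
OPERATION_PERMS = {
    "backup-devices": "Device - Backup",
    "install-policy": "Policy - Install",
}

ROLES = {
    "Administrator": SCHEDULING_PERMS | {RUN_NOW, "Device - Backup", "Policy - Install"},
    "backup-operator": {RUN_NOW, "Device - Backup"},
    "job-scheduler": SCHEDULING_PERMS | {RUN_NOW},
    "viewOnly": set(),
}
USER_ROLES = {
    "alice": ["Administrator"],
    "bob": ["backup-operator"],
    "carol": ["viewOnly"],
    "dave": ["backup-operator"],
}
# group name -> (members, roles assigned to the group)
GROUPS = {"noc": ({"carol", "dave"}, ["job-scheduler"])}

# Constructed job definitions and audit records.
JOBS = {
    "nightly-backup": {"operation": "backup-devices", "created_by": "dave"},
    "push-policy": {"operation": "install-policy", "created_by": "dave"},
    "weekly-backup": {"operation": "backup-devices", "created_by": "carol"},
}
AUDIT_LOG = [
    {"event": "Job Execution", "operating_user": "bob", "job": "nightly-backup"},
    {"event": "Job Execution", "operating_user": "SYSTEM", "job": "nightly-backup"},
    {"event": "Job Execution", "operating_user": "SYSTEM", "job": "push-policy"},
    {"event": "Login", "operating_user": "carol", "job": None},
    {"event": "Job Execution", "operating_user": "SYSTEM", "job": "weekly-backup"},
]


def effective_permissions(user):
    """Union of permissions from the user's own roles and their groups' roles."""
    roles = set(USER_ROLES.get(user, ()))
    for members, group_roles in GROUPS.values():
        if user in members:
            roles.update(group_roles)
    perms = set()
    for role in roles:
        perms |= ROLES[role]
    return perms


def schedulable_beyond_own_rights(user):
    """Operations the user cannot perform directly but can schedule to run as SYSTEM."""
    perms = effective_permissions(user)
    if not perms & SCHEDULING_PERMS:
        return []  # Run Now alone executes as the user, so no gap arises
    return sorted(op for op, needed in OPERATION_PERMS.items() if needed not in perms)


def audit_schedulers():
    """Map each user with a scheduling gap to the operations involved."""
    findings = {}
    for user in sorted(USER_ROLES):
        gaps = schedulable_beyond_own_rights(user)
        if gaps:
            findings[user] = gaps
    return findings


def system_runs_beyond_creator_rights():
    """Job executions by SYSTEM whose creator lacks the operation's permission."""
    hits = []
    for record in AUDIT_LOG:
        if record["event"] != "Job Execution" or record["operating_user"] != "SYSTEM":
            continue
        job = JOBS[record["job"]]
        needed = OPERATION_PERMS[job["operation"]]
        if needed not in effective_permissions(job["created_by"]):
            hits.append((record["job"], job["created_by"], job["operation"]))
    return hits


if __name__ == "__main__":
    for user, operations in audit_schedulers().items():
        print(f"{user}: can schedule without holding the permission: {operations}")
    for job, creator, operation in system_runs_beyond_creator_rights():
        print(f"SYSTEM ran {job} ({operation}); creator {creator} lacks the permission")
```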

Configure Users, Roles, and Attributes
As the Management Center administrator, you can specify the following global settings after you set up Management Center for the first time or when needed.

"Manage Management Center Users" on the next page

"Define Roles" on page 288

"Filter Devices or Device Groups in a Permission" on page 294

"Manage Attributes" on page 297

"Preview or Download Logs" on page 305

"Customize the Audit Log" on page 423

Manage Management Center Users
The Users tab allows you to manage access to Management Center. Before adding users, make sure you have defined roles.

See the following topics for details:

- "Add Local Users" on the next page
- "Edit a Local or Imported User" on page 277
- "Manually Reset a User's Web Console Password" on page 282

Add Local Users
Use these settings to provide Management Center access to local users.

Security Considerations

The following items are supported today:

- Management Center logs all access attempts to the audit log and syslog.
- Administrators can manually expire a user's password and force them to enter a new one.
- Starting with 1.7, Management Center tracks the last access attempt in the user record and displays the record when viewing the user's details (Administration > Users).
- Starting with 1.7, Management Center tracks the number of login failures a user has had in a row.

The following items are not supported:

- Management Center does not enforce password strengths.
- Passwords do not expire automatically.
- Management Center does not automatically disable accounts if the user does not enter their password correctly after n attempts.
- Management Center does not track password history.

If the unsupported features are important to you, use an external authentication service (like LDAP, Active Directory LDAP, or RADIUS) instead.

Add Roles First

You can add local users to Management Center at any time, but it is good practice to set up the role structure before you start adding users. After roles have been added, you can assign users the specific roles that they require to perform their jobs. It is best practice to assign the most restrictive permissions possible so that users do not have more access than they need. To import users from Active Directory, LDAP or RADIUS, see Add Users from an Existing Directory Service.

When you select an existing user record, user details open in the right pane. In the title bar, under the username, the local user account indicates a user that you manually added and the imported user account indicates a user that you imported using an existing directory service.

To understand more about how permissions and filters work with users and roles in Management Center, see "Reference: Permissions Filters Object and Attributes" on page 259 and "Reference: Permissions Interdependencies" on page 250.

Add Users

Before you start adding users, devise the naming convention for usernames. Once a username is saved, it cannot be changed. This does not apply to imported users; their usernames are set in LDAP, Active Directory, or RADIUS and are thus read-only.

1. Select Administration > Users.

2. Click Add User. The Add User: Basic Info dialog displays. A red asterisk (*) denotes fields that are mandatory.


Field: Description

Username *: Usernames are case-sensitive and cannot be changed.
  Note: Although the username/password combination successfully authenticates if the username has a mixture of cases, Management Center recognizes the users as different users. For example: A user signs in as joe and access is set up using that specific case for username. Then later the user signs in as Joe. The login using Joe will have no access because the account created is for the user joe.
Password *: Example: admin1234
Verify Password *: Example: admin1234
Password expired on: Does not expire
First Name: The actual first name that the person uses.
Last Name: The actual last name that the person uses.
Email: The Email associated with this user and organization. Example: joe@heremail.com
Phone: The Phone number associated with this user and organization (including extension, if any).
Mobile: The personal mobile or cell number associated with this person.
Description: 1024 character description can include anything from what town she resides to average commute time to security certifications in this user's possession.

3. In the Add User: Basic Info screen, enter the user's information.
4. Click Next. From the Add User: Assign Roles dialog, select a role from Available Roles and add it to Assigned Roles. The default roles are Administrator (with administrator rights) and viewOnly (with only viewing rights). You must assign a role or the user will be unable to log in to Management Center. See "Define Roles" on page 288 or "Edit an Existing Role" on page 290.
5. Click Finish. The new user displays in the Users list and has access to Management Center based on their defined role.

Add Users from an Existing Directory or Service
As the Management Center administrator, you can add users from an existing directory or service.

"Authenticate Users Against LDAP or LDAPS" on the next page

"Authenticate Users Against Active Directory LDAP" on page 270

"Authenticate Users Against RADIUS" on page 272

Authenticate Users Against LDAP or LDAPS
These options configure LDAP or LDAPS (LDAP over SSL) authentication in Management Center.

A secondary failover LDAP server can be configured in case the primary LDAP server cannot authenticate. If the secondary LDAP server cannot authenticate, authentication can only occur through Active Directory LDAP or RADIUS (if configured).

Prerequisites

If you are configuring LDAPS and the LDAP server SSL key uses a self-signed certificate or a certificate signed by a non-trusted root certificate authority, you must import that certificate into Management Center. To import the certificate, use the security ssl import external-certificate command.

Configure General Settings

1. Select Administration > Settings.
2. Click LDAP on the left. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Specify general LDAP settings as described in the following table.

Columns: Setting / Description / Input Value/Format

User must have permission
  Description: A user must have a role with permissions or be a member of a group with a role that has permissions in order to log in.
  Input Value/Format: false|true

Role attribute
  Description: Specify the roles to assign to imported users. Use the same name that exists in LDAP, ensuring that the spelling and case are identical.
  Input Value/Format: businessCategory

Display name attribute
  Description: Specify the format of user names.
  Input Value/Format: displayName

Configure Primary Server Settings

1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Enter the Primary Server Settings described in the following table.

Columns: Setting / Description / Input Value/Format

Is the authenticator enabled*
  Description: Enable LDAP authentication.
  Input Value/Format: false|true

LDAP URL*
  Description: The URL used to connect to the LDAP directory server.
  Input Value/Format: Specify the LDAP host, port, and root.
    Example: ldap://localhost:10389/dc=example,dc=com
    LDAPS example: ldaps://ldapserver1:3269/dc=example,dc=com

Login user
  Description: If required, enter the username used for browsing.
  Input Value/Format: Specify the username.

Login password
  Description: If required, enter the password used for browsing.
  Input Value/Format: Specify the password.

Configure Secondary Server Settings

You can also configure a Secondary LDAP Server to take over in case the Primary Server fails. The settings under Secondary Server are specific to the Secondary LDAP Server only. The settings under Secondary RADIUS Server are specific to the secondary server only.

1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Enter the Secondary Server Settings described in the following table.

Columns: Setting / Description / Input Value/Format

Is the authenticator enabled*
  Description: Enable LDAP authentication.
  Input Value/Format: false|true

LDAP URL*
  Description: The URL used to connect to the LDAP directory server.
  Input Value/Format: Specify the LDAP host, port, and root.
    Example: ldap://localhost:10389/dc=example,dc=com

Login user
  Description: If required, enter the username used for browsing.
  Input Value/Format: Specify the username.

Login password
  Description: If required, enter the password used for browsing.
  Input Value/Format: Specify the password.

Configure Search Settings

1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Configure the LDAP Search Settings described in the following table.

Columns: Setting / Description / Input Value/Format

Ignore partial results on search
  Description: When set to true, ignores any partial results from LDAP searches. The default is false. When using this authenticator to connect to Active Directory, set this option to true.
  Input Value/Format: false|true

Base DN for user search*
  Description: Specify where in the LDAP directory tree to initiate the username search.
  Input Value/Format: Example: ou=users, o=organization

User search*
  Description: Specify the user search filter.
  Input Value/Format: Example: (uid={0})

Base DN for group search*
  Description: Specify where in the LDAP directory tree to initiate the username search.
  Input Value/Format: Example: ou=groups

Attribute to read group name*
  Description: Specify the group name attribute. Use the same name that exists in LDAP, ensuring that the spelling and case are identical.
  Input Value/Format: Example: cn

Search sub-tree*
  Description: Specify whether to search sub-tree.
  Input Value/Format: false|true
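
The following is an added example, not code from this guide or from Management Center. It pre-checks a set of the LDAP values described above before they are entered: it parses the LDAP URL, reports when ldap:// is used instead of ldaps://, checks the mandatory (*) search settings, and shows how a username can be substituted into a (uid={0}) filter with RFC 4515 escaping. The finding codes, the directory_is_ad flag and the sample dictionaries are assumptions; how the product itself expands {0} is not stated in the guide.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Settings the guide marks with a red asterisk (mandatory).
REQUIRED = ["LDAP URL", "Base DN for user search", "User search",
            "Base DN for group search", "Attribute to read group name",
            "Search sub-tree"]


def escape_filter_value(value):
    """Escape a value so it cannot change the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_user_filter(template, username):
    """Substitute the escaped username for the {0} placeholder."""
    if "{0}" not in template:
        raise ValueError("user search filter has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(username))


def parse_ldap_url(url):
    """Split an LDAP URL into scheme, host, port and root (base DN)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected ldap://host[:port]/root or ldaps://...")
    return {"scheme": scheme, "host": parts.hostname,
            "port": parts.port or DEFAULT_PORTS[scheme],
            "base_dn": parts.path.lstrip("/")}


def _balanced(expr):
    depth = 0
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0


def check_settings(settings, directory_is_ad=False):
    """Return a list of finding codes (assumed names) for one server's settings."""
    findings = []
    try:
        url = parse_ldap_url(settings.get("LDAP URL", ""))
        if url["scheme"] == "ldap":
            findings.append("no-ldaps")          # not LDAP over SSL
        if not url["base_dn"]:
            findings.append("url-missing-root")  # guide asks for host, port and root
    except ValueError:
        findings.append("bad-url")
    user_search = settings.get("User search", "")
    if "{0}" not in user_search:
        findings.append("filter-missing-placeholder")
    if not _balanced(user_search):
        findings.append("filter-unbalanced")
    for key in REQUIRED:
        if settings.get(key) in ("", None):
            findings.append("missing:" + key)
    # The guide says to set this option to true when connecting to Active Directory.
    if directory_is_ad and settings.get("Ignore partial results on search") is not True:
        findings.append("ad-partial-results")
    return findings


# Constructed sample settings built from the example values in the tables above.
AS_DOCUMENTED = {
    "LDAP URL": "ldap://localhost:10389/dc=example,dc=com",
    "User search": "(uid={0})",
    "Base DN for user search": "ou=users, o=organization",
    "Base DN for group search": "ou=groups",
    "Attribute to read group name": "cn",
    "Ignore partial results on search": False,
    "Search sub-tree": True,
}
HARDENED = dict(AS_DOCUMENTED, **{"LDAP URL": "ldaps://ldapserver1:3269/dc=example,dc=com"})
BROKEN = dict(HARDENED, **{"LDAP URL": "ldaps://ldapserver1:3269",
                           "User search": "(uid={0}",
                           "Base DN for group search": ""})

if __name__ == "__main__":
    for name, cfg in [("as documented", AS_DOCUMENTED), ("ldaps", HARDENED), ("broken", BROKEN)]:
        print(name, check_settings(cfg))
    print(render_user_filter("(uid={0})", "j*(smith)"))
```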

Finalize Your Changes

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

After setting your configuration options, you must do one of the following:

1. Reset or commit your changes.
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server. If you are unable to save your changes, make sure that all required settings are specified.
   - Click Activate to cause the server to load and apply the currently saved configuration.
2. Instruct users to log in to the web console with their existing username and password. After a user logs in, you can manage their account in Management Center.

Supported LDAP Servers

Server Types: Configuration Interface
Apache DS: Apache Directory Studio user interface
Novell eDirectory: Novell ConsoleOne user interface

Add LDAP Users

After LDAP is configured, have users log in with their LDAP credentials. The first time the user logs in, Management Center adds them to the system. You cannot -external users at this time.


Authenticate Users Against Active Directory LDAP
Set up Active Directory LDAP authentication in Management Center. A secondary failover Active Directory LDAP server can be configured in case the primary Active Directory LDAP server cannot authenticate. If the secondary Active Directory LDAP server cannot authenticate, authentication can only occur through LDAP or RADIUS (if configured).

Prerequisites for enabling Sync the role membership and Sync the group membership:

- To sync role membership, you must define the role in Management Center before users assigned to the role in Active Directory authenticate.
- To sync group membership, you must define the group in both Management Center and Active Directory. The group names must match in order to map correctly.

After you define the roles and groups, and when a user authenticates in Management Center, the appropriate roles and/or group memberships are set up in Management Center.

Specify General Active Directory LDAP settings.

1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Enter the General Active Directory LDAP Settings described in the following table.

Columns: Setting / Description / Input Value/Format

Sync the role membership
  Description: Specify whether to assign users to roles that match the Role Attribute setting. No roles are synchronized if the Role Attribute is not set.
  Input Value/Format: false|true

Sync the group membership
  Description: Specify whether to assign users to a user group that matches a group in Active Directory. The spelling and case must be identical to match.
  Input Value/Format: false|true

User must have permission
  Description: A user must have a role with permissions or be a member of a group with a role that has permissions in order to log in.
  Input Value/Format: false|true

Role attribute
  Description: Specify the roles to assign to imported users. Use the same name that exists in Active Directory, ensuring that the spelling and case are identical.
  Input Value/Format: Specify the department to which the role is assigned.

Display name attribute
  Description: Specify the format of user names.
  Input Value/Format: displayName

Specify Primary Server Settings

1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Enter the Primary Server Settings described in the following table.

Columns: Setting / Description / Input Value/Format

Is the authenticator enabled*
  Description: Enable AD authentication.
  Input Value/Format: false|true

LDAP URL*
  Description: The host URL for LDAP authentication.
  Input Value/Format: Example: ldap://localhost:389

Specify Secondary Server Settings

You can also configure a Secondary Active Directory Server to take over in case the Primary Server fails. The settings under Secondary Server are specific to the Secondary Server only. The settings under Secondary RADIUS Server are specific to the secondary server only.

1. Select Administration > Settings.
2. Select Active Directory LDAP. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Enter the Secondary Server Settings described in the following table.

Columns: Setting / Description / Input Value/Format

Is the authenticator enabled*
  Description: Enable AD authentication.
  Input Value/Format: false|true

LDAP URL*
  Description: The host URL for LDAP authentication.
  Input Value/Format: Example: ldap://localhost:389

Finalize Your Changes

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

After setting your configuration options, you must do one of the following:

1. Reset or commit your changes.
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server. If you are unable to save your changes, make sure that all required settings are specified.
   - Click Activate to cause the server to load and apply the currently saved configuration.
2. Instruct users to log in to the web console with their existing username and password. After a user logs in, you can manage their account in Management Center.


Authenticate Users Against RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service. Authentication using a RADIUS server acts much like authenticating against LDAP and runs in the application layer.

Prerequisites

Prerequisites for enabling Sync the role membership and Sync the group membership:

- To sync role membership, you must define the role in Management Center before users assigned to the role authenticate.
- To sync group membership, you must define the group in both Management Center. The group names must match in order to map correctly.
- Install Blue Coat's latest dictionary of VSAs for Blue Coat on the RADIUS server. The latest version of the dictionary file is available with the Management Center image on BTO.
- Define the Blue Coat attributes, as in the following example:
  - Blue-Coat-Group="mc_group_1"
  - Blue-Coat-Role="mc_role_1"

  where mc_group_1 and mc_role_1 are the names you specify for the group and role, respectively, in Management Center.

After you define the VSAs, and when a user authenticates in Management Center, the appropriate roles and/or group memberships are applied to the permission set in Management Center.

Set up RADIUS authentication in Management Center.

1. Select Administration > Settings.
2. Select RADIUS. The web console displays fields on the right. A red asterisk (*) denotes fields that are mandatory.
3. Configure general RADIUS settings.

Columns: RADIUS Settings / Description / Input Value/Format

Is the authenticator enabled*
  Description: Enable RADIUS authentication.
  Input Value/Format: false|true

Sync the role membership
  Description: Specify whether to assign users to roles that match the Blue-Coat-Role VSA.
  Input Value/Format: false|true

Sync the group membership
  Description: Specify whether to assign users to roles that match the Blue-Coat-Group VSA.
  Input Value/Format: false|true

User must have permission
  Description: A user must have a role with permissions or be a member of a group with a role that has permissions in order to log in.
  Input Value/Format: false|true

Configure Secondary RADIUS Server

Supported RADIUS Servers

Columns: Server Types / Configuration Interface / Example User Credentials and Attributes

Steelbelted
  Note: You must create a RADIUS client for every device that accesses the RADIUS server.
  Configuration Interface: Windows XP VM. Note: Restart Windows services after making any modifications.
  Example User Credentials and Attributes:
    user1/1resu
    mcuser1/1resu (FirstName=MC1, LastName=User1)
    mcuser2/2resu (Role=Role_administrator)
    mcuser3/3resu (Group=MCAdministrator)
    mcuser4/4resu (No vendor-specific attributes defined)
    Important: The group and role attribute values should match the Blue-Coat-Group and Blue-Coat-Role VSAs, respectively.

Safeword
  Configuration Interface: Windows XP VM
  Example User Credentials and Attributes:
    user1/password shown on token
    user2/2resu (fixed password)

RSA
  Configuration Interface: Web - Use Internet Explorer 11; Linux VM
  Example User Credentials and Attributes: Configure users with a hardware or software token.

Finalize Your Changes

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

After setting your configuration options, you must do one of the following:

1. Reset or commit your changes.
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server. If you are unable to save your changes, make sure that all required settings are specified.
   - Click Activate to cause the server to load and apply the currently saved configuration.
2. Instruct users to log in to the web console with their existing username and password. After a user logs in, you can manage their account in Management Center.

Authenticate Users with SSL Mutual Authentication
In mutual SSL authentication, an SSL connection between a client and a server is established only if the client and server validate each other's identity during the SSL handshake. The server and the client must each have their own valid X.509 certificate and the associated private key in order to perform SSL mutual authentication.

Certificates and private keys can be stored in multiple locations. On the client, one such location is a Common Access Card (CAC). However, a CAC card or reader is not required for SSL mutual authentication; you can install the certificates on your browser and into Management Center's truststore.

The following example describes an SSL mutual authentication transaction.

1. The user requests access to the Management Console.
2. Management Center presents its certificate to the browser.
3. The browser validates Management Center's certificate. This includes the following checks:
   - The certificate subject must match the appliance's hostname.
   - The certificate must be issued by a CA listed in the browser's Trusted Root Certificate store.
4. The browser confirms that the appliance has the certificate's private key by challenging the appliance to sign random data. The browser validates the signature using the appliance's certificate.
5. If appliance authentication succeeds, the browser accesses the client certificate and private key using the installed certificate or CAC. It then presents the certificate to the appliance.
6. The appliance validates the certificate that the browser presents. This includes the following checks:
   - The certificate must be issued by a CA included in Management Center's truststore.
   - The appliance confirms that the browser has the certificate's private key by challenging the browser to sign random data. The appliance validates the signature using the browser's certificate.
   - The certificate must have a valid signature and not be expired.
7. If authentication succeeds, the appliance grants access to Management Center.
8. (If applicable) The appliance presents a Notice and Consent banner. The user provides consent.

Prerequisites

Before using SSL mutual authentication, you must meet the following prerequisites:

- The browser must have an X.509 certificate installed that will pass Management Center's trust validation. That is, if the client is using its own Root Certificate Authority (CA) or a different CA, that CA must first be installed into Management Center's truststore.
- The appliance certificate must be from a CA listed in the browser's Trusted Root Certificate store. Install any missing client certificates or custom root CA certificate into the browser. For browser installing instructions, refer to http://wiki.cacert.org/FAQ/BrowserClients and select your browser of choice.

Set up SSL Mutual Authentication


1. Import the root CA certificate(s) and any intermediate certificate(s) required to validate the client certificates into Management Center's truststore.
# security ssl import external-certificate <name> <URL>

# security ssl import server-certificate <URL>

2. Verify installation with the appropriate command:
# security ssl list external-certificate all

# security ssl list external-certificates system

# security ssl list external-certificates user

# security ssl list server-certificates

# security ssl view external-certificate <name>

See "#security" on page 459 for more information on the certificate viewing commands.

3. Determine the client authentication method, mandatory or optional; client authentication is off by default.

4. Issue one of the following commands:
# security ssl client-authentication set-mandatory

# security ssl client-authentication set-optional

See "#security" on page 459 for more information on the client-authentication commands.

The flowchart below depicts the prerequisites, setup, and authentication process for mandatory and optional SSL mutual authentication.


Note

- When SSL mutual authentication is enabled, all devices using Management Center as the host require X.509 certificates. For example, to access file services and APIs in a mandatory setting, a certificate is required.
- Browsers retain the certificate used. If you have more than one X.509 certificate installed and you want to use a different certificate, you must close and reopen your browser to change certificates.


Edit a Local or Imported User
To modify the user details (first name, last name, email address, phone numbers, description) or change the user's role, you can use the Edit User wizard. You can edit both local and imported users.

1. Select Administration > Users.
2. In the list of users on the left, select the username to edit.
3. Click Edit. The web console displays the Edit User wizard.
4. Change desired information on the Basic Info tab. Note that you cannot change the username.
5. Click the Assign Roles tab to modify the user's role.
6. Click Save.

Delete a User

Organizations typically implement processes to deactivate and remove access to internal accounts such as mailboxes, intranet, and applications when users leave the organization. As a best practice, include deleting the user account in Management Center in the exit procedures that your organization uses to reduce the risk of a security breach.

Deleting an imported user does not remove that user from Active Directory, LDAP or RADIUS.

1. Select Administration > Users.
2. In the list of users on the left, select the user you want to delete.
3. Click Delete. A Delete User dialog displays, prompting you to confirm the deletion.
4. Verify that it is the correct user, and then click Delete User. The user no longer displays in the Users list and is not a registered user of Management Center.

Change and Reset Passwords
Select the topic for the applicable situation.

Situation: User knows his/her password and wants to change it
  Topic: "Change Your Password" on the next page

Situation: User forgot his/her password
  Topic: "Reset Password" on page 280

Situation: Admin wants to automate the password resetting process
  Topic: "Automate Password Reset Process" on page 429

Situation: Admin needs to manually change a user's password because user forgot answer to security question or password reset process isn't automated
  Topic: "Manually Reset a User's Web Console Password" on page 282

Situation: Admin forgot admin account password
  Topic: "Reset or Restore Admin Account Passwords" on page 283

Change Your Password
You can change the password that you use to log in to the web console.

If you log in to the web console using your LDAP or Active Directory credentials, you cannot change your password.

1. In the web console banner, click  and select your username.

   The username for the standard Admin login is "Management Center."

   The web console displays the Profile dialog. Fields marked with a red asterisk (*) are required settings.

2. Click Change Password.
3. In the Current Password field, enter your current password.
4. In the first New Password field, enter a new password.
   As you type your password, the Password Strength meter indicates the strength of the password. Because the system assesses the strength of the password with each character, the meter might fluctuate while you are typing.

   Blue Coat recommends that you use a password with at least Secure strength. You can try a number of different passwords until the Password Strength meter indicates Secure or higher.

5. In the Retype New Password field, enter your new password again.
6. Click Save.
   The next time you log in to the web console, use your new password.


Reset Password
If you have forgotten your password to log in to the Management Center web console, you can request a password reset. This capability requires that the administrator has enabled the Management Center password reset feature; see "Automate Password Reset Process" on page 429. The password reset is only good for the web console and not for the CLI console.

The password resetting process requires that you answer a security question, using the exact upper/lowercase you entered when you initially defined it in your user profile. You also must have the correct email address in your profile. If you forget the answer to your security question, or failed to define an email address, you will not be able to use the automated password reset process.

1. If you have forgotten your password when logging in, click Reset Password.

   The Reset Password: Validate User dialog displays.

2. Enter your Username and click Next. The Reset Password: Security Question dialog displays.
3. In the Answer field, enter the answer to the Security Question, using the exact spelling and upper/lowercase you entered when defining it. Click Next. The Reset Password: Email Confirmation dialog displays.
4. Check your email's Inbox to retrieve your temporary password.
5. The next time you log in to the Management Center web console, use the temporary password.

   Change your password because the temporary password will expire.

Automate Password Reset Process
As an administrator on Management Center, you need to configure settings so that users can request a password reset if they forget their password.

1. Select Administration > Settings > General.
2. Set the Is Reset Password enabled? field to true.
3. For Reset Password Email Subject, modify the email subject line, if desired.
4. For Reset Password Email Message, modify the body of the email that is automatically sent to users when they click the Reset Password link. For example, you can add a person's name to the signature instead of the generic Blue Coat Management Center.

   The message contains two substitution variables: {fullname} and {password}. Management Center automatically replaces {fullname} with the user's first and last name and replaces {password} with a temporary password.

5. Click Save to store the settings on the server.
6. Make sure an email server is configured. See "Configure Mail Settings" on page 402.

When the email is sent with the temporary password, the user's account is marked so the administrators know that the password is only temporary. The temporary password will expire.


Manually Reset a User's Web Console Password
If users forget their web console password, you can manually reset the password for them. (Alternatively, if you have automated the process, the user can request a password reset when logging in. See "Automate Password Reset Process" on page 429.) Even if you have automated the process, you may still need to manually change someone's password if the user has forgotten the answer to his/her security question.

1. Select Administration > Users.
2. In the list of users on the left, select the username whose password you want to change.
3. Click Edit. The web console displays the Edit User wizard.

   You cannot change the password for users authenticated against LDAP, Active Directory, or RADIUS (authenticated users have the following icon: ).

4. From the Basic Info tab, click the Change password link.
   Two new fields display: New Password and Verify New Password.
5. Enter a new password in the fields. If you do not enter identical text in both fields, you receive an error message.
6. Click Save. The dialog closes and the web console banner displays an alert indicating that the user's password was saved.
7. Communicate the new password to the user and recommend a password change as soon as possible.


Reset or Restore Admin Account Passwords
You can reset the password for the CLI (serial console). You can also restore the default password for the admin UI (web console). The admin account to access the CLI versus the admin account to access the web console are different accounts (and thus the passwords are not the same).

To reset the CLI admin account password use #security reset-password. This command is only available through the serial console.

1. "Access the Management Center CLI" on page 439.
2. Enter privileged mode by typing enable at the command prompt. See "Privileged Mode Commands" on page 446.
3. Enter your enable password and press Enter.
4. At the # prompt, type restore-defaults reset-admin and press Enter.

The CLI prompt displays the following:
This operation will restore admin password on UI to default. Management Center service will be unavailable during this operation.

Are you sure you want to restore UI admin password? [y/N]

Resets the UI admin password to admin/admin.


Manage User Groups
To reduce the time and effort involved in assigning roles to users, you can create a user group, add users to it, and then assign roles to the group. Creating user groups also helps ensure consistency among users who require the same access. Before adding user groups, make sure you have defined roles.

Use the Groups tab to add, edit, and delete user groups. See the following topics for details:

- "Add User Groups" below
- "Edit a User Group" on page 286

Add User Groups
Although you can add users and assign roles to them individually, doing so can be labor-intensive if there are many users in the system who require the same permissions. To reduce the time and effort involved in assigning roles to users, you can create a group, add users to it, and then assign roles to the group. Creating user groups also helps ensure consistency among users who require the same access.

Users inherit the roles and permissions assigned to them individually and to the groups in which they are members. If users inherit permissions that seem to conflict, keep in mind that they can access an object as long as they have a role with the required permission. For example, if one of a user's groups has a role with the View permission for policy objects but another group has no policy permissions, the user can view policy objects.

Groups cannot be members of other groups.

1. Select Administration > Groups.
2. From the Groups section, click Add Group. The web console displays the Add Group wizard.
3. In the Add Group: Basic Info page, enter the group's information. A red asterisk (*) denotes fields that are mandatory. Enter a Name for your group. This group name displays on the dashboard and other areas in the web console.

   Before you start naming user groups, devise a naming convention. For example, a user group name can be based on an organization, job function or geographical location.

4. In the Add Groups: Basic Info page, add a description (even though it is not required).

   Although entering a description is optional, the description helps you and other users understand the purpose or function of the group. This helps to understand the correct roles and permissions to apply within the group. Blue Coat recommends that you always enter a clear, helpful description.

5. Click Next.
6. In the Add Group: Members dialog, select users from the Available Users and add them to the Members list using the arrow buttons. Click Next.
7. In the Add Group: Assign Roles dialog, select a group role from the Available Roles and add it to the Assigned Roles list. See "Define Roles" on page 288.
8. Click Finish. The name of the group that you just created will be displayed in the left pane.


Edit a User Group
To modify the user group details (name or description), add/remove group members, or change the role(s) assigned to the group, you can use the Edit Group wizard.

1. Select Administration > Groups.
2. In the list of groups on the left, select the group to edit.
3. Click Edit. The web console displays the Edit Group wizard.
4. Change desired information on the Basic Info tab.
5. To add a user to the group:
   a. Click the Members tab.
   b. Select the user name in the Available Users list.
   c. Click the right arrow button to add the user to the Members list.
   d. Repeat for other users you want to add to the group.
6. To remove a user from the group:
   a. Click the Members tab.
   b. Select the user name in the Members list on the right.
   c. Click the left arrow button to remove the user. The user moves over to the Available Users list.
   d. Repeat for other users you want to remove.
7. Click the Assign Roles tab to modify the role(s) associated with the group.
8. Click Save.

Delete a User Group
Deleting a group does not remove the members in the group.

1. Select Administration > Groups.
2. In the list of groups on the left, select the group you want to delete.
3. Click Delete. A Delete Group dialog displays, prompting you to confirm the deletion.
4. Verify that it is the correct group, and then click Delete Group. The group no longer displays in the Groups list.


Manage User Sessions
Management Center tracks and logs each user session. Administrators can view and manage current user sessions from Administration > User Sessions. As a super admin, the ability to log in will not be affected by what you do in this dialog. You can delete (kill) any user session, which will immediately log the user out of the Management Center web console.

As a best practice, Blue Coat recommends that all users log out of the web console after completing their tasks. As a Management Center administrator, you may need to enforce this practice. If a user has changed roles or has accepted a new job that may change their access rights, you can manage all active or stored user sessions.

1. From the web console banner, select Administration > User Sessions.
2. To prevent users from logging into the web console, select the Disable user login to Management Center check box.
3. (Optional) To delete a user session:
   a. Select a user session. Green denotes your session (you), not an active session.
   b. Click Kill Session.
   c. Confirm that you want to kill the session.


Define Roles
Roles are not necessarily associated with jobs or job titles; rather, each role should contain the permissions required to perform a specific task or set of tasks. Managing roles based on tasks is easier than managing permissions attached to features or functions. Because multiple users in organizations often perform the same task (for example, two teams of 20 support engineers require a Device Admin role), and tasks are shared even across different teams (five product engineers also require 'Device Admin'), the number of roles you need to define is in principle much lower than the number of users in the system. See "Edit an Existing Role" on page 290 and "Duplicate an Existing Role" on page 290.

About Roles

The role structure in Management Center has two predefined levels:

• administrator, which has all permissions for all objects. The default admin account has the administrator role.
• viewOnly, which has the view permission for all objects.

You can create other roles that allow view access to some objects, add or update access to some objects, or a mix of different permissions as shown in the example below.

Blue Coat recommends that you create roles with all necessary permissions and filters before adding users.

Procedure

1. Select Administration > Roles and click Add Role.
2. In the Add Role: Basic Info dialog, enter a name for the role.
   If you authenticate users against LDAP, Active Directory or RADIUS, create a role in sync with the directory service.


3. (Optional) Enter a description.

   Blue Coat recommends that you enter a list of the permissions for the defined role in the Description field. This helps you and other users understand the permissions of a user's role including the intent of their job function.

4. Click Next.
5. In the Add Role: Permissions dialog, click Add Permission.
6. From the Object drop-down list, select All objects or a specific object.
7. From the Action drop-down list, select All operations or one or more individual actions.
8. (Optional) In the Filter drop-down list, select a filter to apply to both the action and the object.
   See "Grant Permissions" on page 291 for information on objects, actions, and filters.
9. To add more permissions, repeat steps 6 through 8.
10. Optional: Add Reporter permissions.
11. Click Finish.


Duplicate an Existing Role
To avoid spending an excessive amount of time on defining roles with similar permissions, you can define a role based on a role that already exists in the system. For example, if you have already created a role that allows access to device groups, you can base other roles on it with different attributes.

1. Click the Administration tab and select Roles.
2. Select the role on which you want to base the new role.
3. Click Duplicate Role. The Roles tab displays the new role, with the name of the original role followed by (1). For example, if you duplicated the viewOnly role, the new role's name is viewOnly(1).
4. Select the role you just created and click Edit. The web console displays the Edit Role dialog containing two tabs:
   • Basic Info
   • Permissions
5. Update the name and description to reflect the purpose of the new role.
6. Click Permissions.
7. Edit the permissions for the new role; see "Grant Permissions" on the next page for instructions.
8. Click Save. The role is saved and the Roles tab displays it with the new name and description.

Edit an Existing Role
You cannot directly assign permissions to users; thus, you must always edit a role to change a permission. You can edit a role's basic information or the permissions that the role comprises.

Update basic information

1. Select Administration > Roles. From the Roles page you can perform the following actions:
   • Add Role
   • Edit
   • Duplicate
   • Delete
   • Refresh
2. Select the role whose information you want to update and click Edit. The web console displays the Edit Role dialog.
3. On the Basic Info tab, edit the name of the role or the description as required. Click Save.

Update permissions

1. Select Administration > Roles. The web console displays the Roles page where you can perform the following actions:
   • Add Role
   • Edit
   • Duplicate
   • Delete
   • Refresh
2. Select the role whose permissions you want to update and click Edit. The web console displays the Edit Role dialog containing two tabs:


   • Basic Info
   • Permissions
3. Click the Permissions tab. The web console displays the list of permissions.
4. To change only part of a permission, select Object or Action. See "Reference: Permissions Interdependencies" on page 250. Do one or more of the following as needed:
   • In the Object drop-down list, double-click and specify All objects or a specific object.
   • In the Action drop-down list, double-click and select All operations or a specific operation.
   • (If applicable) In the Filter drop-down list, click the plus sign (+) and select a filter. See "Filter Devices or Device Groups in a Permission" on page 294.
5. Add or remove an existing permission:
   • To add a permission, click Add Permission. See steps 7 through 10 in "Define Roles" on page 288 for instructions.
   • To remove a permission, select it and click Remove Permission. The permission is removed from the list.
6. Click Save.

Control Roles and Permissions through user sessions. If you edit a role's permissions while users are logged into the web console, users must log out and log in again to see the effects of the change. See "Manage User Sessions" on page 306.

Grant Permissions
You can add, remove, and edit permissions for any role. A role must have at least one permission for the role to take effect.

1. Select Administration > Roles.
2. Select a role and click View. The web console displays the View Role dialog.
3. Click Permissions. You can add, remove, and edit permissions on this tab.

A permission consists of:

• The object, which describes the area, feature, or function that the user can access, such as devices and global settings.
• The action, which is the scope of access to an object. It details what actions a user can do with the object, such as the ability to add and edit devices, or view global settings. The actions that are available depend on the selected object. Starting in Management Center 1.6.x, you can add multiple actions per object.
• A filter, which dictates permissions to a sub-set or specific area of the object, such as certain attributes about a device or policy. Filters are available for devices and device groups; for instructions on specifying filters, see "Filter Devices or Device Groups in a Permission" on page 294.

The available filters correspond to the specified actions. That is, if multiple actions are defined, the filters list includes all possible filters for those actions. If an action is subsequently deleted, the corresponding filter will also be deleted if it does not apply to any remaining actions.

If the View permission for an object is not included in a role, users with the role are unable to see the object when they log in to the web console. For example, if a role does not include a permission for the Device object, users added to the role do not see the Network tab.

See "Define Roles" on page 288 for more information about setting roles and permissions.
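The rules described in "Add User Groups", "Edit an Existing Role" and "Grant Permissions" (a permission is an object, one or more actions and an optional filter; a user holds the union of roles assigned directly and through groups; a role change reaches a logged-in user only after a new login) are modelled below in Python. This is an added example, not Management Center code: the class names, the role and group names, the equality-based filter match and the snapshot-at-login mechanism are assumptions made for illustration.

```python
"""Model of the role evaluation described above (added example, constructed data)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    obj: str                  # object name, or "*" for "All objects"
    actions: frozenset        # action names, or {"*"} for "All operations"
    attr_filter: tuple = ()   # ((attribute, value), ...); empty means unfiltered

    def allows(self, obj, action, attrs):
        if self.obj not in ("*", obj):
            return False
        if "*" not in self.actions and action not in self.actions:
            return False
        # Assumption: a filter matches when every listed attribute equals the
        # value set on the device or device group being accessed.
        return all(attrs.get(k) == v for k, v in self.attr_filter)


@dataclass
class Directory:
    roles: dict = field(default_factory=dict)       # role -> [Permission, ...]
    user_roles: dict = field(default_factory=dict)  # user -> {role, ...}
    groups: dict = field(default_factory=dict)      # group -> {"members", "roles"}

    def effective_permissions(self, user):
        # Union of roles assigned directly and through every group the user is
        # in. Groups hold users only, so there is no nesting to walk.
        names = set(self.user_roles.get(user, ()))
        for group in self.groups.values():
            if user in group["members"]:
                names |= group["roles"]
        return [p for name in sorted(names) for p in self.roles.get(name, ())]


class Session:
    """Permissions are resolved once, at login, and kept until logout or kill."""

    def __init__(self, directory, user):
        self.user = user
        self.perms = directory.effective_permissions(user)
        self.active = True

    def can(self, obj, action, attrs=None):
        attrs = attrs or {}
        return self.active and any(p.allows(obj, action, attrs) for p in self.perms)

    def kill(self):
        self.active = False


def demo():
    d = Directory()
    # Constructed roles; "Location" is one of the device attributes the guide names.
    d.roles["PolicyViewer"] = [Permission("policy", frozenset({"view"}))]
    d.roles["EmeaDeviceOps"] = [
        Permission("device", frozenset({"view", "edit"}), (("Location", "EMEA"),))
    ]
    d.groups["policy-readers"] = {"members": {"alice"}, "roles": {"PolicyViewer"}}
    d.groups["emea-support"] = {"members": {"alice"}, "roles": {"EmeaDeviceOps"}}

    old = Session(d, "alice")
    out = {
        # One group grants View on policy, the other grants nothing on policy:
        # access is allowed because any one role with the permission is enough.
        "view_policy": old.can("policy", "view"),
        "edit_policy": old.can("policy", "edit"),
        "edit_emea_device": old.can("device", "edit", {"Location": "EMEA"}),
        "edit_apac_device": old.can("device", "edit", {"Location": "APAC"}),
    }
    # Job change: alice leaves the policy-readers group while still logged in.
    d.groups["policy-readers"]["members"].discard("alice")
    out["stale_session_view_policy"] = old.can("policy", "view")
    out["new_login_view_policy"] = Session(d, "alice").can("policy", "view")
    old.kill()  # what Administration > User Sessions > Kill Session achieves
    out["killed_session_view_policy"] = old.can("policy", "view")
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The `stale_session_view_policy` result stays true until the session ends, which is why removing a role or group membership is best followed by killing that user's session from Administration > User Sessions.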


Update Access When a User's Job Changes
When a user's job changes, you can adjust their information to reflect their new job or responsibilities.

1. Select Administration > Roles.
2. (If applicable) Update a user's roles to reflect changes in position or responsibilities.
3. (If applicable) Update the user's basic details.
4. (If applicable) Update a role to apply changes to all users who have the role. See "Edit an Existing Role" on page 290.

Update a User's Roles

When a user has a new job or responsibilities within the organization, you might have to update their roles to ensure that they can perform their new tasks.

1. Select Administration > Users.
2. In the Users left pane, select the user whose roles you want to change. The user's details display.

   Imported users have the following icon:

3. Click Edit. The web console displays the Edit User dialog.
4. Click Assign Roles. The dialog displays a list of all the roles in the system. Roles to which the user is not assigned are listed under Available Roles. Roles to which the user is currently assigned are listed under Assigned Roles.
5. Update roles:
   • To add a role, select it from Available Roles and, using the arrow, add it to the Assigned Roles list.
   • To remove a role, select it from Assigned Roles and, using the arrow, add it to the Available Roles list.
6. Click Save. The web console banner displays an alert indicating that the user was saved.


Roles are linked to user sessions. If you edit users' roles while they are logged into the web console, instruct them to log out and log in again to see the effects of the change.

Filter Devices or Device Groups in a Permission
You can control access to devices and device groups (folders) on a more granular level than with other objects in Management Center using permission filters. These filters are based on the attributes that you specify in device and device group properties. See "Set User-Defined Device Attributes for Access Control" on page 302 for information.

1. Perform one of the following:
   • Add a permission. See "Grant Permissions" on page 291.
   • Edit a permission. See "Edit an Existing Role" on page 290.
2. In the Add/Edit Role dialog, select the permission and click the plus sign (+) in the Filter field. The Add/Edit Filter dialog displays.
3. Select a filter from the Filter Type drop-down list and specify filter values. See "Reference: Permissions Filters Object and Attributes" on page 259.
4. Click Save. The filter displays in the Filter field.

Restrict Access to Reporter Reports
When creating or editing roles, you can set permissions to limit the Reporter report fields the role has access to. The choices you make limit the reports that users in that role are able to view and also preclude them from adding corresponding widgets to a dashboard.

Procedure

1. Select Administration > Roles.
2. Select a role and click Edit. The system displays the Edit Role dialog.
3. Click the Reporter Permissions tab.
4. Click Add Permission.

   The system displays the Add Report Permission: Assign Reporter Database dialog.

5. Select the Reporter database to apply permissions to.


   If you select a database that includes All Databases in the title, the permissions you set will apply to all databases (present and future) on that device. If you select All Reporters - All Databases, the permissions you set will globally apply to all databases on all devices.

   If you've already applied permissions to a database, it will not display in the Reporter - Database drop-down list.

6. Click Next. The system displays the Add Report Permissions - Restricted Fields, Reports dialog.
7. Restrict report fields.
8. To view the reports affected by your choices, select Show Restricted Reports. The system displays the Restricted Reports by Field dialog.


9. When you are satisfied with your choices, close the Restricted Reports by Field dialog by clicking Close.
10. Click Finish, then Save.

Users in the specified role are now precluded from viewing reports in the selected fields.

Users Associated With Multiple Roles

If a user is associated with more than one role (or by group association), all applicable roles are displayed. For example, when viewing reports, the user can choose a role and a corresponding database from the menu on the Reports > Reporter page. If a role has no access to a database, that role does not display in the Role drop-down menu.


Manage Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Because you have different devices and appliances to manage, those devices require and are often restricted to certain attributes. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Attributes can be used to filter on specific devices, device groups or objects.

1. Select Administration > Attributes.
2. From the Manage Attributes list, select one of the following:
   • Device
   • Device Group
   • Policy
   • Device Script
3. To add an attribute, click Add Attribute. See "Add Attributes" on the facing page.
4. To edit an attribute, select the attribute name and click Edit. See "Edit Attributes" on page 301.

View and Sort the Following Attributes Lists

• Name
• Display Name - The attribute name (with no spaces).
• Type - The format in which users must enter or select values.
• Default Value - Select the default value that displays in the Attributes list. Default values can be substituted by other variables. See "Use Substitution Variables in Policies and Scripts" on page 176.
• Mandatory - The value of attributes that are marked as mandatory is required when you create or add a device or device group, create a policy, or create a script.
• Inheritable - Applies specifically to devices and device groups. When this is selected, the device or device group inherits attributes from its parent device group.
• Description - Describes the attribute and must be specific to the device, device group, policy, or script to which you are applying the attribute.

You are able to search for specific objects based on the attributes you define. See "Filter by Attributes and Keyword Search" on page 151.


Add Attributes
You can define attributes that apply to the devices, device groups, policy and device scripts that you manage in your network. Attributes are custom metadata used to refine and edit devices, device groups, policy, and scripts. Because you have different devices and appliances to manage, those devices require, and are often restricted to, certain attributes. Use these attributes to filter on specific devices, device groups or objects.

1. Select Administration > Attributes.
2. Select one of the following from the Manage Attributes list:
   • Device
   • Device Group
   • Policy
   • Device Script
3. Click Add Attribute. Define the properties of the attribute that you are creating. A red asterisk (*) denotes fields that are mandatory.

| Property | Description or Purpose |
|---|---|
| Display Name (*) | Name that displays throughout Management Center. |
| Name (*) | This is the name with no spaces. |
| Type (*) | The format in which users must enter or select attribute values. |
| Available Values (*) | The Available Values depend on the Type you selected. |
| Default Value | If this attribute has a default value, it is displayed here. |
| Mandatory | All attributes that you check as mandatory will appear as options when you create a new policy, device, device group, or device script. All mandatory attributes can be filtered on when you "Filter by Attributes and Keyword Search" on page 151. |
| Inheritable | This attribute applies to devices and device groups. Attributes that are checked as inheritable can "inherit" their attributes from a parent device group. |
| Displayed as a default column | When enabled, the attribute displays as a column in the Policy Object grid, Script Object grid, or Network dashboard. Even if this option is not enabled, you can still display the attribute by right-clicking the column header, selecting Columns and selecting the attribute to display. See Customize the Network View. |
| Description | Give a useful description of this attribute to distinguish it from the others when viewing all of the attributes in a list. |

4. Click Save.


Mandatory Attributes

Attributes are metadata that you can apply to objects. Nothing changes for the existing devices, device groups, policy, or scripts when an attribute is marked mandatory. However, marking an attribute as mandatory means that whenever you create or add a device, device group, policy or device script object, you will be forced to enter a value for that mandatory attribute.

When you mark an attribute as mandatory, the attribute's value is required. You can enable variable substitution only if you save the attribute with a default value. See "Use Substitution Variables in Policies and Scripts" on page 176.


Edit Attributes
After you have defined an attribute, you can refine and edit that attribute to apply to any of the devices, device groups, policy and device scripts within your network. Editing an attribute changes the way devices, device groups, policy or script objects can be filtered and searched.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

1. Select the Administration > Attributes section.
2. From the Manage Attributes list, select an attribute to edit from the following attribute types:
   • Device
   • Device Group
   • Policy
   • Device Script
3. Select an attribute from the list and click Edit.
4. Change the properties for the attribute. A red asterisk (*) denotes fields that are mandatory.

| Property | Description or Purpose |
|---|---|
| Display Name (*) | Name that displays throughout Management Center. |
| Name (*) | This is the name with no spaces. |
| Type (*) | The format in which users must enter or select attribute values. |
| Available Values (*) | The Available Values depend on the Type you selected. |
| Default Value | If this attribute has a default value, it is displayed here. |
| Mandatory | All attributes that you check as mandatory will appear as options when you create a new policy, device, device group, or device script. All mandatory attributes can be filtered on when you "Filter by Attributes and Keyword Search" on page 151. |
| Inheritable | This attribute applies to devices and device groups. Attributes that are checked as inheritable can "inherit" their attributes from a parent device group. |
| Displayed as a default column | When enabled, the attribute displays as a column in the Policy Object grid, Script Object grid, or Network dashboard. Even if this option is not enabled, you can still display the attribute by right-clicking the column header, selecting Columns and selecting the attribute to display. See Customize the Network View. |
| Description | Give a useful description of this attribute to distinguish it from the others when viewing all of the attributes in a list. |

5. Click Save.


Set User-Defined Device Attributes for Access Control
User-defined attributes can be either custom attributes that you create from the Administration tab or, if you edit them, the system attributes of Location and Rack. System attributes contain values that Management Center collects for reporting purposes.

• Connection Parameters - IP or hostname, Username, Password, Enable Password and SSH Port number.
• Name - Device Name
• Membership - The hierarchy and device group to which the device belongs. See "Configure Hierarchy for Devices and Device Groups" on page 100.
• Attributes - Customized Location and Rack attributes or new custom attributes (or metadata) that administrators can create. See "Add Attributes" on page 298.

1. Collect statistics for the device by clicking the check box. See "View Statistics Monitoring Reports" on page 376.

2. Use the up/down arrows to specify a Bandwidth Cost. See "Set Bandwidth Cost for Reports" on page 399.

   The bandwidth cost is a multiplier and is thus not expressed in a specific currency unit. For example, you can specify a value to represent on average how much you pay per gigabit for data usage on your network.

3. If the User-Defined attribute has a red asterisk (*), it is required. You must specify a value before continuing.

   Administrators can create attributes in addition to the user-defined attributes of Location and Rack. To define your own device and device group attributes, see "Add Attributes" on page 298 and "Edit Attributes" on the previous page.

   For more fine-grained control of a device or device group, you can add permissions for the specified attributes. See "Reference: Permissions Filters Object and Attributes" on page 259.


Filter and Keyword Search
Apply filters to any object within Management Center. Objects can include:

• Attributes
• Audited Objects
• Authentication
• Devices
• Policy Objects
• Policy Device Assignment
• Roles
• Script Objects

Filter on attributes and then use the keyword search. When you are managing hundreds or thousands of policies across multiple devices, it is important to be able to find a particular policy or configuration quickly.

You are not limited to the Filter fields displayed. You can customize your filters.

Procedure

Default fields are dependent upon the type of object that you are filtering. For example:

• Name - Filters by the object name
• Type - Filters by the object type
• Description - Filters by the object Description
• Author - Filters by who created the object

1. To filter by a particular type of policy, click the Type drop-down list. Select a Policy Type:
   • CPL
   • CPL Fragment
   • VPM
2. Click Apply Filters.
3. The Object list displays all of the Objects by Type. After you have applied filters, search for specific objects using the Keyword Search.
4. From the Policy Objects listed by Type, search for a specific Policy using the Keyword Search.

The logic is Filter *and* Keyword Search.

Search by Keyword

When searching, Management Center breaks text into keywords and then searches for keywords entered. Management Center's index system has a special case for dot. Although Management Center sees dots as separating letters within a word (i.e. Management Center considers dots as a part of a word).

You cannot search on special characters such as ^ % | ~.

Colons are treated like other non-letters by splitting keywords apart. IPv4 and IPv6 addresses work differently because of colons.

The wildcard symbol is *. Management Center automatically appends an * at the end of your search term, but if you want to start with a wildcard search, you have to enter it yourself.


Can quotes be used in a search?

Use quotes when non-letters are part of the search term. For example, your search term includes a colon. The exception to this search rule is the use of a dot, because a dot that is NOT followed by whitespace is considered part of the keyword.

How do you search for whole words?

Enter the whole word. If there is more than one word, separate each word with a space. If using special characters, enclose each word in double quotes.

How do you search for partial words?

Enter the partial term, and Management Center attempts to complete the search. For example, enter hi and Management Center matches that to both highlight and high.

Example Searches

IPv4 127.0.0.1

• 127.0.0 matches any IPv4 starting with 127.0.0
• *.0.0.1 matches any IPv4 ending in 0.0.1

IPv6 0:0:0:0:0:1

Use quotes for IPv6 addresses because IPv6 uses colons instead of dots as the separator.

• 0:0:0 matches any IPv6 starting with 0:0:0
• *0:0:1 matches any IPv6 ending with 0:0:1

Hostnames

• abc.com matches a host named abc.com
• *.com matches a hostname ending in .com
• *:8080 matches a hostname with :8080 as the port

Search

1. From the Keyword Search field, enter your search term.
2. Press Enter or click the magnifying glass icon.

What if the search finds no match?

If the search finds no match, the right pane displays a message indicating that no objects match the keyword filter. You can search again using a different keyword.

What if the search succeeds in finding matches?

If the search finds matches, the results display in alphabetical order in the Objects list.

How do you clear the search results?

To clear search results and display all objects in the system, click the X in the search field.


Preview or Download Logs
You can sort and preview a log by file name or log type. You can preview one log or download multiple logs.

1. Select Administration > Logs.
2. Select a log to view. Click Preview. For example, to view the localhost_access.log in a text viewer, click Preview.
3. To download multiple logs, select the check boxes of logs that you want to download and then click Download. Management Center downloads a .zip archive file to the default download location.

Available Logs

The following table lists the available logs.

| Name | Type | Description |
|---|---|---|
| localhost_access.log | WEB-ACCESS | Tracks users' requests to the Management Center UI. |
| log.log | WEB | Primary Management Center log. |
| debug.log | DEBUG | This log provides diagnostics information to help with debugging. The log only displays if a user enables debug diagnostics (Administration > Settings > Diagnostics). |
| journal.txt | PDM | Primary log for the performance data collector of Management Center. This log is useful for determining why performance data is not showing up in Management Center or is being delayed. |
| clp_services.log | SYSTEM | Internal CLP OS log. |

Rollover log formats are similar to the following:

• name.zip
• name.log-data

Log Types

The following table describes the log types.

| Type | Description |
|---|---|
| WEB | Logs related to Management Center and its operation. |
| WEB-ACCESS | Logs that track user requests to Management Center web UI. |
| DEBUG | As the name implies, these are debugging logs. |
| SYSTEM | Internal core OS logs. |
| PDM | Performance Data processing logs. These correspond to anything related to the appstat processing of PDM logs from the ProxySG or other systems. |


Manage User Sessions
Management Center tracks and logs each user session. Administrators can view and manage current user sessions from Administration > User Sessions. As a super admin, the ability to log in will not be affected by what you do in this dialog. You can delete (kill) any user session, which will immediately log the user out of the Management Center web console.

As a best practice, Blue Coat recommends that all users log out of the web console after completing their tasks. As a Management Center administrator, you may need to enforce this practice. If a user has changed roles or has accepted a new job that may change their access rights, you can manage all active or stored user sessions.

1. From the web console banner, select Administration > User Sessions.
2. To prevent users from logging into the web console, select the Disable user login to Management Center check box.
3. (Optional) To delete a user session:
   a. Select a user session. Green denotes your session (you), not an active session.
   b. Click Kill Session.
   c. Confirm that you want to kill the session.

Receive Error Notifications
Configure how you will be notified when errors occur.

• Manage Alerts
• Configure SMTP Alerts
• Configure SNMP Alerts

"Configure SMTP Alerts" on page 318

"Configure SNMP Alerts" on page 319

Manage Alerts
Management Center provides an area for administrators to store and manage various alerts. Whether you need to set the state of an alert, change the owner, provide feedback, or find a specific alert, you can do it all in one place. This is different from the message viewer. You are still able to view messages in the Recent Messages pane. See "Read Alerts" on page 436.

To get to the Alerts management page:

• Select Administration > Settings.
• Click the Alert Notification button. This shows the number of open (or unresolved) alerts.

Overview
The landing page shows the current alerts and the options available for management.

• Sorting options allow you to view the alerts based on various criteria.
• Details and Filters Tabs give quick information about the alert(s).
• Navigation options at the bottom allow you to go to specific pages.
• Management options allow you to take action on specific alert(s).

Sorting Alerts

The primary element on the landing page is the list of available alerts. These can be sorted by different columns.
* Indicates columns that are NOT shown by default.


| Sort By... | Description |
|---|---|
| Severity | Impact level of an alert on the affected category. |
| Priority | Importance level of resolving an alert. |
| Message | Current status of an alert. Alerts are either considered open or closed. |
| Count * | Number of times an issue is reported. |
| Source * | System reporting an alert. Note: This field is populated only if an external network is reporting an issue. |
| Category | Element affected by an alert. |
| State | Current status of an alert. |
| Received | Date and time an issue is reported as an alert. |
| Acknowledged | Received status of an alert. |
| Owner | Person currently responsible for an alert. |

Sort and view the alerts with these options:

• Adjust the length of columns by hovering between two columns to get the adjustment cursor.
• To sort the list, you have two options:
   ◦ Click on a column header. The first click sorts the list by that column in ascending order. A second click sorts it in descending order.
   ◦ Hover over a column header, then select Menu Arrow > Sort Ascending or Sort Descending.
• To customize which columns show, hover over any column header, then select Menu Arrow > Columns.
• To reset the columns back to the default columns and width, hover over any column header, then select Menu Arrow > Reset Columns.

Details and Filters Tabs

Get an overview of a specific alert or use filter options in order to find specific alerts.

If you need more space to view the alerts list, collapse this pane by clicking the arrow tab on the left of it. See Filters Panel for an example image.


Preview Details Panel

Gives a brief summary of the selected alert. If you need to view more details, such as the history of the alert, see Editing Alerts.

Select only one alert to preview the details.

Filters Panel

Find specific alerts with various filters. Once applied, the Filters tab shows how many active filters there are. Example: (Active 3).

Apply/Clear
Save or delete any filter changes selected.

Customize


Select the filters that show in the Filter Panel.

Time Range
Select the time range you want to search in.

| Hour Options | Day Options |
|---|---|
| Last 1 Hr | Last 24 Hrs |
| Last 12 Hrs | Last 3 Days |
| Last 24 Hrs | Last 7 Days |

State
Select the alert current status(es).

| Option | Description |
|---|---|
| New | New or unworked issues. |
| Pending | Already known issue, but resolution hasn't started. |
| Assigned | Assigned to a specific user. |
| In Progress | A resolution has been started. |
| Resolved | The issue has been resolved. |
| Closed | The issue has been closed. This can be used whether or not the issue has been resolved. |

Acknowledge
Select the receipt status(es).

| Option | Description |
|---|---|
| Acknowledge | Alert received by owner. |
| Unacknowledge | Alert not received by owner. |

Category
Select the element(s) affected.

| Option | Element(s) |
|---|---|
| Policy | Policy specific. |
| Configuration | Scripts, Shared Objects, Tenants, and Files. |
| Operational | Alerts related to the function of a device or Management Center. |
| System | Networks linked to Management Center, including files, software, hardware, and firmware. |
| Security | Security related alerts. |
| Other | For an issue not listed in any other category. |

Priority
Select the importance level of resolution.

Priority Level
• Low
• Medium
• High
• Urgent

Owner
Select the current owner.

Alerts that are not assigned (in the Owner sorting column) will not show up if an owner is selected.

Keyword Search
Next to the Preview/Filter pane is the keyword searching option. If you know keywords in the alerts you are looking for, enter them into the search box and click the magnifying glass or press Enter. To clear the search terms, click the ( ) within the search box.

Navigation

Navigate between pages and set navigation options.


| Option | Description |
|---|---|
| Beginning | Go to the first page. |
| Back | Go back a page. |
| Page Number | Current page number and total page count. Type a number to go to a specific page. |
| Forward | Go forward a page. |
| End | Go to the last page. |
| Refresh | Refresh the list. |
| Page Size | Number of alerts displayed per page. |

Alert Management

Create, edit, delete, or acknowledge receipt of alert(s).

Creating New Alerts

Use Raise Alert to create a new alert.


Message *
Enter the message for the alert. * This field is required.

Severity
The impact level on the affected category. * Indicates default

| Option | Severity Level | Definition |
|---|---|---|
| Info * | Low | Little or no impact. |
| Warning | Medium | Potential to cause errors. |
| Error | High | Errors found. |
| Fatal | Critical | System failure. |

Priority
The importance level of resolving the alert. * Indicates default


Priority Level
• Low *
• Medium
• High
• Urgent

State
The current status of the alert. Alerts are either considered open or closed. * Indicates default

| Option | Description | Status |
|---|---|---|
| New | New or unworked issues. | Open |
| Pending | Already known issue, but resolution hasn't started. | Open |
| Assigned * | Assigned to a specific user. | Open |
| In Progress | A resolution has been started. | Open |
| Resolved | The issue has been resolved. | Closed |
| Closed | The issue has been closed. This can be used whether or not the issue has been resolved. | Closed |

Owner
The administrator currently logged in is set as the default owner. You may assign it to a different owner as long as the person has previously been added as a user. See "Add Local Users" on page 264.

Alerts created by the system will show as not assigned in the Owner sorting column.

Category
The element affected by the alert. * Indicates default

| Option | Element(s) |
|---|---|
| Policy | Policy specific. |
| Configuration | Scripts, Shared Objects, Tenants, and Files. |
| Operational | Alerts related to the operation of a device or Management Center. |
| System | Networks linked to Management Center, including files, software, hardware, and firmware. |
| Security | Security related alerts. |
| Other * | For an issue not listed in any other category. |

Description


(Optional) Enter a more detailed description of the alert and/or the reasons for it.

If you forget any information for the detailed description, you can always Edit it or add note to the Journal tab at a later time.

Save/Cancel
Save or Cancel the new alert.

Editing Alerts

You can edit the alerts using one of two methods:

- To edit all the information for an alert, select a message and then click Edit. Alternately, right-click a message to get the Edit option.

Only one message can be selected for editing at a time.

Edit Details Tab

The basic information, normally set in Raise Alert, can be edited in the Details tab. A summary of the current saved status of the alert shows in a box below the editable details. The action buttons include:

- Save Alert for any changes you make.
- Acknowledge or Unacknowledge the receipt of the message.
- Discard any changes.
- Take Ownership to instantly assign it to yourself.

Journal Tab

A history of the changes made to the alert is logged in the Journal tab beneath the Notes field. Actions you can take include:

- Add more information in the Notes field.
- Add Note to the alert.
- Clear any information typed.


Back

Return to the list of alerts. Alternately, you can click on the Alerts link above the Back button to return to the list.

- Select message(s) to access the available quick Operations. These allow you to edit information on an alert without having to open the Edit screen.

Assign Users
Select a user to have ownership. You may assign it to a different owner as long as the person has previously been added as a user. See "Add Local Users" on page 264.

Alerts created by the system will show as not assigned in the Owner sorting column.

Take Ownership
Instantly assigns the alert to yourself.

Change State

The current status. Alerts are either considered open or closed.
*Indicates default

Option | Description | Status
New | New or unworked issues. | Open
Pending | Already known issue, but resolution hasn't started. | Open
Assigned* | Assigned to a specific user. | Open
In Progress | A resolution has been started. | Open
Resolved | The issue has been resolved. | Closed
Closed | The issue has been closed. This can be used whether or not the issue has been resolved. | Closed

Change Priority

The importance level of resolution. *Indicates default


Priority Level
Low*
Medium
High
Urgent

Other Alert Management Options

- Select message(s) to Delete them. Alternately, right-click the message(s) to get the Delete option.
- Messages are automatically removed by the system after a set time. The default is 120 days. See "Configure Housekeeping Settings" on page 425 for more information.

To change the number of days alerts are retained:

1. Select Administration > Settings > Housekeeping.
2. Change the value in Number of days of closed alert records to keep.
3. Click Save.
4. (Optional) Click Activate to push your changes to the server immediately.

- Select message(s) to Acknowledge or Unacknowledge the receipt of them. Alternately, right-click the message(s) to get the acknowledgment options.

Only messages of the same receipt status can be selected at the same time for the button to work.
Example: Under the Acknowledged column, all messages marked not yet.

- Refresh the list of available alerts.


Configure SMTP Alerts
Configure the mail server for sending health monitoring notifications from Management Center and specify which administrators receive the alerts.

1. Select Administration > Settings.
2. Click SMTP Alerts on the left. SMTP fields display on the right. A red asterisk (*) denotes fields that are mandatory.

3. Specify SMTP settings.

Setting | Description | Input Value/Format
What to send* | Specify OFF to turn off e-mail notification or ERROR when errors occur with mail delivery. | OFF|ERROR
Mail Server* | The SMTP mail server to use for outgoing mail. | Example: smtp.organization.com
Send to address* | E-mail addresses to which alerts are sent. For example, enter administrators' e-mail addresses or a distribution list. | A comma-separated list of valid e-mail addresses.
From address* | The e-mail address from which e-mails are sent. | Example: bccm@organization.com

4. Perform one of the following:
- Click Reset to remove your current changes and revert to the default or last saved settings.
- Click Save to store the settings on the server. If you are unable to save your changes, make sure that all required settings are specified.
- Click Activate to cause the server to load and apply the currently saved configuration.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.


Configure SNMP Alerts
The Simple Network Management Protocol (SNMP) itself does not define which variables a managed system should offer. Rather, SNMP uses an extensible design, where the available information is defined by Management Information Bases (MIBs).

Configure SNMP settings for Management Center. If you want to enter a password for the SNMP traps, see "Configure the SNMP Agent Password" on page 403.

The MIBs are available on the BTO Downloads page. Refer to the Blue Coat Management Center Release Notes for information on MIBs.

1. Select Administration > Settings.
2. Select SNMP Alerts. SNMP fields display on the right. A red asterisk (*) denotes fields that are mandatory.

3. Specify SNMP settings.

Setting | Description | Input Value/Format
What to send* | Specify OFF to turn off SNMP notifications or ERROR when errors occur with the SNMP traps. | OFF|ERROR
SNMP Destination IP* | Specify an IP address for the listener. | Example: 192.0.2.0
SNMP Destination port* | Specify the port for the listener. | Example: 155
SNMP Version* | Specify the protocol version for the SNMP listener. | 1|2|3
Community | A password that allows access to a device's statistics (transmitted in plaintext). | Enter the password. See "Configure the SNMP Agent Password" on page 403.
Engine ID | The unique SNMP engine ID based on the device IP. This engine ID is associated with the specific Management Center installation and displays in each SNMP packet to identify the source of the packet. Applies to SNMPv3 only. | Click generate to generate the engine ID.
Security | User name used to access the management module. Applies to SNMPv3 only. | Enter the username.
Auth Protocol | The authentication protocol algorithm to use. SHA is the default. Applies to SNMPv3 only. | SHA|MD5
Auth Passphrase | Passphrase to use for authentication. Applies to SNMPv3 only. | Enter the passphrase.
Priv Protocol | The protocol to use for SNMP message privacy. AES is the default. Applies to SNMPv3 only. | AES|DES
Priv Passphrase | Passphrase to use when encrypting messages. Applies to SNMPv3 only. | Enter the passphrase.

4. Perform one of the following:
- Click Reset to remove your current changes and revert to the default or last saved settings.
- Click Save to store the settings on the server. If you are unable to save your changes, make sure that all required settings are specified.
- Click Activate to cause the server to load and apply the currently saved configuration.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.
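
The SNMP settings table above can be reviewed before the values are saved. The following is an added example, not Blue Coat code: it audits a settings dictionary whose key names are hypothetical stand-ins for the table's fields, checks the mandatory fields and value formats, and flags the plaintext community string and the MD5 and DES options that the table lists beside the SHA and AES defaults. All sample values are constructed.

```python
import ipaddress

# Hypothetical key names standing in for the fields of the settings table.
REQUIRED = ("what_to_send", "destination_ip", "destination_port", "version")
V3_ONLY = ("engine_id", "security_name", "auth_protocol", "auth_passphrase",
           "priv_protocol", "priv_passphrase")


def security_level(s):
    """SNMPv3 security level implied by which passphrases are set."""
    if not s.get("auth_passphrase"):
        return "noAuthNoPriv"
    return "authPriv" if s.get("priv_passphrase") else "authNoPriv"


def audit_snmp_settings(s):
    """Return (severity, message) findings for one settings dictionary."""
    findings = []
    for key in REQUIRED:
        if s.get(key) in (None, ""):
            findings.append(("error", f"{key}: mandatory setting is empty"))
    if s.get("what_to_send") not in (None, "", "OFF", "ERROR"):
        findings.append(("error", "what_to_send: expected OFF or ERROR"))
    if s.get("destination_ip"):
        try:
            ipaddress.ip_address(s["destination_ip"])
        except ValueError:
            findings.append(("error", "destination_ip: not an IP address"))
    port = s.get("destination_port")
    if port not in (None, "") and not (
            str(port).isdigit() and 1 <= int(port) <= 65535):
        findings.append(("error", "destination_port: expected 1-65535"))

    version = "" if s.get("version") in (None, "") else str(s["version"])
    if version in ("1", "2"):
        findings.append(("warning", f"version {version}: traps are sent "
                         "without authentication or encryption"))
        if s.get("community"):
            findings.append(("warning", "community: transmitted in plaintext, "
                             "so do not reuse it as a secret elsewhere"))
        unused = [k for k in V3_ONLY if s.get(k)]
        if unused:
            findings.append(("info", "SNMPv3-only settings have no effect: "
                             + ", ".join(unused)))
    elif version == "3":
        if s.get("priv_passphrase") and not s.get("auth_passphrase"):
            findings.append(("error", "priv_passphrase without auth_passphrase: "
                             "SNMPv3 has no privacy-without-authentication level"))
        elif security_level(s) != "authPriv":
            findings.append(("warning", f"security level is {security_level(s)}; "
                             "set both passphrases for authPriv"))
        if s.get("auth_protocol", "SHA") == "MD5":
            findings.append(("warning", "auth_protocol: MD5 selected; "
                             "SHA is the default"))
        if s.get("priv_protocol", "AES") == "DES":
            findings.append(("warning", "priv_protocol: DES selected; "
                             "AES is the default"))
    elif version:
        findings.append(("error", "version: expected 1, 2 or 3"))
    return findings


# Constructed sample settings (destination values reuse the table's examples).
BASE = {"what_to_send": "ERROR", "destination_ip": "192.0.2.0",
        "destination_port": 155}
WEAK = dict(BASE, version=2, community="public", auth_protocol="MD5")
LEGACY_V3 = dict(BASE, version=3, security_name="mc-traps",
                 auth_protocol="MD5", priv_protocol="DES",
                 priv_passphrase="constructed-priv-passphrase")
HARDENED = dict(BASE, version=3, security_name="mc-traps",
                auth_protocol="SHA",
                auth_passphrase="constructed-auth-passphrase",
                priv_protocol="AES",
                priv_passphrase="constructed-priv-passphrase")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("LEGACY_V3", LEGACY_V3),
                      ("HARDENED", HARDENED)):
        print(name, security_level(cfg))
        for severity, message in audit_snmp_settings(cfg):
            print(f"  [{severity}] {message}")
```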


Customize the Audit Log
Because the Audit Log records all transactions on multiple levels, the log can grow very quickly, especially if many devices are managed in Management Center and there is a high level of user activity. Although the Audit Log is designed to make it easy for you to locate the records you want, you can customize the display further to help you locate specific records, isolate records from a certain date or time, filter records pertaining to specific users or objects, and more.

Use the following methods in conjunction to customize the Audit Log display to suit your purposes.

When you make the following changes in the Audit Log Viewer, the changes do not persist beyond the current browser session; the next time you log in to the web console, you must go through the same steps to change the viewer again.

Show or hide columns

You can show columns that you hid, or columns that are not visible by default, such as Record Type and Info3 through Info5. You can hide some columns if you want a more general look at the log or if your screen size is limited.

To see all information available in the Audit Log and ensure that you can see an appropriate level of detail, you can show all columns first and then choose which ones, if any, you want to hide.

1. On any column header, click the arrow. The web console displays a list of options.
2. Select an option to show the column.
Clear an option to hide the column.
3. Click anywhere outside of the list to close it.
The Audit Log shows/hides the columns you specified.

Sort columns

Because the Audit Log displays records in descending chronological order by default, you can re-arrange them to analyze the data more effectively. By default, the records are sorted in descending order of Operation Time (latest to earliest).

1. Click the header of the column you want to sort.

- If the header displays an up arrow, the data is arranged in ascending order (A-Z, earliest to latest).
- If the header displays a down arrow, the data is arranged in descending order (Z-A, latest to earliest).
2. Click the header again to reverse the sort order.

In the following example the columns are sorted by Operation Type, so all Authentications are displayed first.

Filter records

To limit the amount of data that the log displays and focus only on specific records, apply filters using the drop-down lists on the right. Depending on the transaction level, you may need to filter pages of records. The filters limit the record type. To narrow the search, apply one or more filters.


If applying a filter results in too few records or not the right records, remove or change some filters. To reset the filters to default, click Clear.

Create and Manage Jobs
Management Center allows you to create jobs for running a variety of operations on a defined schedule. For example, you can create jobs for backing up Management Center each day, installing policy on a group of ProxySG appliances immediately, or executing a ProxySG script on a monthly basis. Jobs don't necessarily need a precise schedule, though; if you don't define a schedule for a job, you can run the job manually. In addition, you may override the defined schedule for a job and run it immediately.

Scheduling a job and running an operation require different permissions. See "Reference: Understanding Job Permissions" on page 261.

1. Plan the job:
- Determine which operation you want to create a job for. See "Job Operations" on page 325.
- Which devices do you want to perform the operation on? These will be the targets of the job.
- Decide how often the job should run. This will be the job schedule. See "Job Scheduling Options" on page 328.
2. Create the job. See "Add a Job" on the next page.
3. Monitor scheduled jobs, and run unscheduled jobs as needed. See "Monitor Jobs" on page 330.
4. Monitor jobs as they are running. See "View Current Jobs" on page 332.
5. View job history. See Job History.

Add a Job
The Management Center New Job wizard prompts you for information required to create a job: name, operation, targets (individual devices or groups), and schedule. The fields vary for each type of operation.

The basic steps for adding a job are described below.

1. Click Jobs > Scheduled Jobs > New Job. The New Job Wizard presents its first screen, the Basic Info dialog.
2. In the Basic Info dialog, enter a name for your job.
3. Enter a description of the job. Good descriptions help to differentiate jobs when they have similar names.
4. Optional: Email the job results. Click Email results and select the condition. Then, enter the email(s) of the recipient(s) and click Next. You can choose to email the results when the job succeeds, fails, or for all conditions.
5. In the Operation dialog, select an operation from the drop-down list. Additional fields may display, depending on which operation you select. See "Job Operations" on the facing page.
6. After filling in the fields required for the operation you selected, click Next.
7. In the Targets dialog, select the Devices or Group tab. Add multiple devices or device groups by selecting the check box next to the names of devices or device groups. All selected targets appear in Selected Targets. When you have added all of the targets for the job, click Next.

8. In the Schedule dialog, define a schedule for the job. See "Job Scheduling Options" on page 328 for more information.

- Immediate: automatically runs the job after it is created
- No Schedule: no specific time or day is specified; when you are ready to run the job, use the Run Now button to manually execute the job
- Run Once Only: specify the date and time to run the job
- Periodic: runs the job every x number of minutes, hours, or days, starting at the specified time and date
- Daily: runs the job every day at the specified time
- Monthly: runs the job once a month on the specified day of the month and specified time of day
9. Click Finish.

The new job is available in the Scheduled Jobs section, or if you run the job immediately, the Job Progress window displays until you close it or select Continue in Background.

Schedule jobs to run when network performance is not impacted or jobs that recur often. Scheduling a job and executing a job (run now) apply different permissions. See "Reference: Understanding Job Permissions" on page 261.

The Jobs tab is one way to add a job in Management Center. Some operations have alternative methods for creating jobs. See the topics in the table below.

Operation | Refer to this topic
Execute Script | "Execute a Script" on page 150
Export Backups | "Export Device Backups" on page 85
Install Policy | "Install Policy" on page 227


Job Operations
When defining a job, additional fields may display, depending on which operation you select. The list below describes each operation and its associated fields.

* designates a required field

Operation | Description | Fields
Backup Devices | Backs up the configuration of the selected device(s) on a defined schedule; any supported type of device can be backed up. Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility. See also "Back Up Device Configurations" on page 78. | Backup Name *; Backup Description *
Backup Management Center | Stores a backup of the Management Center configuration to the specified server on a defined schedule. See also "Back Up the Management Center Configuration" on page 408. | Export to Server - Select the check box; Server URL * - Supported protocols include scp, ftp/ftps, and http/https; Encryption Phrase * - 1 or more characters, alphanumeric; Username; Password
Change Monitoring State | Activate or deactivate devices. Management Center actively monitors the health status of activated devices. Deactivated devices are not monitored. Whether you choose to activate or deactivate a device depends on your business requirements. You can also disable statistics monitoring without deactivating a device. See also "Monitor Device Health and Statistics" on page 90. | Change Health Monitoring state - Select the radio button and Activate Devices or Deactivate Devices; Change Statistics Monitoring state - Select the radio button and Enable Statistics Monitoring collection or Disable Statistics Monitoring collection
Check Consistency | Checks whether the policy installed on selected devices matches the reference policy. See also "Check Consistency between Policy and Devices" on page 222. | Policy * - Click to select the reference policy to use for comparison; Select policy version * - Select the radio button for either The latest policy version or specify a previous Version
Execute a Script | Runs the designated script on the selected target ProxySG appliances on a defined schedule. See also "Execute a Script" on page 150. | Device Script * - Click to select the script to execute
Export Backups | Saves backup files of the selected target device(s) to the specified server on a defined schedule. Exporting device backups is necessary to save space and is mandatory if you are upgrading the device to a new image. Management Center supports configuration backup/restore/import/export of the following device types: ProxySG, Content Analysis, Malware Analysis, and SSL Visibility. See also "Export Device Backups" on page 85. | Export to Server - Select the check box; Server URL * - Supported protocols include scp, ftp/ftps, and http/https; Encryption Phrase * - 1 or more characters, alphanumeric; Username; Password; Prune Backups - Select this check box if you want to remove the backup from the backup slot when you export the backup; Retention Count * - Enter the number of backups to keep; Prune Pinned - Select this check box if you want to prune backups that have been pinned (or saved)
File Transfer | Transfers a file to the system. If you have previously downloaded a file, such as a configuration, image, license, text, or other file, and you want it on the new system, this option loads it. | Server URL * - Enter the URL of the file. Supported protocols include http/https; File Type - Specify the file type; If the file already exists - Choose what to do if the file already exists
Import External Policy | Imports the designated ProxySG policy or policy fragment from a web, FTP, or SCP server and merges it into the selected target policy fragment in Management Center. See "Import External Policy" on page 238. | Import from URL * - Supported protocols include scp, ftp/ftps, and http/https. The filename must be the ID assigned to the target policy; Username; Password
Install Policy | Runs the designated policy on the selected target ProxySG appliances on a defined schedule. See "Install Policy" on page 227. | Policies * - Click to select the policies to install; Force Installation - Select this check box to override any warnings
Install System Image | Upgrades the selected device to the specified image. The file must be uploaded to Management Center (Configuration > Files) and the device type must be specified. See Remove Unused Tenant Policy. | System Image - Select the image to install. The file will only be listed here if it has been uploaded to Management Center (Configuration > Files)
Remove Unused Policy | Removes tenant policy when there is no policy assigned to the tenant on the appliance. See Remove Unused Tenant Policy. | No additional fields.
Synchronize Devices | Synchronizes configuration settings from one device (the source) to one or more similar devices running the same or later OS versions. Management Center supports synchronization of the following device types: SSL Visibility, Content Analysis, and Malware Analysis. See also "Synchronize Devices" on page 97. | Source Device * - Select the device whose settings you want to copy to other devices; What to synchronize (*) - Varies by source device


Job Scheduling Options
Define a schedule for each job that you create or edit from the Schedule dialog in the Job wizard.

Verify that the time zone is configured for the region in which the job will occur. See "Synchronize the System Clock using NTP" on page 400.

Consider the following scheduling options.

Immediate

If you select Immediate, the job runs immediately after you finish creating or editing the job. To have the job listed on the Scheduled jobs page, select Save this job in Scheduled Jobs.

The job displays in Job History and Scheduled Jobs (if you selected the check box).

No Schedule

To run an on-demand job or to define the schedule later, select No Schedule.

Although the job does not have a schedule, it still displays in the Scheduled Jobs section. When you are ready to run the job, initiate the job manually by selecting Run Now. Management Center displays the Are you sure you want to run the selected job now? message. Click Yes. The Job History page displays the completed job.

Run Once Only

Certain jobs only need to be run once (for example, when you install policy to a device).

Select Run Once Only and then specify the date and time to run the job:

- In the Run at field enter the time (using a 24-hour clock) you want to run the job, or use the arrows to adjust the time.

- Click and select the day.

The job is listed in the Scheduled Jobs section until it runs at the scheduled time.

Periodic

You can schedule a job to run periodically, such as every two weeks or every three days. To specify a periodic schedule, you indicate the frequency the job should run and when you want the first job to run:

- Run every (number) of (minutes, hours, or days)
- Starting at (time) on (a specific date). Enter the time using a 24-hour clock.

The job will be listed in the Scheduled Jobs section.

Daily

You can schedule a job to run every day at a certain time. Specify the time using a 24-hour clock:

- Run at (hh):(mm)

The job will be listed in the Scheduled Jobs section.

Monthly

You can schedule a job to run monthly. To specify a monthly schedule, you indicate which day of the month to run the job as well as the time of day:

- Run on the (first, second, third, fourth, fifth) (Monday, Tuesday, Wednesday, Thursday, Friday, Saturday, Sunday) of the month.
- Run on day (1-31) of the month.
- Run on the last day of the month.
- Run at (hh):(mm). Enter the time using a 24-hour clock.

The scheduled job will display in the Scheduled Jobs section.

It is important to remember that if the job that you are scheduling is big (meaning it will take a lot of time and resources), it is recommended you schedule the job to run during off-hours or on weekends.


Monitor Jobs
Scheduled Jobs lists all the jobs that have been created and are either scheduled to run or have no schedule and must be run manually. Use this screen to see when scheduled jobs will run next, when jobs have last run, how many times each job has run, and who created the job.

1. Select Jobs > Scheduled Jobs.

2. From this list of scheduled jobs, you can select a job and perform any of the following tasks on the job:

- Edit: Change any of the job parameters (basic information, operation parameters, targets, schedule). See "Edit a Job" on the facing page.
- Delete: Permanently remove the job from the list of scheduled jobs
- Enable: Re-enable a job that has been disabled
- Disable: Disable the job so that it will not run as scheduled
- Run Now: Initiate the operation of the job; any job can be manually run unscheduled as well as scheduled

You can also right-click a job and select the task from the menu.

By default, jobs are sorted alphabetically by name. To sort by a different column:

1. Hover the mouse on the column heading you want to sort by, on the right edge of the column.
2. Click the triangle and select Sort Ascending or Sort Descending.


Edit a Job
You can edit any job listed on the Scheduled Jobs page.

1. Select Jobs > Scheduled Jobs.
2. Select the name of the job that you want to edit. Click Edit. The web console displays the Edit Job Wizard.
3. Edit the information on each tab as needed to complete the job:
- Basic Info: Change the job name, description, and whether to email job results. A red asterisk (*) denotes fields that are mandatory.
- Operation: Change any of the fields specific to the operation. (See "Job Operations" on page 325 for details.) However, you cannot modify the operation itself; if you want to change the operation, you will need to create a new job.
- Targets: Based on the operation, you can either add or remove targets, or a message displays stating that the job will run on the targets already specified.
- Schedule: From Schedule, you can choose from the following schedule types. (See "Job Scheduling Options" on page 328.)
  - Immediate
  - No Schedule
  - Run Once Only
  - Periodic
  - Daily
  - Weekly
  - Monthly

4. Click Save.


View Current Jobs
The Current Jobs section displays all currently running jobs. To view jobs that have already occurred, see "View Job History" on page 334. To view all scheduled jobs, see "Monitor Jobs" on page 330. To cancel a currently running job, see "Cancel a Currently Running Job" on the facing page.

1. Select Jobs > Current Jobs. The top pane displays the following details:

Column | Description
Name | This is the name you gave the job when you created it. See "Add a Job" on page 324.
Status | This is the current status of the job. The status of a job changes from Running to Complete.
Progress | This progress bar is constantly updating. You can view in real-time the progress of the current job. The color of the progress bar correlates with the top of the web console banner.
Start Time | This shows the start time (in a 24-hour clock format) of the current job.
End Time | This shows the end time (in a 24-hour clock format) of the current job.
Description | This is the description you gave the job when you created it. Although entering a description is optional, the description (and name) help differentiate versions of the similar jobs. For example, a common job is "Backup", but without a good description it is difficult to see which devices are currently being backed up.

Each time you start a job manually a Job Progress window displays. If you want to run the script in the background (and get rid of the window) while you do other tasks in Management Center, click Continue in Background.

2. If you select a name of a currently running job in the top pane, the details of that job appear in the two bottom panes.

3. The Job Progress Summary pane includes filters for the device on which the job is currently running. To cancel a currently running job, click Cancel.

If you have too many jobs going to keep track of, you can filter the results by:

- Complete = Green
- Error = Red (Hover your mouse over all jobs with errors to view the details of the error)
- Warning = (Hover your mouse over all jobs with warnings to view the details of the warning)
- Running = Grey (Grey signifies inactivity)

For more information on colors and status indicators, see "About Color-Coded Status Indicators" on page 28.


Cancel a Currently Running Job
To cancel a currently running job, select Jobs > Current Jobs.

1. Select the job you want to cancel.

2. Click Cancel.

Some steps of a job that are currently in progress will run to completion instead of being canceled.

3. Ensure that the job running is canceled by checking the Status column and the Job Results pane. Check for errors! Errors appear red with an exclamation mark in the Status column:

4. All jobs that you successfully cancel are obvious in the web console. Canceled jobs appear as:

Some jobs have multiple commands running on multiple devices. The more complex a job is, the more errors may occur when you choose to cancel a running job.


View Job History
View all past jobs and their status. The Job History section is similar to the Current Jobs list, but the Job History displays thousands of results of jobs that have already occurred. The Current Jobs section displays currently running jobs. To view currently running jobs, see "View Current Jobs" on page 332. To view all scheduled jobs, see "Monitor Jobs" on page 330. You can view more details of a completed job from Job History.

1. Select Jobs > Job History.

2. The Job History top pane displays the following details about each completed job:

Column | Description
Name | This is the name you gave the job when you created it. See "Add a Job" on page 324.
Status | This is the status of the job. More details are available about the job.
Progress | This progress bar displays completed jobs, with the latest job that was run always on top.
Start Time | This shows the start time (in a 24-hour clock format) of the selected job.
End Time | This shows the end time (in a 24-hour clock format) of the selected job.
Description | This is the description you gave the job when you created it. Although entering a description is optional, the description (and name) help differentiate versions of the similar jobs. For example, a common job is "Backup", but without a good description it is difficult to distinguish the different backups that occurred.

3. If you select a name of a job in the top pane, the details of that job appear in the two bottom panes. The Job Name and the Job Results are detailed in the bottom panes. You can copy and paste the text in these panes. The text in the Status field is especially useful for debugging.

Management Center can be down while a job is running. The jobs that run while Management Center is down never appear in Current Jobs but they will appear in Job History when Management Center is back up and running.

View Job Progress

The Job Progress Summary pane includes filters for the device on which the jobs have run or are currently running. If you need to filter the Job History results, you can filter the results by:

- Complete = Green (Green indicates that the job is running or has already run successfully)
- Error = Red (Red signifies that the job did not run because of an error. Select the job name to drill down for the details)
- Warning = Yellow (Yellow signifies the job ran, but issues occurred. Select the job name to drill down for the details)
- Running = Green or Grey (Grey signifies inactivity)

When the Job Progress window displays a currently running job that is taking a long time, you have the option to Continue in Background.

For more details on the use of color and status indicators, see "About Color-Coded Status Indicators" on page 28.


You cannot delete a job from Job History; you can only "Cancel a Currently Running Job" on page 333.

Management Center Reports
Management Center allows you to consolidate data from all, or a group of, ProxySG appliances you have added as managed network devices. Management Center offers Statistics Monitoring and Reporter reports.

Statistics Monitoring Reports
Statistics Monitoring reports consolidate statistics from your managed ProxySG devices. There are two categories of Statistics Monitoring reports:

- Devices: a variety of reports about the network traffic seen by a single ProxySG device, ProxySG appliances in a device group, or all ProxySG devices
- WAN Optimization: reports for ProxySG appliances with a Proxy or MACH5 Edition license.

"View Statistics Monitoring Reports" on page 376

For descriptions of each report, refer to "Reference: Statistics Monitoring Reports in Management Center" on page 377.

Reporter Reports
If you have integrated Blue Coat Reporter into Management Center, additional sets of reports are available to you. Reporter reports are grouped into the following categories:

- Security: reports that reveal activity on the network that may pose security or liability concerns.
- Web Applications: reports that provide insight into the web applications being accessed on your network, as well as the riskiness of these applications.
- User Behavior: reports that give you insight into the websites and categories of web traffic users are viewing or are blocked from viewing, and the amount of web traffic for different time periods.
- Bandwidth Usage: reports that analyze hourly, daily, and monthly bandwidth usage on the network, and estimate the time and data cost of that usage.

"Integrate Reporter into Management Center" on the next page

For descriptions of each of these reports, see "Reference: Report Descriptions" on page 351.

Integrate Reporter into Management Center
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

Prerequisites

- Obtain or verify administrator access to Reporter Enterprise Server 10.1.x or later.
- Verify that Reporter Enterprise Server is deployed inline with ProxySG appliances within your network.
- Ensure that you have access to a Reporter Enterprise Server (username and password).
- To be able to view Reporter reports on managed devices, you will need to add a Reporter Enterprise Server from the Network tab.

Procedure

To integrate Reporter so that you can view Reporter reports in the Management Center web console:

1. Verify prerequisites above.
2. Add Reporter as a managed device in Management Center.
3. "View a Reporter Report" on page 339.


Add Reporter as a Managed Device
Before you can view Reporter reports in Management Center, you need to add a Reporter device.

1. Select the Network tab.
2. (Optional) Browse to the hierarchy and folders/subfolders where you want to add Reporter.
3. Click Add Device. The Add Device wizard begins. A red asterisk (*) denotes fields that are mandatory.
4. Specify the following Connection Parameters:
- In the Deployment Status drop-down list, select Existing device.
- In the Device Type drop-down list, select Reporter.
- Enter Reporter's IP address or hostname.
- Enter the username and password you use to authenticate to the device.
- Specify the role assigned to this user in Reporter.

5. Click Test Connection. Management Center attempts to connect to Reporter using the information you entered.

If the connection test fails, you will receive an error. Make sure that the information you entered is correct and try again. If the connection test succeeds, you receive a success message and the wizard prompts you to continue.

6. Click Next. Enter a name and description for the Reporter Enterprise Server.
7. Click Next. Enter the Membership such as the Location, Organization, or the name of the device group to which the Reporter Enterprise Server will belong.
8. Click Next. Enter the System or User-Defined Attributes. See "Manage Attributes" on page 297.
9. Click Finish. The Network tab displays Reporter in the device list and the web console displays an alert indicating that the device was added and activated. You can now generate Reporter reports.


View a Reporter Report
Reporter reports can only be viewed if you have already added the Reporter Enterprise Server as a managed device.
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

The procedure below documents an example of how to view a Reporter report. This example uses the Security report Trend of Blocked Requests.

1. Select Reports > Reporter.
2. Select a role and the Reporter database from the Database drop-down list at the top of Reports Home. The database you select determines the list of available reports.

   If the database you want is not available, see "Determine Why A Reporter Database Does Not Display" on page 368.

   Reporter has the following report categories:

   - Security
   - User Behavior
   - Log Detail
   - Bandwidth Usage
   - Web Applications
3. In this example, select Trend of Blocked Requests in the Security list. A default line graph is displayed with Average Requests and a Normal Request Range. Line graphs show how data for the trend changes over time. Average Requests represent the average number of blocked requests specific to your organization. The Normal Request Range is a calculation that produces a "normal" range of blocked requests specific to your organization.

4. (Optional) Change the date filter to display a different time range on the report. The default time range is 7d (7 days).

   You can also use the arrows to filter the date and time. When you change the date range, the dates are expanded or contracted along the bottom of the report.


5. (Optional) From the Quick Pick drop-down, select a type of relative date filter, for example, Before or Since.

6. (Optional) Change the report view:

   - To display the bottom columns only, select [icon].
   - To display the graph only, select [icon].
   - To display both the bottom columns and the graph, select [icon].

7. (Optional) To change the graph type, select [icon]. Graph types include:

   - Area - An area graph displays quantitative data graphically. It is based on the line chart. The area between axis and line is commonly emphasized with colors and textures. Commonly used area graphs compare one area with two or more areas.

   - Bar - A bar graph presents grouped data with rectangular bars with lengths proportional to the values that they represent. The bars are plotted horizontally and show comparisons among categories. One axis of the graph shows the specific categories being compared, and the other axis represents a discrete value. Grouped bar graphs display bars clustered in groups of more than one bar graph.

   - Column - A column graph presents grouped data with rectangular bars with lengths proportional to the values that they represent. The bars are plotted vertically and show comparisons among categories. One axis of the graph shows the specific categories being compared, and the other axis represents a discrete value. Grouped column graphs display bars clustered in groups of more than one column graph.

   - Line - Line graphs show how data for one data type changes over time.

   - Pie - A pie graph is a circular statistical graphic, divided into slices to illustrate numerical proportion. In a pie graph, the arc length of each slice (and thus the central angle and area) is proportional to the quantity it represents. The pie chart displays the value name and metric when a user hovers the mouse over a section.

8. The default overlay for the Trend of Blocked Requests report is Requests. (Optional) To add or change overlays, select an overlay from the legend on the right of the report:

   - Requests
   - Page Views
   - Browse Time
   - Cost (Time)
   - Cost (Bytes)
   - Total Bytes
   - Bytes Sent
   - Bytes Received


   Each overlay is represented by a different color and pattern.

9. (Optional) View the report with all overlays applied:

10. (Optional) To view data from a different Reporter database, select a database from the Database drop-down list at the top of Reports Home. The data set is different, thus the reports and widgets will change based on the database selected. Reports already open from other databases still appear in the left pane.

11. (Optional) In addition to a graph, each report has a data grid displaying the statistics used in the graph. You can drill down into this data to display additional reports. For example, if a Category report is displayed, you can select one of the categories in the data grid and drill down to find out what sites are being viewed and who is viewing them. To drill down in a report:
    a. Select the row in the data grid that you want to drill down into.

    b. Click [icon] to display a list of fields you can view details on.

    c. Select the desired field you want more information about, or select More Fields or Trend Fields to see additional options. The drill-down report displays in a new report tab.

    d. Continue drilling down, as necessary.

    Another way to display the Drilldown menu is to right-click the row in the data grid.

12. (Optional) Generate an Overview report of items in the data grid. To see more information about an item in the report, click the hyperlink to launch an Overview report for that item. For example, if you click the hyperlink for Facebook, the Overview report will show a daily trend of traffic to Facebook, the top users and Client IPs accessing Facebook, and a breakdown of the protocols used to access Facebook.

13. (Optional) Filter or change the report criteria.

Customize Reporter Report Options
Starting with Management Center 1.6, you can customize every Reporter report. In some cases, these reports can take significantly longer to run than the standard reports available on Management Center. These reports cannot be saved for later use.

You can alter what is reported in the following ways:

- "Add Report Filters" below
- "Change the Report Summary" on page 346

Add Report Filters
1. Select a Reporter database.

2. Select the desired report.
3. (Optional) Adjust the report settings (date range, format, and so on).
4. To customize the report, select the gear icon in the upper right corner.


5. Add a filter.
   a. Go to Filters and click Add Filter.

   b. Select a field.

   c. Select the appropriate operator. The available operators change depending on the selected action.

   d. Select or enter a value.

6. (Optional) Add another filter by repeating step 5. You can add any number of filters.

7. Click Run Report.

Examples

Example 1: If the administrator selects the filter Site, the operator contains, and enters facebook for the value, the report returns only sites that contain the string "facebook."

Example 2: If the administrator selects the filter Client IP, the operator matches, and enters the IP address range 10.1.1.0/22, the report includes all addresses in that network mask.

Example 3: If the administrator selects the filter Hours of Day, the operator in between, and selects the hours 9 a.m. and 5 p.m., the report includes data only for the time between 9 and 5.
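
The three filter examples above, worked through offline as an added example (this is not Reporter or Management Center code). It shows in particular what Example 2 covers: 10.1.1.0/22 has host bits set, so the /22 mask resolves to 10.1.0.0 through 10.1.3.255. Assumptions: the row keys, case-insensitive "contains", an exclusive upper hour bound, AND-combination of multiple filters, and masking of host bits are all illustrative choices, since the guide does not specify them.

```python
import ipaddress
from datetime import datetime

# Constructed log rows. The keys site/client_ip/time are assumptions standing in
# for the report fields Site, Client IP and Hours of Day.
ROWS = [
    {"site": "www.facebook.com",    "client_ip": "10.1.0.17",  "time": "2016-08-01T08:59:00"},
    {"site": "static.facebook.com", "client_ip": "10.1.1.20",  "time": "2016-08-01T09:00:00"},
    {"site": "example.org",         "client_ip": "10.1.3.255", "time": "2016-08-01T12:30:00"},
    {"site": "example.org",         "client_ip": "10.1.4.1",   "time": "2016-08-01T16:59:59"},
    {"site": "m.facebook.com",      "client_ip": "192.0.2.9",  "time": "2016-08-01T17:00:00"},
]


def is_aligned(cidr):
    """True when the address part of the CIDR value is the network address itself."""
    try:
        ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
        return True
    except ValueError:
        return False


def effective_range(cidr):
    """Return (first, last, count) for the network a CIDR filter value covers."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False masks off host bits
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def op_contains(value, needle):
    # Assumption: substring match, case-insensitive.
    return needle.lower() in value.lower()


def op_matches(ip, cidr):
    # Membership test against the masked network, not a string comparison.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def op_in_between(timestamp, start_hour, end_hour):
    # Assumption: start hour inclusive, end hour exclusive (9 a.m. up to, not including, 5 p.m.).
    return start_hour <= datetime.fromisoformat(timestamp).hour < end_hour


OPERATORS = {"contains": op_contains, "matches": op_matches, "in between": op_in_between}


def run_report(rows, filters):
    """Apply filters given as (field, operator, *args); a row must pass all of them."""
    selected = []
    for row in rows:
        if all(OPERATORS[op](row[field], *args) for field, op, *args in filters):
            selected.append(row)
    return selected


if __name__ == "__main__":
    print("10.1.1.0/22 aligned:", is_aligned("10.1.1.0/22"))
    print("10.1.1.0/22 covers:", effective_range("10.1.1.0/22"))
    for name, flt in [
        ("Example 1", [("site", "contains", "facebook")]),
        ("Example 2", [("client_ip", "matches", "10.1.1.0/22")]),
        ("Example 3", [("time", "in between", 9, 17)]),
    ]:
        print(name, [r["client_ip"] for r in run_report(ROWS, flt)])
```

Before relying on a Client IP filter for an investigation, confirm the range the value actually covers; a filter typed as 10.1.1.0/22 also pulls in 10.1.0.x, 10.1.2.x and 10.1.3.x.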

Change the Report Summary
This section describes how to change the report summary.

Change the number of displayed items per page.

1. In the Summarize By field, change the Display: value.

2. Change other options as desired.
3. Click Run Report.

Change the report summary. That is, change the focus of the report.

1. In the Summarize By field, change the Summarize By: value.

2. Change other options as desired.
3. Click Run Report.

When you change the Summarize By: field, a new report is generated and the name of the report is changed to match your selection. The previous report is still available in the left pane.

Create a two-level report.

1. In the Summarize By field, click Summary Type: Two Level.

2. Select the two values to report. In the following example, the report is summarized by Day and then by Verdict.

3. Change other options as desired.
4. Click Run Report.

Set Time Zone for Reporter Reports
Associate a custom time zone with your user profile. That time zone is then used for all Reporter reports. Each user can set a different time zone without affecting other users' views.

1. In the web console banner, click [icon] and select your user name.

   The user name for the standard Admin login is "Management Center."

2. Select the Reporter Time Zone tab.

3. Select the new time zone.

4. Click Save.
5. When you open a Reporter report, note the new time zone icon.

6. Verify your settings by opening a Reporter report and hovering over the time zone icon.

Once set, you can change the time zone by clicking the time zone icon.


Reference: Report Descriptions
The following report groups are available if you have integrated Reporter 10.1.x or later with Management Center:

Some reports require Reporter 10.1.3.x or later. These requirements are noted in the report description.

- Security
- User Behavior
- Bandwidth Usage
- Web Applications
- Log Detail

From the Database drop-down list, select the Reporter database to use in your reports. The information displayed in the report group will differ according to the database selected. For example, WAF database reports contain an Actions report in the Security group. That report is not displayed for other databases.

The following tables briefly describe the default graph in each of the Reporter reports. In addition to a graph, each report has a data grid displaying the statistics used in the graph; you can drill down into this data for more details. Note that you have many options for customizing reports: displaying just the graph, displaying just the data grid, changing the graph type, specifying a date filter, and selecting/unselecting overlays. See "View a Reporter Report" on page 339 for details.

Reporter reports in Management Center are derived from Reporter database log files, and these reports may be different or enhanced from similar reports in Reporter Enterprise Server.

Security

The Security reports reveal activity on the network that may pose security or liability concerns. The available reports may differ depending on the selected database type.

| Report | Description of Default Graph |
|---|---|
| Potentially Infected Clients - Unified | To view this report, you must add a Reporter appliance running 10.1.4.x or later and select a unified database. Reporter 10.1.4 introduces the ability to create a database that includes malware scanning and sandboxing results from the Blue Coat Content Analysis (CA) appliances and Malware Analysis (MA) appliances that are deployed as part of your SGOS proxy security solution. These reports are called Unified reports. Displays an area, bar, column, or pie chart of the client IP addresses that might be infected by malicious content, as found by sandboxing, file reputation, predictive analysis score, anti-virus, and WebPulse. By default, the report lists each IP address, sorted by the number of risky requests. |
| Potential Malware Infected Clients | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays a bar chart of the client IP addresses that might be infected by malicious content, as found by sandboxing, file reputation, anti-virus, WebPulse. By default, the report lists each IP address, sorted by the number of risky requests. |
| Malware Detected Names | Displays a bar chart of the names of the malware detected by CAS / Proxy AV. To view this report, you must add a Reporter appliance running 10.1.3.x or later. Note: This report will be blank if user name data isn't available in the Reporter log file. |
| Blocked Users | For each user, this report shows a bar chart of the number of requests that were blocked due to the URL being from one or more of the following categories: Spyware, Suspicious, Phishing, or Malicious. Note: This report will be blank if user name data isn't available in the Reporter log file. |
| Blocked Request by User Agent | For each user agent (browser + version), the report shows a bar chart of the number of blocked web requests to URLs from one of the following categories: Spyware, Suspicious, Phishing, or Malicious. |
| Threat Sites Blocked | Displays a bar chart of the websites that had blocked web requests to URLs from any of the following categories: Spyware, Suspicious, Phishing, or Malicious. The sites with the most blocked web requests appear at the top of the report. |
| Trend of Risky Requests | Displays a line graph that shows the number of risky web requests (for example, requests to URLs of malware categories) over the specified time period. The graph contains a shaded area that represents the normal requests range, which is a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of risky web requests during the last month. |
| Trend of Risky Users | Displays a line graph that shows the number of users making requests to URLs of risky categories (Spyware, Suspicious, Phishing, or Malicious) over the specified time period. The graph contains a shaded area that represents the normal count range, which is a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of users making risky web requests during the last month. Note: User drill-downs are blank if user name data isn't available in the Reporter log file. |
| Trend of Blocked Requests | Displays a line graph that shows the number of web requests that were blocked over the specified time period. The requests could be blocked for a variety of reasons, such as due to deny policies on the ProxySG. The graph contains a shaded area that represents the normal requests range, which is a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of risky web requests blocked during the last month. |
| Trend of Blocked Users | Displays a line graph that shows the number of users who were blocked over the specified time period. The users could be blocked for a variety of reasons, such as due to deny policies on the ProxySG. The graph contains a shaded area that represents the "normal count range," a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of users blocked during the last month. Note: User drill-downs are blank if user name data isn't available in the Reporter log file. |
| Trend of Risky Clients | Displays a line graph that shows the number of client IP addresses that accessed URLs in the following categories: Spyware, Suspicious, Phishing, or Malicious. The graph contains a shaded area that represents the "normal count range," a range based on the organization's web traffic history over the last month. In addition, a dotted horizontal trend line indicates the average number of client IPs that were potentially infected during the last month. |
| Threats | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays a bar chart that provides details for the number of threats discovered by each detection method (Sandboxing, File Reputation, Anti-virus, WebPulse). |
| Threats - Unified | To view this report, you must add a Reporter appliance running 10.1.4.x or later and select a unified database. Reporter 10.1.4 introduces the ability to create a database that includes malware scanning and sandboxing results from the Blue Coat Content Analysis (CA) appliances and Malware Analysis (MA) appliances that are deployed as part of your SGOS proxy security solution. These reports are called Unified reports. Displays an area, bar, column, or pie chart that provides details for the number of threats discovered by each detection method (sandboxing, file reputation, predictive analysis score, anti-virus, WebPulse). If Malware Analysis processing results in a detonation, the Malware Analysis sends that result to the Content Analysis, which notifies the SGOS proxy device. The SGOS proxy device caches the result and blocks subsequent requests that match. However, the log entries for these cache block actions do not contain the sandboxing vendor or score. Because of this, you might not see the Malware Analysis benefits reflected in the reports. For example, the SGOS proxy device might block 20 requests that match a cached result; the Malware Analysis is credited with only one result (the one that resulted in the cache entry). However, when the SGOS proxy device receives a clear cache action (for example, when new AV patterns are loaded), the Malware Analysis action re-occurs on the next request. |
| Trend of Threats | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays a column chart that shows the trend over time for each detection method (Sandboxing, File Reputation, Anti-virus, WebPulse). |
| Trend of Threats - Unified | To view this report, you must add a Reporter appliance running 10.1.4.x or later and select a unified database. Reporter 10.1.4 introduces the ability to create a database that includes malware scanning and sandboxing results from the Blue Coat Content Analysis (CA) appliances and Malware Analysis (MA) appliances that are deployed as part of your SGOS proxy security solution. These reports are called Unified reports. Displays an area, bar, column, or pie chart that shows the trend over time for each detection method (sandboxing, file reputation, predictive analysis score, anti-virus, WebPulse). |
| Threats - WAF | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the number of threats by category (attack family or anti-virus). Each colored section represents a threat type and corresponding number of incidents. |
| Trend of Threats - WAF | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the trend over time for anti-virus and attack family threats. |
| Actions | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows action-related data. This data includes requests, page views, browse time, cost (time), cost (bytes), total bytes, bytes sent, bytes received, cache bytes, server bytes, bytes saved. |
| Methods | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows data per HTTP method. These actions include requests, page views, browse time, cost (time), cost (bytes), total bytes, bytes sent, bytes received, cache bytes, server bytes, bytes saved. |
| Attack Families | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the number of requests per attack type (for example, SQL injection). The data corresponds to that recorded for the x-bluecoat-waf-attack-family log field. Each slice represents an attack type. The chart displays only the top ten attack types. |
| Attack Families Per Country | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the total number of attacks per country. The bar is segmented; each color represents a different attack type. The chart displays only the top ten countries. The data is based on geolocation data and is only shown when either x-bluecoat-waf-attack-family or x-virus-id does not include -. |
| Sandboxing Risk Score | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays a pie chart that shows the number of requests in each risk score. Each slice represents a risk score. |
| Trend of Sandboxing | To view this report, you must add a Reporter appliance running 10.1.4.x or later. Displays an area, bar, column, or pie chart that shows the trend over time for each risk score. |
| Trend of Predictive Analysis | To view this report, you must add a Reporter appliance running 10.1.4.x or later. Displays an area, bar, column, or pie chart that shows the trend over time for each predictive analysis score. |
| Trend of File Reputation | To view this report, you must add a Reporter appliance running 10.1.4.x or later. Displays an area, bar, column, or pie chart that shows the trend over time for each file reputation score. |
| File Risk Score | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays a pie chart that shows the number of requests in each risk score. Each slice represents a risk score. |
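
The inclusion rule and top-ten cut-off described for Attack Families Per Country, reproduced over constructed log rows as an added example (not Reporter code) that is useful for cross-checking a chart against an exported access log. Assumptions: `country` is a hypothetical key for the geolocation result, the attack family and virus values are constructed, a row counts when at least one of the two named fields is not `-`, and rows with only `x-virus-id` set are labelled `anti-virus`.

```python
from collections import Counter, defaultdict

ATTACK_FIELD = "x-bluecoat-waf-attack-family"  # field name from the report description
VIRUS_FIELD = "x-virus-id"                     # field name from the report description
EMPTY = "-"                                    # placeholder the log uses for "no value"


def has_threat(row):
    """A row is charted when at least one of the two fields is not '-' (assumed reading)."""
    return row.get(ATTACK_FIELD, EMPTY) != EMPTY or row.get(VIRUS_FIELD, EMPTY) != EMPTY


def segment(row):
    """Bar segment: the attack family, or 'anti-virus' when only x-virus-id is set (assumption)."""
    family = row.get(ATTACK_FIELD, EMPTY)
    return family if family != EMPTY else "anti-virus"


def attacks_per_country(rows, top=10):
    """Return [(country, total, {segment: count})], highest total first, cut at `top`."""
    per_country = defaultdict(Counter)
    for row in rows:
        if has_threat(row):
            per_country[row["country"]][segment(row)] += 1
    ranked = sorted(per_country.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [(country, sum(c.values()), dict(c)) for country, c in ranked[:top]]


def make_sample():
    """Constructed rows: countries C01..C12, where Cnn has nn threat rows plus one clean row."""
    rows = []
    for n in range(1, 13):
        country = f"C{n:02d}"
        for i in range(n):
            if i % 3 == 2:
                # Only the anti-virus field is populated.
                rows.append({"country": country, ATTACK_FIELD: EMPTY, VIRUS_FIELD: "EICAR-Test-File"})
            else:
                family = "SQL Injection" if i % 3 == 0 else "Cross Site Scripting"
                rows.append({"country": country, ATTACK_FIELD: family, VIRUS_FIELD: EMPTY})
        # Clean request: both fields are '-', so it must not be counted.
        rows.append({"country": country, ATTACK_FIELD: EMPTY, VIRUS_FIELD: EMPTY})
    return rows


if __name__ == "__main__":
    for country, total, segments in attacks_per_country(make_sample()):
        print(country, total, segments)
```

Countries outside the top ten (C01 and C02 in the constructed data) still have threat rows in the log; they are absent from the chart only because of the cut-off.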

User Behavior

The User Behavior reports give you insight into the websites and categories of web traffic users are viewing or are blocked from viewing, and the amount of web traffic for different time periods.

| Report | Description of Default Graph |
|---|---|
| Blocked Requests by Site | Displays a bar graph that shows the number of web requests that were blocked on each website. The sites with the most blocked requests appear at the top of the report. |
| Blocked Requests by Category | Displays a bar graph that shows the number of web requests that were blocked in each URL category. The categories with the most blocked requests appear at the top of the report. |
| Blocked Requests by User | Displays a bar graph that shows the number of web requests that were blocked for each user. The users with the most blocked requests appear at the top of the report. Note: This report will be blank if user name data isn't available in the Reporter log file. |
| Filtering Verdict Trend by Day | Displays a stacked column graph that shows the number of web requests that triggered specific policy verdicts. By default, all verdicts are selected; you will want to select just the policy verdicts you are interested in (such as connect_method_denied and policy_denied). |
| Sites | Displays a bar graph that lists the websites with the most page views. For each website, the graph illustrates the number of page views during the specified time period. The site with the most page views appears at the top of the report. |
| Categories | Displays a pie chart that shows the categories with the most page views; all other categories are combined into an Other slice. |
| Categories per User | Displays a bar graph that lists the names of the most active users and indicates the most accessed URL categories for the pages they viewed. The graph shows the number of pages viewed in each category for each user. Note: This report will be blank if user name data isn't available in the Reporter log file. |
| Users | A bar graph that shows the users with the most page views during the specified time period. The user with the most page views appears at the top of the report. Note: This report will be blank if user name data isn't available in the Reporter log file. |
| Client IPs | Displays a bar graph that shows the client IP addresses with the most page views during the specified time period. The client IP with the most page views appears at the top of the report. |
| User Agent Families | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the top 10 client user agent families (not user agent strings). For example, Firefox. |
| Countries | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the top ten countries per number of requests (based on geolocation data). |
| Protocols | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the number of requests per protocol. The chart shows only the top 10 protocols. |
| Days | Displays an area graph that shows the number of web requests for each day in the selected time period. |
| Days of Week | Displays a column graph that shows the number of web requests for each day of the week in the selected time period. For example, the Monday column reflects the total of all requests that were made on Mondays during the time period. This report allows you to see how the trends in web browsing differ by day of the week. |
| Hours of Day | This column graph totals web requests for each hour of the day. For example, every web page request that occurred at 9am, 10am, and so on. This allows you to analyze which hours are consistently the heaviest with web requests. Network administrators might use this data to adjust bandwidth policy. |
| Months | This report totals web requests for each month. For example, every web page request that occurred in January, February, and so on. This allows you to drill down each month and analyze trends. |
| Trend of Discovered Users | Displays the number of unique users per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later. |
| Trend of Discovered Client IP Addresses | Displays the number of unique IP addresses per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later. |

Bandwidth Usage

Use the Bandwidth Usage reports to analyze hourly, daily, and monthly bandwidth usage on the network, and to estimate the time and data cost of that usage.

The cost-related reports calculate bandwidth cost based on the Cost per MB and Cost per Hour settings in Reporter. For example, if Cost per Hour is set to $10, the Cost (Time) value is calculated by multiplying the time spent web browsing by $10. Or if Cost per MB is set to $4, the Cost (Bytes) value is calculated by multiplying the number of megabytes of traffic by $4.


| Report | Description of Default Graph |
|---|---|
| Cost per User | The data in this bar graph approximates the cost accrued per user based on total bytes of throughput and time spent web browsing. Reporter lists each user, sorted by the total cost of bandwidth. Note: This report is blank if user name data isn't available in the Reporter log file. |
| Cost per User and Site | Displays a bar graph that shows the total bandwidth cost for the websites each user visited during the selected time period. The users with the highest bandwidth cost appear at the top of the graph. Note: This report is blank if user name data isn't available in the Reporter log file. |
| Cost per Hour of Day | Displays a column chart that shows the total cost of time and bandwidth for each hour of the day. For example, total cost at 9am, 10am, and so on. This allows you to analyze which hours have the most traffic and are therefore most expensive. Network administrators might use this data to adjust bandwidth policy. |
| Cost per Day | Displays an area chart that shows the cost of time and bandwidth each day in the specified time period. |
| Cost per Day of Week | Displays a column graph that shows the total cost of time and bandwidth each day of the week in the selected time period. For example, the Monday column reflects the total cost on Mondays during the time period. This report allows you to see how the cost of web usage differs by day of the week. |
| Cost per Month | This area graph totals time and bandwidth costs for each month. For example, total costs in January, February, and so on. This allows you to drill down each month and analyze trends. |
| Bandwidth per Hour of Day | This column chart shows the total bytes sent and received for each hour of the day. For example, total bandwidth usage at 9am, 10am, and so on. This allows you to analyze which hours have the most traffic. Network administrators might use this data to adjust bandwidth policy. |
| Bandwidth per Day | This area chart shows the total bytes sent and received each day in the specified time period, allowing you to see a trend of bandwidth usage over time. |
| Bandwidth per Day of Week | This column graph shows the total bytes sent and received each day of the week in the selected time period. For example, the Monday column reflects the amount of bandwidth used on Mondays during the time period. This report allows you to see how the trends in web usage differ by day of the week. |
| Bandwidth per Month | This area chart shows total bandwidth used each month. For example, total bytes in January, February, and so on. This allows you to drill down each month and analyze trends. |
| Server IPs | To view this report, you must add a WAF database from a Reporter appliance running 10.1.3.x or later. Displays an area, bar, column, or pie chart that shows the number of requests per server IP address. You can also select other data, including requests, page views, browse time, cost (time), cost (bytes), total bytes, bytes sent, bytes received, cache bytes, server bytes, and bytes saved. |

Log Detail

The Log Detail reports provide information about the bcreporterwarp_v1 access log fields.


| Report | Description of Default Graph |
|---|---|
| Full Log Details | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays a grid report of the access log fields associated with the selected database. For example, if a WAF database is selected, this report shows data for the bcreporterwarp_v1 access log. |
| Blocked Log Details | To view this report, you must add a Reporter appliance running 10.1.3.x or later. Displays a grid report of the access log fields for blocked requests associated with the selected database. For example, if a WAF database is selected, this report shows data for the bcreporterwarp_v1 access log. |

Web Applications

The Web Application reports provide insight into the web applications being accessed on your network, as well as the riskiness of these applications.

Report DescriptionofDefaultGraph
Web Applic- A bar graph that shows the number of requests for each web application during the specified
ations time period. The web applications having the most web requests appear at the top of the
report. Use this report to see what types of web application traffic are running on your net-
work.
Web Applic- Displays a pie chart of the top web applications as calculated by the number of users access-
ations by ing the content over the selected time period. To view this report, you must add a Reporter
Users appliance running 10.1.2.x or later.
Web Applic- Displays a pie chart of the top web applications as calculated by the number of unique IP
ations by Cli- addresses accessing the content over the selected time period. To view this report, you
ent IPs must add a Reporter appliance running 10.1.2.x or later.
| Report | Description of Default Graph |
|---|---|
| Blocked Web Applications | Displays a bar graph that shows the number of web requests denied by a policy verdict (that is, blocked) for each web application during the specified time period. The web applications with the most blocked requests appear at the top of the report. Use this report to confirm that policies are being enforced properly. |
| Trend of Active Web Applications | Displays the number of unique web applications per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later. |
| Trend of Web Application Traffic | Displays total bytes sent, bytes received, and the number of requests per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later. |
| Web Application Operations | Displays a bar graph that shows the number of requests for different web application operations (such as Play Video, Download Files, Upload Media) during the specified time period. |
| Users of Risky Applications | Risky applications are those with risk scores greater than 7. Ranked by total bytes received, this report lists users who have accessed web applications that are widely deemed as risky for business network use (a risk score greater than 7). Note: This report will be blank if user name data isn't available in the Reporter log file. |
| Web Applications per Risk | Displays a pie chart that shows the number of requests for web applications at each risk score. For example, the report shows a bar for each risk score (1, 2, and so on) with different color segments representing different web applications. The length of each segment corresponds to the number of requests for that application. Tips: Sort the values in the Web Application column to alter the pie chart to show the corresponding data. You may want to turn off the Other overlay, if this segment has a significant number of requests. |
| Users Per Risk Score | Shows the number of users per risk score (1 to 10) over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later. |
| Risk Distribution | Displays a pie chart that shows the percentage of requests at each risk level. Each slice represents a risk level. |
| Risk Distribution Per User | Displays a color-coded bar chart that shows the amount of traffic (hits and bytes) for each risk score (1 to 10) per user over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later. |
| Trend of Risk Distribution | Displays a color-coded bar chart representing the amount of traffic (hits and bytes) for each risk score (1 to 10) per day over the selected time period. To view this report, you must add a Reporter appliance running 10.1.2.x or later. |
| Social Media Activity | Displays a bar graph that shows the number of requests for each operation (such as Post Messages and Upload Media) used in social networking web applications. The operations that have the most activity appear at the top of the report. |
| Social Media Applications | Displays a bar graph that shows the number of requests for each social networking application (Facebook, Twitter, Pinterest, and so on). The social networking applications with the most requests appear at the top of the report. With this report, you can see how much social media traffic your network has and which applications are most popular. Depending on company policy, you may decide to put controls on social networking after viewing this report. |
| Facebook Users | Displays a bar graph that shows the number of Facebook requests by each user. The names of the users with the most Facebook requests appear at the top of the report. This report allows you to see who the most active Facebook users are. Note: This report will be blank if user name data isn't available in the Reporter log file. |
| Facebook Categories | Displays a bar chart that shows the amount of traffic attributed to different categories of Facebook traffic (other than social networking). For example, you can see the number of Facebook requests that are for games or messaging. |
| Mail Activity | Displays a bar graph that shows the number of requests for various email operations. For example, you can see the number of requests for Send Email, Download Attachment, and Upload Attachment operations for email web applications. |
| Mail Applications | Displays a bar graph that shows the number of requests for web mail applications (Gmail, Yahoo Mail, Hotmail, and so on). The email applications with the most requests appear at the top of the report. This report allows you to determine the most popular web mail applications on your network. |
| Top Mail Senders | Displays a bar graph that shows, for each user, the number of requests for Send Email or Send Attachment operations. This report allows you to see which users are the biggest web mail consumers. The IP addresses of the users with the most web mail traffic appear at the top of the report. |
| Search Terms | Displays a bar graph that displays top search terms that users enter in browser search engines (Google, Yahoo, Bing, and so forth). You can drill down to find the user(s) who searched for the term and which search engine was used. |
| Search Applications | Displays a bar graph that displays the number of requests for each search engine (Search Engines/Portals category). |

Search for Specific Report Data (Search and Forensic Report)
Management Center enables you to search for specific report data using a simple search or by executing a forensic report.

Use Simple Search
The Reports > Reporter page includes a simple search field in the top right-hand corner, as shown below.

1. Select the Category drop-down and pick a search type. The available criteria differ, depending on the selected database.
2. Enter a search term and click the magnifying glass (or press Enter).
3. The search results display in a new tab.
4. Click the search result to view detailed data about that item.

Run Forensic Report

Use the Forensic Report feature to drill down into the database to find specific information based on the source, destination, and verdict properties of one or more requests. The Forensic Report button is located directly beneath the Management Center banner.

1. Click Forensic Report. The system opens the Run Forensic Report window.
2. Select (or enter) the search criteria from the available data or enter a transaction ID.
3. Select a time duration.
4. Click Run Report. The system displays the search results in the Full Log Details report.
5. Click links in the search result to view detailed data about that item.


Reporter Graph Types and Views
Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

Reporter graph types depend on the type of data represented in the report. The available graph types are:

- Area - An area graph displays quantitative data graphically. It is based on the line chart. The area between the axis and the line is commonly emphasized with colors and textures. Commonly used area graphs compare one area with two or more areas.
- Bar - A bar graph presents grouped data with rectangular bars with lengths proportional to the values that they represent. The bars are plotted horizontally. Regardless of whether a bar graph is vertical or horizontal, the bars show comparisons among categories. One axis of the graph shows the specific categories being compared, and the other axis represents a discrete value. Grouped bar graphs display bars clustered in groups of more than one bar graph.
- Column - A column graph presents grouped data with rectangular bars with lengths proportional to the values that they represent. The bars are plotted vertically. Regardless of whether a bar graph is vertical or horizontal, the bars show comparisons among categories. One axis of the graph shows the specific categories being compared, and the other axis represents a discrete value. Grouped column graphs display bars clustered in groups of more than one column graph.
- Line - Line graphs show how data for one data type changes over time.
- Pie - A pie graph is a circular statistical graphic, divided into slices to illustrate numerical proportion. In a pie graph, the arc length of each slice (and thus the central angle and area) is proportional to the quantity it represents.

Combinations of Reporter views include data represented in the following ways:

- Graph and Column
- Graph only
- Column only

Drill down on specific data within a report by selecting a line in the column portion of the report and selecting Drilldown. Drilling down is most helpful when you know what you are looking for. For example, if you are viewing a Trend of Risky Users report, you can drill down on the user name or risk categories to find the sites that the user is visiting the most. You can also right-click the line to drill down. The following is an example of data that is available when you are drilling down in a report:


Set Time Zone for Reporter Reports
Associate a custom time zone with your user profile. That time zone is then used for all Reporter reports. Each user can set a different time zone without affecting other users' views.

1. In the web console banner, click and select your user name.

   The user name for the standard Admin login is "Management Center."

2. Select the Reporter Time Zone tab.
3. Select the new time zone.
4. Click Save.
5. When you open a Reporter report, note the new time zone icon.
6. Verify your settings by opening a Reporter report and hovering over the time zone icon.

Once set, you can change the time zone by clicking the time zone icon.


Determine Why A Reporter Database Does Not Display
If you try to run reports and the database you want is not available in the Database: drop-down menu (Reports > Reporter), click Status to display that database's current status.

1. Click Reports > Reporter.
2. Click the Database: drop-down. The system displays the available databases.
3. If the database you want is not in the menu or you want to see the current status of the Reporter servers and all associated databases, click Status.
4. If a Reporter server is available (and you have permissions to view it), you can click the plus symbol to display the associated database(s).

Use the status information to help you determine why the database is not available.

View Statistics Monitoring Reports
An organization without an effective monitoring system is susceptible to issues such as unplanned downtime and performance degradation; thus, the ability to monitor network activity is crucial for capacity planning and quick responses to potential problems. By analyzing report data, organizations can plan for scalability and anticipate future requirements.

Management Center keeps up to 12 months of per hour data and 7 days of per minute data for all devices that have statistics monitoring enabled. To purge this data from Management Center, see Purge Statistics.

As an administrator, it is critical that you be aware of issues, changes, and trends that could arise in your network. In Management Center, you can report on key metrics such as CPU usage, connection counts, bandwidth gains and losses, and other statistics of managed appliances. Statistics Monitoring reports provide you with visibility into network performance. With reports, you can identify trends such as:

- Usage patterns
- Bandwidth savings
- Peak numbers of concurrent users
- Statistics averaged over weeks and months

To ensure that your data analysis is accurate and timely, identify the metrics that are most important to you and run reports regularly.

You can monitor the health of your devices without generating a report. See "Monitor Device Health" on page 106.

Prerequisites

You can report on ProxySG appliances that:

- Run SGOS 6.3.x and later
- Have a Proxy or MACH5 Edition license (Note: this is a requirement for WAN Optimization reports, not Device reports)
- Have the latest trust package installed
- Do not have Federal Information Processing Standards (FIPS) mode enabled
- Have statistics collection enabled in device properties (see "Add a Device" on page 65)

You can still manage ProxySG appliances that do not meet these requirements, but their statistics will be unavailable from Statistics Monitoring.

Procedure

To view Statistics Monitoring reports:

1. Select Reports > Statistics Monitoring.
2. Select a report from Devices or WAN Optimization. See "Reference: Statistics Monitoring Reports in Management Center" on page 377 for descriptions.
3. From a dashboard widget, you can also "Display a Full Report" on page 383.
4. Refine reports to make them more useful:
   - Display data for a specific time period. See "Change the Scope of a Statistics Monitoring Report" on page 382.
   - Add metrics to focus on specific data. See "Modify Options for Statistics Monitoring Reports" on page 380.

Reference: Statistics Monitoring Reports in Management Center

The following Statistics Monitoring reports are available in Management Center.

Devices Reports

Device reports show statistics on network traffic seen by a single ProxySG device, ProxySG appliances in a device group, or all ProxySG devices.


| Report | Description | Report Format | Field Overlays |
|---|---|---|---|
| CPU | Displays the percentage of CPU being used. By default, data shown in this report is an average of CPU usage across all devices. | Line graph | Memory, Users |
| Memory | Displays the percentage of memory being used. By default, data shown in this report is an average of memory usage across all devices. | Line graph | CPU, Users |
| Current Users | Displays the total number of users that currently have traffic going through the ProxySG appliance. By default, data shown in this report is the number of current users across all devices. | Line graph | CPU, Memory |
| Interfaces | Displays the total number of bytes or packets sent or received through ProxySG appliance network ports. Select the device for which you want to view interface information; the data renders as a pie chart, where each segment represents one interface. | Circle graph | Bytes Received, Bytes Sent, Packets Received, Packets Sent |
| Interfaces Detail | Displays the bytes sent and received and packets sent and received through ProxySG appliance network ports. The information is presented in a grid; you can sort data by column headers or hide some columns to limit the information displayed. | Table chart | |
| Trend of Interfaces | Displays the trend of bytes or packets sent or received through ProxySG appliance network ports over the specified period of time. | Stack graph | Bytes Received, Bytes Sent, Packets Received, Packets Sent |
| Devices | Displays a comparison of the traffic through specified ProxySG appliances measured in bytes. | Circle graph | Bypassed Bytes, Server Bytes, Client Bytes |
| Devices Detail | Displays bandwidth savings in bytes, actual bandwidth, effective bandwidth, and the bandwidth gain for traffic through ProxySG appliances. | Table chart | |
| Intercepted Traffic Savings | Displays bandwidth savings in bytes, actual bandwidth, effective bandwidth, and the bandwidth gain for intercepted traffic through different ProxySG appliances. | Table chart | |
| Traffic Mix | Displays the distribution of traffic and bandwidth statistics. | Line graph, circle graph, and table chart | |
| Traffic Statistics | Displays the effective bandwidth, actual bandwidth, and bandwidth savings for different services. | Line graph and table chart | |

WAN Optimization Reports

The WAN Optimization reports display statistics for ProxySG appliances with a Proxy or MACH5 Edition license.

| Report | Description | Report Format | Field Overlays |
|---|---|---|---|
| Bandwidth Savings (bytes) | Displays bandwidth savings in bytes received from monitored devices. | Line graph | CPU, Memory, Users |
| Bandwidth Savings (cost) | Displays bandwidth savings expressed in terms of cost. | Line graph | CPU, Memory, Users |
| Bandwidth Savings (percent) | Displays bandwidth savings expressed as a percentage. | Line graph | CPU, Memory, Users |
| Bandwidth Gain | Displays bandwidth gains (including negative gains) for a specified interval. | Line graph | CPU, Memory, Users |
| Effective Bandwidth | Compares effective and actual bandwidth, measured in bytes. | Line graph | CPU, Memory, Users |
| Services | Compares specified services. | Circle graph | Bypassed Bytes, Bandwidth Savings, Bandwidth Savings Percentage, Bandwidth Gain, Effective Bandwidth, Client Bytes, Server Bytes, New Intercepted Connections, Peak Intercepted Connections |
| Services Detail | Displays bandwidth savings for different services in bytes, actual bandwidth, effective bandwidth, and the bandwidth gain. | Table chart | |
| Trend of Services | Displays the trend of the specified service over a period of time. | Stack graph | Bypassed Bytes, Bandwidth Savings, Bandwidth Savings Percentage, Bandwidth Gain, Effective Bandwidth, Client Bytes, Server Bytes, New Intercepted Connections, Peak Intercepted Connections |
| Proxies | Breaks down the total number of server bytes through different proxies. | Circle graph | Bypassed Bytes, Bandwidth Savings, Bandwidth Savings Percentage, Bandwidth Gain, Effective Bandwidth, Client Bytes, Server Bytes, New Intercepted Connections, Peak Intercepted Connections |
| Proxies Detail | Displays bandwidth savings in bytes, actual bandwidth, effective bandwidth, and the bandwidth gain. | Table chart | |
| Trend of Proxies | Displays the trend of proxies versus the Server Bytes by default aggregated across all devices. | Stack graph | Bypassed Bytes, Bandwidth Savings, Bandwidth Savings Percentage, Bandwidth Gain, Effective Bandwidth, Client Bytes, Server Bytes, New Intercepted Connections, Peak Intercepted Connections |
| ADN History | Displays the number of optimized and unoptimized bytes for different peer IP addresses. | Line graph and table chart | |

Modify Options for Statistics Monitoring Reports

By default, a Statistics Monitoring report displays data for the last seven days for all ProxySG devices but you can customize the report by changing the start date and interval, choosing which devices or device group to report on, and adding overlays of additional statistics.

1. Select Reports > Statistics Monitoring.
2. Select a report from Devices or WAN Optimization. See "Reference: Statistics Monitoring Reports in Management Center" on page 377 for descriptions.
3. After you select the report, the report opens in a new tab.
4. Beside the report title, click Options. The Filters dialog displays.
5. Filter the report data using the options described in the following table.

| Option | Description |
|---|---|
| Start Date | The date and time from which report data begins. The interval you select is based on the start date. For example, if you specify the 13th of the month for the start date and an interval of 7 days, the report shows data from the 13th through the 19th. Specify the date in MM/DD/YY format, or click the calendar to pick a date. |
| Interval | The number of hours or days after the start date for which the report shows data. Note: The start date and interval in conjunction might result in future days on the report. For example, if you want data from only the last four days, selecting a start date from four days ago results in three future days on the report. To avoid confusion, you can select a start date that is earlier than required so that future days do not display. Select the interval from the drop-down list. Intervals can include 60 minutes, 24 hours, 7 days or 31 days. If you select 60 minutes, the time field is available. Select a time from the drop-down list. Times are available in one-hour increments. |
| Filter | Select a filter from the drop-down list. If you select Device or Device Groups, use the to select multiple ProxySG devices or a single device group. |
| Field (This option is not available for all reports) | The source for which to show trending data. Select the specific item that you want to report on (by default, the first item in the drop-down list is displayed when you first open the report). The report displays the data for your selection. |
| Overlays (This option is not available for all reports) | Metrics that you can add to the report to help you interpret the data. You can add overlay(s) to the report. When you add overlays, the additional data displays in a legend at the bottom of the report. Use the legend to identify the appearance and color of each data type. The following is an example of the legend for the Bandwidth Savings (bytes) report: |

6. Click Save.

The web console displays the Statistics Monitoring report with the options you selected. The name and number of devices will display next to Device Filter at the top of the report. If a filter isn't defined, the Device Filter will say All Devices.

Change the Scope of a Statistics Monitoring Report

By default, Statistics Monitoring reports and report widgets display data for the last seven days. For example, if you select a report on April 14th, the report opens with Last 7 Days selected for the date range at the bottom left corner. The start date or time of the selected date range is displayed between < >. The bottom right of the report indicates the specific date range of the data shown in the report, such as Displaying days for 04/14/15-4/21/15.

To view data from a broader or narrower time frame, select an interval from the Date Range drop-down list. The report data updates immediately to reflect your selection.

Refer to the following table to understand how the date range affects the report data; assume that the current date and time is Tuesday, October 15th at 09:05.

| Selected Date Range | Description | Report shows data for this period |
|---|---|---|
| Current Hour | The current hour. | 09:00-10:00 |
| Today | The current day. | October 15th |
| Current Week | The current calendar week, starting on Monday. | October 14th-October 20th |
| Current Month | The current calendar month, starting on the 1st. | October 1st-31st |
| Yesterday | The previous day. | October 14th |
| Previous Week | The previous calendar week, starting on Monday. | October 7th-13th |
| Previous Month | The previous calendar month, starting on the 1st. | September 1st-30th |
| Last 7 Days | The period of time starting 7 days ago and ending today. | October 8th-October 15th |
| Last 31 Days | The period of time starting 31 days ago and ending today. | September 14th-October 15th |

To view data from different points in time, use the date range and < > in conjunction. Using < > causes the report to go back and forward, respectively, at the interval specified in Date Range. For example, if the date range is Last 7 Days and the report shows data from October 8th to October 15th, clicking < causes the report to display data from October 1st to October 8th. If you change the date range to Today and click <, the report displays data from the previous day. You can use > to return to more recent dates and times.

For more information about report dates, see Date Filters.

It is possible to display future days in reports if you use >. If a report abruptly shows no data while you are changing the dates or times, check the dates/times that have no data and exclude them from your analysis (or change the date range again).
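The date-range presets and the < / > paging described above, worked as date arithmetic. This is an added example, not code from Management Center; the function names, the fixed-step paging table, and the year 2013 (chosen because October 15th falls on a Tuesday) are assumptions.

```python
"""Added illustration: resolve the Date Range presets and flag future days."""
import calendar
from datetime import date, datetime, timedelta


def _month_bounds(year, month):
    """First and last calendar day of a month."""
    return date(year, month, 1), date(year, month, calendar.monthrange(year, month)[1])


def resolve_date_range(preset, now):
    """Return (start, end) as shown in the table's third column.

    Current Hour returns datetimes; every other preset returns dates,
    both endpoints being the labels the report would display.
    """
    today = now.date()
    monday = today - timedelta(days=today.weekday())  # weekday(): Monday == 0
    if preset == "Current Hour":
        start = now.replace(minute=0, second=0, microsecond=0)
        return start, start + timedelta(hours=1)
    if preset == "Today":
        return today, today
    if preset == "Yesterday":
        return today - timedelta(days=1), today - timedelta(days=1)
    if preset == "Current Week":
        return monday, monday + timedelta(days=6)
    if preset == "Previous Week":
        return monday - timedelta(days=7), monday - timedelta(days=1)
    if preset == "Current Month":
        return _month_bounds(today.year, today.month)
    if preset == "Previous Month":
        last_of_prev = today.replace(day=1) - timedelta(days=1)
        return _month_bounds(last_of_prev.year, last_of_prev.month)
    if preset == "Last 7 Days":
        return today - timedelta(days=7), today
    if preset == "Last 31 Days":
        return today - timedelta(days=31), today
    raise ValueError(f"unknown date range preset: {preset!r}")


# Step applied by one click of < or >: the interval of the selected preset.
# Calendar-month presets are left out because their step is not a fixed length.
PAGE_STEP = {
    "Current Hour": timedelta(hours=1),
    "Today": timedelta(days=1),
    "Yesterday": timedelta(days=1),
    "Current Week": timedelta(days=7),
    "Previous Week": timedelta(days=7),
    "Last 7 Days": timedelta(days=7),
    "Last 31 Days": timedelta(days=31),
}


def page(preset, window, clicks):
    """Shift a window by `clicks` intervals: negative for <, positive for >."""
    if preset not in PAGE_STEP:
        raise ValueError(f"no fixed paging step for preset: {preset!r}")
    start, end = window
    shift = PAGE_STEP[preset] * clicks
    return start + shift, end + shift


def future_days(window, now):
    """Days inside the window that lie after today, so they cannot hold data yet."""
    start, end = window
    if isinstance(start, datetime):  # hour windows: compare by calendar day
        start, end = start.date(), end.date()
    today = now.date()
    span = (end - start).days + 1
    days = (start + timedelta(days=i) for i in range(span))
    return [d for d in days if d > today]


if __name__ == "__main__":
    # Constructed sample clock: Tuesday, October 15th at 09:05 (year assumed).
    now = datetime(2013, 10, 15, 9, 5)
    for name in ("Current Hour", "Today", "Current Week", "Current Month",
                 "Yesterday", "Previous Week", "Previous Month",
                 "Last 7 Days", "Last 31 Days"):
        start, end = resolve_date_range(name, now)
        print(f"{name:15} {start} -> {end}  future days: {len(future_days((start, end), now))}")
```

A non-empty result from future_days identifies the part of a window to exclude from analysis before reading an empty stretch of a report as an absence of traffic.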

Filter on Devices or Device Groups
To view a report of data from multiple devices or from a particular device group:

1. Display the desired Statistics Monitoring report.
2. Click the Options button.
3. Change the Start Date and Interval, if desired.
4. Use the Filter drop-down list to select individual devices or specify a device group.
5. To choose from the available devices or device groups, click .
   - Device: Select one or more devices and click OK.
   - Device Group: Select one group and click OK.
6. Click Save.

After you save your changes, the report data updates immediately. The Device Filter displays the names (or IP addresses) of the devices filtered in the reports. See "Modify Options for Statistics Monitoring Reports" on page 380.

Zoom In and Out on Reports
In reports that display changes over time, it is useful to see more detail on a specific data point. For example, if you are looking at a report with Current Week as the date range, zooming in on a specific day displays the report for the day at hourly intervals. Zooming in on a specific hour displays the report for the hour at five-minute intervals.

1. In the report, hover over the data point you want to see in greater detail. The data point expands slightly.
2. Click the data point and select Zoom In. The report displays the data at the new level.
3. To return to the previous level, click any data point and select Zoom Out.

Statistics Monitoring Graph Types

Statistics Monitoring graph types depend on the type of data represented in the report. Some reports consist of a combination of these formats.

- Line graphs show how data for one data type changes over time. You can hover over the line graphs for extra tool tips that can include data such as the date, percentage, total number, etc.
- Stack graphs show changes in a set of data, both for the individual data types and the total of the individual items. Each color in a stack graph represents one type of data changing over time.
- Circle graphs show the proportions of specific data within a set of data.

  Example: The Effective Bandwidth graph in the Traffic Mix report shows the proportion (in percentage) of effective bandwidth for different traffic types. Hover over a segment in the graph to display the number of bytes for each traffic type.

- Table charts arrange data in rows to compare data from multiple sources.

  Example: The Devices Detail report widget shows the actual bandwidth versus effective bandwidth for all devices in the system.

Display a Full Report

Display a full report from a statistics monitoring widget.

1. Select Dashboards > Statistics Monitoring. The web console displays the Statistics Monitoring Dashboard.
2. Do one of the following:
   - If the report you want has a widget on the dashboard, expand the widget if necessary and then click View Full Report at the bottom of it.
   - If the report does not have a widget on the dashboard, click Reports > Statistics Monitoring. Available reports are displayed in two lists: Devices and WAN Optimization.
3. Select the report you want to view. The report opens in a new tab.

If you leave a report open for an extended period of time, you can refresh it to ensure that no stale data is displayed. To refresh a report, click at the bottom of the report.

Determine Your Next Step

| What do you want to accomplish? | Refer to this topic |
|---|---|
| Learn about different graph types. | "Statistics Monitoring Graph Types" on page 384 |
| See the report for different dates or times. | "Change the Scope of a Statistics Monitoring Report" on page 382 |
| Change the metrics and other data that display on the report. | "Modify Options for Statistics Monitoring Reports" on page 380 |
| View descriptions of the Statistics Monitoring reports. | "Reference: Statistics Monitoring Reports in Management Center" on the next page |

ViewStatisticsMonitoringReports
Anorganizationwithoutaneffectivemonitoringsystemissusceptibletoissuessuchasunplanneddowntimeandper-
formancedegradation;thus,theabilitytomonitornetworkactivityiscrucialforcapacityplanningandquickresponsesto

376
Management Center Configuration &Management

potentialproblems.Byanalyzingreportdata,organizationscanplanforscalabilityandanticipatefuturerequirements.

ManagementCenterkeepsupto12monthsofperhourdataand7daysofperminutedataforalldevicesthathave
statisticsmonitoringenabled.TopurgethisdatafromManagementCenter,seePurgeStatistics.

Asanadministrator,itiscriticalthatyoubeawareofissues,changes,andtrendsthatcouldariseinyournetwork.InMan-
agementCenter,youcanreportonkeymetricssuchasCPUusage,connectioncounts,bandwidthgainsandlosses,and
otherstatisticsofmanagedappliances.StatisticsMonitoringreportsprovideyouwithvisibilityintonetworkperformance.
Withreports,youcanidentifytrendssuchas:

n Usagepatterns
n Bandwidthsavings
n Peaknumbersofconcurrentusers
n Statisticsaveragedoverweeksandmonths

Toensurethatyourdataanalysisisaccurateandtimely,identifythemetricsthataremostimportanttoyouandrunreports
regularly.

Youcanmonitorthehealthofyourdeviceswithoutgeneratingareport.See"MonitorDeviceHealth"onpage106.

Prerequisites

YoucanreportonProxySGappliancesthat:

n RunSGOS6.3.xandlater
n HaveaProxyorMACH5Editionlicense(Note:thisisarequirementforWANOptimizationreports,notDevice
reports)
n Havethelatesttrustpackageinstalled
n DonothaveFederalInformationProcessingStandards(FIPS)modeenabled
n Havestatisticscollectionenabledindeviceproperties(see"AddaDevice"onpage65)

YoucanstillmanageProxySGappliancesthatdonotmeettheserequirements,buttheirstatisticswillbeunavailablefrom
StatisticsMonitoring.

Procedure

ToviewStatisticsMonitoringreports:

1. SelectReports>StatisticsMonitoring.
2. SelectareportfromDevicesorWANOptimization.See"Reference:StatisticsMonitoringReportsinManagement
Center"belowfordescriptions.
3. Fromadashboardwidget,youcanalso"DisplayaFullReport"onpage383.
4. Refinereportstomakethemmoreuseful:
n Displaydataforaspecifictimeperiod.See"ChangetheScopeofaStatisticsMonitoringReport"on
page382.
n Addmetricstofocusonspecificdata.See"ModifyOptionsforStatisticsMonitoringReports"onpage380.

Reference:StatisticsMonitoringReportsinManagementCenter
ThefollowingStatisticsMonitoringreportsareavailableinManagementCenter.

DevicesReports

377
Management Center Configuration &Management

DevicereportsshowstatisticsonnetworktrafficseenbyasingleProxySGdevice,ProxySGappliancesinadevice
group,orallProxySGdevices.

Report Description Report Field Overlays


Format
CPU Displays the percentage of CPU being used. By default, Line Memory,
data shown in this report is an average of CPU usage graph Users
across all devices.
Memory Displays the percentage of memory being used. By Line CPU,
default, data shown in this report is an average of graph Users
memory usage across all devices.
Current Displays the total number of users that currently have Line CPU,
Users traffic going through the ProxySG appliance. By default, graph Memory
data shown in this report is the number of current users
across all devices.
Interfaces Displays the total number of bytes or packets sent or Circle Bytes
received through ProxySG appliance network ports. graph Received,
Select the device for which you want to view interface Bytes Sent,
information; the data renders as a pie chart, where each Packets
segment represents one interface. Received,
Packets Sent
Interfaces Displays the bytes sent and received and packets sent Table
Detail and received through ProxySG appliance network ports. chart
The information is presented in a grid; you can sort data
by column headers or hide some columns to limit the
information displayed.
Trend of Displays the trend of bytes or packets sent or received Stack Bytes
Interfaces through ProxySG appliance network ports over the spe- graph Received,
cified period of time. Bytes Sent,
Packets
Received,
Packets Sent
Devices Displays a comparison of the traffic through specified Circle Bypassed
ProxySG appliances measured in bytes. graph Bytes, Server
Bytes, Client
Bytes
Devices Displays bandwidth savings in bytes, actual bandwidth, Table
Detail effective bandwidth, and the bandwidth gain for traffic chart
through ProxySG appliances.
Intercepted Displays bandwidth savings in bytes, actual bandwidth, Table
Traffic Sav- effective bandwidth, and the bandwidth gain for inter- chart
ings cepted traffic through different ProxySG appliances.

378
Management Center Configuration &Management

Report Description Report Field Overlays


Format
Traffic Mix Displays the distribution of traffic and bandwidth stat- Line
istics. graph,
circle
graph,
and
table
chart
Traffic Stat- Displays the effective bandwidth, actual bandwidth, and Line
istics bandwidth savings for different services. graph
and
table
chart

WANOptimizationReports

TheWANOptimizationreportsdisplaystatisticsforProxySGapplianceswithaProxyorMACH5Editionlicense.

Report Description Report Field Overlays


Format

Bandwidth Displays bandwidth savings in Line CPU,
Savings bytes received from mon- graph Memory,
(bytes) itored devices. Users
Bandwidth Displays bandwidth savings Line CPU,
Savings expressed in terms of cost. graph Memory,
(cost) Users
Bandwidth Displays bandwidth savings Line CPU,
Savings expressed as a percentage. graph Memory,
(percent) Users
Bandwidth Displays bandwidth gains Line CPU,
Gain (including negative gains) for graph Memory,
a specified interval. Users
Effective Compares effective and Line CPU,
Bandwidth actual bandwidth, measured graph Memory,
in bytes. Users
Services Compares specified services. Circle Bypassed Bytes, Bandwidth Savings, Band-
graph width Savings Percentage, Bandwidth Gain,
Effective Bandwidth, Client Bytes, Server
Bytes, New Intercepted Connections, Peak
Intercepted Connections

379
Management Center Configuration &Management

Report Description Report Field Overlays


Format

Services Displays bandwidth savings Table
Detail for different services in chart
bytes, actual bandwidth,
effective bandwidth, and the
bandwidth gain.
Trend of Displays the trend of the spe- Stack Bypassed Bytes, Bandwidth Savings, Band-
Services cified service over a period graph width Savings Percentage, Bandwidth Gain,
of time. Effective Bandwidth, Client Bytes, Server
Bytes, New Intercepted Connections, Peak
Intercepted Connections
Proxies Breaks down the total num- Circle Bypassed Bytes, Bandwidth Savings, Band-
ber of server bytes through graph width Savings Percentage, Bandwidth Gain,
different proxies. Effective Bandwidth, Client Bytes, Server
Bytes, New Intercepted Connections, Peak
Intercepted Connection
Proxies Displays bandwidth savings in Table
Detail bytes, actual bandwidth, chart
effective bandwidth, and the
bandwidth gain.
Trend of Displays the trend of proxies Stack Bypassed Bytes, Bandwidth Savings, Band-
Proxies versus the Server Bytes by graph width Savings Percentage, Bandwidth Gain,
default aggregated across all Effective Bandwidth, Client Bytes, Server
devices. Bytes, New Intercepted Connections, Peak
Intercepted Connections
ADNHistory Displays the number of Line
optimized and unoptimized graph
bytes for different peer IP and
addresses. table
chart

ModifyOptionsforStatisticsMonitoringReports
Bydefault,aStatisticsMonitoringreportdisplaysdataforthelastsevendaysforallProxySGdevicesbutyoucancus-
tomizethereportbychangingthestartdateandinterval,choosingwhichdevicesordevicegrouptoreporton,andadding
overlaysofadditionalstatistics.

1. SelectReports>StatisticsMonitoring.
2. SelectareportfromDevicesorWANOptimization.See"Reference:StatisticsMonitoringReportsin
ManagementCenter"onpage377fordescriptions.
3. Afteryouselectthereport,thereportopensinanewtab.
4. Besidethereporttitle,clickOptions.TheFiltersdialogdisplays.

380
Management Center Configuration &Management

5. Filter the report data using the options described in the following table.

Option | Description
Start Date | The date and time from which report data begins. The interval you select is based on the start date. For example, if you specify the 13th of the month for the start date and an interval of 7 days, the report shows data from the 13th through the 19th. Specify the date in MM/DD/YY format, or click the calendar to pick a date.
Interval | The number of hours or days after the start date for which the report shows data. Note: The start date and interval in conjunction might result in future days on the report. For example, if you want data from only the last four days, selecting a start date from four days ago results in three future days on the report. To avoid confusion, you can select a start date that is earlier than required so that future days do not display. Select the interval from the drop-down list. Intervals can include 60 minutes, 24 hours, 7 days or 31 days. If you select 60 minutes, the time field is available. Select a time from the drop-down list. Times are available in one-hour increments.
Filter | Select a filter from the drop-down list. If you select Device or Device Groups, use the to select multiple ProxySG devices or a single device group.
Field (This option is not available for all reports) | The source for which to show trending data. Select the specific item that you want to report on (by default, the first item in the drop-down list is displayed when you first open the report). The report displays the data for your selection.
Overlays (This option is not available for all reports) | Metrics that you can add to the report to help you interpret the data. You can add overlay(s) to the report. When you add overlays, the additional data displays in a legend at the bottom of the report. Use the legend to identify the appearance and color of each data type. The following is an example of the legend for the Bandwidth Savings (bytes) report:

6. Click Save.

The web console displays the Statistics Monitoring report with the options you selected. The name and number of devices will display next to Device Filter at the top of the report. If a filter isn't defined, the Device Filter will say All Devices.

Change the Scope of a Statistics Monitoring Report
By default, Statistics Monitoring reports and report widgets display data for the last seven days. For example, if you select a report on April 14th, the report opens with Last 7 Days selected for the date range at the bottom left corner. The start date or time of the selected date range is displayed between < >. The bottom right of the report indicates the specific date range of the data shown in the report, such as Displaying days for 04/14/15-4/21/15.

To view data from a broader or narrower time frame, select an interval from the Date Range drop-down list. The report data updates immediately to reflect your selection.

Refer to the following table to understand how the date range affects the report data; assume that the current date and time is Tuesday, October 15th at 09:05.

Selected Date Range | Description | Report shows data for this period
Current Hour | The current hour. | 09:00-10:00
Today | The current day. | October 15th
Current Week | The current calendar week, starting on Monday. | October 14th-October 20th
Current Month | The current calendar month, starting on the 1st. | October 1st-31st
Yesterday | The previous day. | October 14th
Previous Week | The previous calendar week, starting on Monday. | October 7th-13th
Previous Month | The previous calendar month, starting on the 1st. | September 1st-30th
Last 7 Days | The period of time starting 7 days ago and ending today. | October 8th-October 15th
Last 31 Days | The period of time starting 31 days ago and ending today. | September 14th-October 15th


To view data from different points in time, use the date range and < > in conjunction. Using < > causes the report to go back and forward, respectively, at the interval specified in Date Range. For example, if the date range is Last 7 Days and the report shows data from October 8th to October 15th, clicking < causes the report to display data from October 1st to October 8th. If you change the date range to Today and click <, the report displays data from the previous day. You can use > to return to more recent dates and times.

For more information about report dates, see Date Filters.

It is possible to display future days in reports if you use >. If a report abruptly shows no data while you are changing the dates or times, check the dates/times that have no data and exclude them from your analysis (or change the date range again).
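The date-range table and the < > stepping described above, modelled as an added example (not Management Center code). The year 2013 is an assumption chosen so that October 15th falls on a Tuesday, the function names are hypothetical, and stepping is defined only for fixed-length ranges because the page gives no month-stepping example.

```python
from datetime import date, datetime, timedelta

# Constructed "current time" from the table: Tuesday, October 15th at 09:05.
# The year is an assumption; 2013-10-15 is a Tuesday.
NOW = datetime(2013, 10, 15, 9, 5)

# Step applied by < and > for the ranges that have a fixed length.
STEP = {
    "Current Hour": timedelta(hours=1),
    "Today": timedelta(days=1),
    "Yesterday": timedelta(days=1),
    "Current Week": timedelta(days=7),
    "Previous Week": timedelta(days=7),
    "Last 7 Days": timedelta(days=7),
    "Last 31 Days": timedelta(days=31),
}


def _month_end(first_day):
    """Last day of the month that starts on first_day."""
    next_month = (first_day.replace(day=28) + timedelta(days=4)).replace(day=1)
    return next_month - timedelta(days=1)


def report_period(selection, now=NOW):
    """Return (first, last) as shown in the table's third column.

    Day-based selections return inclusive dates; Current Hour returns datetimes.
    """
    today = now.date()
    monday = today - timedelta(days=today.weekday())  # weeks start on Monday
    month_start = today.replace(day=1)
    if selection == "Current Hour":
        start = now.replace(minute=0, second=0, microsecond=0)
        return start, start + timedelta(hours=1)
    if selection == "Today":
        return today, today
    if selection == "Yesterday":
        yesterday = today - timedelta(days=1)
        return yesterday, yesterday
    if selection == "Current Week":
        return monday, monday + timedelta(days=6)
    if selection == "Previous Week":
        return monday - timedelta(days=7), monday - timedelta(days=1)
    if selection == "Current Month":
        return month_start, _month_end(month_start)
    if selection == "Previous Month":
        prev_end = month_start - timedelta(days=1)
        return prev_end.replace(day=1), prev_end
    if selection == "Last 7 Days":
        return today - timedelta(days=7), today
    if selection == "Last 31 Days":
        return today - timedelta(days=31), today
    raise ValueError(f"unknown date range: {selection}")


def step(selection, period, clicks):
    """Shift a period with < (clicks < 0) or > (clicks > 0)."""
    delta = STEP[selection] * clicks
    return period[0] + delta, period[1] + delta


def interval_window(start, days):
    """Start Date plus Interval: the 13th with 7 days covers the 13th-19th."""
    return start, start + timedelta(days=days - 1)


def days_from_today_onward(start, days, today):
    """Days in the window that are not yet complete.

    Assumption: today counts, since its data is still arriving. That reading
    reproduces the page's "three future days" for a start four days back.
    """
    first, last = interval_window(start, days)
    return max(0, (last - max(first, today)).days + 1)


if __name__ == "__main__":
    for name in ("Current Hour", "Current Week", "Previous Month", "Last 31 Days"):
        print(name, report_period(name))
    print("<", step("Last 7 Days", report_period("Last 7 Days"), -1))
```
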

Filter on Devices or Device Groups

To view a report of data from multiple devices or from a particular device group:

1. Display the desired Statistics Monitoring report.
2. Click the Options button.
3. Change the Start Date and Interval, if desired.
4. Use the Filter drop-down list to select individual devices or specify a device group.
5. To choose from the available devices or device groups, click .
   • Device: Select one or more devices and click OK.
   • Device Group: Select one group and click OK.
6. Click Save.

After you save your changes, the report data updates immediately. The Device Filter displays the names (or IP addresses) of the devices filtered in the reports. See "Modify Options for Statistics Monitoring Reports" on page 380.

Zoom In and Out on Reports

In reports that display changes over time, it is useful to see more detail on a specific data point. For example, if you are looking at a report with Current Week as the date range, zooming in on a specific day displays the report for the day at hourly intervals. Zooming in on a specific hour displays the report for the hour at five-minute intervals.

1. In the report, hover over the data point you want to see in greater detail. The data point expands slightly.
2. Click the data point and select Zoom In. The report displays the data at the new level.
3. To return to the previous level, click any data point and select Zoom Out.

Display a Full Report
Display a full report from a statistics monitoring widget.

1. Select Dashboards > Statistics Monitoring. The web console displays the Statistics Monitoring Dashboard.
2. Do one of the following:
   • If the report you want has a widget on the dashboard, expand the widget if necessary and then click View Full Report at the bottom of it.
   • If the report does not have a widget on the dashboard, click Report > Statistics Monitoring. Available reports are displayed in two lists: Devices and WAN Optimization.
3. Select the report you want to view. The report opens in a new tab.

If you leave a report open for an extended period of time, you can refresh it to ensure that no stale data is displayed. To refresh a report, click at the bottom of the report.


Determine Your Next Step

What do you want to accomplish? | Refer to this topic
Learn about different graph types. | "Statistics Monitoring Graph Types" below
See the report for different dates or times. | "Change the Scope of a Statistics Monitoring Report" on page 382
Change the metrics and other data that display on the report. | "Modify Options for Statistics Monitoring Reports" on page 380
View descriptions of the Statistics Monitoring reports. | "Reference: Statistics Monitoring Reports in Management Center" on page 377

Statistics Monitoring Graph Types
Statistics Monitoring graph types depend on the type of data represented in the report. Some reports consist of a combination of these formats.

• Line graphs show how data for one data type changes over time. You can hover over the line graphs for extra tool tips that can include data such as the date, percentage, total number, etc.
• Stack graphs show changes in a set of data, for both the individual data types and the total of the individual items. Each color in a stack graph represents one type of data changing over time.
• Circle graphs show the proportions of specific data within a set of data.

  Example: The Effective Bandwidth graph in the Traffic Mix report shows the proportion (in percentage) of effective bandwidth for different traffic types. Hover over a segment in the graph to display the number of bytes for each traffic type.

• Table charts arrange data in rows to compare data from multiple sources.

  Example: The Devices Detail report widget shows the actual bandwidth versus effective bandwidth for all devices in the system.

Work with Reports
Reporter

Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

See the following for information about working with Reporter reports:

• "View a Reporter Report" on page 339
• "Customize Reporter Report Options" on page 343
• "Reporter Graph Types and Views" on page 364
• "Date Filters" on page 1
• "Search for Specific Report Data (Search and Forensic Report)" on page 360
• "Set Time Zone for Reporter Reports" on page 365

Statistics Monitoring

See the following for information about working with Statistics Monitoring reports:

• "View Statistics Monitoring Reports" on page 376
• "Change the Scope of a Statistics Monitoring Report" on page 382
• "Statistics Monitoring Graph Types" on the previous page
• "Modify Options for Statistics Monitoring Reports" on page 380
• "Date Filters" on page 1


Customize Report Widgets
Widgets on the Dashboard and Reports tabs can be customized based on the type of data that you want to view.

Collapse Report Widgets

You can collapse report widgets if you have limited room on the dashboard, or if you prefer not to see all of the widgets expanded at once.

• To expand a report widget, click the down arrow in the widget title bar.
• To collapse an expanded widget, click the up arrow in the widget title bar.

Move Report Widgets

You can move report widgets. Because widgets align themselves automatically when you move them, you can put them in groups.

1. Hover over a widget title bar. The pointer changes to a .
2. Drag the widget to its new location.

Remove Report Widgets

To remove a report widget, click the X on the top right corner of the widget.

To add the widget to the dashboard again, click Add Report and select the widget from the list.

Add Reports

The number of report widgets that you can add and customize is wholly dependent upon whether you have integrated Reporter 10.x into your network.

Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

Close a Report
When you no longer need to view a report, close it using one of the following methods.

Close the Active Report

Click Close to close the report.

Alternatively, close the report by clicking the X on the tab at the bottom of the screen.

Close a Report on Another Widget

If you have multiple reports open, you can close a report other than the active one by clicking the X on the appropriate tab at the bottom of the screen.

Modify Display of Table Data
You can modify the view of table data as described below. Each table supports specific actions; all actions may not be available.

Show Available Actions

Click the arrow to the right of the column headings to show the available actions.

Change Columns

Hover over Columns to change the displayed columns.

Group Table Data

Select Group by this field to group the table data in accordance with that column heading. Deselect Show in groups to put data into a plain list.

The data is then grouped. In the example below, the Type column was grouped.

View Raw Report Data
The Source Data Viewer displays a report in raw data format, which breaks down specific data types that Management Center collects from devices. If the interaction of data in a standard report seems wrong or misleading, you can view the data in isolation from other metrics.

1. Select Reports > Statistics Monitoring.
2. Click Source Data Viewer. The Source Data Viewer opens on a new tab.
3. In the tree on the left, browse to the data you want to display and select it. The report opens on a new tab on the right.

Manage Dashboards
Dashboards allow you to quickly view important device data. This data is represented by widgets. Widgets represent data from managed devices. Dashboards are highly customizable and can help you quickly view the information you deem important.

To monitor devices from a single screen, add dashboards and add widgets to those dashboards using the options on the Dashboards > Manage Dashboards page.

The Manage Dashboards page lists the following columns:

Order: 1, 2, 3, etc. The order is displayed from left to right on the dashboard tab beginning with 1 on the left.
Name: The name of the dashboard as it appears on the Dashboard tab.
Type:
   • Reporter - displays only Reporter widgets on the dashboard.
   • WAF Reporter - displays only WAF widgets on the dashboard.
   • Mixed - Can display data from all widgets on the dashboard.
   • Statistics Monitoring - displays only Statistics Monitoring widgets on the dashboard.
Widget: Each dashboard can display multiple widgets. For a quick reference of what is displayed on each dashboard, view the widget count for each dashboard.
Description: The description helps to differentiate the dashboard type, and the widgets within the dashboard.

Notes
• Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

• Dashboards are dependent on the reports that you can generate for each managed device. To generate advanced reports and view advanced real-time data within dashboards, see "Add Reporter as a Managed Device" on page 338.

Add a Dashboard

To accommodate your screen size or personal preference, you can change the number of dashboards that display, as well as define the layout of the dashboards. You must also define the dashboard type. Layouts arrange widgets in one to four columns of equal width, with the columns expanding to fit the width of the screen. When you select a layout, your change persists (beyond the current session) until you change the layout again.

Although you can add multiple dashboards, remember that dashboards display data from databases that may not be the only database available. For example, a Reporter Enterprise Server can provide data from multiple databases. When adding Reporter widgets to dashboards, you can choose from the available databases.

1. From Dashboards > Manage Dashboards, click Add Dashboard. A red asterisk (*) denotes fields that are mandatory.

2. Enter a descriptive Dashboard Name and Description.

3. Choose a Type:

   • Mixed - A dashboard that displays both ProxySG appliance and Reporter widgets

   • Reporter - A dashboard that displays Reporter widgets

     If you select Reporter as the dashboard Type, from the Template drop-down list, select from the following templates to pre-populate widgets:

       • Web Application Usage
       • Threat Detection
       • Content Filtering

   • WAF Reporter - A dashboard that displays Reporter Web Application Firewall (WAF) widgets.

     If you select Reporter WAF as the dashboard Type, select Web Application Firewall from the Template drop-down list.

   • Statistics Monitoring - A dashboard that displays ProxySG appliance widgets.

4. Select the Layout for the dashboard.

5. Click Save. The saved dashboard is displayed in the Dashboard drop-down with the name that you gave it.

After you have created a dashboard, you cannot edit the type.

Reorder Dashboard List

When you add a new dashboard, the most recently added dashboard is appended to the end of the list. For example, if you have three dashboards and add one, the new dashboard becomes the fourth dashboard on the list and will appear to the right of the previously added dashboards. To change the order in which dashboards are displayed:

1. From Dashboards > Manage Dashboards, select the dashboard you want to move.
2. Click Move Up or Move Down to change the order.

Duplicate a Dashboard

To use a dashboard as a template for a dashboard that you may want to clone (and perhaps edit later), you can duplicate a dashboard that already exists. You are unable to change the type of dashboard when you duplicate.

1. From Dashboards > Manage Dashboards, click Duplicate.
2. From the Duplicate Dashboard dialog, give the dashboard a unique name.
3. Click Duplicate. The duplicated dashboard is displayed under Manage Dashboards.


Dashboards and Widgets
A dashboard provides a simplified view of data in widgets. A widget is a graphical representation of information, designed to provide a quick overview of statistics or other important information. The variety of widgets available to add to dashboards is dependent upon dashboard Type. See "Manage Dashboards" on page 390.

The web console displays the Home dashboard after users log in to the web console. The dashboard displays Device Health and Top Problem Devices widgets by default, but you can add and remove widgets to any dashboard.

When you open or view the Statistics Monitoring dashboard, it does not display filtered data from the last session. Each new session opens with no filters applied.

Add a Widget to the Current Dashboard

1. Select the Dashboards tab.

2. Click Add Widgets.

   The available widgets are controlled by the report permissions associated with a user's role. Users cannot add widgets for restricted fields.

3. (Optional) From the report groups in the left pane, select the group that contains the report widget you want to add: Bandwidth Usage, Devices, Health, Security, User Behavior, WAN Optimization, Web Applications. The right pane updates with the list of report widgets for the selected report type.
4. Select the report widget you want to add.
5. For Reporter widgets, select the Role, Database, and the Layout.
6. Click Add Widget Now.
7. Repeat steps 3 to 6 to add more widgets, and then click Close.


Add the Bookmarked Devices Widget
The Home dashboard displays the Device Health and the Top Problem Devices widgets by default after you log in. To add a widget specifically to view real-time data for favorite devices, add the Bookmarked Devices widget to a dashboard.

1. From the Home Dashboard, select Add Widgets. The web console displays the Add Widgets wizard.
2. Scroll to Health and select Bookmarked Devices.
3. Select Add Widget Now. Click Close. The dashboard displays an empty widget.
4. Select Add Devices. Give the widget a name and select the devices that you want to monitor in the dashboard.
5. Select the devices that you want to "bookmark" as your favorite devices and click OK. The new widget displays the selected devices.

Edit or Duplicate Dashboards
Management Center displays the following default dashboards after users "Log in to the Web Console" on page 31.


Home

The home dashboard displays when you log in to the web console by default. Default widgets displayed are the Device Health and Top Problem Devices widgets.

The home dashboard displays Device Health and Top Problem Devices widgets by default, but you can add and remove widgets based on:

• The type of data that you want to monitor (such as statistics)
• Reporter server integration

1. Select the Dashboards tab.
2. Click Add Widgets.

Statistics Monitoring Dashboard

The web console displays the Statistics Dashboard when you select Dashboards > Statistics Monitoring. It displays widgets that provide a simplified view of the statistics monitoring data in a full report.

To customize the layout and widgets of your Statistics Dashboard, see "Change the Dashboard Layout" below.

Change the Dashboard Layout
To accommodate your screen size or personal preference, you can change the layout of the main Dashboard tab and define the dashboard type. Layouts arrange widgets in one to four columns of equal width, with the columns expanding to fit the width of the screen.

Reporter Enterprise Server 10.1.x is required to access and view Reporter Reports and Dashboards.

When you select a layout, your change is saved beyond the current session until you change the layout again.

1. Select the Dashboard tab. To customize the layout and type, click Options. The web console displays the Layout Options dialog.
2. Select the desired layout option.
3. Click Save.

After you add a dashboard, you cannot change the dashboard type. Dashboard Types are defined as follows:

• Mixed - A dashboard that displays both ProxySG appliance and Reporter widgets
• Reporter - A dashboard that displays Reporter widgets
• Statistics Monitoring - A dashboard that displays ProxySG appliance widgets


Administrate Management Center

• "Configure General System Settings" below
• "Upgrade/Downgrade System Images" on page 406
• "Back Up the Management Center Configuration" on page 408
• "Encrypt Sensitive System Data" on page 409
• "Restore a Management Center Backup Configuration" on page 410
• "Configure Management Center Failover" on page 411

Configure General System Settings
Configure Management Center general settings about bandwidth cost, the number of backup slots for Management Center backups and the maximum number of policy and script revisions to store. You can also create a password reset email and configure settings to apply to Management Center users.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

1. Select Administration > Settings. A red asterisk (*) denotes fields that are mandatory.
2. From System Settings, select General on the left.

3. Specify General settings.

Setting | Input Value/Format
Bandwidth Cost per GB* | See "Set Bandwidth Cost for Reports" on page 399
Device Polling Interval* | See "Set the Device Polling Interval" on page 399
Number of backup slots* | "Set the Number of Backup Slots" on page 399
Maximum number of policy revisions to store* | "Set the Maximum Number of Policy Versions to Store in Management Center" on page 244
Inactivity timeout (minutes)* | Specifies the number of minutes before an inactive user is logged out. Users are warned 30 seconds before they are logged out.
Inactivity timeout exclusions | text: Enter comma-separated usernames. The list of usernames that should be excluded from the Inactivity timeout setting.
Maximum number of script revisions to store* | "Set the Maximum Number of Script Revisions to Store in Management Center" on page 158
Is Reset Password enabled?* | false|true. See "Reset Password" on page 280
Reset Password Email Subject* | text: Management Center Reset Password
Reset Password Email Message* | text: Enter the body text of the email that will be sent upon a user's request of a password reset.

Click OK.

4. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.

5. Instruct users to log in to the web console with their existing username and password.
   After a user logs in, you can manage their account in Management Center.


Set Bandwidth Cost for Reports
Statistics Monitoring reports require that you specify a bandwidth cost to display data. The bandwidth cost is a multiplier and is thus not expressed in a specific currency unit. For example, you can enter a value to represent on average how you pay per gigabit for data usage on your network.

1. Select Administration > Settings. Select General. General fields display on the right.
2. Enter a decimal value.
3. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Set the Device Polling Interval
You can specify the frequency with which Management Center looks for updates on managed devices. Specify an appropriate interval to ensure that device health statuses display accurately. The default interval is 10 seconds.

1. In the web console banner, select the Administration tab and select Settings.
2. Select General on the left. General fields display on the right.
3. Select Device Polling Interval (sec).
4. Enter a value in seconds.
5. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
   • Click Activate to cause the server to load and apply the currently saved configuration.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Set the Number of Backup Slots
By default, Management Center stores up to five backups per device, with each backup placed in a slot. After five backups, Management Center prunes (deletes) an unpinned backup to make room for the new backup. (Backups that are pinned are preserved and cannot be manually deleted or automatically pruned.) If you want Management Center to store more or fewer backups per device, you can adjust the number of backup slots.

1. Click the Administration tab and select Settings.
2. Select General on the left.
3. In the Number of backup slots field, enter a new value.
4. Click Save.

You can override the default number of backups that are retained for a device by entering a Retention Count when exporting backups. See "Export Device Backups" on page 85.


Specify Explicit Proxy Settings
If you have configured an explicit proxy server in your environment, you can specify the settings in Management Center. These settings are used for all outgoing HTTP requests and other functions such as licensing, heartbeats, and support case reports.

1. Select Administration > Settings > HTTP Proxy. Fields marked with a red asterisk (*) are required settings.

2. Specify explicit proxy settings.

Setting | Description | Input Value/Format
Enable* | Specify whether an explicit proxy is configured. | false|true
HTTP Proxy IP or hostname | Specify the IP address or hostname of proxy server. | Example: https://<IP_address>
HTTP Proxy Port | Specify the port for the proxy server. | Example: 8082
Username | If necessary, enter the username to authenticate to the proxy. | Example: admin
Password | If necessary, enter the password to authenticate to the proxy. | Example: admin123

3. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Synchronize the System Clock using NTP
Network Time Protocol (NTP) synchronizes the clocks of computers over a network. To ensure that timestamps displayed in Audit Log records, Appliance Monitoring reports, and other system changes are accurate and consistent, you can define NTP servers in Management Center.

1. Select Administration > Settings.
2. Click Network Time Protocol. NTP fields display on the right. A red asterisk (*) denotes fields that are mandatory.

3. Specify NTP settings.

Setting | Description | Input Value/Format
Is the NTP service enabled* | Specify whether to enable the NTP service. | false|true
NTP Server | You can specify up to five NTP servers. Management Center attempts to connect to the servers in the specified order. | Example: server.ntp.org

When you "Add a Job" on page 324, remember that the schedule is run off of the server's time zone.

4. Perform one of the following tasks.

   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
   • Click Activate to cause the server to load and apply the currently saved configuration.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Configure Diagnostics Logging
Use this page to set the logging levels. The Master Log includes all of the General and Device Plugin data. To reduce the size of the Master Log or to produce a targeted log, configure the levels accordingly. The level you choose determines the amount of information provided in each log. For example, debug logs can later be used to send diagnostic information to Support. The logging levels are described in the following table.

Log Level | Description
DEBUG | Logs detailed informational events and is most useful when you are attempting to diagnose problems.
INFO | Logs high-level informational messages only.
WARN | Logs potentially harmful events.
ERROR | Logs all errors that do not cause the system to restart.
OFF | Disables logging. The Master Log cannot be disabled.
ALL | Logs everything. Applicable only to the Master Log.

When you enable a log, data is written to a specific log file. For example, if the Master Log is set to INFO or above, messages are written to log.log. If the Master Log is set to DEBUG, all messages are written to debug.log and also to log.log (messages for INFO and above). All other logs send data to a log of the same name, for example, security.log and network.log.

Configure Diagnostic Logging

1. Select Administration > Settings > Diagnostics.

   The system displays the Diagnostics window. A red asterisk (*) denotes fields that are mandatory.

2. Specify the Master Logging Level, General, and Device Plugin settings.

3. Do one of the following:
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.

Configure Housekeeping Settings
Configure general housekeeping settings. When these settings are activated, they affect what is displayed in the Audit Log Viewer and how big audit logs can grow.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

1. Select Administration > Settings.
2. Click Housekeeping on the left.
3. Select the default housekeeping settings. A red asterisk (*) denotes fields that are mandatory.

Setting | Description | Input Value/Format
Run every n hours.* Default is 12. | The value represents (in hours) how often to run a full audit. | numeric using up and down arrows
Number of days of audit records to keep.* Default is 120. | The value represents the number of days that audit records are kept. | numeric using up and down arrows
Number of days of job execution records to keep.* Default is 120. | The value represents the number of days that job execution records are kept. | numeric using up and down arrows
Number of days of closed alert records to keep.* Default is 120. | The value represents the number of days that alerts are kept after being closed. | numeric using up and down arrows

4. Perform one of the following:

   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.

Configure Mail Settings

In order to receive notifications via email, you must configure SMTP alerts. Management Center stores the settings so that SMTP alerts (emails) can be transmitted and received correctly. See "Configure SMTP Alerts" on page 318.

1. Select Administration > Settings.
2. Select Mail Settings. Mail settings display on the right. A red asterisk (*) denotes fields that are mandatory.

3. Specify email settings.

Setting | Description | Input Value/Format
Mail Server* | The SMTP mail server to use for outgoing mail. | Example: smtp.organization.com
Mail Server Port* | The port that the SMTP mail server uses. | Example: 25
From address* | The e-mail address from which e-mails are sent. | Example: bccm@organization.com
Username | The user name used to access the SMTP mail server. | Example: joe.admin
Passphrase | The password required to access the SMTP mail server. | Example: admin123

4. Do one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the currently saved configuration.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Configure the SNMP Agent Password
The Simple Network Management Protocol (SNMP) itself does not define which variables a managed system should offer. Rather, SNMP uses an extensible design, where the available information is defined by Management Information Bases (MIBs).

The MIBs are available on the BTO Downloads page. Refer to the Blue Coat Management Center Release Notes for information on MIBs.

Configure the agent's password:

1. Select Administration > Settings.
2. Select SNMP Settings on the left.
3. Enter the password in the Community text field. This password must be entered as alpha-numeric with no special characters.
4. Perform one of the following:
   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   • Click Activate to cause the server to load and apply the new password for SNMP agent. See Community in "Configure SNMP Alerts" on page 319.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.

Configure Consent Banner
A Notice and Consent banner provides notice to users of computer networks, computers, and other systems and resources.

Users are required to accept the terms in the banner prior to authentication. The banner is presented to users before a login process, and it requires users to acknowledge and agree to the message before they can log in or access resources on the network.

Implement the consent banner to do some or all of the following:

• Obtain users' notice of, and consent to, lawful monitoring of usage and data collection.
• Notify users that they must concede certain expectations of privacy in order to access the network.
• Ensure users' compliance with organization-specific policies.

The logo displays, as is and centered, above the banner text. The banner text displays within a text box that is un-editable. A blue "Accept" button displays below and to the right of the banner text, as shown in the example below.

Procedure

1. Select Administration > Settings.
2. Click Consent Banner. Consent Banner fields display on the right.
3. In Show consent banner, click the and select true.
4. In the Consent text box, enter the text to present to users upon login to Management Center.
5. Click in the Consent image field. You can select a file from your local system to upload.
6. After selecting an image file, click download.
7. (Optional) Click remove to delete the downloaded image.

8. Perform one of the following:

   • Click Reset to remove your current changes and revert to the default or last saved settings.
   • Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top left of the dialog as an example.


Configure Hardware Monitor Settings
To better understand how each device is reporting disk and memory usage, configure hardware monitor settings and the
Disk and Memory Critical and Warning Levels.

1. Select Administration > Settings.
2. Select Hardware Monitor Settings. Hardware monitor fields display on the right. A red asterisk (*) denotes fields
that are mandatory.
3. Specify the Hardware Monitor threshold settings.

Setting | Description | Input Value/Format
Monitor Enabled* | Enable or disable hardware monitor | true/false
Monitor Interval (min) | The threshold at which the hardware monitor polls the device (in minutes). | 5
Disk Usage - Warning | The threshold at which the monitor polls the device for disk usage events. | 85
Disk Usage - Critical | The threshold at which the monitor polls the device. | 95
Disk Usage - Shutdown on critical? | Shuts down the web console when the threshold for Critical is reached. | true/false
Memory Usage - Warning | The threshold at which the monitor polls the device for memory usage events. | 95
Memory Usage - Critical | The threshold at which the monitor polls the device for memory usage events. | 99

4. Perform one of the following:
   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   - Click Activate to cause the server to load and apply the currently saved configuration.

If you enable the hardware monitor and also enable Disk Usage - Shutdown on critical?, the web
console shuts down when the threshold for critical is reached. The Management Center CLI is still
available.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top
left of the dialog as an example.


Upgrade/Downgrade System Images
When new features and improvements are made to Management Center, you can download a system image from Blue
Coat and upgrade the appliance. If you ever experience issues with a new image, you can activate an older image to
downgrade the appliance.

Manage System Images

Management Center stores up to five images on the system. The image that is marked as the default image will be loaded
the next time that the appliance is rebooted.

If the maximum number of images are stored on your system and you download a sixth image, Management Center
deletes the oldest unlocked image to make room for the new image. To prevent an image from being deleted or replaced,
you can lock the image.

You perform image management using Management Center CLI commands. See "# installed-systems" on page 452 for a
description of the commands for adding, deleting, locking, unlocking, and viewing images.

Install a New System Image

To install a new system image, you first download the image from Blue Coat, place the file on a web server the
Management Center appliance can access, then use a CLI command to add the file. The final step is to reboot to activate the
image.

1. (Optional, but recommended) "Back Up the Management Center Configuration" on page 408.
2. Log in to BlueTouch Online (BTO): https://bto.bluecoat.com/
3. Download the desired image from BTO.
   a. Transfer the image directly to Management Center. Select Configuration > Files and transfer the image
      using the Transfer File button.
   b. Download the image to a local drive, select Configuration > Files, and upload the image to Management
      Center.

   Alternatively, you can store the image file on a web server that the Management Center appliance can
   access. The add image process works with any HTTP server, and HTTPS servers configured with trusted
   certificates. If your HTTPS server does not have a trusted certificate, place the file on an internal HTTP
   server.

4. Add the system image using the # installed-systems add <URL> command.

where <URL> is the location of the image on a web server, in the following format:

http://host/path, for example http://webserver.mycompany.com/images/542386.bcsi

If the image was uploaded to Management Center, do the following:

a. Copy the file URL. In the Configuration > Files page, select the image and click Copy URL. The file will
have a format similar to the following:

https://10.131.38.36:8082/fs/download/6c80d3a2cc124347aedb2a688da3859e

b. Change the protocol to HTTP and the port to 8080. The URL should now look like this:

http://10.131.38.36:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e

Alternatively, you can change the URL to the following:

http://localhost:8080/fs/download/6c80d3a2cc124347aedb2a688da3859e

c. Execute the installed-systems add command.

5. Make sure the new image is the default image. (Rebooting will install whichever image is marked as the default.)

# installed-systems view

A plus (+) sign indicates the default system image. If the new image is not the default, make note of the index value
next to the image you want as the default.

6. If necessary, make the new image the default system image:

# installed-systems default <index_number>

Replace <index_number> with the image's index ID value.

7. Reboot the hardware appliance to run the new image:

# restart reboot

When the appliance restarts, the network connection closes. If boot failure occurs upon an upgrade, Management
Center downgrades to the previous version automatically.

View the progress of downloads in progress or the status of the last download using the # installed-systems
view-downloads command. If you need to cancel an image download, use the # installed-systems
cancel-downloads command.

Downgrade to an Earlier Management Center Version

If you are running an upgraded version of Management Center, you can downgrade (revert) to a previous version.
Downgrading has the following special guidelines you must follow:

- Downgrades can be performed down two dot releases (e.g., from 1.6 to 1.4).
- All maintenance/patch releases of a version will be treated as equivalent. For example, 1.6.2.1 would be the same as
  any other 1.6.x release.
- Upon downgrade, newer data (data from the upgraded image that is not handled in the older version) is lost.
- Upon downgrade, newer configuration settings (settings from the upgraded image that are not handled in the older
  version) are lost.
- Data and configuration settings that are common to the upgraded image and downgraded image are seamlessly
  maintained, regardless of schema differences between versions.
- Administrator access and permissions are needed to downgrade Management Center.

To downgrade:

1. "Back Up the Management Center Configuration" on the facing page.

2. Decide which installed image to revert to. (Make sure to follow the guidelines listed above regarding release
numbers.)

# installed-systems view

Make note of the index value next to the image you want to revert to.

3. Make an older image the default image. (Make sure to follow the guidelines listed above regarding release
numbers.)

# installed-systems default <index_number>

Replace <index_number> with the image's index ID value.

4. Reboot the hardware appliance to activate the default image:

# restart reboot

5. Before trying to use the older version, restore the Management Center backup immediately. See "Restore a
Management Center Backup Configuration" on page 410.
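
A pre-flight check for the downgrade procedure above, as an added example that is not part of the guide or of Management Center. It applies the two-dot-release rule and confirms that `backup view` output, saved as text from a CLI session, lists a recent backup taken on the running release. Assumptions: "dot release" means the second version component, the rule is only applied within one major version, the one-day freshness limit is a hypothetical local policy, and the first sample row is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# One row of `backup view`, e.g. "1 | 2015-May-29 03:33:00 UTC 1.4.1.1 (555156)"
BACKUP_ROW = re.compile(
    r"^\s*(?P<index>\d+)\s*\|\s*"
    r"(?P<year>\d{4})-(?P<mon>[A-Za-z]{3})-(?P<day>\d{2})\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+UTC\s+"
    r"(?P<version>\d+(?:\.\d+)+)\s+\((?P<build>\d+)\)\s*$")

# First row is constructed for this example; second row is the guide's sample.
SAMPLE_BACKUP_VIEW = """\
Available Backups:
Timestamp Version
1 | 2016-Aug-03 22:15:00 UTC 1.6.1.1 (170000)
2 | 2015-May-29 03:33:00 UTC 1.4.1.1 (555156)
"""


def parse_backup_view(text):
    """Return one dict per backup row; headers and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = BACKUP_ROW.match(line)
        if m is None or m["mon"].title() not in MONTHS:
            continue
        taken = datetime(int(m["year"]), MONTHS[m["mon"].title()], int(m["day"]),
                         int(m["h"]), int(m["m"]), int(m["s"]), tzinfo=timezone.utc)
        rows.append({"index": int(m["index"]), "taken": taken,
                     "version": m["version"], "build": int(m["build"])})
    return rows


def release_train(version):
    """'1.6.2.1' -> (1, 6); patch levels are dropped because the guide treats them as equivalent."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return int(parts[0]), int(parts[1])


def downgrade_allowed(current, target):
    """True if target is at most two dot releases below current (assumed: same major version)."""
    cur_major, cur_minor = release_train(current)
    tgt_major, tgt_minor = release_train(target)
    if cur_major != tgt_major:
        return False
    return 0 <= cur_minor - tgt_minor <= 2


def preflight(current, target, backup_view_text, now, max_age=timedelta(days=1)):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if not downgrade_allowed(current, target):
        problems.append(f"{current} -> {target} is outside the two-dot-release window")
    fresh = [b for b in parse_backup_view(backup_view_text)
             if release_train(b["version"]) == release_train(current)
             and timedelta(0) <= now - b["taken"] <= max_age]
    if not fresh:
        problems.append(f"no backup of release {current} taken within {max_age}")
    return problems


if __name__ == "__main__":
    now = datetime(2016, 8, 4, 1, 0, tzinfo=timezone.utc)
    print(preflight("1.6.1.1", "1.4.1.1", SAMPLE_BACKUP_VIEW, now) or "ok to proceed")
```
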

Back Up the Management Center Configuration
Blue Coat recommends that you back up the Management Center configuration often. The backup contains Management
Center database, settings, and, optionally, device reporting statistics. To save disk space on the appliance, you can
export the backup to an external server as part of the backup job. Exporting backups to an external server is required
before upgrading or downgrading the software image. See "Upgrade/Downgrade System Images" on page 406.

Backup Requirements

Backing up the Management Center configuration requires specific permissions. See "Reference: Understanding Job
Permissions" on page 261. Additionally, sensitive data in the backup will be encrypted with an encryption key. You must have
the recovery key to restore the encrypted data in the backup. See "Encrypt Sensitive System Data" on the next page for
more information.

Back Up Management Center

To back up the Management Center configuration, you must create a job for it. You can either schedule the job to run on a
regular basis, run immediately, or on demand at a time that you want to create a backup.

1. From Jobs > Scheduled Jobs, select New Job. The web console displays the New Job wizard. A red asterisk (*)
denotes fields that are mandatory.
2. Enter a unique Name.
3. Enter a Description (perhaps the reason why a backup of Management Center is needed). Click Next.
4. From the Operation drop-down list, select Backup Management Center.
5. (Optional) Select the Exclude Statistics Monitoring Trend Data check box to exclude device reporting statistics.
By excluding these statistics, the backup will be substantially smaller (perhaps by hundreds of gigabytes). Keep in
mind, however, that the restored backup will not have any statistics data.

6. If you want the backup file to be exported to an external HTTP, FTP, or SCP server, select the Export to Server
check box and fill in the server details:

   - Server URL: Enter the protocol (SCP, FTP, FTPS, HTTP, HTTPS) and server name and path. For
     example: ftp://mycompany.com/backups
   - Encryption Phrase: This is required for exporting the archive.
   - Username
   - Password

7. In the Targets screen, click Next. (No targets are required for this operation.)

8. In the Schedule screen, define a schedule for the job. See "Job Scheduling Options" on page 328 for explanations of
each option. Click Finish.

Management Center retains only five backups. When the sixth backup occurs (such as in a recurring job), the oldest
backup is deleted. This is a rolling five backup retention and cannot be configured. To retain additional backup
configurations, you can export the backup to an external server as part of the backup job, or you can export backups later
using the backup export CLI command.

Back Up Management Center Using the CLI
1. Log in to the CLI. See "Access the Management Center CLI" on page 439.
2. Enter privileged mode. See "Privileged Mode Commands" on page 446.
3. At the command prompt, type the following command and press Enter:
# backup create

The CLI indicates that the backup is being created. You should see a response similar to the following:
Creating backup ...
Backing up runtime configuration and plugins ...
Backing up database ..
Completed backup, Wed Jun 3 11:01:33 CMT 2015.

Encrypt Sensitive System Data
In Management Center 1.6 and later, each device has a unique encryption key that is used to encrypt data in the system.
The administrator generates this key in the Administration > Data Protection page. When the key is generated, a recovery
key is also generated in case you later need to restore the encryption key. Make sure to save the recovery key in a safe
place.

Potential Data Loss

- As part of this process, you should keep the recovery key in a safe place in the event that you need to restore the
  encryption key later. DO NOT LOSE THE KEY. If you lose the key, you will not be able to recover your encrypted
  data.
- You should not recover a key unless you are certain that you need to. If you use the Restore previous key feature
  and the current data in the database was not encrypted with that key, that data will not be able to be decrypted and
  you will have to reenter all of the device passwords.

New Management Center Appliance Recommendations

Upon receiving a new appliance, you should do the following:

1. Select Administration > Data Protection.

2. Click Generate Key.

A new encryption key is created and a recovery key is displayed.

3. Record the recovery key and secure it in a safe location.
4. Click Restart System.
5. Configure the appliance.
6. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.

This process ensures that you can restore your configuration as necessary.

Upgrade Recommendations

If you are upgrading Management Center, Blue Coat recommends regenerating a new key and then taking a new backup.
Doing so will ensure that you have the latest protection schemes and a valid backup that can be restored to the device if
necessary.

1. Select Administration > Data Protection.

2. Click Generate Key.

A new encryption key is created and a recovery key is displayed.

3. Record the recovery key and secure it in a safe location.

4. Click Restart System.
5. Run a Management Center backup. See "Back Up the Management Center Configuration" on page 408.

This process ensures that you will be able to restore the previous configuration if the upgrade has issues.

Restore a Management Center Backup Configuration
You can restore a configuration backup after reinstalling, upgrading, or downgrading Management Center or if you want to
revert to a previous configuration. You perform this operation using the command-line interface.

Restoring a backup requires shutting down services; you should perform the restore during off-hours.

Restore Management Center Backup

Before you restore a backup, you should view the backup files currently stored on the system to make sure that you
restore the correct version. If the backup you want to restore was exported to an external server, you should import the
backup file before the restore process.

1. "Access the Management Center CLI" on page 439.

2. Enter privileged mode. See "Privileged Mode Commands" on page 446.

3. At the command prompt, type the following command and press Enter:
# backup view

The CLI displays a list of all the backups that were created for this instance of Management Center. You should see
a response similar to the following:
Available Backups:
Timestamp Version
1 | 2015-May-29 03:33:00 UTC 1.4.1.1 (555156)
2 | 2015-Apr-15 09:02:00 UTC 1.3.3.1 (555000)

The backups are listed in descending chronological order; for example, the backup with index number 1 is more
recent than index 2. Each backup indicates the date and time when the backup was created, the build version, and in
parentheses, the build number.
4. Once you identify the backup you want, make note of the index number.

5. (Optional) If the backup you want to restore was exported to a server and is not on the list of backups stored on the
appliance, you can import it to Management Center.

# backup import <URL>

<URL> is the URL of the server and path to the backup file. Supported protocols are FTP, FTPS, HTTP, HTTPS,
and SCP.

6. At the command prompt, type the appropriate command.

   - To restore the latest version (the backup with the most recent timestamp):
     # backup restore latest
   - To restore a specific version:
     # backup restore <index_number>
     where <index_number> is the index number of the backup.

7. Press Enter. The CLI indicates that you are about to restore a backup and asks you to confirm the action:
Warning, restoring a backup replaces all Management Center configuration.
Do you wish to proceed with restoring the backup taken on 2015-May-29 03:33:00
UTC? [Y/N]

8. Type Y to proceed. The CLI displays the progress of the restore:
Restoring backup ...
Decompressing ...
Verifying backup contents ...
Shutting down services ...
Restoring database ...
Restoring configuration ...
Restarting services ...
Completed restoring backup.

Configure Management Center Failover
Management Center supports failover using two physical appliances. One appliance is delegated as the primary and the
other as the secondary. After failover is configured, the secondary replicates data from the primary appliance. During
continuous replication, users can perform all normal operations on the primary failover partner. Users cannot access the
secondary failover partner; its sole purpose is to replicate actions occurring on the primary node so that it can take over if
something happens to the primary node.

Licensing information and system settings are not transferred during failover replication.

Because the secondary failover partner replicates the primary partner's data, it is ready to take over at any time. When the
primary failover partner becomes unresponsive, you configure the secondary to take over and start servicing requests.

For systems set up in failover, the data encryption key is kept in sync between the primary and secondary devices.

Configuration Limitations
During replication, configuration for both the primary and secondary failover partners is limited. Replication requires that
both the primary and secondary partners run the same version of Management Center. To enforce this, the
installed-systems CLI command is disabled on both failover partners (to deny installing and changing system images). If, for any
reason, the system images do not match on the primary and secondary partners, replication is paused until the problems
are resolved.

The secondary failover partner has stricter restrictions on what can be configured. In addition to not being able to manage
system images, the following CLI commands are disabled on the secondary partner:

backup (all commands)
license (all commands)
http-proxy (all commands)
service db-maintenance
service purge-vpm-cache
snmp (all commands)
statistics-monitoring (all commands)

Failover Prerequisites
To prepare for failover:

- Identify a Management Center appliance to act as the primary failover partner. Record the IP address and
  password of the "admin" account of this device.
- Identify a Management Center appliance to act as the secondary failover partner. Record the IP address of this
  device.
- Ensure that port 22 is open between the primary and secondary partners. Management Center failover employs an
  SSH connection.

Configure Failover
You must enable failover using the CLI.

Step 1: Configure the Primary Appliance

1. Use an SSH client to log in to the CLI of the Management Center appliance that is to be the primary failover partner.

2. Enter Enable mode:

# enable

3. Confirm that failover has not already been configured on the appliance:

# failover view

Failover:
Status: Disabled

4. Make this appliance the primary failover partner:

# failover make-primary

At this point, the secondary is not configured so the command output is similar to the following:

Failover
Status: ERROR: Secondary not configured
Primary*: 198.51.100.20
Secondary: not configured
Last status update 1 second(s) ago
(*) this Management Center

Because the secondary failover partner has not been configured, the failover icon displays with an exclamation mark
as shown below:

This icon also displays if failover has been configured and the secondary is unresponsive.

Step 2: Configure the Secondary Appliance
Before beginning this procedure, complete all tasks required for the secondary appliance to service requests (set up
authentication, etc.).

1. Use an SSH client to log in to the CLI of the Management Center appliance that is to be the secondary failover
partner.

2. Enter Enable mode:

# enable

3. Confirm that failover has not already been configured on the appliance:

# failover view

Failover:
Status: Disabled

4. Make this appliance the secondary failover partner:

During this process, the services on both the primary and secondary appliances are unavailable.

# failover make-secondary

Enter the IP address for primary server []:198.51.100.20


Warning: Initial failover data transfer may take a long time to complete. To
complete the failover
setup, allow for transfer to finish and do not disable failover on 10.169.21.81
(primary) or
10.169.21.82 (secondary) during this operation. Services on 10.169.21.81 (primary)


will not be
available while initial failover setup is performed.

Are you sure you want to continue?y

Please authenticate to primary server...


admin@198.51.100.20's password:
Shelving operational data on secondary...done.
Stopping services on secondary...done.
Stopping services on primary...done.
Retrieving snapshot of primary's data...

The password is not saved and is not reused for further replication process.

5. Verify that failover has been successfully configured:

# failover view
Failover:

Status: Healthy (0 second replication delay)

Primary: 198.51.100.20

Secondary*: 198.51.100.24

If failover has been successfully configured, the failover icon displays in the web UI banner as shown below.

You can also mouse over the failover icon to review the failover status.
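
A health check over `failover view` output, as an added example that is not part of the guide or of Management Center. It parses the three output shapes shown in this section (Disabled, ERROR, Healthy) from text saved out of an SSH session and reports conditions worth alerting on. The 60-second delay limit and 300-second staleness limit are hypothetical thresholds, and the LAGGING sample is constructed.

```python
import re

STATUS_RE = re.compile(r"^\s*Status:\s*(?P<status>.+?)\s*$")
DELAY_RE = re.compile(r"\((?P<sec>\d+)\s+second(?:\(s\)|s)?\s+replication delay\)")
ROLE_RE = re.compile(r"^\s*(?P<role>Primary|Secondary)(?P<local>\*?):\s*(?P<addr>.+?)\s*$")
AGE_RE = re.compile(r"^\s*Last status update\s+(?P<sec>\d+)\s+second")

# Outputs as printed in this section of the guide.
DISABLED = "Failover:\nStatus: Disabled\n"
UNCONFIGURED = """\
Failover
Status: ERROR: Secondary not configured
Primary*: 198.51.100.20
Secondary: not configured
Last status update 1 second(s) ago
(*) this Management Center
"""
HEALTHY = """\
Failover:
Status: Healthy (0 second replication delay)
Primary: 198.51.100.20
Secondary*: 198.51.100.24
"""
# Constructed sample: same layout, with a large delay and a stale status.
LAGGING = """\
Failover:
Status: Healthy (240 second replication delay)
Primary*: 198.51.100.20
Secondary: 198.51.100.24
Last status update 900 second(s) ago
"""


def parse_failover_view(text):
    """Extract status, replication delay, partner addresses and the local role."""
    state = {"status": None, "delay": None, "primary": None,
             "secondary": None, "local_role": None, "status_age": None}
    for line in text.splitlines():
        if (m := STATUS_RE.match(line)):
            state["status"] = m["status"]
            delay = DELAY_RE.search(m["status"])
            state["delay"] = int(delay["sec"]) if delay else None
        elif (m := ROLE_RE.match(line)):
            role = m["role"].lower()
            # "not configured" is what the CLI prints when no partner is set.
            state[role] = None if m["addr"].lower() == "not configured" else m["addr"]
            if m["local"]:  # the asterisk marks the appliance that printed the output
                state["local_role"] = role
        elif (m := AGE_RE.match(line)):
            state["status_age"] = int(m["sec"])
    return state


def evaluate(state, max_delay=60, max_age=300):
    """Return a list of findings; an empty list means nothing to alert on."""
    status = state["status"]
    if status is None:
        return ["no Status line in output"]
    if status == "Disabled":
        return ["failover is disabled"]
    findings = []
    if status.startswith("ERROR"):
        findings.append(f"failover error: {status}")
    elif status.startswith("Healthy"):
        if state["delay"] is not None and state["delay"] > max_delay:
            findings.append(f"replication delay {state['delay']}s exceeds {max_delay}s")
        if state["primary"] is None or state["secondary"] is None:
            findings.append("healthy status but a partner address is missing")
    else:
        findings.append(f"unrecognised status: {status}")
    if state["status_age"] is not None and state["status_age"] > max_age:
        findings.append(f"status is {state['status_age']}s old, limit {max_age}s")
    return findings


if __name__ == "__main__":
    for name, text in [("disabled", DISABLED), ("unconfigured", UNCONFIGURED),
                       ("healthy", HEALTHY), ("lagging", LAGGING)]:
        print(name, evaluate(parse_failover_view(text)))
```
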

Switch to Secondary When the Primary is Unresponsive
If the primary failover partner is unresponsive, you must do the following:

1. Make the secondary failover partner active. Do this by entering the following command:

# failover make-primary

2. Reactivate statistics monitoring.

At this point, the secondary is active and is now the primary failover partner.

3. Fix the problems with the original primary device.

4. Make the original primary device (the device that was unresponsive) the new secondary failover partner:

# failover make-primary

Failover is now successfully reconfigured.

Step 1: Make Secondary Partner Active

Issue the failover make-primary command to make the secondary appliance the primary failover partner. If the
original primary device later becomes responsive, you can make it the secondary failover partner, thus preserving the failover
capability.

# failover make-primary
System is configured as secondary, promoting state to primary will break replication.

Are you sure you want to promote state to primary? [y/N]

Restoring operational data...done.


Failover:
Status: ERROR: Secondary not configured

Primary*: 198.51.100.24

Secondary: not configured

Last status update 2 second(s) ago


(*) this Management Center

Step 2: Reactivate Statistics Monitoring

After making the secondary failover partner active, you must reactivate the statistics monitoring job. This job instructs
devices that have PDM Export (statistics monitoring) enabled to send updates to the new primary device.

1. Select Jobs > Scheduled Jobs.
2. Click New Job. The system displays the New Job: Basic Info dialog.
3. In the Basic Info dialog, enter a name for your job. A red asterisk (*) denotes fields that are mandatory.
4. Enter a description of the job. Good descriptions help to differentiate jobs when they have similar names.
5. Click Next.
6. In the Operation dialog, select Reactivate Statistics Monitoring.

7. Click Next.

The system displays the Targets dialog. Management Center automatically finds all applicable targets.

8. Click Next.

The system displays the Schedule dialog. Optionally, enter a schedule.

9. Click Finish.

Disable Failover
Use the failover delete command to disable failover.

# failover disable


Failover:
Status: Healthy (0 second replication delay)

Primary: 198.51.100.20

Secondary*: 198.51.100.24

Last status update 2 second(s) ago


(*) this Management Center

Are you sure you want to disable failover? [y/N]

Restoring operational data...done.


Failover:
Status: Disabled


Update the Management Center License
The Management Center license contains all of the features for which you have purchased a subscription. The
documentation covers all features, including ones that you may not have purchased.

You can update your existing license from BTO, download the license from a web server or workstation, or install it
manually.

1. To view license status or to update or install a license, select Administration > License.

2. To view detailed license component information, select the License Components tab.

Use the passphrase field when you are installing a license you generated with a passphrase; the passphrase
is required for VA Offline licensing.

3. To determine how you will install the license, select the Install New License tab. See the following sections for
instructions.
4. (Optional) To troubleshoot the license installation, do the following:
   - To check the status of a license, run the CLI command # license view.
   - To verify network settings, run the CLI command # show interface.
   - To verify site accessibility, run the CLI command > ping with the following sites:
     - ping bto-services.es.bluecoat.com
     - ping validation.es.bluecoat.com
   - To update the license, run the CLI command # license get-from-bluecoat.
   - Try to update the license again, after running the CLI command # restart reboot.
5. (Optional) From a web browser, log in to Management Center. If the web console loads, the license was installed
successfully.
If the web console does not load, run the CLI command # license view to determine if the license was installed
and is valid.

Install the license from BTO

You must install the license from BTO using the # license get-from-bluecoat CLI command at least once
before you can install it from BTO using the web console.

1. Select Install from BTO.
2. Enter your BTO User ID and BTO Password.
3. Click Install License.
4. Click Refresh to display the updated license information in the License Components table.

Install from URL

Before you can install your license you must first get the license file (*.bin) and save it to a location on a web server or
workstation that the VA can access.

1. Select Install from URL. The web console displays a text field.
2. Enter the location (a valid URL) of the license file into the field.
3. Click Install License.
4. Click Refresh to display the updated license information in the License Components table.

Paste license text from a text editor

Before you can install your license you must first get the license file (*.bin) and save it to a local directory. Open the license
file in a text editor (such as Notepad) and make sure you save the file.

1. Select Paste license text. The web console displays a text box.
2. Copy and paste the license from the text editor to the box.
3. Click Install License.
4. Click Refresh to display the updated license information in the License Components table.

Verify License Components from the Web Console
Management Center has a flexible license model. Components can be licensed, and are exposed dependent upon the
license type and component name. You can view the validity of licensed components, add more devices to your license,
and view the serial number and appliance model of the hardware appliance. Install or update your licenses directly from
BTO while logged in to the web console.

1. To verify the license components, type and status, log in to the web console.

2. Select Administration > License. From the License Component tab you verify the following General
Information about the license:

   - Manufacturer (Blue Coat Systems Inc.)
   - Number of Maximum Devices allowed
   - Serial Number
   - Appliance Model
   - Status
   - Component Name
   - Activation date
   - Expiration date
   - License Type

Troubleshoot and Resolve Issues
This section discusses troubleshooting steps and advanced procedures for Management Center.

The following topics provide information for resolving common issues:

- "Reset or Restore Admin Account Passwords" on page 283
- "Upgrade/Downgrade System Images" on page 406
- "Encrypt Sensitive System Data" on page 409
- "Back Up the Management Center Configuration" on page 408
- "Restore a Management Center Backup Configuration" on page 410

Audit Transactions
To access the Audit Log Viewer, click the Auditing tab.

By default, recent transactions are displayed on the first page of records. If they are not on the first page, or if you are
looking for historical data, you can navigate to different pages or limit the number of records to locate the correct ones. For
instructions, see "Customize the Audit Log" on page 423.

Records do not display in the Audit Log Viewer immediately after transactions occur; refresh the web console to
see most recent records. You can click the Refresh icon at the bottom of the screen to update the most recent
entries.

To understand and analyze the data recorded for each transaction, refer to the following table.

Column | Description
Operation Time | The date (in YYYY-MM-DD format) and time (in 24-hour notation) the transaction was completed.
Operating User | The user who performed the operation. If no user is associated with the operation, SYSTEM is displayed.
Record Type | The transaction level: AUDIT or EVENT. An audit record is a system-level transaction; an event record is a user-level transaction. For more information, see "Understand Transaction Types" on the next page. This column is hidden by default.
Object Type | The type of object on which the operating user performed the action.
Operation Type | The operation that was completed.
Info 1 - Info 5 | Additional reference fields for the record. Not all transaction types have additional information. Columns Info 3 through Info 5 are hidden by default.


Understand Transaction Types
The Audit Log records two levels of transactions:

- Event: High-level transactions that occur as a result of a user action, such as adding or deleting a device
- Audit: Low-level internal system actions, such as deleting connection information

Each record contains the target of the operation, the operation detected, the user who executed the operation, and additional
data depending upon transaction type.

In the previous example, the Object Type is Role and the AUDIT transactions are changes at the system and admin levels.
You might find that in most cases, EVENT records provide enough detail about transactions and their effects on the
system. Filters were applied to the record type.


Customize the Audit Log
Because the Audit Log records all transactions on multiple levels, the log can grow very quickly, especially if many
devices are managed in Management Center and there is a high level of user activity. Although the Audit Log is designed
to make it easy for you to locate the records you want, you can customize the display further to help you locate specific
records, isolate records from a certain date or time, filter records pertaining to specific users or objects, and more.

Use the following methods in conjunction to customize the Audit Log display to suit your purposes.

When you make the following changes in the Audit Log Viewer, the changes do not persist beyond the current
browser session; the next time you log in to the web console, you must go through the same steps to change the
viewer again.

Show or hide columns

You can show columns that you hid, or columns that are not visible by default, such as Record Type and Info 3 through
Info 5. You can hide some columns if you want a more general look at the log or if your screen size is limited.

To see all information available in the Audit Log and ensure that you can see an appropriate level of detail, you can show all
columns first and then choose which ones, if any, you want to hide.

1. On any column header, click the arrow. The web console displays a list of options.
2. Select an option to show the column.
Clear an option to hide the column.
3. Click anywhere outside of the list to close it.
The Audit Log shows/hides the columns you specified.

Sort columns

Because the Audit Log displays records in descending chronological order by default, you can re-arrange them to analyze
the data more effectively. By default, the records are sorted in descending order of Operation Time (latest to earliest).

1. Click the header of the column you want to sort.

   - If the header displays an up arrow, the data is arranged in ascending order (A-Z, earliest to latest).
   - If the header displays a down arrow, the data is arranged in descending order (Z-A, latest to earliest).
2. Click the header again to reverse the sort order.

In the following example the columns are sorted by Operation Type, so all Authentications are displayed first.

Filter records

To limit the amount of data that the log displays and focus only on specific records, apply filters using the drop-down lists
on the right. Depending on the transaction level, you may need to filter pages of records. The filters limit the record type. To
narrow the search, apply one or more filters.

If applying a filter results in too few records or not the right records, remove or change some filters. To reset the filters to
default, click Clear.


Configure Housekeeping Settings
Configure general housekeeping settings. When these settings are activated, they affect what is displayed in the Audit
Log Viewer and how big audit logs can grow.

If you have unsaved changes, the edited settings are marked with a red triangle. See the "Pending changes" text at the top
left of the dialog as an example.

1. Select Administration > Settings.
2. Click Housekeeping on the left.
3. Select the default housekeeping settings. A red asterisk (*) denotes fields that are mandatory.

Setting | Description | Input Value/Format
Run every n hours.* Default is 12. | The value represents (in hours) how often to run a full audit. | numeric using up and down arrows
Number of days of audit records to keep.* Default is 120. | The value represents the number of days that audit records are kept. | numeric using up and down arrows
Number of days of job execution records to keep.* Default is 120. | The value represents the number of days that job execution records are kept. | numeric using up and down arrows
Number of days of closed alert records to keep.* Default is 120. | The value represents the number of days that alerts are kept after being closed. | numeric using up and down arrows

4. Perform one of the following:

   - Click Reset to remove your current changes and revert to the default or last saved settings.
   - Click Save to store the settings on the server.
     If you are unable to save your changes, make sure that all required settings are specified.
   - Click Activate to cause the server to load and apply the currently saved configuration.

Configure Diagnostics Logging
Use this page to set the logging levels. The Master Log includes all of the General and Device Plugin data. To reduce the size of the Master Log or to produce a targeted log, configure the levels accordingly. The level you choose determines the amount of information provided in each log. For example, debug logs can later be used to send diagnostic information to Support. The logging levels are described in the following table.

Log Level | Description
DEBUG | Logs detailed informational events and is most useful when you are attempting to diagnose problems.
INFO | Logs high-level informational messages only.
WARN | Logs potentially harmful events.
ERROR | Logs all errors that do not cause the system to restart.
OFF | Disables logging. The Master Log cannot be disabled.
ALL | Logs everything. Applicable only to the Master Log.

When you enable a log, data is written to a specific log file. For example, if the Master Log is set to INFO or above, messages are written to log.log. If the Master Log is set to DEBUG, all messages are written to debug.log and also to log.log (messages for INFO and above). All other logs send data to a log of the same name, for example, security.log and network.log.

Configure Diagnostic Logging

1. Select Administration > Settings > Diagnostics.

   The system displays the Diagnostics window. A red asterisk (*) denotes fields that are mandatory.

2. Specify the Master Logging Level, General, and Device Plugin settings.

3. Do one of the following:
- Click Save to store the settings on the server.
  If you are unable to save your changes, make sure that all required settings are specified.
- Click Activate to cause the server to load and apply the currently saved configuration.

Required Ports, Protocols, and Services
Management Center uses the following ports while operating. Ensure that you allow these ports when setting up Management Center.

System | Ports | Initiated By | Function
Management Center | 9009 TCP | ProxySG appliance | ProxySG appliance Performance Statistics
Management Center | 22 TCP | Management Center | ProxySG appliance monitoring and management
Management Center | 22 TCP | Management Center | Management Center communication with failover partner
Management Center | 22 TCP | User's Client | Management Center CLI
Management Center | 8080, 8082 TCP | User's Client | Management Center's UI (web console)
Management Center | 389, 636 TCP | Management Center | Authentication via AD/LDAP/LDAPS
Management Center | 80, 443 TCP | Management Center | bto.bluecoat.com: license activation, the latest release information and documentation
SMTP | 25 | Management Center | Email
SNMP | 162 | Management Center | SNMP
NTP | 123 UDP | Management Center | Time sync to customer-configured NTP time server

Ensure connectivity to the following URLs.

URL | Protocol | Notes
validation.es.bluecoat.com/phs.cgi | HTTPS, TCP 443 | Validates the license every 5 minutes. After successful validation, validation occurs every hour.
bto-services.es.bluecoat.com | HTTPS, TCP 443 | Validates the license.
device-services.es.bluecoat.com | HTTPS, TCP 443 | License related.
services.es.bluecoat.com | HTTPS, TCP 443 | License related.
abrca.bluecoat.com | HTTPS, TCP 443 | Blue Coat CA.
appliance.bluecoat.com | HTTPS, TCP 443 | Trust package downloads.
subscription.es.bluecoat.com | HTTPS, TCP 443 | Subscription services.
upload.bluecoat.com | HTTPS, TCP 443 | Upload diagnostic reports to Blue Coat support.

Determine Which Version You Are Using
To aid in troubleshooting, you might need to determine the version and build of Management Center that is currently running.

Refer to the Management Center Release Notes to identify issues or limitations that your build might include.

1. In the web console banner, click ? > About. The web console displays the Management Center - About dialog.
   The dialog displays information about the Management Center version. See the table following this procedure.
2. Click Close to close the dialog.

Build Information Fields

Field | Description
Version | The Management Center version.
Build | The number of the installed build.
Serial Number | The serial number of the appliance.

Automate Password Reset Process
As an administrator on Management Center, you need to configure settings so that users can request a password reset if they forget their password.

1. Select Administration > Settings > General.
2. Set the Is Reset Password enabled? field to true.
3. For Reset Password Email Subject, modify the email subject line, if desired.
4. For Reset Password Email Message, modify the body of the email that is automatically sent to users when they click the Reset Password link. For example, you can add a person's name to the signature instead of the generic Blue Coat Management Center.

   The message contains two substitution variables: {fullname} and {password}. Management Center automatically replaces {fullname} with the user's first and last name and replaces {password} with a temporary password.

5. Click Save to store the settings on the server.
6. Make sure an email server is configured. See "Configure Mail Settings" on page 402.

When the email is sent with the temporary password, the user's account is marked so the administrators know that the password is only temporary. The temporary password will expire.

Prevent Licensing Issues on a Virtual Appliance
To prevent licensing issues, ensure that the VA is allowed network access to the license validation server at https://validation.es.bluecoat.com. See "Verify Web Console Access" on page 35.

If communication with the server fails, the license may be suspended. Unless you have purchased a VA offline license, constant Internet connection is required for Management Center to communicate regularly with the license validation server to confirm that the serial number is valid.

Duplicate Serial Numbers

If the license validation server detects duplicate serial numbers, your license is invalidated and the license health status goes to a critical state. Verify your license in BCLP and contact Blue Coat Support if you continue to have problems.

Expiring Licenses

Management Center health goes into a Warning state when the license is 15 days from expiring. For example, if the license will expire on January 30th, the Messages option in the web console banner displays Warning-level alerts, such as the following, starting on January 15th.

The web console banner displays an alert for each licensed component.

Once the license expires, Management Center goes into an Error state and remains in that state for another 15 days or until the license is updated (whichever occurs first). For example, starting on January 30th, the Messages option in the web console banner displays Warning-level alerts for each licensed component until the license is renewed.

If you do not renew the license within 15 days after the expiration date, you will be unable to load the web console. You must renew the license through the CLI using # license get-from-bluecoat or # license get-from-url.

Restart Services
To troubleshoot some issues, you might need to restart Management Center services. You will need to restart the services after you install or update a Management Center license.

1. "Access the Management Center CLI" on page 439.

2. Enter privileged mode by typing enable at the command prompt.

3. Enter your enable password and press Enter.

4. At the # prompt, type restart services and press Enter.
   The CLI displays the command prompt.

You cannot access the web console while the services are restarting; however, you can try accessing the web console a few minutes after issuing the command.

Test Network Connectivity
Verify that your network is set up correctly by using the ping command or the tracepath command in the CLI. Be sure to specify a host name or IP address that you know is reachable and working.

1. "Access the Management Center CLI" on page 439.
2. Enter Privileged mode. "Privileged Mode Commands" on page 446.

3. Ping an IP address:
# ping <hostname or IP address>

4. Trace the path between the host and a destination IP address:
# tracepath <destination>

If you receive an error message, check your network configuration.

Upload System Diagnostics
To help Blue Coat Technical Support troubleshoot a Management Center issue, you can send diagnostics information to an external server using a supported protocol (FTP, HTTP, HTTPS, or SCP).

1. Log in to the CLI. See "Access the Management Center CLI" on page 439.
2. (If required) Enter the privileged mode password and press Enter.
3. Enter the appropriate command to upload the diagnostics:

Using FTP

# service upload-diagnostics ftp://<username:password>@host/path

where <username:password> is the user name and password to authenticate to the server and host/path is the path to where you want to save the file.

Using HTTP

# service upload-diagnostics http://host/path

where host/path is the path to where you want to save the file.

Using HTTPS

# service upload-diagnostics https://host/path

where host/path is the path to where you want to save the file.

Using SCP

# service upload-diagnostics scp://<username:password>@host/path

where <username:password> is the user name and password to authenticate to the server and host/path is the path to where you want to save the file.

View Hardware Diagnostics and Memory Resources
Use the Hardware Diagnostics screen to check on how much memory and storage space is being used by Management Center system components and processes. In addition, you can monitor various hardware sensors to spot potential problems with CPUs, fans, power supplies, and so forth (not applicable to virtual appliances).

- System Metrics: Details about memory usage of the CPUs and Management Center processes
- Storage Usage: Additional memory settings
- Data Storage: Amount of data used by each feature
- Database Storage: Amount of storage used for each database (Management Center, Device Statistics, Reporter)
- Temperature Sensors: The results of temperature monitoring for the chassis, CPU, and other components that produce heat in the appliance
- RPM Sensors: Reports the speed at which the fans on the appliance spin
- Voltage Sensors: Reports the voltage, status and state of components for which the appliance has a voltage sensor such as CPU cores, power supply, and others
- Other Sensors: Reports status of optional hardware components, such as extra power supplies

Byte counts for memory usage are approximations, not precise values.

To view hardware diagnostics for your appliance:

1. Select Administration > Hardware Diagnostics.
2. Click Refresh to view the most current appliance status totals and usage.

Problems and Errors
The following are error messages that you might encounter in Management Center.

Read Alerts
In the web console banner, Messages displays alerts to communicate that a change was made, such as a confirmation of device activation. Alerts indicate the severity level of the change; for example, Messages displays a green Message-level alert when you add a device and a red Error-level message when device activation fails.

If you have unread alerts, the Messages label in the banner displays the number of unread alerts and the status of the alert with the highest severity level.

To read messages, in the web console banner, click Messages. The web console displays the Recent Messages dialog.

To filter alerts, click Errors, Warnings, or Messages at the bottom of the dialog. To understand more about colors and status, see "About Color-Coded Status Indicators" on page 28.

When you navigate to another screen, Message-level alerts are removed from the Messages dialog, but Errors and Warnings remain on the dialog until you read them.

"Could not enable statistics collection due to unexpected server failure" when activating a device
Problem: When you activate a device, you receive the alert "Statistics collection failed. Could not enable statistics collection on <device> due to unexpected server failure". When you added the device, you had selected Collect statistics for this device.

Resolution 1: Statistics collection requires SGOS 6.3.x. If the ProxySG appliance is not running SGOS 6.3.x or later, disable statistics collection by editing the device details and clearing Collect statistics for this device. You can enable statistics collection for the device again later if you upgrade SGOS to a supported version.

Resolution 2: Connection settings are incorrect. Verify device connection parameters and edit the device details.

"Import batch contains duplicate device name violation" when importing multiple devices
Problem: When you import devices, you receive the error "Import batch contains duplicate device name violation."

Resolution: Each device in the import file must have a unique name. Management Center detects duplicate device names even if you select only one or none of the devices for importing, and regardless of their placement in the hierarchy.

Rename duplicate devices in the import file and import them again. Alternatively, remove devices that you do not want to add from the file and import devices again.

"Local Changes Detected" error when installing policy
Problem: When you click Install Policy, the Policy Editor displays a "Local Changes Detected" message:

This message means that the policy on a device has changed outside of Management Center. It could have been changed on the ProxySG appliance itself, or through an overlay installation if you also use Blue Coat Director to manage devices.

Resolution: To resolve this conflict, click Compare to see the differences between the policy on the device and the policy you want to install. See "Compare the Device Policy Version with Current Policy Version" on page 225 for information.

Then, click Install Policy to overwrite the version on the device, or click Cancel to keep the version on the device.

User has "access denied" error when running a job
Problem: A user runs a job manually (through the Run Now option) or using the Immediate schedule option, but the job completes with an "access denied" error.

Resolution: Check the user's permissions; if they do not have sufficient permissions for the operation, they cannot run a manual or immediate job for the operation. For more information, see "Reference: Understanding Job Permissions" on page 261.

"Multi-tenant policy support is not enabled for this device" when installing policy
Problem: Attempts to install policy to a ProxySG appliance fail and you receive the message "Error: Multi-tenant policy is not enabled for this device".

Resolution 1: Multi-tenant policy was introduced in SGOS 6.6.x; if the device is running an earlier version of SGOS, you cannot install multi-tenant policy to it. If the device is running SGOS 6.6.x, proceed to the next resolution.

Resolution 2: The device does not have the Multi-Tenant Policy license or the license is invalid. If this is the case, contact your Blue Coat sales point of contact or Blue Coat customer care for assistance.

To determine if the appliance has the license:

1. Log in to the ProxySG Management Console.
2. Select Maintenance > Licensing.
3. In the list of Licensed Components, look for Multi-Tenant Policy. If the license is installed and valid, proceed to the next resolution.

Resolution 3: Multi-tenant policy is not enabled on the device. To enable it, enter the following commands:
#(config) general

#(config general) multi-tenant enable

ok
CLI Command Reference
Management Center includes a command-line interface (CLI) that allows you to perform basic administrative tasks. A PDF of the Management Center CLI command documentation is available on BlueTouch Online:

- "Access the Management Center CLI" on the next page - Describes how to access the CLI via an SSH connection.
- "CLI URL Syntax" on page 440 - Describes the valid syntax for commands that require a URL path.
- CLI Command Reference: List - Navigate links to view command descriptions and syntax.

Access the Management Center CLI
Log on to the CLI through an SSH connection or through the Management Center VMware console.

For hardware appliances, access the CLI through the serial console.

Log on using SSH

1. Install an SSH client. This procedure uses PuTTY as an example; your steps might be slightly different.
2. Open PuTTY and specify the following information:
   - Host Name (or IP address): The IP address that you specified for
   - Port: 22
3. (Optional) Specify a name for the connection and click Save to save the settings.
4. Click Open. The SSH window opens, with a login prompt.
5. At the login as: prompt, type admin and press Enter.
6. At the admin@IP_address's password: prompt, type your password and press Enter. The console displays the CLI banner.

Log on through the VMware console

Use the VMware console or SSH if you are logging in to a Virtual Appliance.

1. In the VMware client, browse to the VM in the inventory.
2. Select the VM, right-click, and select Open Console.
   The console displays the CLI console and prompts you to press Enter three times.
3. Press Enter three times. The console displays the CLI banner.

CLI URL Syntax
All CLI commands that accept a URL as a download source or upload destination are formatted as:
protocol://host/path

For example, the SCP protocol must use the format:
scp://host/path

If path is a directory, it must end with a forward slash (/).

The following protocols are supported, although some commands do not support all of the protocols:
- ftp://hostname[:port]/path
- ftps://hostname[:port]/path
- http://hostname[:port]/path
- https://hostname[:port]/path
- scp://hostname[:port]/path

Notes

- URLs cannot contain spaces. If the host name or path contains a space, you must use the URL-encoded characters instead: %20.

  For example, enter the following URL

  http://yourserver.com/d/backup 2.tgz.gpg

  as

  http://yourserver.com/d/backup%202.tgz.gpg.

- The @ symbol is available for use in server credentials for the following commands:
  - backup import
  - installed-systems add
  - license get-from-url
  - service upload-diagnostics
  - security ssl import server-certificate
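The following pre-flight check is an added example, not part of the Blue Coat guide or the product: it applies the URL rules above (supported protocols, %20 for spaces, trailing slash for directories) and the <username:password>@host form shown under Upload System Diagnostics, and it flags FTP and HTTP, which carry the credentials and the backup or diagnostics file without transport encryption. The function names and the files.example.test host are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Schemes listed under "CLI URL Syntax"; individual commands may accept fewer.
SUPPORTED_SCHEMES = ("ftp", "ftps", "http", "https", "scp")
# Of those, the two that provide no transport encryption.
CLEARTEXT_SCHEMES = ("ftp", "http")


def normalize_cli_url(url, is_directory=False):
    """Apply the two documented formatting rules: %20 in place of spaces,
    and a trailing slash when the path names a directory."""
    url = url.strip().replace(" ", "%20")
    if is_directory and not url.endswith("/"):
        url += "/"
    return url


def audit_cli_url(url, is_directory=False):
    """Return findings for a URL about to be passed to a CLI command such as
    'backup export' or 'service upload-diagnostics'. An empty list means the
    URL follows the documented syntax and uses an encrypted transport."""
    findings = []
    if " " in url.strip():
        findings.append("space: replace each space with %20")
    parts = urlsplit(normalize_cli_url(url))
    if parts.scheme not in SUPPORTED_SCHEMES:
        findings.append("scheme: %r is not a supported protocol" % parts.scheme)
        return findings
    if not parts.hostname:
        findings.append("host: missing host name")
    if is_directory and not parts.path.endswith("/"):
        findings.append("directory: path must end with a forward slash")
    if parts.scheme in CLEARTEXT_SCHEMES:
        if parts.username is not None:
            findings.append("cleartext-credentials: %s sends the user name "
                            "and password unencrypted" % parts.scheme)
        else:
            findings.append("cleartext: %s transfers the file unencrypted"
                            % parts.scheme)
    return findings


def redact(url):
    """Mask the password before the URL is pasted into a ticket or a log."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    # The last '@' separates credentials from the host, so a password that
    # itself contains '@' is handled correctly.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.partition(":")[0]
    return url.replace(parts.netloc, "%s:*****@%s" % (user, hostport), 1)


if __name__ == "__main__":
    # Constructed sample URLs (host and credentials are placeholders).
    samples = [
        ("https://files.example.test/mc/backups/", True),
        ("scp://files.example.test/mc/backups", True),
        ("ftp://svc:Pa@ss@files.example.test/diag/", True),
        ("http://yourserver.com/d/backup 2.tgz.gpg", False),
    ]
    for url, is_dir in samples:
        print(redact(url), "->", audit_cli_url(url, is_dir) or "ok")
```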

Standard Mode Commands
Standard mode is the default mode when you log on to the CLI. In standard mode, you can view configuration settings, but not change them.

> enable 441

> exit 441

> help 442

> ping 442

> show 443

> tracepath 445

>enable
Use this command to enter privileged mode. Privileged mode commands enable you to view and change your configuration settings.

By default, you are not required to enter a password for privileged mode. You can configure a password for privileged mode using the # security enable-password CLI command.

See "Privileged Mode Commands" on page 446 for information on commands available in privileged mode.

Syntax

> enable

Example

Management Center> enable

Management Center#

>exit
Exit the CLI and return to the banner, where you can choose to enter the CLI or Management Center setup.

Syntax

> exit

Example

Management Center> exit

Copyright (c) 2015, Blue Coat Systems, Inc.

Welcome to the Blue Coat Management Center CLI



Version: 1.3.0.2 Release id: 655010

--------------------MENU--------------------

1) Command Line Interface

2) Setup

--------------------------------------------

Enter option:

>help
Display a list of all commands and a brief description of each. Alternatively, use ? to display the list.

This command is also available in privileged mode.

Syntax

> help

or

>?

Example

Management Center> help

enable Turn on privileged commands

exit Exit command line interface

help (or ?) Display this help

ping Ping utility

show Show system information

tracepath Trace path utility

>ping
Verify whether a particular destination exists and is responding to requests by sending ICMP echo packets.

This command is also available in privileged mode.

Syntax

> ping <hostname or IP address>


Example

Management Center> ping 192.0.2.0

PING 192.0.20.0 (192.0.20.0) 56(84) bytes of data


64 bytes from 192.0.20.0: icmp_seq=1 ttl=125 time=6.43 ms
64 bytes from 192.0.20.0: icmp_seq=2 ttl=125 time=2.34 ms
64 bytes from 192.0.20.0: icmp_seq=3 ttl=125 time=2.71 ms
64 bytes from 192.0.20.0: icmp_seq=4 ttl=125 time=2.31 ms
--- 192.0.20.0 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 2.319/3.454/6.437/1.729 ms

>show
Display system information.

This command is also available in privileged mode.

Syntax

> show [subcommands]

Subcommands

> show http-proxy

Displays HTTP proxy status (enabled or not) and configuration (host, port, username, password).

> show installed-systems

Lists the images that are currently installed on the system and each image's software version number, release build number, and when the image was last booted.

> show interface

Displays interface and network settings, including IP address, subnet mask, gateway, and DNS servers.

> show license

Lists the component names of all licenses installed on the system and, for each license, displays the status (Valid, Invalid, Expired, Unknown), date the license was activated, expiration date, and type (such as Subscription or Demo).

> show setupinfo

Display system configuration, such as IP address and DNS servers. This reflects the settings specified during initial configuration of Management Center.

> show snmp

Displays the community string and whether remote read access is enabled or disabled.

> show status

Displays the following system statistics (example only):

- Configuration
- General status
- RAID status (displays for HW appliances only)
- Service status

VA example:

Management Center> show status


Configuration:
Memory installed: 7858 megabytes
Memory free: 4388 megabytes
CPUs installed: 2
MAC: 00:50:56:b5:73:80
General status:
System started: 2015-08-18 15:27:48UTC
CPU utilization: 0
Service status:
BCCM : start/running
Statistics Monitoring : start/running

> show version

Display information such as system version, build version, and serial number.

Example

Management Center> show setupinfo

Network settings:

IP address: 10.169.21.51

Subnet mask: 255.255.254.0

IP gateway: 10.169.21.1

DNS server: 10.167.4.55

DNS server: 10.167.4.50

NIC media setting: auto

HTTP Proxy settings:

Enabled: false

HTTP Proxy host:

HTTP Proxy port:

Username:

Password:


>tracepath
Identifies the route packets take to reach a destination. The command executes until the entire route to the host is traced; alternatively, you can press Control+C to return to the command prompt while the trace is in progress.

This command is also available in privileged mode.

Syntax

> tracepath <hostname or IP address>

Example

Management Center> tracepath google.com

1: 192.0.2.0 (192.0.2.0) 0.131ms pmtu 1500

1: server1-company.com (192.0.2.1) 0.725ms

1: server1-company.com (192.0.2.1) 0.429ms

2: 172.16.167.17 (172.16.167.17) 0.581ms

3: 216.16.227.26 (216.16.227.26) 2.310ms

4: network.net (216.16.232.121) 2.817ms

5: 216.16.255.193 (216.16.255.193) 2.269ms

6: 24.153.3.141 (24.153.3.141) 3.517ms

7: 64.71.241.97 (64.71.241.97) 6.934ms

8: 69.63.248.89 (69.63.248.89) 19.716ms

9: no reply

Privileged Mode Commands
Privileged mode provides a set of commands that enable you to view, manage, and change configuration settings.

Enter privileged mode from standard mode by using the enable command. The prompt changes from a > to a #, indicating that you are in privileged mode.

# backup 446

# diagnostic-systems 448

# disable 449

# exit 449

# failover 449

# help 450

# http-proxy 451

# installed-systems 452

# license 453

# pcap 455

# ping 456

# restart 456

# restore-defaults 457

# rsyslog-output 458

# security 459

# service 462

# show 464

# shutdown 466

# snmp 466

statistics-monitoring 466

# subscriptions 467

# tracepath 468

# verify-hardware 469

# backup
Back up the Management Center configuration, and view, export, and restore existing backups.

Syntax

# backup [subcommands]

Subcommands

# backup create

Back up the current Management Center configuration.

# backup delete <index_number>

Delete the specified configuration backup.

Use the backup view command to determine the index number to use.

# backup export <index_number> <URL>

Export the specified backup to a destination server. You must enter a passphrase to secure the backup.

Use the backup view command to determine the index number to use. <URL> is the URL of the destination server and path. Supported protocols are FTP, FTPS, HTTP, HTTPS, and SCP. See "CLI URL Syntax" on page 440 for information on how to format the URL.

# backup import <URL>

Import a backup from the specified server. To import the backup, you must enter the passphrase that was specified during the backup export.

<URL> is the URL of the external server and path. Supported protocols are FTP, FTPS, HTTP, HTTPS, and SCP. See "CLI URL Syntax" on page 440 for information on how to format the URL.

# backup restore <index_number>

Restore a Management Center backup, specified by the index number.

Use the backup view command to determine the index number to use.

# backup restore latest

Restore the most recent configuration backup.

# backup restore-data <index_number>|latest

Restore the configuration and data from a backup. Can be used to transfer configuration and data from one Management Center to another. The serial number, license, CLI password, and network configuration are not restored since this is not applicable when transferring the configuration and data to another unit.

# backup view

View existing configuration backups.

Transfer Configuration and Data to Another Appliance

To transfer configuration and data from one Management Center appliance to another:

1. On the first Management Center, use the backup create command to back up the configuration.
2. Use the backup export command to upload the backup to a Web, FTP, or SCP server.
3. Log in to the second Management Center appliance, and use the backup import command to download the backup from the server specified in step 2.
4. Restore the backup using the backup restore-data command.

Example

Management Center# backup view

Available Backups:

Timestamp Version

1 | 2015-May-26 03:33:00 UTC 1.4.1.1 (555777)

2 | 2015-Apr-16 09:02:00 UTC 1.3.3.1 (554444)

# diagnostic-systems
Upgrade and manage diagnostic systems. To switch between diagnostic and system images, press the SPACEBAR during the boot countdown.

Upgrading and managing diagnostic systems is for Management Center hardware releases only.

Syntax

# diagnostic-systems [subcommands]

Subcommands

# diagnostic-systems add <URL>

Downloads and installs the specified diagnostic image. The user is shown progress (bytes downloaded), which they can safely stop watching by entering Ctrl+C. They may resume watching the download progress by running diagnostic-systems view-downloads.

# diagnostic-systems view

Displays the list of diagnostic images installed on the appliance.

# diagnostic-systems view-downloads

Displays running progress of the diagnostic image currently being downloaded. If no image is being downloaded, it displays the status of the last download request. The user can stop watching the progress by entering Ctrl+C.

# diagnostic-systems delete <index>

Deletes the specified diagnostic image from the appliance. Locked systems cannot be deleted.

# diagnostic-systems lock <index>

Locks the specified diagnostic image, preventing it from being deleted.

# diagnostic-systems unlock <index>

Unlocks the specified diagnostic image, allowing it to be deleted.

# disable
Return to standard mode in the CLI.

Syntax
# disable

Example

ManagementCenter# disable

# exit
Exit the CLI and return to the banner, where you can choose to enter the CLI or Management Center setup.

To return to standard mode from privileged mode, use the disable command. See "# disable" above for information.

Syntax

# exit

Example

ManagementCenter# exit
Copyright (c) 2015, Blue Coat Systems, Inc.

Welcome to the Blue Coat Management Center CLI

Version: 1.4.1.1 Release id: 555000

--------------------MENU--------------------

1) Command Line Interface

2) Setup

--------------------------------------------

Enter option:

# failover
Configures Management Center failover. Management Center supports failover using two physical appliances. One appliance is delegated as the primary and the other as the secondary. After failover is configured, the secondary replicates data from the primary appliance. During continuous replication, users can perform all normal operations on the primary failover partner. Users cannot access the secondary failover partner; its sole purpose is to replicate actions occurring on the primary node so that it can take over if something happens to the primary node. See "Configure Management Center Failover" on page 411 for more information.

Syntax

# failover [subcommands]

Subcommands

# failover view

Display current failover settings.

# failover make-primary

Configures the appliance to be the primary partner in the failover group.

# failover make-secondary

Configures the appliance to be the standby partner in the failover group.

# failover disable

Disables all failover settings.

Example

# failover view

Failover:

Status: Healthy (0 second replication delay)

Primary: 198.51.100.20

Secondary*: 198.51.100.24

# help
Display a list of all commands and a brief description of each. Alternatively, use ? to display the list.

This command is also available in standard mode.

Syntax

#help

or

#?

Example

Management Center# help


backup Create, view and restore backups

disable Turn off privileged commands

exit Exit command line interface

help (or ?) Display this help

installed-systems Upgrade and manage installed systems

license Install and update the Management Center license

ping Ping utility

restart Restart the system or services

security Manage certificates, passwords and access to privileged commands

service Diagnostic and service support

show Show system information

tracepath Trace path utility

# http-proxy
Configure Explicit HTTP Proxy settings.

Syntax

# http-proxy [subcommands]

Subcommands

> show http-proxy

Display network settings and HTTP Proxy settings, such as IP address, DNS servers, HTTP Proxy host IP address and HTTP Proxy port number.

# http-proxy enable

Enables use of the proxy.

# http-proxy disable

Disables use of the proxy.

# http-proxy configure

Configures proxy settings, such as Proxy host, port, username and password.

Example

Management Center> http-proxy configure

Network settings:

IP address: 10.169.0.219


Subnet mask: 255.255.0.0

IP gateway: 10.168.0.1

DNS server: 1.1.1.1

NIC media setting: auto

HTTP Proxy settings:

Enabled: true

HTTP Proxy host: 10.168.0.207

HTTP Proxy port: 8080

Username: user1

Password: *****

# installed-systems
Upgrade and manage installed systems.

Before upgrading the Management Center image, set the default system image to the currently running image.

Syntax

# installed-systems [subcommands]

Subcommands

# installed-systems add <URL>

Download and install a system image.

<URL> is the location on a server where the image resides, in the following format:
http://host/path

# installed-systems default <index_number>

Specify the default system image. The default system image will be run after the next reboot.

<index_number> is the number of the image. Use the installed-systems view command to determine the image to use.

# installed-systems delete <index_number>

Delete the specified system image.

<index_number> is the number of the image. Use the installed-systems view command to determine the image to use.

# installed-systems view

Display the installed system images, with version, build number, and last boot time. The command also indicates the running image and default image, which will be run upon the next reboot.

# installed-systems view-downloads

View the progress of downloads in progress or the status of the last download. If no systems have been downloaded, the CLI responds No systems are being downloaded.

# installed-systems cancel-downloads

Cancel the progress of all downloads in progress. The CLI displays a list of active download(s), along with the message Are you sure you want to cancel image download? [Y/N]. If the download cancellation is confirmed, the CLI responds System image download canceled. If there are no downloads in progress, the CLI responds No image downloads in progress.

After the cancellation, use # installed-systems view-downloads to verify the information confirmation to continue with the cancellation or abort. If active downloads are canceled, If no systems have been downloaded, the CLI responds.

Example of canceled image download:

Management Center#installed-systems cancel-downloads

Are you sure you want to cancel image download? [Y/N] y

System image download cancelled.

Management Center#installed-systems view-downloads


Download URL: <URL>
Download Status: Download cancelled
Download bytes: 0

# installed-systems lock <index_number>

Lock the specified system image so that it cannot be deleted.

# installed-systems unlock <index_number>

Unlock the specified system image so that it can be deleted.

Example

Management Center# installed-systems view



Installed System Images:
Version Release Last boot time Attributes
*1 | 1.4.4.1 555770 2015-05-14 19:42:51 UTC Locked
+2 | 1.4.0.1 555000 2015-03-09 11:22:11 UTC Unlocked
(*) running system image

(+) default system image (will be run on next reboot)

# license
Install a Management Center license or view the status of the last license download.

The CLI prompts you to enter your BTO credentials when you install the license for the first time.

Syntax

# license [subcommands]

Subcommands

# license get-from-bluecoat

Install a new license or update the existing license from BTO. The CLI only prompts you for your BTO username and password if you are installing a new license on a VA appliance.

This command displays the download progress until download is complete.

# license get-from-url <URL>

Update the existing license from a license file on a local server. The command prompts for an optional passphrase, which is used to decode birth certificates embedded in license files.

This command displays the download progress until download is complete. See "CLI URL Syntax" on page 440 for information on how to format the URL.

# license view

View general information such as appliance serial number, information on licensed components, and status of the last attempted license download, including any download in progress.

If you are running a Management Center VA and have not purchased the Offline VA support option, issuing the license view command requires connectivity to the Blue Coat license validation server. If you issue the command without Offline VA support and Management Center is unable to contact the license validation server, the CLI displays the error:
Cannot communicate with license validation server

For more information, refer to the KB article You receive a "Cannot communicate with license validation server" error in Management Center.

If you are running a version of Management Center that contains features available only through license components, contact your sales engineer to ensure that you have the correct license.

Example

Management Center# license view

General Information

Manufacturer: Bluecoat Systems Inc.

Serial Number: ##########

Appliance Number: MC-S400-20

License Component Information

Status Component Name Activation Expiration License Type

Valid Management Center 2015-05-01 2016-04-30 Subscription

Valid Performance Monitoring 2015-05-01 2016-04-30 Subscription

Valid Device Configuration 2015-05-01 2016-04-30 Subscription

Valid Device Inventory 2015-05-01 2016-04-30 Subscription

Valid Policy Management 2015-05-01 2016-04-30 Subscription


Download Information

Download Date: 2015-05-01 23:34:00

Download Status: Download complete

Install Status: Valid

#pcap
The PCAP utility enables you to capture packets of Ethernet frames entering or leaving Management Center. Packet capturing allows filtering on various attributes of the frame to limit the amount of data collected. The collected data can then be transferred to the desktop for analysis via service diagnostic upload.

To view the captured packets, you must have a tool that can read Packet Sniffer Pro 1.1 files such as Wireshark or Ethereal.

Packet captures are limited to 100 MB. The files rotate once the 100 MB limit is reached.

Syntax

# pcap [subcommands]

Subcommands

#pcap filter

Specifies filters to use for PCAP. If you set a filter and subsequently change it while the PCAP is running, the change will not be applied until you restart the packet capture.

Subcommands:
# pcap filter clear

Clears all pcap filters.
# pcap filter set-host ipv4_address | hostname

Captures data only between Management Center and the specified host.
# pcap filter set-port port

Captures data only on the specified port.
# pcap filter view

Displays the filters currently enabled.

#pcap info

Reports current state of the packet capture.

#pcap start

Starts the capture.

#pcap stop

Stops the capture.

Example

Management Center#pcap info


Packet capture information:

Current state: Running

Filtering: port 80

Packets captured: 15020

#ping
Verify whether a particular destination exists and is responding to requests by sending ICMP echo packets.

This command is also available in standard mode.

Syntax

# ping <hostname or IP address>

Example

Management Center# ping 192.0.2.0

PING 192.0.20.0 (192.0.20.0) 56(84) bytes of data


64 bytes from 192.0.20.0: icmp_seq=1 ttl=125 time=6.43 ms
64 bytes from 192.0.20.0: icmp_seq=2 ttl=125 time=2.34 ms
64 bytes from 192.0.20.0: icmp_seq=3 ttl=125 time=2.71 ms
64 bytes from 192.0.20.0: icmp_seq=4 ttl=125 time=2.31 ms
--- 192.0.20.0 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3007ms
rtt min/avg/max/mdev = 2.319/3.454/6.437/1.729 ms

#restart
Restart the Management Center VA or services.

Syntax

# restart [subcommands]

Subcommands

# restart reboot

Reboot the virtual appliance. When the appliance shuts down, the network connection closes and you must start a new CLI session.
# restart services

Restart Management Center services.

Example

Management Center#restart reboot

Management Center#

Broadcast message from admin@bccm_main-6-x86_64.localdomain

(/dev/pts/0) at 23:27 ...

The system is going down for reboot NOW!

#restore-defaults
Restore factory defaults on the appliance/device running Management Center. This command is only available using the serial console.

Syntax

# restore-defaults [subcommands]

Subcommands

# restore-defaults factory-defaults

Reboots the appliance/device after restoring factory defaults is complete.
# restore-defaults factory-defaults-halt

Halts the appliance/device after restoring factory defaults is complete.
# restore-defaults factory-defaults-shutdown

Powers off the appliance/device after restoring factory defaults is complete.
# restore-defaults reset-admin

Resets the UI admin password to admin/admin.
# restore-defaults configuration

Resets the UI configuration back to defaults. Retains all other data.

Example

Management Center #restore-defaults reset-admin

This operation will restore admin password on UI to default. Management Center service
will be unavailable during this operation.

Are you sure you want to restore UI admin password? [y/N]

#rsyslog-output
Configure the remote servers where remote syslog output can be sent.

Syntax

# rsyslog-output [subcommands]

Subcommands

# rsyslog-output add

Add new syslog server configuration.
# rsyslog-output configure

Configure existing syslog server.
# rsyslog-output delete

Delete syslog server configuration.

#rsyslog-output disable

Disable use of remote syslog output.
# rsyslog-output enable

Enable use of remote syslog output.
# rsyslog-output view

View configured syslog servers.

Examples

Management Center# rsyslog-output add

Enter syslog server host []: my-remote-host

Enter syslog server port [514]:

Enter syslog server protocol (TCP|UDP) [TCP]:

Management Center# rsyslog-output disable

Management Center# rsyslog-output view

Warning - Remote syslog server output is disabled.

Host Port Protocol


1 | my-remote-host 514 UDP

Management Center# rsyslog-output delete 1

Remove syslog server configuration (Host "my-remote-host", Port 514, Protocol UDP)? [y/N] y

#security
Specify security options for Management Center including basic certificate management using ssl.

Syntax

# security [subcommands]

# security ssl [subcommands]

Subcommands

# security enable-password

Turns on the password for privileged commands. If you turn on the password, you must enter an enable password to enter privileged mode.

<password> is the enable password you specify.

# security generate-ssl-certificate

Generate a new SSL certificate for Management Center. When an SSL certificate expires, you can use this command to generate a new one.

# security http

Subcommands:
# security http enable

# security http disable

# security http view

Enables or disables HTTP access to Management Center. By default, HTTP is disabled. You must enable HTTP to install system images without a secure connection on managed devices.

# security icmp

Subcommands:
# security icmp enable

# security icmp disable

Enables or disables ICMP echo. By default, ICMP is disabled. Management Center will respond to pings after ICMP is enabled.

# security password

Change the password used to access the CLI. To change the password, you must enter the current password, and then specify and confirm the new password.

# security reset-password

Resets the password used to access the CLI for the admin account. This command is only available through the serial console. To restore the default password for the admin UI account, see "#restore-defaults" on page 457.

# security unset-enable-password

Turns off the password for privileged commands. If you turn off the password, you can enter privileged mode without having to enter an enable password.

# security ssl

Subcommands:
# security ssl client-authentication disable

Disable X.509 client authentication.

# security ssl client-authentication set-mandatory

Users must use X.509 client authentication. If X.509 client authentication fails, no connection is established.

When configured, all traffic requires a certificate. For example, to access file service requests and APIs, client authentication is mandatory.

#security ssl client-authentication set-optional

If X.509 client authentication fails, users can log in using the standard Management Center login page. Issuing this command requires Management Center to restart.

# security ssl client-authentication set-regex

Sets the regex command used to extract the certificate's name; the default is CN=(.*?),.

Subcommand:

default

Resets the principal regex to the default.

# security ssl client-authentication view

View current X.509 client authentication settings.

# security ssl import external-certificate <name> <URL>

Downloads the certificate from the specified URL and installs it to the truststore with the specified name. Certificates are not case sensitive. See "CLI URL Syntax" on page 440 for information on how to format the URL.

# security ssl import server-certificate <URL>

Downloads the certificate from the specified URL and installs it to the keystore, replacing the appliance's SSL certificate if it exists. This command does not restart the MC services; users must do so manually by running restart services. See "CLI URL Syntax" on page 440 for information on how to format the URL.

# security ssl list external-certificates all

Displays the names of all certificates in the truststore. Certificate names are not case sensitive.

# security ssl list external-certificates system

Displays the names of all system certificates in the truststore. Certificate names are not case sensitive.

# security ssl list external-certificates user

Displays the names of all user added certificates in the truststore. Certificate names are not case sensitive.

# security ssl list server-certificates

Displays the names of all server certificates in the keystore. Currently, there will only ever be one, and it will be named defaultcertkey.

# security ssl delete external-certificate <name>

Delete the specified certificate from the truststore. System certificates cannot be deleted.

# security ssl delete server certificate

Deletes the appliance's certificate being used for SSL. This command does not restart the MC services; users must do so manually by running restart services.

# security ssl view external-certificate <name>

Displays details of the certificate in the truststore with the given name. Details include owner, issuer, expiration date and fingerprints. Certificate names are not case sensitive.

# security ssl view server-certificate

Displays details of the certificate in the keystore with the given name. Details include owner, issuer, expiration date and fingerprints. Certificate names are not case sensitive.

# security ssl-protocols

Beginning in Management Center 1.5.3.2, TLSv1.1 is disabled by default. This command enables you to manage TLSv1.1 operation.

Subcommands:
# security ssl-protocols disable TLSv1.1

Disables the TLSv1.1 protocol.

# security ssl-protocols enable TLSv1.1

Enables the TLSv1.1 protocol.

# security ssl-protocols view

Displays the enabled SSL protocols.

Example

Management Center # security unset-enable-password

Management Center #security ssl import external-certificate <name> <URL>

1. Import an external certificate from a server using the public key. This allows Management Center to connect to an external server without using a username or password for authentication.

2. Name the certificate.

3. Go to the URL of the server, and copy and paste the URL into the subcommand.

4. Press Return. While the certificate downloads, the CLI displays the details of the connection to the server and inspects the certificate for details such as:
- Owner
- Issuer
- Serial Number
- Valid from date
- Valid until date
- Certificate fingerprints
- Extensions

When the download is complete, the CLI queries:
Are you sure you want to import this as a trusted certificate? [y/N]
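
An added example (not from the guide or from Blue Coat code) that runs the default set-regex pattern CN=(.*?), against constructed subject DNs to show which names it extracts and where it extracts nothing. The DN strings, the stricter STRICT_REGEX, and the use of Python's re module are assumptions; the appliance's own regex engine and DN formatting may differ.

```python
import re

# Default pattern quoted in the guide for
# "security ssl client-authentication set-regex".
DEFAULT_REGEX = r"CN=(.*?),"

# Hypothetical stricter pattern (an assumption, not from the guide):
# CN must start an RDN, may be the last RDN, and may contain "\,".
STRICT_REGEX = r"(?:^|,\s*)CN=((?:\\.|[^,\\])+)(?:,|$)"

# Constructed subject DNs, written the way a certificate viewer prints them.
SAMPLE_SUBJECTS = {
    "cn_first": "CN=alice, OU=Ops, O=Example Corp, C=US",
    "cn_last": "C=US, O=Example Corp, OU=Ops, CN=alice",
    "escaped_comma": r"CN=Smith\, Alice, OU=Ops, O=Example Corp",
    "no_cn": "OU=Ops, O=Example Corp, C=US",
}


def extract_name(subject_dn, pattern=DEFAULT_REGEX):
    """Return capture group 1 of the first match, or None if nothing matches."""
    match = re.search(pattern, subject_dn)
    return match.group(1) if match else None


def compare_patterns(subjects=SAMPLE_SUBJECTS):
    """Map each sample to (name from default regex, name from strict regex)."""
    return {
        label: (extract_name(dn), extract_name(dn, STRICT_REGEX))
        for label, dn in subjects.items()
    }


def unmatched(subjects, pattern):
    """Labels of subjects for which the pattern yields no name at all."""
    return sorted(
        label for label, dn in subjects.items()
        if extract_name(dn, pattern) is None
    )


if __name__ == "__main__":
    for label, (default_name, strict_name) in compare_patterns().items():
        print(f"{label:14} default={default_name!r:12} strict={strict_name!r}")
```

Before setting client authentication to mandatory, run the subject DNs of your real client certificates through the pattern you intend to configure and confirm that each one yields the expected name.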

#service
The service command allows you to view disk usage and troubleshoot the following:

- Disk space or possible file corruption issues
- Enable verbose logging
- Upload diagnostic data to Blue Coat using an open support case
- Possible VPM cache corruption issues

View Disk Usage
View your current disk usage before performing disk maintenance.

Syntax

#service disk-usage

Perform Disk Maintenance
Clean your disk by using the #service db-maintenance command and subcommand. This is used for manual database cleanup and re-indexing. While running this maintenance command, both Management Center and statistics monitoring are unavailable.

Syntax

#service db-maintenance

Automated disk space cleanup occurs when Management Center reaches 85% of disk utilization. This automated cleanup removes backed up dump files and all but the latest Management Center backup. This automated cleanup is not as thorough as performing disk maintenance manually. Management Center and statistics monitoring remain available and running.

Enable Verbose Logging
To enable verbose debug logging, execute the command #service enable-verbose-logging. When you have completed capturing what you want, stop the logging by executing the command #service disable-verbose-logging. You can then export the debug log from the web console or include the log in a support case upload.

Syntax

#service enable-verbose-logging

#service disable-verbose-logging

You should enable verbose logging to include more debug-level details in system logs, which can be used to troubleshoot issues you may have encountered. Because the system log is included in the diagnostics upload to Blue Coat Support, enabling verbose logging includes debug-level logs in the diagnostics archive.

Upload Diagnostics Data
Upload diagnostics data to a destination server or directly to Blue Coat if you have an open support case.

Syntax

# service upload-diagnostics [subcommands]

Subcommands

# service upload-diagnostics [subcommands]

SCP: scp://<host>/<path>

FTP: ftp://<host>/<path>

FTPS: ftps://<host>/<path>

HTTP: http://<host>/<path>

HTTPS: https://<host>/<path>

# service upload-diagnostics <case_number>

Upload the diagnostics to Blue Coat Support with your existing case number.

<case_number> is the number for your open Blue Coat Support case.

Purge VPM Cache
If you receive a message when starting the Visual Policy Manager Editor from the web console that a jar mismatch exists, you will need to purge the VPM cache. This happens rarely, such as if there is a network failure while jars are being transferred between devices.

Purge all Visual Policy Manager .jar files by using the #purge-vpm cache command.

Syntax

#purge-vpm cache

#show
Display system information.

This command is also available in standard mode.

Syntax

# show [subcommands]

Subcommands

# show http-proxy

Displays HTTP proxy status (enabled or not) and configuration (host, port, username, password).
# show installed-systems

Lists the images that are currently installed on the system and each image's software version number, release build number, and when the image was last booted.
# show interface

Displays interface and network settings, including IP address, subnet mask, gateway, and DNS servers.
# show license

Lists the component names of all licenses installed on the system and, for each license, displays the status (Valid, Invalid, Expired, Unknown), date the license was activated, expiration date, and type (such as Subscription or Demo).
# show setupinfo

Display system configuration, such as IP address and DNS servers. This reflects the settings specified during initial configuration of Management Center.
# show snmp

Displays the community string and whether remote read access is enabled or disabled.

# show status

Displays the following system statistics (example only):
- Configuration
- General status
- RAID status (displays for HW appliances only)
- Service status

VA example:

Management Center> show status


Configuration:
Memory installed: 7858 megabytes
Memory free: 4388 megabytes
CPUs installed: 2
MAC: 00:50:56:b5:73:80
General status:
System started: 2015-08-18 15:27:48UTC
CPU utilization: 0
Service status:
BCCM : start/running
Statistics Monitoring : start/running

# show version

Display information such as system version, build version, and serial number.

Example

Management Center# show setupinfo

Network settings:

IP address: 10.169.21.51

Subnet mask: 255.255.254.0

IP gateway: 10.169.21.1

DNS server: 10.167.4.55

DNS server: 10.167.4.50

NIC media setting: auto

HTTP Proxy settings:

Enabled: false

HTTP Proxy host:

HTTP Proxy port:

Username:

Password:

#shutdown
Shut the hardware or virtual appliance down.

Syntax

# shutdown

Example

Management Center#shutdown

Are you sure you want to shutdown the system? [y/N]

#snmp
Enables you to disallow remote read access or only allow read-only remote access. You can set the community string and view the SNMP settings for SNMP traps.

You can view SNMP settings in the standard ">show" on page 443 command.

Syntax

# snmp [subcommands]

Subcommands

# disable-remote-read-access

Disallows remote read access.
# enable-remote-read-access

Allows read-only remote access.
# set-community

Set the community string (you cannot use the default).
# view

View SNMP settings.

Example

Management Center# snmp view

Community String: 2cc72a6160

Remote Read Access: Disabled

#statistics-monitoring
Shut the hardware or virtual appliance down.

Syntax

# statistics-monitoring [subcommands]

Subcommands

# statistics-monitoring set-per-hour-lifetime

Set per hour trend data lifetime. Must be entered in number of days.

# statistics-monitoring set-per-minute-lifetime

Set per hour trend data lifetime. Must be entered in number of days.

# statistics-monitoring view

View current statistics monitoring lifetime settings, record statistics, and disk usage data.

Example

#statistics-monitoring view
Total devices: 2
Reporting devices: 1

Data characteristics:
Lifetime Records Disk Usage
minute 7 days 131240 113 MB
hour 366 days 50927 26 MB

#subscriptions
Download and view the current status of Blue Coat subscriptions.

In Management Center 1.6.1.1, the subscriptions command controls only the Web Application Protection (WAP) subscription. To use Web Application Firewall (WAF) features, you must ensure that Management Center can connect to https://subscription.es.bluecoat.com to download the WAP subscription bundle. If the WAP subscription cannot be downloaded, the Blacklist and Analytics Filter rules table in the Security Profile will not be available. However, all other WAF features should still be available and functioning. The WAP subscription cannot currently be loaded when Management Center is in offline mode.

Syntax

#subscriptions [subcommands]

Subcommands

#subscriptions application-protection
# subscriptions application-protection download

Downloads the application-protection subscription update.
# subscriptions application-protection download-force

Downloads the application-protection subscription update, even if an instance of the identical update already exists.

# subscriptions application-protection view

View the application-protection status.

Example

Management Center# subscriptions application-protection view

License Type: Subscription


Licensed Until: 2017-01-05
Subscription Validity: Valid
Data Validity: Valid
Last Download Information:
Time: 2016-03-08T14:54:30.944+0000
URL: https://subscription.es.bluecoat.com/application-protection/database
Status: Success

The download URL is not configurable.

#tracepath
Identifies the route packets take to reach a destination.

The command executes until the entire route to the host is traced; alternatively, you can press Control+C to return to the command prompt while the trace is in progress.

This command is also available in standard mode.

Syntax

# tracepath <hostname or IP address>

Example

Management Center# tracepath google.com

1: 10.169.21.52 (10.169.21.52) 0.131ms pmtu 1500

1: server1-company.com (10.169.21.1) 0.725ms

1: server1-company.com (10.169.21.1) 0.429ms

2: 172.16.167.17 (172.16.167.17) 0.581ms

3: 216.16.227.26 (216.16.227.26) 2.310ms

4: network.net (216.16.232.121) 2.817ms

5: 216.16.255.193 (216.16.255.193) 2.269ms

6: 24.153.3.141 (24.153.3.141) 3.517ms

7: 64.71.241.97 (64.71.241.97) 6.934ms

8: 69.63.248.89 (69.63.248.89) 19.716ms

9: no reply

#verify-hardware
Displays all hardware system information for the appliance running Management Center. This command helps when diagnosing any problems encountered during installation or initial configuration.

Syntax

# verify-hardware [subcommands]

To diagnose problems with the hardware, see "#diagnostic-systems" on page 448.

Example

Management Center #verify-hardware

Serial number: 4313320063

System model: Blue Coat 1000

RAM:

16384 MB

CPU0_DIMM_A1 8192 MB DDR3

CPU0_DIMM_A2 8192 MB DDR3

Number of physical CPUs: 1

Number of cores: 4

CPU Type: Intel(R) Xeon(R) CPU E5-2418L 0 @ 2.00GHz

Storage:

sda 7 GB ATP IG SlimSATA

sdb 7 GB ATP IG SlimSATA

sdc 1000 GB ST91000640SS

sdd 1000 GB ST91000640SS

sde 1000 GB ST91000640SS

sdf 502 MB ATP IG eUSB

Network: nic0_0 Intel Corporation I350 Gigabit Network Connection (00:d0:83:09:6b:c4)
