AMP – Advanced Malware Protection
WSA – Web Security Appliance ( Aka – Ironport)
SMA – Security Management Appliance ( Centralised Management to push policies geographically located WSA)
Background Story – One of the Client place – having major impact due to Webroot, keep having issue with proxy, not able to process some request due to Webroot bug, Cisco not have much influence here, The Only Option leave as a Cisco customer- AMP is the solution, where cisco have Full control to diagnosis the issue.
SMA – 11.5.1-115 – Current running version
WSA – 11.5.2-020 for Web – Current Running version
Step 1 : Get the AMP License – either from smart License, only higher version only support smart license, so i have to contact cisco Licnese team to get feature keys.
Step 2 : Apply the Feature keys individual kit. ( this only by login to each kit)
Step 3 – now you can see the feature keys for AMP ( due to confidential i have removed other information)
Step 4 – Disable WebRoot and Enable AMP on WSA
Click Submit and commit the changes.
Step 5 : we going to enable same on SMA – Enable AMP and Disable Webroot.
Click Submit and commit the changes.
Step 6 : Make sure you configure AMP Enginer get updates from Internet automatically.
Navigate to Security Services > FileReputation and Analysis Under “AdvancedMalwareProtection,”click“ Edit the GlobalSettings”
Note: By default, it will be – on port tcp/32137 (if you have External Perimeter blocking this port AMP will not get updates). – so change the port accordingly, i have changed to 443 port
Save and commit the changes
You can view the AMP in Global Policy Under Access Polices
Web Security Manager>Access Policies you will need to configure Advanced Malware Protection under the Anti-Malware and Reputation Column. Click on the blue “Advanced Malware Protection”
Block instead of Monitoring ( Monitor not going to block)
Step 7 : you can view the reports on SMA
Sample report like below :
You can view-blocking from the user
I hope you enjoyed the document —-!
Happy Labbbbbbbbbing!