Blue Coat Proxy Server Configuration Guide v1.3
Bluecoat Proxy and Caching Solution

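Blue Coat Company Profile
• Founded in 1996, focused on Web acceleration (Acceleration)
– Accelerating Web applications… accelerating Internet applications
– Innovative purpose-built proxy caching appliance, with patented technologies including parallel object fetching and adaptive active refresh
• In 2002, expanded into Web security and policy control (Policy Control & Security)
– A high-performance engine and a rich policy framework make Web activity visible, allowing control of users, content, and applications
• Because it cannot understand applications, it cannot prevent or detect commonly used phishing techniques
Traditional URL filtering cannot prevent bandwidth abuse
• Shortcomings…
– Blocks content that is useful to the business
– Not effective enough at blocking P2P, Skype, streaming video URLs, and so on
– Cannot perform bandwidth shaping or bandwidth management by application
In a word, the solution should be…
“Dynamic”
An architecture with dynamic characteristics = the highest degree of coverage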
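Anatomy of a Web Page
• A Web page is made up of multiple Objects
• Each Object is specified by a URL
Parallel fetching (Pipelining): CacheOS Object Pipelining™
[Figure: object pipelining timing diagram; labels: 2 sec, 7.25 sec, "After parsing", Internet]
Object-based storage: designed specifically for caching
• Fast disk access under high load
1. An enterprise user accesses a URL
2. The Blue Coat SG evaluates the URL using the local BCWF; 94% of these evaluations complete in under 8 ms
3. URLs categorized during the previous night can be evaluated within 70 ms
4. 98+% of uncategorized bad sites are categorized by DRTR, typically in under 200 ms
[Figure labels: Internet, BCWF, Local BCWF]
Source: Gartner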
Bluecoat Operation Manual

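Policy Options
Policy evaluation order
(the earlier in the list, the lower the priority)
Move Up / Move Down
Default policy setting
Trace all policy execution (for debugging)
Policy execution trace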
start transaction
CPL Evaluation Trace: <Proxy>
MATCH:
MATCH:
authenticate(islandldap)
ALLOW condition=realstreams condition=GROUP2
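Group number: the smaller the number, the higher the priority; a lower-priority gateway is used only when all higher-priority gateways have failed
Gateway edit dialog: opened by New and Edit
Gateway IP address
Weight: load is distributed in proportion to the weights
Static Route Configuration
Select how the static routes are set
Options: URL, local file, text editor, install, show routing table, show source routing configuration file
The static routing table is a text file in which each line contains an IP address, a subnet mask, and a gateway IP, for example: 192.168.1.0 255.255.255.0 192.168.1.1
Changing the Browser Prompt
• Set the Proxy IP directly
• Use the default PAC file on the SG for the Proxy settings
• Use the accelerated PAC file for the Proxy settings
• Use a PAC file specified by URL for the proxy settings
Client Browser Configuration Recommendations
PAC file
•Default PAC file, URL: https://x.x.x.x:8082/proxy_pac_file
Policy Files: every policy configuration corresponds to a policy file on the system; this option covers file-based configuration as well as backup and restore
Visual Policy Manager: the visual policy manager, used to configure access control policy through a graphical interface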
Blue Coat Systems PacketShaper 11.6 Third Party Copyright Notices

PacketShaper 11.6
Third Party Copyright Notices
© 2016 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER, CACHEOS, CACHEPULSE, CROSSBEAM, K9, DRTR, MACH5, PACKETWISE, POLICYCENTER, PROXYAV, PROXYCLIENT, SGOS, WEBPULSE, SOLERA NETWORKS, DEEPSEE, DS APPLIANCE, SEE EVERYTHING. KNOW EVERYTHING., SECURITY EMPOWERS BUSINESS, BLUETOUCH, the Blue Coat shield, K9, and Solera Networks logos and other Blue Coat logos are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. BLUE COAT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. BLUE COAT PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU. Americas: Blue Coat Systems, Inc. 384 Santa Trinita Avenue Sunnyvale, CA 94085
Blue Coat Part: 231-03270 rev A.0 Installation Guide

Identify the Port and Group Numbering
The SAS ports on the back of the storage modules are marked with a white, numbered sticker. The numbers indicate which SAS ports to cable to the next SAS port in the chain.
A blue sticker with a white number indicates the module’s group number. The module’s corresponding head unit has the same group number.
Front Panel Features
1. System identification button
2. Power LED
3. Enclosure status LED
4. Hard disk drives
Installing and Removing the System
Align the system with the rails and slide the system into the rack [5]. Tighten the thumbscrews on each side of the system’s front panel [6]. To remove the system from the rack, loosen the thumbscrews and slide the system out of the rack.
Quick-Start Guide
BluecatDNSUserGuideV1.0.1

Bluecat DNS User Guide (Bluecat DNS User Configuration Manual)
Document No: Bluecat-20140620
Version: 1.0
Modify Date: 2014/06/20
2014-8-12 Bluecat confidential, not to be distributed without permission. Page 1 of 70

Contents
1 Introduction to DNS
1.1 DNS Overview
1.2 DNS Deployment Topologies
1.2.1 Master/Slave DNS Topology (Master & Slave)
1.2.2 Cache DNS Topology
1.2.3 DNS Anycast Topology
1.2.4 DNS XHA Topology
1.3 Bluecat Version Information
2 Hardware Installation
2.1 Getting to Know the Hardware
2.1.1 Adonis Series Front Panel
2.1.2 Adonis Series Rear Panel
2.1.3 Proteus Series Front Panel
2.1.4 Proteus Series Rear Panel
2.2 Interface Description
2.3 Introduction to the BlueCat DDI Solution
2.3.1 DDI Architecture
2.3.2 Proteus Object Structure
2.3.3 Firewall Port Settings
3 Basic CLI Configuration
3.1 CLI Overview
3.2 IP/Network Configuration
3.3 Time Configuration
3.4 Device Name Configuration
3.5 Adonis no-proteus-control Setting
3.6 HTTPS/HTTP Configuration of the Proteus Management Platform
3.7 Enabling the Dedicated Management Interface Eth2
3.8 Enabling the Querylog Feature
3.9 Other Common CLI Configuration
4 General Proteus Configuration
4.1 Overview of the Proteus Configuration Process
4.2 Web Login to the Proteus GUI Management Interface
4.3 Creating a Configuration File
4.4 Adding an Adonis Server
4.5 Enabling SNMP Monitoring
4.6 Adding DNS Views, Zones, and Resource Records (RR)
4.7 Creating Other Common Resource Records
4.8 Updating Resource Records and Quick Deploy
4.9 Assigning DNS Deployment Roles
4.10 Adding DNS Deployment Options
4.11 Deploying the DNS Configuration
4.12 DNS Reverse Resolution
5 DNS Topology Configuration
5.1 Configuration Before Setting Up a Topology
5.2 Master/Slave DNS Topology (Master & Slave) Configuration
5.3 Cache DNS Topology
5.4 DNS Anycast Topology
5.4.1 Preliminary Configuration
5.4.2 Adonis Anycast Configuration
5.4.3 Router Anycast Configuration
5.5 DNS XHA Topology
6 Day-to-Day Proteus System Management
6.1 My IPAM
6.2 Adonis Server Operating Status
6.3 Viewing Logs
6.3.1 User Session Logs
6.3.2 Administrative Operation Logs
6.3.3 Viewing DNS Query History
6.4 Configuration Restore (Data Restore)
6.5 Database Management
6.5.1 Database Backup and Restore
6.5.2 Archiving Historical Information
6.5.3 Database Re-Index
7 Appendix 1: DNS Deployment Options

1 Introduction to DNS
1.1 DNS Overview
DNS is short for Domain Name System; it consists of resolvers and name servers.
Getting Started with Blue Coat

Blue Coat Product Configuration and Getting Started
北京东华合创数码科技股份有限公司 (Beijing Donghua Hechuang Digital Technology Co., Ltd.), Li Dong, December 2007

Contents
1. SG Initial Configuration
1.1 Logging in to the SG with a console cable
1.2 Configuring SG port properties
1.3 Managing the SG from the console
2. SG Registration
2.1 Logging in to webpower
2.2 Product registration wizard
2.3 Importing the license through a web browser
3. Managing the SG with a Web Browser
3.1 Logging in to the SG with a Web browser
3.2 Getting to know SG Configuration
3.3 Getting to know SG Maintenance
3.4 Getting to know SG Statistics
4. Getting Started with SG Reporter
4.1 Configuring the SG
4.2 Getting to know Reporter
4.3 Using Reporter
4.3.1 Configuring an Access-log sourced from a local/remote (FTP) disk
4.3.2 Opening the created template
4.4 Configuring real-time Access-log communication with the SG
4.4.1 Click Create New Data Profile to create a new template
4.4.2 Opening the created template
5. Getting Started with SGClient
5.1 Configuring the SG
Blue Coat Part 231-03274 rev A.0 Installation Guide

SA-SM-240T-FC-G6
Front-Panel Indicators
1 Power On
2 Standby Power
3 System ID
4 Temperature Limit Exceeded
seated in the connector and the physical-disk carrier handle snaps into place [9].
CAUTION: Verify that the disk is not raised up at the back of the drawer slot, which would indicate that it is not properly seated. Closing the drawer with an improperly seated disk will damage both the drawer and the physical disk.
Fibre Channel RAID Controller Module Features
Open a Disk Drawer
Flip both drawer-release latches outward [1]. Hold the physical-disk drawer in both hands and pull it away from the chassis [2].
Blue Coat ProxySG Audit Support Tech Note

Tech Note--Audit Support for Blue Coat ProxySG
Symantec CloudSOC Tech Note

Copyright statement
Copyright (c) Broadcom. All Rights Reserved.
The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom.
For more information, please visit w .
Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.

Table of Contents
Introduction
Supported ProxySG firewall version
Sample log formats
Configuring ProxySG to FTP logs to SpanVA
Create a CloudSOC datasource for the ProxySG
Enable access logging
Configure the log format
Create an access log for SpanVA
Configure the upload client
Schedule the upload
Enable Logging
Configuring HTTPS file transfer via SpanVA
Specifying custom log file headers
Ignoring HTTP CONNECT tunnel traffic
Detecting Blue Coat ProxySG denied traffic
References
Revision history

Introduction
This Tech Note describes how the CloudSOC Audit application supports log files from Blue Coat ProxySG devices.

Supported ProxySG firewall version
ProxySG minimum supported version is SGOS 5.5

Sample log formats
Blue Coat ProxySG supports logs in either of the following two formats:
● Access logs (Default)
● Extended Log File Format (Custom)
The Audit application supports the “Extended Log File Format” (ELFF) for the Blue Coat ProxySG.
The delimiter for the log fields is a blank space (\s) and the fields are sometimes wrapped in double quotes as shown in the log sample below.

#Software: SGOS 5.2.6.1
#Version: 1.0
#Start-Date: 2014-04-16 00:41:36
#Date: 2013-05-24 17:24:46
#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(User-Agent) sc-filter-result cs-category x-virus-id s-ip s-sitename r-ip
#Remark: 0606020157 "DFWDLPBCSG01 - 172.16.111.196 - Blue Coat SG400" "155.17.111.196" "main"
2014-04-21 06:42:28 164 155.17.4.168 200 TCP_TUNNELED 498 650 CONNECT tcp 443 / - - - DIRECT os-bo-app05-03.boldchat.com - - OBSERVED "Technology/Internet" - 155.17.111.196 SG-HTTP-Service 63.251.34.61
2014-04-21 06:42:28 637 155.17.122.61 200 TCP_TUNNELED 7140 1552 CONNECT tcp 443 / - - - DIRECT - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" OBSERVED "Web Ads/Analytics" - 155.17.111.196 SG-HTTP-Service 98.137.170.33
2014-04-21 06:42:28 565 155.17.122.61 200 TCP_TUNNELED 5303 2201 CONNECT tcp 443 / - - - DIRECT - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36" OBSERVED "Web Ads/Analytics" - 155.17.111.196 SG-HTTP-Service 98.138.47.199

Configuring ProxySG to FTP logs to SpanVA
This section describes how to configure a ProxySG to FTP logs to a SpanVA instance within your enterprise perimeter. This procedure assumes that you have already installed and configured SpanVA as described in the CloudSOC Tech Note Installing and Configuring SpanVA. Perform all of the procedures described in the following subsections.
Note: This procedure was developed using SGOS 6.6.3.2 SWG Edition OS on the ProxySG device.
Other versions may have different menu paths and options.

Create a CloudSOC datasource for the ProxySG
If you have not already done so, use the procedure below to create a CloudSOC datasource for the ProxySG.
1. If you have not already done so, login to CloudSOC with your administrator credentials.
2. From the CloudSOC nav bar, choose Audit > Device Logs as shown below.
3. On the Device Logs page, click New Data Source > SpanVA Data Source.
4. On the New SpanVA Data Source panel:
● Enter a descriptive name for the data source.
● For Firewall Type choose Blue Coat ProxySG.
● From the SpanVA menu, choose the SpanVA to which the ProxySG sends logs.
● For Source Type, choose SCP/SFTP/FTP/HTTPS Server.
5. Click Create Connection.
CloudSOC opens a Datasource Details panel to show you information about the connection as shown below.
6. Record the following information from the Datasource Details panel to use in the ProxySG configuration:
● Host
● Destination Directory
● Username
● Password--Use the password you recorded earlier for your datasources.
Note: If you lose the password, click Reset to receive a new password. If you reset the password, you must reconfigure your network devices to use the new password for subsequent log uploads.

Enable access logging
1. If you have not already done so, login to the ProxySG management console.
2. Click the Configuration tab, and navigate to Access Logging > General.
3. Near the upper left corner of Default Logging tab, make sure the Enable Access Logging checkbox is marked, as shown below.

Configure the log format
1. On the Configuration tab, navigate to Access Logging > Formats.
2. On the Log Format tab click New.
The Create Format box opens as shown below.
3. Enter a name for the format, for example "Elastica_SpanVA_Format."
4. Mark the W3C Extended Log File Format (ELFF) string radio button.
5. In the ELFF string text box, enter the header fields, separated by spaces, that you want exported in your logs. Then click OK.
The example above shows a sample set of header fields.
Make sure you configure all mandatory fields as listed below. Click Test Format to check if all your fields are valid.

Mandatory fields
The following fields must be present in the logs uploaded to CloudSOC Audit application.
● date and time OR timestamp OR gmttime
● c-ip OR cs-username
● cs-host OR cs-uri
● cs-bytes
● sc-bytes
● cs-uri-scheme OR cs-protocol

Optional fields
The following fields provide additional analytics if present.
● c-port
● s-action
● cs(Referer)
● cs(User-Agent) OR c-agent
● cs-uri-path
● r-ip OR s-supplier-ip (required for destinations support)

Create an access log for SpanVA
1. On the Configuration tab, navigate to Access Logging > Logs.
2. On the Logs tab, click New as shown below.
3. On the Create Logs box, give the log a name such as "Elastica_SpanVA" and set the Log Format to Elastica_SpanVA_Format as shown below. You can also give the log a description if you want.
4. Click OK to create the new log.
5. On the Management Console, click Apply to commit the new configuration.

Configure the upload client
1. On the Configuration > Access Logging > Logs tab, click the Upload Client tab.
2. From the Logs menu, choose the SpanVA access log you created earlier.
3. For Client type, choose FTP Client and click Settings.
4. Configure the following settings as shown on the CloudSOC Datasource Details panel in the section Create a CloudSOC datasource for the ProxySG:
● Host
● Path (Destination Directory)
● Username
● Password
Note: If the CloudSOC Datasource Details panel shows you a path of the form "/home/ds_xxxxxxxxxxxxxxxxxxxxxxxxx/datasources/yyyyyyyyyyyyyyyyyyyyyy," you can shorten it to just "datasources/yyyyyyyyyyyyyyyyyyyyyy" in order to stay within the character limit of the ProxySG Path text box. Do not use a preceding "/" in the shortened path.
This applies to SCP as well as the FTP connections described in this procedure.
5. Leave the Filename box as-is.
6. Mark the Use secure connections checkbox if you want the ProxySG to send logs using SSL. If you use this option, make sure that the appropriate certificates are configured on the SpanVA.
7. Click OK, then click Apply to commit your changes.

Schedule the upload
1. In Management Console, click the Upload Schedule tab.
2. From the Log menu, choose the access log you configured in Create an access log for SpanVA.
3. Create an access schedule that meets your needs. We recommend that you configure the ProxySG to send logs to SpanVA on 30 minute intervals.
4. Click Apply.

Enable Logging
1. In the ProxySG Management Console, navigate to Configuration (tab) > Policy > Visual Policy Manager.
2. Click Launch.
3. In Visual Policy Manager, choose Policy > Add Web Access Layer.
4. Name the new layer "Elastica SpanVA" or similar.
5. In the one rule row for the new layer, right-click on Action and choose Set.
6. On the Set Action Object box, click New and then choose Modify Access Logging.
7. On the Add Access Logging Object box, click Enable logging to: and choose the entry for Elastica SpanVA.
8. Click OK to close the Add Access Logging Object box.
9. Click OK to close the Set Action Object box.
10. In Visual Policy Manager, click Install Policy to commit the changes to the device.

Configuring HTTPS file transfer via SpanVA
You can configure the ProxySG to use HTTPS to upload logs to CloudSOC via SpanVA. To do this, you must configure the ProxySG with a CA certificate as described in the following procedure.
For more information about SpanVA, see the CloudSOC Tech Note Installing and Configuring SpanVA.
1. Make sure your SpanVA is version 1.15.2.88.0 or later.
2. If you have not already done so, create a certificate and upload it to SpanVA as described in the CloudSOC Tech Note Installing and Configuring SpanVA.
3. In the ProxySG management console, navigate to Configuration > SSL > CA Certificates and click Import Certificate as shown below.
4. In the Import CA Certificate box, give the certificate a unique name, then paste the entire body of the SpanVA certificate as shown below.
5. Click OK.
6. On the Configuration > SSL > CA Certificates page, click the CA Certificate Lists tab.
7. Choose browser-trusted, then click Edit as shown below.
8. On the Edit CA Certificate List box, locate and select the certificate you imported earlier in the left-hand list.
9. Click Add >> to move the certificate to the trusted list, then click OK.
10. On the Configuration > SSL > SSL Client page, find the CCL menu and choose browser-trusted as shown below.
11. In CloudSOC, create a new datasource as described in the section Create a CloudSOC datasource for the ProxySG. Use the following settings:
● New Data Source type: SpanVA Datasource
● Firewall Type: Blue Coat ProxySG
● SpanVA: Choose your SpanVA instance from the list
● Source Type: SCP/SFTP/FTP/HTTPS Server
12. Click Create Connection.
13. On the Datasource Details box, record the following information to use in the ProxySG configuration:
● Host
● Destination Directory
● Username
● Password--Use the password you recorded earlier for your datasources.
Note: If you lose the password, click Reset to receive a new password.
If you reset the password, you must reconfigure your network devices to use the new password for subsequent log uploads.
14. In the ProxySG management console, navigate to Configuration > Access Logging > Logs and click the Upload Client tab.
15. In the Upload Client box, choose client type HTTP Client, then click Settings, as shown below.
16. Apply the settings you recorded from the CloudSOC Datasource Details box, as shown below:
● Host
● Path (Destination Directory)
● Username
● Password
Note: If the CloudSOC Datasource Details panel shows you a path of the form "/home/ds_xxxxxxxxxxxxxxxxxxxxxxxxx/datasources/yyyyyyyyyyyyyyyyyyyyyy," you can shorten it to just "datasources/yyyyyyyyyyyyyyyyyyyyyy" in order to stay within the character limit of the ProxySG Path text box. Do not use a preceding "/" in the shortened path.
17. For Port, enter 20200.
18. Mark the checkbox for Use secure connections (SSL).
19. Click OK.
20. On the ProxySG Upload Client tab, click Test Upload.
21. Navigate to Statistics > System > Event Logging.
22. Check the log for events that show that the test upload succeeded as shown below.

Specifying custom log file headers
If your log files do not have the header row as the fourth or fifth row, and the order of the fields in the log files does not match the defaults described below, use the Custom Headers tools in Audit to specify the custom headers that apply to your Blue Coat proxy. Otherwise CloudSOC cannot process the logs correctly for use in the Audit application.
The default header sequence that the Audit app expects is:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
You can also configure the device itself to change the fields and their ordering to match the included fields and their ordering in your log files.
See the ProxySG Admin Guide for descriptions of the various fields available in Blue Coat logs depending on configuration. Remember that the field names and their order you specify here must exactly match your log file contents.
Do not mix log files with different formats in a single CloudSOC datasource. We recommend you create a separate datasource for each firewall. If you need help figuring out the content of these fields, please contact CloudSOC support. You can export Blue Coat Logs as described in the ProxySG Admin guide available at:
https:///documentation/All-Documents/ProxySG
For full procedures on uploading device logs to CloudSOC, see the CloudSOC Tech Note Managing Data Sources for the CloudSOC Audit App.

Ignoring HTTP CONNECT tunnel traffic
When you configure ProxySG data sources in Audit, you can configure them to filter out and ignore tunnel traffic that uses the HTTP CONNECT method.
ProxySG by default makes a CONNECT request to all sites before applying Allow/Denied policies. If you allow Audit to take into consideration CONNECT traffic, then it will misclassify the blocked sites as “Allowed” if those sites have a very low traffic. For this reason, it is generally advisable to ignore CONNECT traffic. The exception to this rule is when all the traffic is tunneled through ProxySG. In this case, all requests are logged as CONNECT only requests, and if you choose to ignore CONNECT traffic, then all the requests will be filtered out.
This feature works for SCP and SpanVA datasources, but not for file upload datasources.
1. In CloudSOC, choose Audit > Device Logs, then either create a new ProxySG datasource or choose an existing ProxySG data source.
2. On the Device Logs page, click Actions > Edit Datasource for the data source.
3. On the panel, mark the checkbox for Ignore CONNECT traffic as shown below.
Configure other settings to suit, then create or save the data source.

Detecting Blue Coat ProxySG denied traffic
Audit detects that traffic was blocked by policies on Blue Coat ProxySG by evaluating the value in the sc-filter-result field as well as the values in s-action and sc-status. Audit applies the following rules in the given order; when a field is absent it applies the next rule in sequence:
1. If sc-filter-result is DENIED, then the traffic is marked as denied.
2. If sc-action is DENIED or TCP_DENIED, then the traffic is marked as denied.
3. If sc-action is 403, then the traffic is marked as denied.
Note: All traffic with sc-status == 407 (proxy authentication required) is filtered out (ignored) from Audit processing.

References
● https:///documentation/All-Documents/ProxySG

Revision history
Date               Version  Description
2014               1.0      Initial release
30 October 2015    1.1      Minor revisions
30 November 2015   1.2      Minor revisions
3 May 2016         1.3      Update supported versions and log formats
11 May 2016        1.4      Add procedure for logging to SpanVA, other minor changes
6 October 2016     2.0      Add content on configuring log format
18 October 2016    3.0      Add section on detection of denied traffic
16 March 2017      3.1      Remove cs-uri-path from list of mandatory fields
8 September 2017   3.2      Add note about shortening datasource path
5 December 2017    4.0      Address HTTPS via SpanVA
19 December 2018   5.0      Address Ignoring HTTP CONNECT tunnel traffic
29 July 2019       5.1      Modified section “Ignoring HTTP CONNECT tunnel traffic”
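
Added example (not part of the Tech Note and not CloudSOC code): a Python reading of the ELFF handling the Tech Note above describes, covering the mandatory-field check, quoted-field parsing, the 407 and CONNECT filters, and the denied-traffic rules in their stated order. It assumes that rules 2 and 3 refer to the s-action and sc-status fields named in the note's introductory sentence, that a field logged as "-" counts as absent, and that a present but non-matching field falls through to the next rule; the sample log is constructed.

```python
import re
from collections import Counter

# Mandatory-field requirements from the Tech Note: every entry must be met by
# at least one alternative, and an alternative may need several fields at once.
MANDATORY = [
    [{"date", "time"}, {"timestamp"}, {"gmttime"}],
    [{"c-ip"}, {"cs-username"}],
    [{"cs-host"}, {"cs-uri"}],
    [{"cs-bytes"}],
    [{"sc-bytes"}],
    [{"cs-uri-scheme"}, {"cs-protocol"}],
]

# Deny rules in the order the Tech Note gives them: (field, values meaning "denied").
# Assumption: rule 2 reads s-action and rule 3 reads sc-status.
DENY_RULES = [
    ("sc-filter-result", {"DENIED"}),
    ("s-action", {"DENIED", "TCP_DENIED"}),
    ("sc-status", {"403"}),
]

# Constructed sample log: hosts, addresses and field order are made up for this example.
SAMPLE_LOG = """\
#Software: SGOS 6.6.3.2
#Version: 1.0
#Fields: date time c-ip sc-status s-action cs-method cs-uri-scheme cs-host cs-bytes sc-bytes cs(User-Agent) sc-filter-result
2024-01-01 10:00:00 10.0.0.5 200 TCP_NC_MISS GET http intranet.example 310 5120 "Mozilla/5.0 (X11; Linux x86_64)" OBSERVED
2024-01-01 10:00:01 10.0.0.5 403 TCP_DENIED GET http blocked.example 290 0 "Mozilla/5.0 (X11; Linux x86_64)" DENIED
2024-01-01 10:00:02 10.0.0.6 200 TCP_TUNNELED CONNECT tcp blocked.example 650 498 - OBSERVED
2024-01-01 10:00:03 10.0.0.6 407 TCP_DENIED GET http intranet.example 120 0 - -
2024-01-01 10:00:04 10.0.0.7 403 TCP_ERR_MISS GET http other.example 200 0 "curl/8.0" -
"""

TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # a double-quoted field or a bare token


def missing_mandatory(fields):
    """Return the mandatory requirements that the #Fields header does not satisfy."""
    have = set(fields)
    return [" OR ".join("+".join(sorted(alt)) for alt in req)
            for req in MANDATORY if not any(alt <= have for alt in req)]


def parse_elff(text):
    """Parse ELFF text into (field names, list of {field: value} records)."""
    fields, records = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.strip() and not line.startswith("#"):
            values = [quoted if quoted is not None else bare
                      for quoted, bare in (m.groups() for m in TOKEN.finditer(line))]
            if len(values) != len(fields):
                raise ValueError(f"line {lineno}: {len(values)} values for {len(fields)} fields")
            records.append(dict(zip(fields, values)))
    return fields, records


def classify(record, ignore_connect=True):
    """Return 'ignored', 'denied' or 'allowed' for one parsed record."""
    if record.get("sc-status") == "407":  # proxy authentication required
        return "ignored"
    if ignore_connect and record.get("cs-method") == "CONNECT":
        return "ignored"
    for field, denied_values in DENY_RULES:
        # A field missing from the header or logged as "-" counts as absent,
        # so evaluation moves on to the next rule.
        if record.get(field, "-") in denied_values:
            return "denied"
    return "allowed"


def summarize(text, ignore_connect=True):
    """Count verdicts over a whole log."""
    _, records = parse_elff(text)
    return Counter(classify(r, ignore_connect) for r in records)


if __name__ == "__main__":
    print(missing_mandatory(parse_elff(SAMPLE_LOG)[0]))
    print(summarize(SAMPLE_LOG), summarize(SAMPLE_LOG, ignore_connect=False))
```

With CONNECT traffic counted, the tunnel request to blocked.example is logged with status 200 and shows up as allowed even though the following GET to the same host is denied, which is the misclassification the Tech Note describes.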
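Contents
1. Configuration Description
1.1 Device Model
1.2 Version Information
1.3 Network Topology
1.4 Password Management
1.5 Network Configuration
1.6 DNS
1.7 URL Filtering
1.8 Bandwidth Management
1.9 Keyword Filtering
1.10 IM Filtering
1.11 P2P Management
1.12 Policy Management by User Group
1.13 Access Logs
1.14 Track (Web troubleshooting, CLI troubleshooting)
1.15 Proxy Configuration Backup and Restore
2. Testing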
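1. Configuration Description
1.1 Device Model
Blue Coat SG200 Series
1.2 Version Information
Version: SGOS 4.2.9.1
Release id: 36344
1.3 Network Topology
1.4 Password Management
The ProxySG 200 is currently configured with the username admin and the password admin.
1.5 Network Configuration
The Bluecoat connects to the switch through Ethernet port 0:1. Its IP address is configured as 192.168.171.234/24 and its default gateway as 192.168.171.30.
In addition, one static route was added: 192.168.171.30
1.6 DNS
Two DNS servers are configured:
202.106.0.20
202.106.46.151
Login Methods
Two login methods are provided: Web page and telnet.
Enter https://192.168.171.234:8082 in a Web browser to log in to and manage the device.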
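1.7 URL Filtering
In the Policy drop-down menu, select Visual Policy Manager, click "launch", and create a Web Authentication Layer; in the rule's action, specify that users must pass ACS authentication before they can access the Internet.
Then click "add rule" to add a policy:
In the "Destination" column, right-click and choose "Edit", then add the URLs of the websites to block:
In the "Action" column, right-click and choose "deny", "allow", or one of the other options:
1.8 Bandwidth Management
In the Bandwidth Mgmt drop-down menu, select "BWM Classes" and add a bandwidth management policy; the maximum bandwidth, minimum bandwidth, priority value, and so on can be set:
1.9 Keyword Filtering
In the VPM, create a Web Access Layer; in the rule's destination, select Request URL to set up keyword filtering.
Then select deny in the action to reject connections that match the condition.
For Chinese keyword filtering: Chinese characters in a Web URL are converted to ASCII codes (percent-encoded bytes), so Chinese filtering is done against those ASCII codes. Taking Google as an example, the code can be seen when searching for a keyword; after searching for “裸”, the code that appears in the address bar is: %E8%A3%B8&aq /search?hl=zh-CN&source=hp&q=%E8%A3%B8&aq=f&oq=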
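1.10 IM Filtering
Configured so that no users are allowed to use IM.
Create a rule in the web access layer; in service, select IM File Transfer Objects, and set action to deny to block IM use.
1.11 P2P Management
Configured so that no users are allowed to use P2P.
Create a rule in the web access layer; in source, select P2Pclient, and set action to deny to block P2P use.
1.12 Policy Management by User Group
Create rules in the web access layer and set the user group in source. According to the differences between users, three user groups were set up: normal, leader, and important.
1.13 Access Logs
Under general in access logging, check the enable access logging option to turn on logging.
The logs can be viewed under statistics in the main menu.
1.14 Track (Web troubleshooting, CLI troubleshooting)
When the system has a problem, check the Bluecoat's hardware status and the state of the CPU and traffic under statistics in the main menu to determine whether the device is currently operating normally.
1.15 Proxy Configuration Backup and Restore
The configuration can be viewed and backed up under archive, in general, in the configuration main menu.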
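Configure the PC to use the proxy server:
To further confirm that Internet access goes through the proxy server, set the local IP address manually and do not configure a gateway.
View the local IP address
View the local routing table
Log in to the Taobao website as a test; the result shows that the proxy server is in effect:
The result shows that the policy is in effect:
Run a P2P test using Xunlei; for the detailed data, see the packet capture attachment:
The test result is normal.
Attachment: packet capture data from the testing process.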