Cisco WSA Integration

Written by Ali Murtaza
Updated over a week ago

About Cisco WSA

The Cisco WSA appliance can be deployed as a physical or virtual appliance and can integrate with other Cisco security solutions such as Firepower Threat Defense and Identity Services Engine. It uses a variety of security technologies, such as anti-malware, web reputation, and intrusion prevention, to provide comprehensive protection for web traffic.

By integrating WSA with SIRP, security teams can use playbooks to automate incident response workflows and to detect and respond to threats faster and more accurately. The integration also provides a unified view of security events across the organization's web applications and infrastructure. With incident response workflows automated, security teams can work more closely with other teams, such as IT operations, to resolve security incidents quickly and effectively.

Supported Actions

1. Block IP: Push IP on WSA External List

2. Block Domain: Push Domain on WSA External List

3. Block URL: Push URL on WSA External List

4. Unblock IP: Push out IP on WSA External List

5. Unblock Domain: Push out Domain on WSA External List

6. Unblock URL: Push out URL on WSA External List

Enable the WSA EDL App in SIRP

  • Log into SIRP, and go to Apps from the left navigation bar.

  • Locate the app named Web Security Appliance.

  • Enable the app by clicking the toggle button under Status.

  • Once enabled, click the wheel on the left side and add configuration details.

  • Execute all the supported actions one by one:

    • block_ip

    • block_domain

    • block_url

  • Each action will give you a unique URL to configure in the Cisco WSA. For example:

    • https://<sirp-ip>/1/WSA/ip_list.txt

    • https://<sirp-ip>/1/WSA/domain_list.txt

    • https://<sirp-ip>/1/WSA/ip_list.txt

  • You should be able to access and verify these files by pasting the URLs in your browser.

  • The text file for the IP list will look something like this:

  • The text file for the Domain list will look something like this:

  • The text file for the URL list will look something like this:

Configure the EDLs in Cisco WSA

  • Open your WSA instance. Select Web Security Manager > Custom and External URL Categories.

Click Add Category, then:

  • Add Category Name

  • Set Category Type to External Live Feed Category

  • Set format to Cisco Feed Format

  • Set the protocol to HTTPS and the URL to that of the respective EDL.

  • Click Get File to check whether WSA is syncing with the EDL. It should give you the message "Test completed successfully."

  • Set Auto Update the Feed to Hourly and set the time interval in HH:MM format.

  • Click Submit.

  • Remember to click Commit Changes on the left-hand side of the screen.

  • Repeat the same steps for the Domain and URL EDLs.

The pushed entries can be viewed by clicking View in the Feed Content column.
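Because every entry a playbook pushes is enforced by WSA at the next feed update, it is worth linting a list before it is published. The following is an added example, not code from SIRP or Cisco: it assumes the Cisco Feed Format layout of one `address,addresstype` entry per line with addresstype `site` or `regex`, and the sample feed, protected host names and function names are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample feed (documentation-range values, not real indicators).
SAMPLE_FEED = """\
203.0.113.45,site
malicious.example.net,site
bad.example.org/payload/dl.php,site
10.1.2.3,site
com,site
.*,regex
ad[0-9]+\\.example\\.net,regex
198.51.100.7
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOST_RE = re.compile(r"^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Hypothetical hosts that must never be blocked; replace with your own.
MUST_NOT_MATCH = ("intranet.corp.example", "www.example.com")

def check_entry(addr, kind):
    """Return a reason string if the entry is unsafe to publish, else None."""
    if kind not in ("site", "regex"):
        return "missing or unknown addresstype"
    if kind == "regex":
        try:
            rx = re.compile(addr)  # Python syntax, an approximation of WSA's
        except re.error:
            return "regex does not compile"
        hit = any(rx.search(h) for h in MUST_NOT_MATCH)
        return "regex matches a protected host" if hit else None
    host = addr.split("/", 1)[0]  # drop any URL path, keep the host part
    try:
        ip = ip_address(host)
    except ValueError:
        return None if HOST_RE.match(host) else "not an IP or full hostname"
    return "internal address" if any(ip in n for n in RFC1918) else None

def lint_feed(text):
    """Return (publishable entries, [(line_no, entry, reason), ...])."""
    ok, findings = [], []
    for no, line in enumerate(map(str.strip, text.splitlines()), 1):
        if line:
            addr, _, kind = line.rpartition(",")  # type follows the last comma
            reason = check_entry(addr, kind)
            if reason:
                findings.append((no, line, reason))
            else:
                ok.append(line)
    return ok, findings
```

Run `lint_feed` over the text downloaded from each EDL URL and review the findings before clicking Commit Changes in WSA.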
