How much WSA knowledge do you need for the CCIE Security? Setting up WCCP on WSA

I am slowly starting to get to grips with the WSA, the System Setup Wizard crashes out at the same place every time, but I seem to be making my way around that.

Anyway, I have been thinking about how much you actually need to know about the WSA in the written and lab exams, and I don’t think it’s a huge amount.

Having a look at the written exam topics, its very brief:

5.14 Cisco Web Security Appliance and Cisco Email Security Appliance

As for the lab, well, that’s a little more concise:

  • 3.3 Cisco WSA
  • 3.3.a Implement WCCP
  • 3.3.b Active Directory integration
  • 3.3.c Custom categories
  • 3.3.d HTTPS configuration
  • 3.3.e Services configuration (web reputation)
  • 3.3.f Configure proxy bypass lists
  • 3.3.g Web proxy modes
  • 3.3.h Application visibility and control

The WCCP thing goes together with configuring on a router or firewall endpoint, we’ll come back to AD integration in a moment, but then we have custom categories, HTTPS and the rest of it – all of which are very much point and click.

So, let’s return to AD.

Here’s where the confusing part is. Have a look at the software versions for the v4 CCIE Security:

  • Cisco ISR Series running IOS Software Version 15.1(x)T and 15.2(x)T
  • Cisco Catalyst 3560/3750 Series Switches running Cisco IOS Software Release 12.2SE/15.0(x)SE
  • Cisco ASA 5500 Series Adaptive Security Appliances OS Software Versions 8.2x, 8.4x, 8.6x
  • Cisco IPS Software Release 7.x
  • Cisco VPN Client Software for Windows, Release 5.x
  • Cisco Secure ACS System software version 5.3x
  • Cisco WLC 2500 Series software 7.2x
  • Cisco Aironet 1200 series AP Cisco IOS Software Release 12.4J(x)
  • Cisco WSA S-series software version 7.1x
  • Cisco ISE 3300 series software version 1.1x
  • Cisco NAC Posture Agent v4.X
  • Cisco AnyConnect Client v3.0X

There is a notable exception, and that is any form of Windows server.

This does limit down what is required, and puts the onus back onto locally created accounts, and puts greater weight on configuring WCCP.

While I appreciate that only someone who has actually sat the CCIE Security exams can confirm/deny this, I also appreciate that in doing so they would be in danger of breaking an NDA, but it would be good to find out if I am right or not! Feel free to comment below.

Setting up WCCP is very straight forward on the WSA.

Let’s do this.

So I have my VM running inside of UNetLab, and it points me to use the System Setup Wizard.

We start off with the basics, like hostname and DNS:
Cisco WSA basic configuration for CCIE Security

Next, we tell it where it is in the network (i.e. behind another proxy or not)

Cisco WSA basic configuration for CCIE Security

Then I configure the IP addresses:

Cisco WSA basic configuration for CCIE Security

Then this happens, every time.

Cisco WSA basic configuration for CCIE Security

Switching to the console and grepping the GUIĀ log (type in “grep” and it will list the files you can read, and select by the number), it shows the following:

Critical: An application fault occurred: ('system_setup/ process|290', "", "'Management'", '[util/ screenLoop|409] [util/ inverseExtend|328] [util/ __call__|746] [screen/ __call__|25] [util/ __call__|746] [screen/ __call__|57] [util/ __call__|746] [screen/ __call__|191] [util/ __call__|748] [system_setup/ __call__|33] [screen/ __call__|16] [screen/ callWizard|8] [system_setup/ __call__|103] [screen/ __call__|59] [screen/ run|21] [screen/ executeAction|67] [screen/ doNextAction|52] [screen/ validateAndProcess|79] [system_setup/ process|290]')

No idea what that is all about.

Anyway, once you return to the default screen, you can click on Commit changes, and it seems pretty solid.

So moving on (with fingers crossed), WCCP can be set up in a few steps.

From the Network menu, select Transparent redirection:

Cisco WSA WCCP configuration

The default will be an L4 device, so change it to WCCP v2 router, and then you can click on Add Service:

Cisco WSA WCCP configuration

Fill in the boxes, giving it a profile name, either selecting the standard service (where you’ll have to refer to it as “web-cache” in the router), or give it a service ID. Set the port numbers, and IP address of the WCCP router (very important), and if you want, set a password for the service. I am using “wsawccp” as the password.

Cisco WSA WCCP configuration

Once done, it’ll appear in the WCCP v2 Services list:

Cisco WSA WCCP configuration

Commit the changes:

Cisco WSA WCCP configuration

All looks good.

Cisco WSA WCCP configuration

This is however only half the story, we need to set up the ASA for the service, though.

I’ll cover that in a different post.


  1. Anonymous September 6, 2015
  2. Stuart Fordham September 6, 2015
  3. Jon Major June 16, 2016
  4. Marcus V Morais June 27, 2016
  5. Stuart Fordham June 27, 2016
  6. Stuart Fordham June 27, 2016