Cisco Content Security

Virtual Appliance Installation Guide

Last Updated: September 24, 2020

Contents
• About Cisco Content Security Virtual Appliances, page 1
• System Requirements, page 7
• Prepare the Content Security Image and Files, page 12
• Deploy on Microsoft Hyper-V, page 14
• If DHCP Is Disabled, Set Up the Appliance on the Network (Microsoft Hyper-V), page 15
• Deploy on KVM, page 15
• Deploy on VMWare ESXi, page 19
• If DHCP Is Disabled, Set Up the Appliance on the Network (VMware vSphere), page 22
• Amazon Web Services (AWS) EC2 Deployments, page 22
• Managing Your Cisco Content Security Virtual Appliance, page 25
• Troubleshooting and Support, page 27
• Additional Information, page 30

About Cisco Content Security Virtual Appliances

Cisco content security virtual appliances function the same as physical email security, web security, or
content security management hardware appliances, with only a few minor differences, which are
documented in Managing Your Cisco Content Security Virtual Appliance, page 25.

Cisco Systems, Inc.

www.cisco.com
 About Cisco Content Security Virtual Appliances

Supported Virtual Appliance Models and AsyncOS Releases for Hyper-V

Deployments

AsyncOS Recommended Supported Processor

Product Release Model Disk Size Disk Sizes RAM Cores
Cisco Web AsyncOS 12.5 S100V 250 GB 200 GB 8 GB 3
Security Virtual and later
Appliance 250 GB
S300V 1024 GB 500 GB 12 GB 5
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 12.0 S100V 250 GB 200 GB 8 GB 3
250 GB
S300V 1024 GB 500 GB 8 GB 4
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB

Cisco Content Security Virtual Appliance Installation Guide

2
 About Cisco Content Security Virtual Appliances

AsyncOS Recommended Supported Processor

Product Release Model Disk Size Disk Sizes RAM Cores
AsyncOS 11.7 S100V 250 GB 200 GB 6 GB 2
and later 250 GB
S300V 1024 GB 500 GB 8 GB 4
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 11.0 S100V 250 GB - 6 GB 2
and later S300V 1024 GB - 8 GB 4
S600V 1024 GB - 24 GB 12

Supported Virtual Appliance Models and AsyncOS Releases for KVM

Deployments

Recommended Processor
Product AsyncOS Release Model Disk Size RAM Cores
Cisco Email Security AsyncOS 13.0 C000V (For 200 GB 4 GB 1
Virtual Appliance and later evaluation and
demonstration
AsyncOS 12.0 only)
and later
C100V 200 GB 6 GB 2
AsyncOS 11.0
C300V 500 GB 8 GB 4
and later
C600V 500 GB 8 GB 8
AsyncOS 10.0.1
and later

Cisco Content Security Virtual Appliance Installation Guide

3
About Cisco Content Security Virtual Appliances

AsyncOS Recommended Supported Processor

Product Release Model Disk Size Disk Sizes RAM Cores
Cisco Web AsyncOS 12.5 S100V 250 GB 200 GB 8 GB 3
Security Virtual and later
Appliance 250 GB
S300V 1024 GB 500 GB 12 GB 5
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 12.0 S100V 250 GB 200 GB 8 GB 3
250 GB
S300V 1024 GB 500 GB 8 GB 4
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 11.7 S100V 250 GB 200 GB 6 GB 2
and later 250 GB
S300V 1024 GB 500 GB 8 GB 4
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 10.1 S600V 1024 GB - 24 GB 12
and later
AsyncOS 8.6 S100V 250 GB - 6 GB 2
and later
S300V 1024 GB - 8 GB 4

Cisco Content Security Virtual Appliance Installation Guide

4
 About Cisco Content Security Virtual Appliances

Virtual Appliance Models for VMWare ESXi Deployments

Note Except as explicitly stated in the AsyncOS documentation, modifications to the ESXi
configurations defined in the OVF are not supported.

Cisco Content Security virtual appliance OVF images have been pre-configured with the values in the
following table.

Processor
Product Model Disk Space Memory Cores
Cisco Email Security Virtual Appliance C000V 200 GB 4 GB 1
(For evaluation and
demonstration only)
C100V 200 GB 6 GB 2
C300V 500 GB 8 GB 4
C600V 500 GB 8 GB 8

Processor
Product Model Disk Space Memory Cores
Cisco Content Security Management Virtual M000V 250 GB 4 GB 1
Appliance
(For evaluation and
demonstration only)
M100V 250 GB 6 GB 2
M300V 1024 GB 8 GB 4
M600V 2032 GB 8 GB 8

Cisco Content Security Virtual Appliance Installation Guide

5
About Cisco Content Security Virtual Appliances

AsyncOS Recommended Supported Processor

Product Release Model Disk Size Disk Sizes RAM Cores
Cisco Web AsyncOS 12.5 S100V 250 GB 200 GB 8 GB 3
Security Virtual and later
Appliance 250 GB
S300V 1024 GB 500 GB 12 GB 5
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 12.0 S100V 250 GB 200 GB 8 GB 3
250 GB
S300V 1024 GB 500 GB 8 GB 4
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB

Cisco Content Security Virtual Appliance Installation Guide

6
 System Requirements

AsyncOS Recommended Supported Processor

Product Release Model Disk Size Disk Sizes RAM Cores
AsyncOS 11.7 S100V 250 GB 200 GB 6 GB 2
and later
250 GB
S300V 1024 GB 500 GB 8 GB 4
750 GB
1.0 TB
S600V 1024 GB 750 GB 24 GB 12
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 10.1 S600V 1024 GB 750 GB 24 GB 12
and later
1.0 TB
1.5 TB
2.0 TB
2.4 TB
AsyncOS 8.6 S100V 250 GB - 6 GB 2
and later
S300V 1024 GB - 8 GB 4

AsyncOS version requirements are described in Supported VMWare ESXi Hypervisors, page 10.

System Requirements
• Microsoft Hyper-V Deployments, page 8
• KVM Deployments, page 8
• VMWare ESXi Deployments, page 10

Cisco Content Security Virtual Appliance Installation Guide

7
 System Requirements

Microsoft Hyper-V Deployments

Supported Microsoft Hyper-V and host operating systems

AsyncOS Version Hyper-V

AsyncOS 11.0 (Web) and later Hyper-V version 5.0

Hardware Requirements for Microsoft Hyper-V Deployments

Cisco UCS servers blade M3, M4 servers and later are the only supported hardware platforms.

KVM Deployments
The following are the qualified environments for KVM deployments. All deployments use thin
provisioning for disk storage.

Red Hat Enterprise Linux Server

Host OS:
• Red Hat Enterprise Linux Server 7.0
(Red Hat Enterprise Virtualization and Red Hat OpenStack platform are NOT supported.)

Version Info:
• Linux: 3.10.0-123.13.2.el7.x86_64
• libvirt/QEMU:
Compiled against library: libvirt 1.1.1
Using library: libvirt 1.1.1
Using API: QEMU 1.1.1
Running hypervisor: QEMU 1.5.3

Hardware:
• Supported on: UCS C Series 220 and 240 M3 and later
• Redhat 7.0 certified UCS Platforms:
https://catalog.redhat.com/hardware/servers/search?p=1&c_version=Red%20Hat%20Enterprise%
20Linux%207&c_catalog_vendor=Cisco

Cisco Content Security Virtual Appliance Installation Guide

8
 System Requirements

Ubuntu Server
Host OS:
• Ubuntu Server 14.04.1 LTS (latest update)

Version Info:
• Linux: 3.13.0-43-generic
• Virsh/QEMU
Compiled against library: libvirt 1.2.2
Using library: libvirt 1.2.2
Using API: QEMU 1.2.2
Running hypervisor: QEMU 2.0.0

Hardware:
• Supported on: UCS C Series 220 and 240 M3 and later
• Ubuntu 14.04 Certified UCS Platform:
https://certification.ubuntu.com/server/models?query=&vendors=Cisco+UCS&release=14.04+LTS

KVM Drivers
Supported KVM drivers:
• CDROM: IDE CDROM
• Network: E1000, Virtio
• Disk: VirtIO

KVM Packages
Required/related KVM packages to be installed on the host:
• qemu-kvm
• qemu-img
• libvirt
• libvirt-python
• libvirt-client
• virt-manager (requires X-windows)
• virt-install

Cisco Content Security Virtual Appliance Installation Guide

9
 System Requirements

VMWare ESXi Deployments

Supported VMWare ESXi Hypervisors

AsyncOS Version VMWare ESXi Version

AsyncOS 11.8 and later (Web) 6.0, 6.5, and 6.7
AsyncOS 13.5.x (Email) 6.0 and 6.5
AsyncOS 13.x (Management)
AsyncOS 11.7 and later (Web)
AsyncOS 13.0 (Email) 6.0 and 6.5
AsyncOS 13.x (Management)
AsyncOS 11.7 and later (Web)
AsyncOS 12.0 (Email) 6.0 and 6.5
AsyncOS 12.x (Management)
AsyncOS 11.7 and later (Web)
AsyncOS 11.5.1 (Web) 6.0 and 6.5
AsyncOS 11.5.1 (Management) 6.0
AsyncOS 11.1 (Email) 6.0 and 6.5
AsyncOS 11.0 (Email) 6.0
AsyncOS 11.x (Management)
AsyncOS 10.1 and later (Web)
AsyncOS 11.0 (Email) 6.0
AsyncOS 11.x (Management)
AsyncOS 9.x and later (Web)
AsyncOS 10.x (Email) 6.0
AsyncOS 10.x (Management)
AsyncOS 10.1 and later (Web)
AsyncOS 10.x (Email) 6.0
AsyncOS 10.x (Management)
AsyncOS 9.x and later (Web)
AsyncOS 9.x (Email) 6.0
AsyncOS 9.x (Management)
AsyncOS 8.7 and later (Web)

Other VMware hypervisors are supported on a “Best Effort” basis: Cisco will try to help you, but it may
not be possible to reproduce all problems, and Cisco cannot guarantee a solution.

Cisco Content Security Virtual Appliance Installation Guide

10
 System Requirements

Hardware Requirements for VMWare ESXi Deployments

Cisco UCS servers (blade or rack-mounted) are the only supported hardware platform.
Minimum requirements for the server hosting your virtual appliances:
• Two 64-bit x86 processors of at least 1.5 GHz each
• 8 GB of physical RAM
• A 10k RPM SAS hard drive disk
Other hardware platforms are supported on a “Best Effort” basis: we will try to help you, but it may not
be possible to reproduce all problems, and we cannot guarantee a solution.

Note Except as explicitly stated in the documentation, Cisco does not support the alteration of the Cisco
Content Security virtual appliance’s hardware configuration, such as removing IP interfaces or changing
the appliance’s CPU cores or RAM size. The appliance may send alerts if such changes are made.

Note VMWare ESXi 6.7 deployment is supported on Cisco UCS M4 and M5 chassis servers with AsyncOS
11.8.1-023 and later (for Web Security appliances).

(Hosted Email Security Only) Deployment in FlexPod Solutions

For AsyncOS for Email release 8.5 and later:
For more information about deploying a virtual Email Security appliance as part of a FlexPod solution,
see
http://www.cisco.com/c/dam/en/us/products/collateral/security/email-security-appliance/white-paper-c
11-731731.pdf. Your CCO login determines whether you have access to this document.
For general information about FlexPod, see http://www.cisco.com/en/US/netsol/ns1137/index.html.
FlexPod does not apply to virtual Web Security appliance or virtual Content Security Management
appliance deployments.

Cisco Content Security Virtual Appliance Installation Guide

11
 Prepare the Content Security Image and Files

Prepare the Content Security Image and Files

Determine the Best-Sized Virtual Appliance Image for Your Deployment

Determine the best-sized virtual appliance image for your needs. See the data sheet for your products,
available from the following locations:

Appliance Link to Data Sheet

ESA Look for the “Cisco Email Security Appliance Data Sheet” link on this page:
http://www.cisco.com/c/en/us/products/security/email-security-appliance/datashe
et-listing.html.
In the data sheet, look for the table titled “Email Security Virtual Appliance
Specifications.”
WSA Look for the "Cisco Web Security Appliance Data Sheet" link on this page:
http://www.cisco.com/c/en/us/products/security/web-security-appliance/datashee
t-listing.html.
In the data sheet, look for the table titled "Cisco WSAV."
SMA Look for the "Cisco Content Security Management Appliance Data Sheet" link on
this page:
http://www.cisco.com/c/en/us/products/security/content-security-management-ap
pliance/datasheet-listing.html.
In the data sheet, look for the table titled "Cisco SMAV."

Download the Cisco Content Security Virtual Appliance Image

Before You Begin
• Obtain a license from Cisco for your virtual appliance.
• See Determine the Best-Sized Virtual Appliance Image for Your Deployment, page 12.

Step 1 Go to the Cisco Download Software page for your virtual appliance:
• For email security:
https://software.cisco.com/download/release.html?mdfid=284900944&flowid=41782&softwareid
=282975113&release=9.1.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest
• For web security:
https://software.cisco.com/download/release.html?mdfid=284806698&flowid=41610&softwareid
=282975114&release=10.1.0&relind=AVAILABLE&rellifecycle=&reltype=latest
• For content security management:
https://software.cisco.com/download/release.html?mdfid=286283259&flowid=72402&softwareid
=286283388&release=9.0&relind=AVAILABLE&rellifecycle=GD&reltype=latest
Step 2 In the left navigation pane, select an AsyncOS version.
Step 3 Click Download for the virtual appliance model image you want to download.
Step 4 Save the image to your local machine.

Cisco Content Security Virtual Appliance Installation Guide

12
 Prepare the Content Security Image and Files

Related Topics
• Deploy on Microsoft Hyper-V, page 14
• Deploy on KVM, page 15
• Deploy on VMWare ESXi, page 19

Prepare the License and Configuration Files to Load at Startup (KVM

Deployments)
This feature was introduced in AsyncOS 8.6 for Cisco Web Security Appliances. It is not available for
other content security appliances or in other AsyncOS releases.
You can automatically load the Cisco Content Security Virtual Appliance license and configuration files
the first time the Cisco appliance starts. (These files will not load after the first startup.)

Step 1 Obtain and name your license and/or configuration files:

• Configuration file: config.xml

• License file: license.xml

Step 2 Create an ISO image that contains one or both of these files.

What To Do Next
When you deploy the AsyncOS.QCOW image, you will attach the ISO as a virtual CD-ROM drive to the
virtual machine instance.
After startup, you can check the status log on your Cisco virtual appliance. Error messages related to this
functionality include the keyword zero. You must log into the appliance, and use the tail command
from the CLI. For more information, see the “Web Security Appliance CLI Commands” topic in the
“Command Line Interface” chapter in the user guide.

Related Topics
• Deploy on KVM, page 15

Cisco Content Security Virtual Appliance Installation Guide

13
 Deploy on Microsoft Hyper-V

Deploy on Microsoft Hyper-V

Action More Information
1. Review the Release Notes for your Release Notes are available from the locations in Additional
AsyncOS release. Information, page 30.
2. Download the virtual appliance You will need the MD5 hash to check the data integrity of the
image and MD5 hash from Cisco. appliance image.
Prepare the Content Security Image and Files, page 12.
3. Deploy the virtual appliance on a. Set up the Windows Server Operating System. Ensure
Hyper-V. that you have installed the required Hyper-V roles. See
System Requirements, page 7 for more information.
b. Download the image as described in Prepare the Content
Security Image and Files, page 12.
c. Using the Hyper-V Manager, install the virtual appliance
image using the New Virtual Machine Wizard.
d. Complete the wizard.
e. Edit the processor settings in the Hyper-V Manager. See
Determine the Best-Sized Virtual Appliance Image for
Your Deployment, page 12 to check for the number of
processors and NICs required.
4. If DHCP is disabled, set up the If DHCP Is Disabled, Set Up the Appliance on the Network
appliance on your network. (Microsoft Hyper-V), page 15
5. Install the license file Install the Virtual Appliance License File, page 22.
6. Log into the web UI of your • For instructions on accessing and configuring the appliance,
appliance and configure the including gathering required information, see the online help
appliance software as you would or user guide for your AsyncOS release, available from the
do for a physical appliance. relevant location in Additional Information, page 30.
For example, you can: • To migrate settings from a physical appliance, see the release
notes for your AsyncOS release.
• Run the System Setup Wizard
• Upload a configuration file Feature keys are not activated until you enable the respective
features.
• Manually configure features
and functionality.

Note The following are the limitations for virtual Web Security appliances (with FreeBSD 10.x) deployed on
Microsoft Hyper-V generation 1 platform:
• It is not possible to modify the virtual appliance interfaces using the etherconfig CLI command.
• The ifconfig CLI command displays the virtual appliance interface status as Unknown or Simplex
even though it runs on Duplex mode.
However, there is no impact on the performance of the appliance due to the above limitations.

Cisco Content Security Virtual Appliance Installation Guide

14
 Deploy on KVM

If DHCP Is Disabled, Set Up the Appliance on the Network (Microsoft Hyper-V)

Note If you cloned the virtual security appliance image, perform the following steps for each image.

Step 1 From the Hyper-V manager console, run interfaceconfig.

Step 2 Write down the IP address of the virtual appliance’s Management port.

Note The Management port obtains its IP address from your DHCP server. If the appliance cannot
reach a DHCP server, it will use 192.168.42.42 by default.

Step 3 Configure the default gateway using the setgateway command.

Step 4 Commit the changes.

Note The hostname does not update until after you have completed the setup wizard.

Deploy on KVM
Action More Information
Step 1 Ensure that your equipment and See System Requirements, page 7 and the documentation for the
software meet all system products and tools that you will use.
requirements.
Step 2 Review the Release Notes for your Release Notes are available from the locations in Additional
AsyncOS release. Information, page 30.
Step 3 Set up the UCS server, host OS, See the documentation for the products and tools you will use.
and KVM.
Step 4 Download the virtual content See Download the Cisco Content Security Virtual Appliance
security appliance image. Image, page 12.
Step 5 Ensure that the Cisco image is See Ensure Virtual Appliance Image Compatibility With Your
compatible with your deployment. KVM Deployment, page 16
Step 6 (Optional) Prepare an ISO file that See Prepare the License and Configuration Files to Load at
includes the license and Startup (KVM Deployments), page 13.
configuration files to
automatically load at startup.
Step 7 Determine the amount of RAM See Supported Virtual Appliance Models and AsyncOS Releases
and the number of CPU cores to for KVM Deployments, page 3.
allocate to your virtual appliance
model.

Cisco Content Security Virtual Appliance Installation Guide

15
 Deploy on KVM

Action More Information

Step 8 Deploy the virtual content security Use one of the following methods:
appliance image. • Deploy the Virtual Appliance Using Virtual Machine
Manager, page 16
• Deploy the Virtual Appliance Using virt-install: Example,
page 17
Step 9 If you will deploy the High See (Optional) Configure the Virtual Interface to Support High
Availability feature introduced in Availability, page 18.
AsyncOS 8.5 for Cisco Web
Security Appliances, configure the
host to support this feature.
Step 10 If you did not configure the system • To install the virtual appliance license file, see Amazon Web
to load license and configuration Services (AWS) EC2 Deployments, page 22
files at first startup: • To install feature licenses and configure the appliance, see
• Install the virtual appliance the User Guide or online help for your AsyncOS release.
license file
• Install feature licenses
• Configure your Cisco content
security virtual appliance.
Step 11 Configure the appliance to send See the online help or user guide for your AsyncOS release.
alerts when license expiration
nears.

Ensure Virtual Appliance Image Compatibility With Your KVM Deployment

The qcow version of our image is not compatible with QEMU versions lower than 1.1. If your QEMU
version is lower than 1.1, you must convert the image to make it compatible with your deployment.

Deploy the Virtual Appliance Using Virtual Machine Manager

Step 1 Launch the virt-manager application.
Step 2 Select New.
Step 3 Enter a unique name for your virtual appliance.
Step 4 Select Import existing image.
Step 5 Select Forward.
Step 6 Enter options:
• OS Type: UNIX.
• Version: FreeBSD 8.X
Step 7 Browse to and select the virtual appliance image that you downloaded.
Step 8 Select Forward.
Step 9 Enter RAM and CPU values for the virtual appliance model you are deploying.

Cisco Content Security Virtual Appliance Installation Guide

16
 Deploy on KVM

See Supported Virtual Appliance Models and AsyncOS Releases for KVM Deployments, page 3.
Step 10 Select Forward.
Step 11 Select the Customize check box.
Step 12 Select Finish.
Step 13 Configure the disk drive:
a. In the left pane, select the drive.
b. Under Advanced options, select options:
• Disk bus:Virtio.
• Storage format: qcow2
c. Select Apply.
Step 14 Configure the network device for the management interface:
a. In the left pane, select a NIC.
b. Select options:
• Source Device: Your management vlan
• Device model: virtIO
• Source mode: VEPA.
c. Select Apply.
Step 15 Configure network devices for four additional interfaces (WSA only):
Repeat the previous set of substeps for each interface you will use.
Step 16 If you prepared an ISO image with the license and configuration files to be loaded at startup:
Attach the ISO as a virtual CD-ROM drive to the Virtual Machine instance.
Step 17 Select Begin Installation.

Related Topics
• Deploy on KVM, page 15

Deploy the Virtual Appliance Using virt-install: Example

Before You Begin
Determine the amount of RAM and number of CPU cores needed for your appliance. See Supported
Virtual Appliance Models and AsyncOS Releases for KVM Deployments, page 3.

Procedure

Step 1 Create the storage pool where your virtual appliance will reside:
v i r s h po o l - d ef i n e - a s - - n a me v m- p o o l - - t y p e d i r - - t a r g e t / h ome / u s er n a me / v m- p o ol
v i r s h po o l - s t a r t v m- p oo l
Step 2 Copy the virtual appliance image to your storage pool:
c d / h o me / y u s er n a me / v m- p o o l

Cisco Content Security Virtual Appliance Installation Guide

17
 Deploy on KVM

t a r x v f ~ / a s y n c o s - 8 - 6 - 0 - 0 0 7 - S1 0 0 V. q c o w2 . t a r . g z
Step 3 Install the virtual appliance:
v i r t - i ns t al l \
- - v i r t - t y pe kv m \
- - o s - t y p e =u n i x \
- - o s - v ar i an t =f r e e b s d 8 \
- - n ame ws a- e xa mpl e \ (This name should be unique)
- - r am 6 1 4 4 \ (Use the value appropriate to your virtual appliance model)
- - v cpu s 2 \ (Use the value appropriate to your virtual appliance model)
- - n o r e bo o t \
- - i mp o r t \
- - di s k
p a t h = / ho me/ u s e r n a me / v m- p oo l / a s y n c o s - 8 - 6 - 0 - 0 0 7 - S1 0 0 V. q c o w2 , f o r ma t = q c o w2 , b u s = v i r t i o \
- - d i s k p a t h = / h o me / u s e r n a me / v m- p o o l / ws a . i s o , b u s = i d e , d e v i c e= c d r o m \ (If you created an ISO
with the license and configuration file to load at startup)
- - n e t wor k t y pe = d i r e c t , s o ur c e = e n p 6 s 0 . 4 8 3 , s o u r c e _ mo d e = v e p a , mod e l = v i r t i o \
- - n e t wor k t y pe = d i r e c t , s o ur c e = e n p 6 s 0 . 4 8 4 , s o u r c e _ mo d e = v e p a , mod e l = v i r t i o \
- - n e t wor k t y pe = d i r e c t , s o ur c e = e n p 6 s 0 . 4 8 5 , s o u r c e _ mo d e= v e p a , mo d e l = v i r t i o \
- - n e t wo r k t y p e = d i r e c t , s o u r c e = en p 6 s 0 . 4 8 6 , s o u r c e _ mo d e = v ep a , mo d e l = v i r t i o \
- - n e t wo r k t y p e = d i r e c t , s o u r c e = e n p 6 s 0 . 4 8 7 , s ou r c e _ mo d e = v e p a , mod e l = v i r t i o
Step 4 Start the virtual appliance:
v i r s h s t a r t ws a - e x a mp l e

Related Topics
• Deploy on KVM, page 15

(Optional) Configure the Virtual Interface to Support High Availability

The high availability feature was introduced in AsyncOS 8.5 for Cisco Web Security Appliances and is
described in detail in the user guide and online help.
If your Web Security appliance will be added to a failover group for high availability, configure the
virtual interface to use promiscuous mode, in order to enable the appliances in the failover group to
communicate with each other using multicasting.
You can make this change at any time.

Step 1 On the host OS, find the ma c v t a p interface associated with the interface with which the multicast traffic
will be associated.
Step 2 Set the ma cv t ap interface to use promiscuous mode:
E n t e r on t h e h o s t : i f co n f i g ma c v t a p X p r o mi s c

Related Topics
• Deploy on KVM, page 15

Cisco Content Security Virtual Appliance Installation Guide

18
 Deploy on VMWare ESXi

Deploy on VMWare ESXi

Action More Information
1. Review the Release Notes for your AsyncOS Release Notes are available from the locations in
release. Additional Information, page 30.
2. Download the virtual appliance image and MD5 You will need the MD5 hash to check the data
hash from Cisco. integrity of the appliance image.
Prepare the Content Security Image and Files,
page 12.
3. Deploy the virtual appliance on your ESXi host or Deploy the Virtual Appliance, page 20.
cluster.

4. (Optional) Clone the image if you want to run (Optional) Clone the Virtual Appliance, page 19.
multiple virtual appliances on your network.
5. Prevent intermittent connectivity issues. Disable unused network interface cards (NICs) on
the virtual machine.
6. Configure synchronization on the virtual machine Important! Prevent Random Failures, page 21
to avoid random failures on your Cisco Content
Security virtual appliance.
7. If DHCP is disabled, set up the appliance on your If DHCP Is Disabled, Set Up the Appliance on the
network. Network (VMware vSphere), page 22
8. Install the license file. Install the Virtual Appliance License File,
page 22.
9. Log into the web UI of your appliance and • For instructions on accessing and configuring
configure the appliance software as you would do the appliance, including gathering required
for a physical appliance. information, see the online help or user guide
For example, you can: for your AsyncOS release, available from the
relevant location in Additional Information,
• Run the System Setup Wizard page 30.
• Upload a configuration file • To migrate settings from a physical appliance,
• Manually configure features and see the release notes for your AsyncOS
functionality. release.
Feature keys are not activated until you enable the
respective features.
10. Configure the appliance to send alerts when See the online help or user guide for your
license expiration nears. AsyncOS release, available from the relevant
location in Additional Information, page 30.

(Optional) Clone the Virtual Appliance

If you will run multiple virtual security appliances in your environment:
• Cisco recommends that you clone the virtual security appliance before you run it the first time.
• Cloning a virtual security appliance after the license for the virtual appliance has been installed
forcefully expires the license. You will have to install the license again.

Cisco Content Security Virtual Appliance Installation Guide

19
 Deploy on VMWare ESXi

• You must shut down the virtual appliance before cloning it.
• If you want to clone a virtual appliance that is already in use, see Clone a Virtual Appliance Already
in Use, page 24 for more information.
For instructions on cloning a virtual machine, see VMWare’s technical documentation at
http://www.vmware.com/support/ws55/doc/ws_clone.html.

Related Topics
• Deploy on Microsoft Hyper-V, page 14
• Deploy on KVM, page 15
• Deploy on VMWare ESXi, page 19

Deploy the Virtual Appliance

Before You Begin
• Set up the ESXi host or cluster on which you will deploy the virtual appliance. See System
Requirements, page 7 for more information.
• Install the VMware vSphere Client on your local machine.
• Download the image as described in Prepare the Content Security Image and Files, page 12.

Step 1 Unzip the .zip file for the virtual appliance in its own directory; e.g., C: \ v ESA\ C1 0 0 V or : \ v WSA\ S3 0 0 V.

Step 2 Open the VMware vSphere Client on your local machine.

Step 3 Select the ESXi host or cluster to which you want to deploy the virtual appliance.
Step 4 Choose File > Deploy OVF template.
Step 5 Enter the path to the OVF file in the directory you created.
Step 6 Click Next.
Step 7 Complete the wizard.
• Thin provisioning for disk storage is supported at the hypervisor layer. Disk space and performance
may be reduced if you select this option.

Note Except as explicitly stated in the AsyncOS documentation, modifications to the ESXi
configurations defined in the OVF are not supported.

Note Do not take backup (snapshot) of the virtual appliance using VMware or any other third-party tools, or
restore a virtual appliance from a snapshot. Alternatively, you can take backup of the configuration using
the System Administration > Configuration File menu in the user interface or using the s a v ec o n f i g
CLI command. You can then load it on another spawned virtual appliance.

Cisco Content Security Virtual Appliance Installation Guide

20
 Deploy on VMWare ESXi

Related Topics
• Deploy on Microsoft Hyper-V, page 14
• Deploy on KVM, page 15
• Deploy on VMWare ESXi, page 19

Important! Prevent Random Failures

Caution It is important that you do not shutdown or restart the virtual appliances using vSphere client or web
client unless advised to do so by Cisco Technical Support. Cisco recommends that you use the shutdown
or reboot command from the CLI, or the Shutdown/Reboot option that is listed in the system
administration tab of the appliance GUI. If you power cycle the appliance (or experience power outage
to the virtual infrastructure), it may lead to lost messages, database corruption, or lost logging data. The
failure to unmount the file system cleanly damages the file system, resulting the system in a broken state.

Virtual machines have inherent timing quirks that you must address in order to avoid random failures on
your Cisco Content Security virtual appliance. To prevent these issues, enable exact time stamp counter
synchronization on your virtual machine.

Before You Begin

• For more information on timekeeping basics, virtual time stamp counters, and exact
synchronization, see VMWare’s Timekeeping in Virtual Machines PDF at
http://www.vmware.com/files/pdf/techpaper/Timekeeping-In-VirtualMachines.pdf.
• Instructions for your version of the vSphere client may vary from the procedure below. Use this as
a general guide and see the documentation for your client as needed.

Step 1 In the vSphere Client, select a virtual appliance from the list of machines.
Step 2 Log in to the CLI, and type the command s hu t d o wn to power off the virtual appliance.
Step 3 Right-click the appliance and select Edit Settings.
Step 4 Click the Options tab and select Advanced > General.
Step 5 Click Configuration Parameters.
Step 6 Edit or add the following parameters:
monitor_control.disable_tsc_offsetting=TRUE
monitor_control.disable_rdtscopt_bt=TRUE
timeTracker.forceMonotonicTTAT=TRUE
Step 7 Close the settings window and run appliance.

Related Topics
• Deploy on Microsoft Hyper-V, page 14
• Deploy on KVM, page 15
• Deploy on VMWare ESXi, page 19

Cisco Content Security Virtual Appliance Installation Guide

21
 Amazon Web Services (AWS) EC2 Deployments

If DHCP Is Disabled, Set Up the Appliance on the Network (VMware vSphere)

Note If you cloned the virtual security appliance image, perform the following steps for each image.

Step 1 From the vSphere client console, run interfaceconfig.

Step 2 Write down the IP address of the virtual appliance’s Management port.

Note The Management port obtains its IP address from your DHCP server. If the appliance cannot
reach a DHCP server, it will use 192.168.42.42 by default.

Step 3 Configure the default gateway using the setgateway command.

Step 4 Commit the changes.

Note The hostname does not update until after you have completed the setup wizard.

Related Topics
• Deploy on Microsoft Hyper-V, page 14
• Deploy on KVM, page 15
• Deploy on VMWare ESXi, page 19

Amazon Web Services (AWS) EC2 Deployments

See the Deploying Cisco Web Security and Security Management Virtual Appliances on Amazon Elastic
Compute Cloud (EC2) on Amazon Web Services (AWS) guide.

Install the Virtual Appliance License File

Note If you cloned the virtual security appliance image, perform the following steps for each image.

Before You Begin

(Optional) FTP into the virtual appliance to upload the license file. If you will paste the license into the
terminal, you do not need to do this.

Procedure

Step 1 Using SSH or telnet in a terminal application, log into the appliance’s CLI as the admin/ironport user.

Cisco Content Security Virtual Appliance Installation Guide

22
 Amazon Web Services (AWS) EC2 Deployments

Note You cannot paste the contents of the license file into the CLI using the vSphere client console.

Step 2 Run the loadlicense command.

Step 3 Install the license file using one of the following options:
• Select option 1 and paste the contents of the license file into the terminal.
• Select option 2 and load the license file in the configuration directory, if you have already
uploaded the license file to the appliance’s configuration directory using FTP.
Step 4 Read and agree to the license agreement.
Step 5 (Optional) Run showlicense to review the license details.

What to Do Next
For Microsoft Hyper-V deployments:
• Return to Deploy on Microsoft Hyper-V, page 14.
For KVM deployments:
• Return to Deploy on KVM, page 15.
For ESXi deployments:
• For more information on the Management interface’s IP address, see Deploy on VMWare ESXi,
page 19.
• If you cloned the virtual security appliance image, repeat the procedure in this topic for each image.
• See remaining setup steps in Deploy on VMWare ESXi, page 19.

Migrate Your Virtual Appliance to Another Physical Host

You can use VMware® VMotion™ to migrate a running virtual appliance to a different physical host.
Requirements:
• Both physical hosts must have the same network configuration.
• Both physical hosts must have access to the same defined network(s) to which the interfaces on the
virtual appliance are mapped.
• Both physical hosts must have access to the datastore that the virtual appliance uses. This datastore
can be a storage area network (SAN) or Network-attached storage (NAS).
• The Email Security virtual appliance must have no mail in its queue.

Step 1 Migrate the virtual machine using the VMotion documentation.

Step 2 After migration, load the license.

Cisco Content Security Virtual Appliance Installation Guide

23
 Amazon Web Services (AWS) EC2 Deployments

Clone a Virtual Appliance Already in Use

Before You Begin
• For instructions on cloning a virtual machine, see VMWare’s technical documentation at
http://www.vmware.com/support/ws55/doc/ws_clone.html.
• For information on how to manage the network settings and security features of your appliance, see
the user guide for your Cisco content security product and release.

Step 1 If you are cloning an Email Security virtual appliance:

Suspend the appliance using the suspend command in the CLI and enter a delay period long enough for
the appliance to deliver all messages in the queue.
Step 2 If you are cloning a Security Management virtual appliance:
Disable centralized services on your managed Email and Web Security appliances.
Step 3 Shut down the virtual appliance using the shutdown command in the CLI.
Step 4 Clone the virtual appliance image.
Step 5 Start the cloned appliance using the VMware vSphere Client and perform the following:
a. If you cloned a configured image rather than the unmodified .OVF image file downloaded from
Cisco.com:
– Install the license file on the cloned virtual appliance.
– Modify the network settings of the cloned virtual appliance.
Network adapters do not automatically connect when powering on. Reconfigure IP address,
Hostname and IP address. Then power on network adapters.
Configurations will not be complete until after you install feature keys.
b. For cloned Email Security virtual appliances:
– Delete all messages in the quarantines.
– Delete the message tracking and reporting data.
c. For cloned Web Security virtual appliances:
– Clear the proxy cache.
– Clear the proxy authentication cache using the authcache > flushall command in the CLI.
– Remove reporting and tracking data with the diagnostic > reporting > deletedb command
in the CLI.
– Run the System Setup Wizard (SSW); a license must be available.
– For Authentication Realms, rejoin the domain.
– For Authentication Settings, modify the redirect hostname.
– If the original virtual appliance was managed by an Security Management appliance, add the
cloned appliance to the Security Management appliance.
Step 6 Start the original virtual appliance using the VMware vSphere Client and resume operation. Make sure
that it is running properly.
Step 7 Resume operation on the cloned appliance.

Cisco Content Security Virtual Appliance Installation Guide

24
 Managing Your Cisco Content Security Virtual Appliance

Managing Your Cisco Content Security Virtual Appliance

IP Address
When the virtual appliance is first powered on, the Management port gets an IP address from your DHCP
host. If the virtual appliance is unable to obtain an IP address from a DHCP server, it will use
192.168.42.42 as the Management interface’s IP address. The CLI displays the Management interface’s
IP address when you run the System Setup Wizard on the virtual appliance.

The Virtual Appliance License

Note You cannot open a Technical Support tunnel before installing the virtual appliance license. Information
about Technical Support tunnels is in the User Guide for your AsyncOS release.

The Cisco Content Security virtual appliance requires an additional license to run the virtual appliance
on a host. You can use this license for multiple, cloned virtual appliances. Licenses are
hypervisor-independent.
For AsyncOS for Web Security 8.5 and later, AsyncOS for Email Security 8.5.x and later, and AsyncOS
for Security Management 8.4 and later:
• Feature keys for individual features can have different expiration dates.
• After the virtual appliance license expires, the appliance will continue to serve as a web proxy (Web
Security appliance), deliver mail (Email Security appliance), or automatically handle quarantined
messages (Security Management appliance) without security services for 180 days. Security
services are not updated during this period. On the Content Security Management appliance,
administrators and end users cannot manage quarantines, but the management appliance continues
to accept quarantined messages from managed Email Security appliances, and scheduled deletion
of quarantined messages will occur.
For AsyncOS for Email Security 8.0 and AsyncOS for Web Security 7.7.5 and 8.0:
• Feature keys are included as part of the virtual appliance license. The feature keys expire at the same
time as the license, even if the feature has not been activated. Purchasing new feature keys will
require downloading and installing a new virtual appliance license file.
• Because feature keys are included in the virtual appliance license, there are no evaluation licenses
for AsyncOS features.

Note For information about the impact of reverting the AsyncOS version, see the online help or user guide for
your AsyncOS release.

Related Topics
• Install the Virtual Appliance License File, page 22

Cisco Content Security Virtual Appliance Installation Guide

25
 Managing Your Cisco Content Security Virtual Appliance

Force Reset, Power Off, and Reset Options Are Not Fully Supported
The following actions are the equivalent of pulling the plug on a hardware appliance and are not
supported, especially during AsyncOS startup:
– In KVM, the Force Reset option.
– In VMWare, the Power Off and Reset options.

CLI Commands on the Virtual Appliance

The Cisco Content Security virtual appliances include updates to existing CLI commands and includes
a virtual appliance-only command, loadlicense. The following CLI command changes have been made:

Supported
on Virtual
Command SMA? Information
loadlicense Yes This command allows you to install a license for your virtual appliance.
You cannot run System Setup Wizard on the virtual appliance without
installing a license using this command first.
etherconfig — The Pairing option is not included on virtual appliances.
version — This command will return all the information about the virtual appliance
except for the UDI, RAID, and BMC information.
resetconfig — Running this command leaves the virtual appliance license and the feature
keys on the appliance.
revert — Beginning with AsyncOS 8.5 for Email Security: Behavior is described in
the System Administration chapter in the online help and user guide for
your appliance.
reload — Running this command removes the virtual appliance license and all the
feature keys on the appliance. This command is available only for the Web
Security appliance.
diagnostic — The following diagnostic > raid submenu options will not return
information:
1. Run disk verify
2. Monitor tasks in progress
3. Display disk verify verdict
This command is only available for the Email Security appliance.
showlicense Yes View license details.
For virtual Email and Web security appliances, additional information is
available via the featurekey command.

Cisco Content Security Virtual Appliance Installation Guide

26
 Troubleshooting and Support

SNMP on the Virtual Appliance

AsyncOS on virtual appliances will not report any hardware-related information and no
hardware-related traps will be generated. The following information will be omitted from queries:
• powerSupplyTable
• temperatureTable
• fanTable
• raidEvents
• raidTable

Troubleshooting and Support

• Troubleshooting: KVM Deployments, page 27
• Troubleshooting: VMWare ESXi Deployments, page 28
• Getting Support for Virtual Appliances, page 28

Troubleshooting: KVM Deployments

Virtual Appliance Hangs on Reboot

Problem The virtual appliance hangs when rebooting.
Solution This is a KVM issue. Perform the following workaround each time you reboot the host:

Step 1 Check the following:

cat /sys/module/kvm_intel/parameters/enable_apicv
Step 2 If the above value is set to Y:
a. Stop your virtual appliances and reinstall the KVM kernel module:
rmmod kvm_intel
modprobe kvm_intel enable_apicv=N
b. Restart your virtual appliance.

For more information, see https://www.mail-archive.com/[email protected]/msg103854.html and

https://bugs.launchpad.net/qemu/+bug/1329956.

Network Connectivity Works Initially, Then Fails

Problem Network connectivity is lost after previously working.
Solution This is a KVM issue. See the section on "KVM: Network connectivity works initially, then
fails" in the openstack documentation at
http://docs.openstack.org/admin-guide-cloud/content/section_network-troubleshoot.html.

Cisco Content Security Virtual Appliance Installation Guide

27
 Troubleshooting and Support

Slow Performance, Watchdog Issues, and High CPU Usage

Problem Appliance performance is slow, watchdog issues occur, and the appliance shows unusually high
CPU usage when running on an Ubuntu virtual machine.
Solution Install the latest Host OS updates from Ubuntu.

General Troubleshooting on Linux Deployments

Problem Any issues with virtual appliances running on KVM deployments.
Solution See the troubleshooting section and other information in the Virtualization Deployment and
Administration Guide, available from
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Virtualization_Depl
oyment_and_Administration_Guide/Red_Hat_Enterprise_Linux-7-Virtualization_Deployment_and_A
dministration_Guide-en-US.pdf.

Troubleshooting: VMWare ESXi Deployments

Intermittent Connectivity Issues

Problem Intermittent connectivity issues.
Solution Ensure that all unused NICs are disabled in ESXi.

Random Failures
Problem Random failures occur that have no obvious cause.
Solution See Important! Prevent Random Failures, page 21

Getting Support for Virtual Appliances

Note To get support for virtual appliances, call Cisco TAC and have your Virtual License Number (VLN)
number ready.

If you file a support case for a Cisco content security virtual appliance, you must provide your contract
number and your Product Identifier code (PID).
You can identify your PID based on the software licenses running on your virtual appliance, by
referencing your purchase order, or from the following lists:
• Product Identifier Codes (PIDs) for Virtual Email Security Appliances, page 29
• Product Identifier Codes (PIDs) for Virtual Web Security Appliances, page 29
• Product Identifier Codes (PIDs) for Virtual Content Security Management Appliances, page 30

Cisco Content Security Virtual Appliance Installation Guide

28
 Troubleshooting and Support

Product Identifier Codes (PIDs) for Virtual Email Security Appliances

Functionality PID Description

Email Security Inbound ESA-ESI-LIC= Includes:
• Anti-Spam
• Anti-Virus
• Outbreak Filters
Email Security Outbound ESA-ESO-LIC= Includes:
• DLP
• Encryption
Email Security Premium ESA-ESP-LIC= Includes:
• Anti-Spam
• Anti-Virus
• Outbreak Filters
• DLP
• Encryption
Cloudmark Anti-Spam ESA-CLM-LIC= —
Image Analyzer ESA-IA-LIC= —
McAfee Anti-Virus ESA-MFE-LIC= —
Intelligent Multi-Scan ESA-IMS-LIC= —
Advanced Malware Protection ESA-AMP-LIC= —
Graymail safe-unsubscribe ESA-GSU-LIC= (A la carte)

Product Identifier Codes (PIDs) for Virtual Web Security Appliances

Functionality PID Description

Web Security Essentials WSA-WSE-LIC= Includes:
• Web Usage Controls
• Web Reputation
Web Security Premium WSA-WSP-LIC= Includes:
• Web Usage Controls
• Web Reputation
• Sophos and Webroot
Anti-Malware signatures
Web Security Anti-Malware WSA-WSM-LIC= Includes Sophos and Webroot
Anti-Malware signatures
McAfee Anti-Malware WSA-AMM-LIC= —
Advanced Malware Protection WSA-AMP-LIC= —

Cisco Content Security Virtual Appliance Installation Guide

29
 Additional Information

Product Identifier Codes (PIDs) for Virtual Content Security Management Appliances

Functionality PID Description

All centralized web security SMA-WMGT-LIC= —
functionality
All centralized email security SMA-EMGT-LIC=
functionality

Cisco TAC
Contact information for Cisco TAC, including phone numbers:
http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

Additional Information
For more information, including information about support options, see the Release Notes and User
Guide or online help for your AsyncOS release.

Documentation For Cisco

Content Security Products: Is Located At:
Content Content Security http://www.cisco.com/c/en/us/support/security/content-security-mana
Management appliances gement-appliance/tsd-products-support-series-home.html
Web Security appliances http://www.cisco.com/c/en/us/support/security/web-security-applianc
e/tsd-products-support-series-home.html
Email Security appliances http://www.cisco.com/c/en/us/support/security/email-security-applia
nce/tsd-products-support-series-home.html

Related Topics
• Deploy on Microsoft Hyper-V, page 14
• Deploy on KVM, page 15
• Deploy on VMWare ESXi, page 19

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of
Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The
use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any
examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only.
Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2013-2020 Cisco Systems, Inc. All rights reserved.

Cisco Content Security Virtual Appliance Installation Guide

30