Which interface does Updates/Upgrade/DNS traffic originate from?
Environment: Cisco Web Security Appliance (WSA), AsyncOS versions 6.0+, multiple interfaces configured on WSA
The interface that the Web Security Appliance (WSA) uses for fetching updates/upgrades or for making DNS requests depends on how routing is configured on the WSA.
WSA can maintain two routing tables if this is enabled. Log in to your WSA via the WebUI and navigate to GUI > Network > Interfaces. You will see the option "Separate Routing for Management Services".
When this option is set to "No separate routing", WSA would use one routing table for all traffic.
If this option is set to "Separate routing", WSA has two routing tables (referred to as split mode).
When separate routing is enabled, the two "Routing Tables" available on WSA are:
"Routes for Management Traffic"
"Routes for Data Traffic"
"Data Traffic" is traffic related to the proxy function. Some examples of what is considered "Data Traffic":
Outbound HTTP requests (proxied requests), which WSA sends via the default gateway/interface of this table
HTTP responses from WSA to the client
WCCP negotiation packets, which are also considered "Data Traffic"
Other traffic, typically originating from the WSA itself, is considered "Management Traffic". The user can selectively set which routing table should be used for some of these requests; DNS requests, updates and upgrades are examples of this type of traffic.
The routing table used for DNS traffic is configured under GUI > Network > DNS.
For updates and upgrades, the routing table is configured under GUI > System Administration > Upgrade and Update Settings.
If no static routes are configured, WSA uses the interface closest to the default gateway of the selected "Routing Table" (the interface whose subnet contains that gateway) to make the outgoing request.
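The selection logic described above, worked through as an added example (this is not Cisco code and not taken from the appliance): a small model that, given the split-routing setting, the per-service table choice, and each table's default gateway and static routes, predicts which interface a WSA-originated DNS or update request leaves from. The interface addresses, gateways and static routes are a constructed sample configuration; it also applies most-specific-match for static routes, which the text above does not spell out.

```python
import ipaddress

# Constructed sample config (not from a real appliance): M1 on the management
# subnet, P1 on the data subnet. Interface names follow WSA naming.
INTERFACES = {
    "M1": ipaddress.ip_interface("10.1.1.10/24"),
    "P1": ipaddress.ip_interface("192.168.50.10/24"),
}

# "Separate routing": two tables, each with a default gateway and optional
# static routes given as (destination prefix, next hop). Constructed values.
SPLIT_TABLES = {
    "Management": {"default_gateway": "10.1.1.1",
                   "static": [("172.16.0.0/16", "10.1.1.254"),
                              ("172.16.9.0/24", "10.1.1.253")]},
    "Data": {"default_gateway": "192.168.50.1", "static": []},
}
# "No separate routing": a single table for all traffic. Constructed values.
SINGLE_TABLE = {"Default": {"default_gateway": "192.168.50.1", "static": []}}

# Per-service table choice made under Network > DNS and System Administration >
# Upgrade and Update Settings; proxied traffic is always Data Traffic.
SERVICE_TABLE = {"dns": "Management", "updates": "Management", "proxy": "Data"}


def interface_for_next_hop(next_hop):
    """Return the interface whose directly connected subnet contains next_hop."""
    hop = ipaddress.ip_address(next_hop)
    for name, iface in INTERFACES.items():
        if hop in iface.network:
            return name
    raise ValueError(f"no interface is on the same subnet as {next_hop}")


def egress_interface(service, destination, tables, service_table=None):
    """Predict (table, next hop, interface) for a WSA-originated request."""
    dest = ipaddress.ip_address(destination)
    if service_table is None:           # single routing table for all traffic
        (table_name,) = tables
    else:                               # split mode: table chosen per service
        table_name = service_table[service]
    table = tables[table_name]
    # Most specific matching static route wins; otherwise the default gateway.
    best = None
    for prefix, next_hop in table["static"]:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    next_hop = best[1] if best else table["default_gateway"]
    return table_name, next_hop, interface_for_next_hop(next_hop)
```

Running `egress_interface("dns", "8.8.8.8", SPLIT_TABLES, SERVICE_TABLE)` shows DNS leaving via M1 while proxy traffic to the same destination leaves via P1, which is the case to keep in mind when writing firewall rules for the appliance's own traffic.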