Managing Your Cisco Secure Virtual Appliance

IP Address

When the virtual appliance is first powered on, the Management port gets an IP address from your DHCP host. If the virtual appliance is unable to obtain an IP address from a DHCP server, it will use 192.168.42.42 as the Management interface’s IP address. The CLI displays the Management interface’s IP address when you run the System Setup Wizard on the virtual appliance.

The Virtual Appliance License


Note


You cannot open a Technical Support tunnel before installing the virtual appliance license. Information about Technical Support tunnels is in the User Guide for your AsyncOS release.


The Cisco Secure virtual appliance requires an additional license to run the virtual appliance on a host. You can use this license for multiple, cloned virtual appliances. Licenses are hypervisor-independent.

For AsyncOS for Web Security 8.5 and later:

  • Feature keys for individual features can have different expiration dates.

  • After the virtual appliance license expires, the appliance will continue to serve as a web proxy without security services for 180 days. Security services are not updated during this period. On the Cisco Secure Web appliance, administrators and end users cannot manage quarantines and scheduled deletion of quarantined messages will occur.


Note


For information about the impact of reverting the AsyncOS version, see the online help or user guide for your AsyncOS release.


Install the Virtual Appliance License File


Note


If you cloned the virtual security appliance image, perform the following steps for each image.


Before you begin

(Optional) FTP into the virtual appliance to upload the license file. If you will paste the license into the terminal, you do not need to do this.

Procedure


Step 1

Using SSH or telnet in a terminal application, log into the appliance’s CLI as the admin/ironport user.

Note

 

You cannot paste the contents of the license file into the CLI using the vSphere client console.

Step 2

Run the loadlicense command.

Step 3

Install the license file using one of the following options:

  • Select option 1 and paste the contents of the license file into the terminal.

  • Select option 2 and load the license file in the configuration directory, if you have already uploaded the license file to the appliance’s configuration directory using FTP.

Step 4

Read and agree to the license agreement.

Step 5

(Optional) Run showlicense to review the license details.


What to do next

For Microsoft Hyper-V deployments:

For KVM deployments:

For ESXi deployments:

  • For more information on the Management interface’s IP address, see Deploy on VMWare ESXi.

  • If you cloned the virtual security appliance image, repeat the procedure in this topic for each image.

  • See remaining setup steps in Deploy on VMWare ESXi.

Migrate Your Virtual Appliance to Another Physical Host

You can use VMware® VMotion™ to migrate a running virtual appliance to a different physical host.

Requirements:

  • Both physical hosts must have the same network configuration.

  • Both physical hosts must have access to the same defined network(s) to which the interfaces on the virtual appliance are mapped.

  • Both physical hosts must have access to the datastore that the virtual appliance uses. This datastore can be a storage area network (SAN) or Network-attached storage (NAS).


Note


Migrate the virtual machine using the VMotion documentation. Automatic VMotion is currently not supported in Secure Web Appliance.


Clone a Virtual Appliance Already in Use

Before you begin

  • For instructions on cloning a virtual machine, see VMWare’s technical documentation at http://www.vmware.com/support/ws55/doc/ws_clone.html.

  • For information on how to manage the network settings and security features of your appliance, see the user guide for your Cisco Secure product and release.

Procedure


Step 1

Disable centralized services on your Web Security appliances.

Step 2

Shut down the virtual appliance using the shutdown command in the CLI.

Step 3

Clone the virtual appliance image.

Step 4

Start the cloned appliance using the VMware vSphere Client and perform the following:

  1. If you cloned a configured image rather than the unmodified. OVF image file downloaded fromCisco.com:

    — Install the license file on the cloned virtual appliance.

    — Modify the network settings of the cloned virtual appliance.

    Network adapters do not automatically connect when powering on. Reconfigure IP address, Hostname and IP address. Then power on network adapters.

    Configurations will not be complete until after you install feature keys.

  2. For cloned Web Security virtual appliances:

    — Clear the proxy cache.

    — Clear the proxy authentication cache using the authcache > flushall command in the CLI.

    — Remove reporting and tracking data with the diagnostic > reporting > flushall > deletedb command in the CLI.

    — Run the System Setup Wizard (SSW); a license must be available.

    — For Authentication Realms, rejoin the domain.

    — For Authentication Settings, modify the redirect hostname.

    — If the original virtual appliance was managed by an Security Management appliance, add the cloned appliance to the Security Management appliance.

Step 5

Start the original virtual appliance using the VMware vSphere Client and resume operation. Make sure that it is running properly.

Step 6

Resume operation on the cloned appliance.


Force Reset, Power Off, and Reset Options Are Not Fully Supported

The following actions are the equivalent of pulling the plug on a hardware appliance and are not supported, especially during AsyncOS startup:

— In KVM, the Force Reset option.

— In VMWare, the Power Off and Reset options.

CLI Commands on the Virtual Appliance

The Cisco Secure Web virtual appliances include updates to existing CLI commands and includes a virtual appliance-only command, loadlicense. The following CLI command changes have been made:

Command

Information

loadlicense

This command allows you to install a license for your virtual appliance. You cannot run System Setup Wizard on the virtual appliance without installing a license using this command first.

etherconfig

The Pairing option is not included on virtual appliances.

version

This command will return all the information about the virtual appliance except for the UDI, RAID, and BMC information.

resetconfig

Running this command leaves the virtual appliance license and the feature keys on the appliance.

reload

Running this command removes the virtual appliance license and all the feature keys on the appliance.

showlicense

View license details.

For Secure Web Appliance, additional information is available via the featurekey command.

SNMP on the Virtual Appliance

AsyncOS on virtual appliances will not report any hardware-related information and no hardware-related traps will be generated. The following information will be omitted from queries:

  • powerSupplyTable

  • temperatureTable

  • fanTable

  • raidEvents

  • raidTable