Cisco Web Security Appliance S690 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
 
Chapter 7      Policies
  • Policy group control settings. Define how users in the group can use the Internet. The control 
settings you can define depend on the policy type. For example, for Routing Policies, you define 
from which proxy group to fetch the content, and for Access Policies, you can use the Web Security 
appliance features, such as Web Reputation, anti-malware scanning, and more to determine whether 
or not to allow the client request.
Click the link in the policy group row under the control setting you want to configure, such as URL 
Categories or Routing Destination. When you click a link in the table, a page is displayed where you 
can configure settings for that policy group.
For more information on configuring control settings for each policy type, see the following 
sections:
Policy Group Membership
All policy groups define which transactions apply to them. When a client sends a request to a server, the 
Web Proxy receives the request, evaluates it, and determines to which policy group it belongs. The Web 
Proxy applies the configured policy control settings to a client request based on the client request’s 
policy group membership. 
Transactions belong to a policy group for each type of policy that is enabled. If a policy type has no 
user-defined policy groups, then each transaction belongs to the global policy group for that policy type.
Policy group membership for Routing, Decryption, Access, Data Security, and External DLP Policies 
is based on an Identity and optional additional criteria. That means that the Web Proxy evaluates Identity 
groups before the other policy types. The Web Security appliance allows you to define some membership 
criteria at either the Identity level or the non-Identity policy level. For more information, see 
Suppose you define an Identity by subnet 10.1.1.0/24 and then create an Access Policy using that 
Identity. The Access Policy membership applies to all IP addresses specified in the Identity by default. 
You can then choose to configure the Access Policy membership so that it applies to a subset of the 
addresses defined in the Identity, such as addresses 10.1.1.0-15.
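The two-stage membership check described above can be modeled as follows. This is an added example, not code from the appliance or from Cisco. The policy and Identity names, the top-down first-match ordering, and the fallback to the global group when no policy on the matched Identity applies are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

GLOBAL_POLICY = "Global Access Policy"  # hypothetical label for the global group

@dataclass
class Identity:
    name: str
    subnet: ipaddress.IPv4Network

@dataclass
class AccessPolicy:
    name: str
    identity: str  # name of the Identity this policy group is built on
    # Optional narrowing to an inclusive address range inside the Identity
    subset: Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = None

def resolve(client_ip: str, identities: List[Identity], policies: List[AccessPolicy]) -> str:
    """Return the Access Policy group a client address falls into."""
    client = ipaddress.ip_address(client_ip)
    # Step 1: the Identity is evaluated before any other policy type.
    ident = next((i for i in identities if client in i.subnet), None)
    if ident is None:
        return GLOBAL_POLICY
    # Step 2: assumed top-down, first-match walk over the policy groups.
    for pol in policies:
        if pol.identity != ident.name:
            continue
        if pol.subset is None or pol.subset[0] <= client <= pol.subset[1]:
            return pol.name
    return GLOBAL_POLICY

def shadowed(policies: List[AccessPolicy]) -> List[str]:
    """Audit helper: policies that can never match under first-match order
    because an earlier policy already covers the whole Identity."""
    covered, dead = set(), []
    for pol in policies:
        if pol.identity in covered:
            dead.append(pol.name)
        elif pol.subset is None:
            covered.add(pol.identity)
    return dead

# Constructed sample mirroring the text: Identity 10.1.1.0/24, subset 10.1.1.0-15.
A = ipaddress.ip_address
IDENTITIES = [Identity("Lab", ipaddress.ip_network("10.1.1.0/24"))]
POLICIES = [AccessPolicy("Lab-Restricted", "Lab", (A("10.1.1.0"), A("10.1.1.15"))),
            AccessPolicy("Lab-Default", "Lab")]
```

Running `shadowed()` over a policy list is a quick way to spot a narrowed policy that was placed below a policy covering the whole Identity and therefore never takes effect in this model.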
For more information on defining membership for each policy type, see the following sections:
Authenticating Users versus Authorizing Users
The Web Security appliance separates where it authenticates users from where it authorizes users.