Cisco Web Security Appliance S690 User Guide

IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
URL FILTERS OVERVIEW
AsyncOS for Web allows administrators to control user access based on the web server 
category of a particular HTTP or HTTPS request. For example, you can block all HTTP 
requests for gambling web sites, or you can decrypt all HTTPS requests for web-based email 
websites.
Using policy groups, you can create secure policies that control access to web sites 
containing objectionable or questionable content. The sites that are actually blocked, 
dropped, allowed, or decrypted depend on the categories you select when setting up category 
blocking for each policy group.
To control user access based on a URL category, you must enable one of the following URL 
filtering engines:
• Cisco IronPort Web Usage Controls. This is a multi-layered URL filtering engine that uses 
domain prefixes and keyword analysis to categorize URLs, and real-time response content 
analysis using the Dynamic Content Analysis engine if no category is determined by 
prefixes and keywords. It includes over 65 predefined URL categories. This engine also 
allows end users and administrators to report to IronPort any miscategorized URLs as well 
as uncategorized URLs for future inclusion in the categorization database. 
• IronPort URL Filters. This URL filtering engine categorizes URLs in the client request 
using domains stored in a database. It includes more than 50 predefined URL categories, 
and allows end users and administrators to report to IronPort any uncategorized URLs.
You can use URL categories when performing the following tasks:
• Define policy group membership. You can define policy group membership by the URL 
category of the request URL. 
• Control access to HTTP, HTTPS, and FTP requests. You can choose to allow or block 
HTTP and FTP requests by URL category using Access Policies, and you can choose to 
pass through, drop, or decrypt HTTPS requests by URL category using Decryption 
Policies. You can also choose whether or not to block upload requests by URL category 
using IronPort Data Security Policies. For more information, see “Filtering Transactions 
Using URL Categories” on page 272.
In addition to the predefined URL categories included with the URL filtering engine, you can 
create user-defined custom URL categories that list particular host names and IP addresses. 
For more information, see “Custom URL Categories” on page 281.
Dynamic Content Analysis Engine
The Dynamic Content Analysis engine is a scanning engine called at response time to 
categorize a transaction that failed categorization using only the URL in the client request. 
You might want to enable Dynamic Content Analysis when more of your organization’s traffic 
goes to newer, and therefore not yet categorized, sites on the Internet.
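
The layered lookup described above (domain prefixes, then URL keywords, then response-time content analysis) and the per-protocol action choice can be sketched as a simplified model. This is an added example, not Cisco's implementation or code from the guide; the hosts, keywords, content terms, policy tables and default actions are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data; the real category databases are vendor-supplied.
PREFIX_DB = {"casino.example": "Gambling", "mail.example/webmail": "Web-based Email"}
URL_KEYWORDS = {"poker": "Gambling", "webmail": "Web-based Email"}
CONTENT_TERMS = {"jackpot": "Gambling", "inbox": "Web-based Email"}
# Per-category actions (assumed policy): Access Policies for HTTP/FTP,
# Decryption Policies for HTTPS.
ACCESS_POLICY = {"Gambling": "block"}
DECRYPTION_POLICY = {"Gambling": "drop", "Web-based Email": "decrypt"}


def categorize_request(url):
    """Request-time layers: longest domain-prefix match, then URL keywords."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    labels = host.split(".")
    hits = []
    # Check the host and each parent domain, so sub.casino.example matches.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:]) + path
        # Match on a boundary so casino.examplefoo.test is not a hit.
        hits += [p for p in PREFIX_DB
                 if candidate == p or candidate.startswith(p + "/")]
    if hits:
        return PREFIX_DB[max(hits, key=len)]
    return next((c for k, c in URL_KEYWORDS.items() if k in host + path), None)


def categorize(url, response_body=None, dca_enabled=True):
    """Return (category, stage); category None means uncategorized."""
    category = categorize_request(url)
    if category is None and dca_enabled and response_body is not None:
        # Response-time fallback: classify by content, not by URL.
        text = response_body.lower()
        hit = next((c for t, c in CONTENT_TERMS.items() if t in text), None)
        return hit, "response"
    return category, "request"


def action_for(url, category):
    """Pick the action from the policy type that handles this protocol."""
    if urlsplit(url).scheme.lower() == "https":
        return DECRYPTION_POLICY.get(category, "pass through")  # assumed default
    return ACCESS_POLICY.get(category, "allow")  # assumed default
```

In this model a URL that no request-time layer recognizes stays uncategorized unless the response-time fallback is enabled and a response body is available.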