Cisco Cisco Web Security Appliance S690 User Guide
CONFIGURING L4 TRAFFIC MONITOR POLICIES
CHAPTER 17: L4 TRAFFIC MONITOR
391
3. On the Edit L4 Traffic Monitor Policies page, configure the L4 Traffic Monitor policies
described in Table 17-1.
Table 17-1 L4 Traffic Monitor Policies
Property
Description
Allow List
Enter zero or more addresses to which the L4 Traffic Monitor should
always allow clients to connect.
Separate multiple entries with a space or comma. For a list of valid
address formats you can use, see “Valid Formats” on page 392.
Note: Entering a domain name such as example.com also matches
www.example.com and hostname.example.com.
Connections to all destinations in this list are always allowed and the
traffic is not logged. The appliance does not check the destinations
against the L4 Traffic Monitor anti-malware rules or the additional
suspected malware addresses listed on the same page.
For example, if IP address 10.1.1.1 appears in both the Allow List and
the Additional Suspected Malware Addresses fields, then the L4
Traffic Monitor always allows requests for 10.1.1.1.
Actions for Suspected Malware Addresses
Choose whether to monitor or block traffic destined for a known
malware address. For a definition of known malware address, see
“How the L4 Traffic Monitor Works” on page 387.
• Monitor. Scans all traffic for domains and IP addresses that match
entries in the L4 Traffic Monitor database. The Monitor option does
not block suspicious traffic. This setting is useful for identifying
infected clients without affecting the user experience.
• Block. Scans all traffic for domains and IP addresses that match
entries in the appliance administrative lists and the block list
database and then blocks any traffic it finds. This setting is useful
for identifying infected clients and stopping malware attempts
through non-standard ports.
When you choose to block suspected malware traffic, you can also
choose whether or not to always block ambiguous addresses. By
default, ambiguous addresses are monitored.
For a definition of ambiguous address, see “How the L4 Traffic
Monitor Works” on page 387.
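Because Allow List entries always win and their traffic is not logged, an allow entry can silently override an entry in the Additional Suspected Malware Addresses field. The following Python script is an added example, not Cisco code: it audits the contents of the two fields for such overlaps, including the subdomain matching described in the Allow List note. It assumes entries are IP addresses, CIDR ranges, or domain names (the actual valid formats are listed on page 392 and are not reproduced here); the function names and sample values are constructed for illustration.

```python
import ipaddress
import re

def parse_entries(field):
    """Split a field on spaces or commas, as the Allow List description specifies."""
    return [e.lower() for e in re.split(r"[,\s]+", field.strip()) if e]

def _as_network(entry):
    # Assumption: anything that does not parse as an IP or CIDR is a domain name.
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None

def covers(allow_entry, dest):
    """True if allow_entry matches dest (IP/CIDR containment or domain suffix)."""
    a, d = _as_network(allow_entry), _as_network(dest)
    if a is not None and d is not None:
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        return a.version == d.version and d.subnet_of(a)
    if a is None and d is None:
        # example.com also matches www.example.com and hostname.example.com,
        # but must not match an unrelated name such as badexample.com.
        return dest == allow_entry or dest.endswith("." + allow_entry)
    return False

def shadowed_entries(allow_field, suspect_field):
    """Return (suspect, allow) pairs where the Allow List overrides a suspected address."""
    allow = parse_entries(allow_field)
    return [(s, a) for s in parse_entries(suspect_field) for a in allow if covers(a, s)]

# Constructed sample field contents (not taken from a real appliance).
ALLOW = "10.1.1.1, example.com 192.0.2.0/24"
SUSPECT = "10.1.1.1 cdn.example.com, 192.0.2.77 203.0.113.9 badexample.com"

if __name__ == "__main__":
    for suspect, allow in shadowed_entries(ALLOW, SUSPECT):
        print(f"{suspect}: always allowed and not logged (Allow List entry {allow})")
```

Each reported pair is a destination the L4 Traffic Monitor will neither block nor log, regardless of the action chosen for suspected malware addresses.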