Cisco Cisco Web Security Appliance S690 User Guide
10-17
AsyncOS 9.1.1 for Cisco Web Security Appliances User Guide
Chapter 10 Create Policies to Control Internet Requests
Time Ranges and Quotas
•
From and To – Define a specific range of hours: enter a start time and end time in HH:MM
(24-hour format).
(24-hour format).
Tip
Each time range defines a start time and an end-time boundary. For example, entering 8:00
through 17:00 matches 8:00:00 through 16:59:59, but not 17:00:00. Midnight must be specified
as 00:00 for a start time, and as 24:00 for an end time.
through 17:00 matches 8:00:00 through 16:59:59, but not 17:00:00. Midnight must be specified
as 00:00 for a start time, and as 24:00 for an end time.
Step 7
Submit and commit your changes.
Time and Volume Quotas
Quotas allow individual users to continue accessing an Internet resource (or a class of Internet resources)
until they exhaust the data volume or time limit imposed. AsyncOS enforces defined quotas on HTTP,
HTTPS and FTP traffic.
until they exhaust the data volume or time limit imposed. AsyncOS enforces defined quotas on HTTP,
HTTPS and FTP traffic.
As a user approaches either their time or volume quota, AsyncOS displays first a warning, and then a
block page.
block page.
Please note the following regarding use of time and volume quotas:
•
If AsyncOS is deployed in transparent mode and HTTPS proxy is disabled, there is no listening on
port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit
mode, you can set quotas in your access policies.
port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit
mode, you can set quotas in your access policies.
When HTTPS proxy is enabled, possible actions on a request are pass-through, decrypt, drop, or
monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.
monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.
With pass-through, you will also have the option to set quotas for tunnel traffic. With decrypt, this
option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.
option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.
•
If URL Filtering is disabled or if its feature key is unavailable, AsyncOS cannot identify the category
of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to
be present, and Acceptable Use Policies enabled, to configure quotas..
of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to
be present, and Acceptable Use Policies enabled, to configure quotas..
•
Many websites such as Facebook and Gmail auto-update at frequent intervals. If such a website is
left open in an unused browser window or tab, it will continue to consume the user’s quota of time
and volume.
left open in an unused browser window or tab, it will continue to consume the user’s quota of time
and volume.
•
A proxy restart will cause quotas to be reset, potentially allowing much more access than planned.
A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on.
Some confusion is possible, as administrators are not explicitly informed about proxy restarts.
A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on.
Some confusion is possible, as administrators are not explicitly informed about proxy restarts.
•
Your EUN pages (both warning and block) cannot be displayed for HTTPS even when
decrypt-for-EUN option is enabled.
decrypt-for-EUN option is enabled.
Note
The most restrictive quota will always apply when more than one quota applies to any given user.
•
•
•