Cisco Cisco Web Security Appliance S360 User Guide
9-2
AsyncOS 9.0.1 for Cisco Web Security Appliances User Guide
Chapter 9 Classify URLs for Policy Application
Overview of Categorizing URL Transactions
Categorization of Failed URL Transactions
The Dynamic Content Analysis engine categorizes URLs when controlling access to websites in Access
Policies only. It does not categorize URLs when determining policy group membership or when
controlling access to websites using Decryption or Cisco Data Security Policies. This is because the
engine works by analyzing the response content from the destination server, so it cannot be used on
decisions that must be made at request time before any response is downloaded from the server.
Policies only. It does not categorize URLs when determining policy group membership or when
controlling access to websites using Decryption or Cisco Data Security Policies. This is because the
engine works by analyzing the response content from the destination server, so it cannot be used on
decisions that must be made at request time before any response is downloaded from the server.
If the web reputation score for an uncategorized URL is within the WBRS ALLOW range, AsyncOS
allows the request without performing Dynamic Content Analysis.
allows the request without performing Dynamic Content Analysis.
After the Dynamic Content Analysis engine categorizes a URL, it stores the category verdict and URL
in a temporary cache. This allows future transactions to benefit from the earlier response scan and be
categorized at request time instead of at response time.
in a temporary cache. This allows future transactions to benefit from the earlier response scan and be
categorized at request time instead of at response time.
Enabling the Dynamic Content Analysis engine can impact transaction performance. However, most
transactions are categorized using the Cisco Web Usage Controls URL categories database, so the
Dynamic Content Analysis engine is usually only called for a small percentage of transactions.
transactions are categorized using the Cisco Web Usage Controls URL categories database, so the
Dynamic Content Analysis engine is usually only called for a small percentage of transactions.
Enabling the Dynamic Content Analysis Engine
Note
It is possible for an Access Policy, or an Identity used in an Access Policy, to define policy membership
by a predefined URL category and for the Access Policy to perform an action on the same URL category.
The URL in the request can be uncategorized when determining Identity and Access Policy group
membership, but must be categorized by the Dynamic Content Analysis engine after receiving the server
response. Cisco Web Usage Controls ignores the category verdict from the Dynamic Content Analysis
engine and the URL retains the “uncategorized” verdict for the remainder of the transaction. Future
transactions will still benefit from the new category verdict.
by a predefined URL category and for the Access Policy to perform an action on the same URL category.
The URL in the request can be uncategorized when determining Identity and Access Policy group
membership, but must be categorized by the Dynamic Content Analysis engine after receiving the server
response. Cisco Web Usage Controls ignores the category verdict from the Dynamic Content Analysis
engine and the URL retains the “uncategorized” verdict for the remainder of the transaction. Future
transactions will still benefit from the new category verdict.
Step 1
Choose Security Services > Acceptable Use Controls.
Step 2
Enable the Cisco Web Usage Controls.
Step 3
Click to enable the Dynamic Content Analysis engine.
Step 4
Submit and Commit Changes.
Uncategorized URLs
An uncategorized URL is a URL that does not match any pre-defined URL category or included custom
URL category.
URL category.
Note
When determining policy group membership, a custom URL category is considered included only when
it is selected for policy group membership.
it is selected for policy group membership.
All transactions resulting in unmatched categories are reported on the Reporting > URL Categories page
as “Uncategorized URLs.” A large number of uncategorized URLs are generated from requests to web
sites within the internal network. Cisco recommends using custom URL categories to group internal
as “Uncategorized URLs.” A large number of uncategorized URLs are generated from requests to web
sites within the internal network. Cisco recommends using custom URL categories to group internal