Cisco Cisco Web Security Appliance S160 User Guide

You can use the CLI command 

maxhttpheadersize

 to change the maximum HTTP header size for proxy 

requests. Increasing this value can alleviate Policy Trace failures that can occur when the specified user 
belongs to a large number of authentication groups, or when the response header is larger than the current 
maximum header size. See 

 for more information 

about this command.

Choose System Administration > Policy Trace.

Enter the URL you wish to trace to in the Destination URL field.

(Optional) Enter additional emulation parameters:

Click Find Policy Match.

The Policy Trace output is displayed in the Results pane.

For a Pass Through HTTPS transaction, the Policy Trace tool bypasses further scanning and no Access 
policy is associated with the transaction. Similarly, for a Decrypt HTTPS transaction, the tool cannot 
actually decrypt the transaction to determine the applied Access policy. In both cases, as well as for Drop 
transactions, the trace results display: “Access policy: Not Applicable.”

The client source IP used to make the request.

An IP address in the Client IP Address field.

If an IP address is not specified, AsyncOS 
uses localhost. Also, SGTs (security group 
tags) cannot be fetched and policies based on 
SGTs will not be matched. 

The authentication/identification credentials 
used to make the request.

A user name in the User Name field, and then choose 
Identity Services Engine or an authentication realm 
from the Authentication/Identification drop-down list.

Only enabled option(s) are available. That is, 
authentication options and the ISE option are 
available only if they are both enabled.

For authentication of the user you enter here, the user 
must have already successfully authenticated through 
the Web Security appliance.