Cisco Web Security Appliance S670 User Guide
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 10 Create Policies to Control Internet Requests
Policies
Each policy type uses a policy table to store and manage its policies. Each policy table comes with a
predefined, global policy, which maintains default actions for a policy type. Additional, user-defined
policies are created and added to the policy table as required. Policies are processed in the order in which
they are listed in the policy table.
Individual policies define the user-request types they manage, and the actions they perform on those
requests. Each policy definition has two main sections:
• Identification Profiles and Users – Identification Profiles are used in policy membership criteria
  and are particularly important as they contain many options for identifying web transactions. They
  also share many properties with policies.
• Advanced – The criteria used to identify users to which the policy applies. One or more criteria can
  be specified in a policy, and all must match for the criteria to be met.
  – Protocols – Allow the transfer of data between various networking devices such as HTTP, HTTPS,
    FTP, etc.
  – Proxy Ports – The numbered port by which the request accesses the web proxy.
  – Subnets – The logical grouping of connected network devices (such as geographic location or
    Local Area Network [LAN]), where the request originated.
  – Time Range – Time ranges can be created for use in policies to identify or apply actions to web
    requests based on the time or day the requests were made. The time ranges are created as
    individual units.
  – URL Categories – URL categories are predefined or custom categories of websites, such as News,
    Business, Social Media, etc. These can be used to identify or apply actions to web requests.
  – User Agents – These are the client applications (such as updaters and Web browsers) used to
    make requests. You can define policy criteria based on user agents, and you can specify control
    settings based on user agents. You can also exempt user agents from authentication, which is
    useful for applications that cannot prompt for credentials. You can define custom user agents
    but cannot re-use these definitions in other policies.
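The processing order and the all-criteria-must-match rule described above, modeled as an added example (not code from this guide or from AsyncOS). It assumes the first matching policy in the table is the one applied and that the global policy is the fallback; the Policy class, its field names, and the sample table and requests are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

@dataclass
class Policy:
    """One policy-table row; a criterion left as None is not specified."""
    name: str
    action: str
    protocols: frozenset = None
    subnets: tuple = None          # CIDR strings
    time_range: tuple = None       # (start, end) as datetime.time
    url_categories: frozenset = None

    def matches(self, req):
        # All specified criteria must match (logical AND).
        ip = ipaddress.ip_address(req["ip"])
        return all((
            self.protocols is None or req["proto"] in self.protocols,
            self.subnets is None
            or any(ip in ipaddress.ip_network(s) for s in self.subnets),
            self.time_range is None
            or self.time_range[0] <= req["time"] <= self.time_range[1],
            self.url_categories is None or req["cat"] in self.url_categories,
        ))

def evaluate(table, global_policy, req):
    """Walk the table top to bottom; fall back to the global policy."""
    return next((p for p in table if p.matches(req)), global_policy)

def unreached(table, global_policy, requests):
    """Policies that no sample request ever selects (possible shadowing)."""
    hit = {evaluate(table, global_policy, r).name for r in requests}
    return [p.name for p in table if p.name not in hit]

# Constructed policy table and requests (assumptions, not from the guide).
GLOBAL = Policy("Global Policy", "monitor")
TABLE = [
    Policy("Lab subnet", "allow", subnets=("10.20.0.0/16",)),
    Policy("Lab social media, work hours", "block",
           subnets=("10.20.0.0/16",), url_categories=frozenset({"Social Media"}),
           time_range=(time(9, 0), time(17, 0))),
    Policy("FTP uploads", "block", protocols=frozenset({"ftp"})),
]
REQUESTS = [
    {"ip": "10.20.3.7", "proto": "https", "time": time(10, 30), "cat": "Social Media"},
    {"ip": "192.0.2.10", "proto": "ftp", "time": time(23, 0), "cat": "Business"},
    {"ip": "192.0.2.10", "proto": "http", "time": time(12, 0), "cat": "News"},
]
```

In this constructed table the broad "Lab subnet" policy is listed above the narrower social-media policy, so the narrower one is never selected; listing the specific policy first changes the outcome for the first request.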
| Policy Type | Request Type | Description | Link to task |
|---|---|---|---|
| Outbound Malware Scanning | HTTP, Decrypted HTTPS, FTP | Block, monitor, or allow requests to upload data that may contain malicious data. Prevent malware that is already present on your network from being transmitted to external networks. | |
| Routing | HTTP, HTTPS, FTP | Direct web traffic through upstream proxies or direct it to destination servers. You might want to redirect traffic through upstream proxies to preserve your existing network design, to off-load processing from the Web Security appliance, or to leverage additional functionality provided by 3rd-party proxy systems. If multiple upstream proxies are available, the Web Security appliance can use load balancing techniques to distribute data to them. | |