Cisco Web Security Appliance S670 User Guide
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 16 Prevent Loss of Sensitive Data
Step 3
When an upload request matches an External DLP Policy, the Web Proxy sends the upload request to the
DLP system using the Internet Content Adaptation Protocol (ICAP) for scanning. The DLP system scans
the request body content and returns a block or allow verdict to the Web Proxy. The allow verdict is
similar to the Allow action for Cisco Data Security policies in that the upload request will be compared
to the Access Policies. The final action the Web Proxy takes on the request is determined by the
applicable Access Policy.
Evaluating Data Security and External DLP Policy Group Membership
Each client request is assigned to an Identity and then is evaluated against the other policy types to
determine which policy group it belongs to for each type. The Web Proxy evaluates upload requests against
the Data Security and External DLP policies. The Web Proxy applies the configured policy control
settings to a client request based on the client request’s policy group membership.
Matching Client Requests to Data Security and External DLP Policy Groups
To determine the policy group that a client request matches, the Web Proxy follows a specific process
for matching the group membership criteria. It considers the following factors for group membership:
• Identity. Each client request either matches an Identification Profile, fails authentication and is
granted guest access, or fails authentication and gets terminated.
• Authorized users. If the assigned Identification Profile requires authentication, the user must be in
the list of authorized users in the Data Security or External DLP Policy group to match the policy
group. The list of authorized users can be any of the specified groups or users or can be guest users
if the Identification Profile allows guest access.
• Advanced options. You can configure several advanced options for Data Security and External DLP
Policy group membership. Some options (such as proxy port and URL category) can also be defined
within the Identity. When an advanced option is configured in the Identity, it is not configurable at
the Data Security or External DLP Policy group level.
The information in this section gives an overview of how the Web Proxy matches upload requests to both
Data Security and External DLP Policy groups.
The Web Proxy sequentially reads through each policy group in the policies table. It compares the upload
request status to the membership criteria of the first policy group. If they match, the Web Proxy applies
the policy settings of that policy group.
If they do not match, the Web Proxy compares the upload request to the next policy group. It continues
this process until it matches the upload request to a user-defined policy group. If it does not match a
user-defined policy group, it matches the global policy group. When the Web Proxy matches the upload
request to a policy group or the global policy group, it applies the policy settings of that policy group.
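The first-match evaluation described above, as an added example (not Cisco code and not the appliance's configuration format): a small Python model of the policies table that resolves an upload to a policy group and flags groups that can never match because an earlier, broader group covers them. The `Group` fields, the profile, user and category names, and the `"Global Policy"` label are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

GLOBAL = "Global Policy"  # hypothetical label for the global policy group

@dataclass
class Group:  # hypothetical model of one row in the policies table
    name: str
    identities: set                               # Identification Profiles
    users: set = field(default_factory=set)       # empty = any authorized user
    allow_guests: bool = False
    categories: set = field(default_factory=set)  # advanced option; empty = any

@dataclass
class Upload:
    identity: str
    user: Optional[str]  # None = guest (failed authentication, guest access granted)
    category: str

def matches(g: Group, r: Upload) -> bool:
    if r.identity not in g.identities:
        return False
    if r.user is None:
        if not g.allow_guests:
            return False
    elif g.users and r.user not in g.users:
        return False
    return not g.categories or r.category in g.categories

def evaluate(table, r):
    """First match wins; table order is the evaluation order."""
    return next((g.name for g in table if matches(g, r)), GLOBAL)

def _within(narrow: set, wide: set) -> bool:
    return not wide or (bool(narrow) and narrow <= wide)

def shadowed(table):
    """(later, earlier) pairs where the earlier group matches every request the later one can."""
    out = []
    for i, b in enumerate(table):
        for a in table[:i]:
            if (b.identities <= a.identities and _within(b.users, a.users)
                    and (a.allow_guests or not b.allow_guests)
                    and _within(b.categories, a.categories)):
                out.append((b.name, a.name))
                break
    return out

TABLE = [  # constructed sample: the broad group sits above the strict one
    Group("all-staff", {"corp-auth"}),
    Group("finance-strict", {"corp-auth"}, users={"alice", "bob"}, categories={"file-sharing"}),
    Group("guests", {"corp-auth"}, allow_guests=True),
]
```

Running `shadowed()` over an exported or hand-transcribed policy order shows which stricter groups are unreachable, so they can be moved above the broader group.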