Cisco Systems ASA 5585-X User Manual

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 25: Configuring the ASA for Cisco Cloud Web Security

Cisco Cloud Web Security provides web security and web filtering services through the
Software-as-a-Service (SaaS) model. Enterprises with the ASA in their network can use Cloud Web
Security services without having to install additional hardware.

When Cloud Web Security is enabled on the ASA, the ASA transparently redirects selected HTTP and
HTTPS traffic to the Cloud Web Security proxy servers. The Cloud Web Security proxy servers then scan
the content and allow, block, or send a warning about the traffic based on the policy configured in Cisco
ScanCenter to enforce acceptable use and to protect users from malware.

The ASA can optionally authenticate and identify users with Identity Firewall (IDFW) and AAA rules.
The ASA encrypts and includes the user credentials (including usernames and/or user groups) in the
traffic it redirects to Cloud Web Security. The Cloud Web Security service then uses the user credentials
to match the traffic to the policy. It also uses these credentials for user-based reporting. Without user
authentication, the ASA can supply an (optional) default username and/or group, although usernames
and groups are not required for the Cloud Web Security service to apply policy.

You can customize the traffic you want to send to Cloud Web Security when you create your service
policy rules. You can also configure a “whitelist” so that a subset of web traffic that matches the service
policy rule instead goes directly to the originally requested web server and is not scanned by Cloud Web
Security.

You can configure a primary and a backup Cloud Web Security proxy server, each of which the ASA
polls regularly to check for availability.

Note: This feature is also called “ScanSafe,” so the ScanSafe name appears in some commands.
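
The pieces described above (primary and backup proxy servers, a default group, a whitelist, and a service policy rule that selects the redirected traffic) fit together as in the following configuration sketch. It is an added example, not text from the guide. All object names (cws_whitelist, cws_http_pmap, CWS_HTTP, cws_class, cws_policy, the user and group names), the 192.0.2.x addresses, the inside interface name and the license value are assumed placeholders.

```text
! Added sketch: names, addresses and the license value are placeholders.
! Primary and backup Cloud Web Security proxy servers, polled for availability.
scansafe general-options
 server primary ip 192.0.2.10 port 8080
 server backup ip 192.0.2.20 port 8080
 retry-count 5
 license <LICENSE-KEY-PLACEHOLDER>
!
! Whitelist: matching users or groups go directly to the requested web server.
class-map type inspect scansafe match-any cws_whitelist
 match user exempt_user
 match group exempt_group
!
! Inspection policy map for HTTP: default group sent when no user is
! identified, plus the whitelist action for the class above.
policy-map type inspect scansafe cws_http_pmap
 parameters
  default group default_group
  http
 class cws_whitelist
  whitelist
!
! Service policy rule: selects which traffic is redirected to the proxies.
access-list CWS_HTTP extended permit tcp any4 any4 eq 80
class-map cws_class
 match access-list CWS_HTTP
policy-map cws_policy
 class cws_class
  ! fail-open passes traffic unscanned if no proxy is reachable;
  ! fail-close drops it instead.
  inspect scansafe cws_http_pmap fail-open
service-policy cws_policy interface inside
```

HTTPS traffic needs its own inspection policy map that uses the https parameter, with a matching rule for port 443.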