Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 13 Data Security and External DLP Policies
Evaluating Data Security and External DLP Policy Group Membership
The Web Proxy applies the configured policy control settings to a client request based on the client
request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy follows a specific process
for matching the group membership criteria. During this process, it considers the following factors for
group membership:
• Identity. Each client request either matches an Identity, fails authentication and is granted guest
access, or fails authentication and gets terminated. For more information about evaluating Identity
group membership, see
.
• Authorized users. If the assigned Identity requires authentication, the user must be in the list of
authorized users in the Data Security or External DLP Policy group to match the policy group. The
list of authorized users can be any of the specified groups or users or can be guest users if the Identity
allows guest access.
• Advanced options. You can configure several advanced options for Data Security and External DLP
Policy group membership. Some options (such as proxy port and URL category) can also be defined
within the Identity. When an advanced option is configured in the Identity, it is not configurable at
the Data Security or External DLP Policy group level.
The information in this section gives an overview of how the Web Proxy matches upload requests to both
Data Security and External DLP Policy groups. For more details about exactly how the Web Proxy
matches client requests, see
The Web Proxy sequentially reads through each policy group in the policies table. It compares the upload
request status to the membership criteria of the first policy group. If they match, the Web Proxy applies
the policy settings of that policy group.
If they do not match, the Web Proxy compares the upload request to the next policy group. It continues
this process until it matches the upload request to a user-defined policy group. If it does not match a
user-defined policy group, it matches the global policy group. When the Web Proxy matches the upload
request to a policy group or the global policy group, it applies the policy settings of that policy group.
Matching Client Requests to Data Security and External DLP Policy Groups
shows how the Web Proxy evaluates an upload request against the Data
Security and External DLP Policy groups.
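The top-to-bottom, first-match evaluation described in this section, modeled as an added example (it is not code from the guide or from Cisco). The class names, field names, default values and sample table are assumptions made for illustration; the model shows how a broad policy group placed higher in the table keeps a narrower group below it from ever being selected.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    identity: str                     # Identity already assigned to the request
    user: Optional[str] = None        # "guest" models guest access in this sketch
    groups: frozenset = frozenset()
    proxy_port: int = 3128
    url_category: str = "uncategorized"

@dataclass(frozen=True)
class PolicyGroup:
    name: str
    identities: frozenset
    authorized: Optional[frozenset] = None      # None: every user of the Identity
    proxy_ports: Optional[frozenset] = None     # advanced option, None: any port
    url_categories: Optional[frozenset] = None  # advanced option, None: any category
    def matches(self, req: Request) -> bool:
        if req.identity not in self.identities:
            return False
        if self.authorized is not None and not ({req.user} | req.groups) & self.authorized:
            return False
        if self.proxy_ports is not None and req.proxy_port not in self.proxy_ports:
            return False
        return self.url_categories is None or req.url_category in self.url_categories

def evaluate(table, req, global_group="Global Policy"):
    """First match wins, reading top to bottom; otherwise the global group."""
    return next((g.name for g in table if g.matches(req)), global_group)

def never_selected(table, requests):
    """Groups no sample request reaches, for example ones shadowed by an earlier row."""
    hit = {evaluate(table, r) for r in requests}
    return [g.name for g in table if g.name not in hit]

# Constructed sample policies table and upload requests (not taken from the guide)
TABLE = [
    PolicyGroup("Staff uploads", frozenset({"Corp"})),
    PolicyGroup("Finance webmail", frozenset({"Corp"}),
                authorized=frozenset({"finance"}),
                url_categories=frozenset({"Web-based Email"})),
    PolicyGroup("Guest uploads", frozenset({"Lobby"}), authorized=frozenset({"guest"})),
]
REQUESTS = [
    Request("Corp", "alice", frozenset({"finance"}), url_category="Web-based Email"),
    Request("Lobby", "guest"),
    Request("Kiosk"),
]
```

With this table the finance user's webmail upload is handled by "Staff uploads", so the stricter "Finance webmail" settings never apply; moving the narrower group above the broad one changes the result.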