Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 7 Policies
Working with All Identities
You can create a policy group that specifies “All Identities” as the configured Identity group. “All
Identities” applies to every valid client request because, by definition, every request either succeeds and
has a user-defined or global Identity assigned to it, or is terminated because it fails authentication (and
no guest access was provided for users failing authentication).
When you create a policy group that uses All Identities, you must configure at least one advanced option
to distinguish the policy group from the global policy group.
Typically, you use All Identities in a policy while also configuring an advanced option, such as a
particular user agent or destination (using a custom URL category). This lets you make an exception
for a specific case with a single rule instead of multiple rules. For example, you can create an
Access Policy group whose membership applies to All Identities and a custom URL category for all
intranet pages. Then you can configure the Access Policy control settings to disable anti-malware
filtering and Web Reputation scoring.
Policy Group Membership Rules and Guidelines
Consider the following rules and guidelines when defining policy group membership:
• The Web Proxy evaluates Identity groups before the other policy types.
• Subnet membership criteria defined in the Identity group can be further narrowed down in the policy
  group using the Identity group.
• Advanced membership criteria (proxy ports, URL categories, and user agents) defined in the
  Identity group cannot be defined in the policy group using the Identity group.
• Define Identity groups as broadly as possible. Then you can use the Identity groups in other policy
  types and further narrow down membership as necessary.
• Where possible, define fewer, more generic Decryption and Routing Policies.
• If you need to define membership by URL category, only define it in the Identity group when you
  need to exempt requests to that category from authentication. For other purposes, define membership
  by URL category in the Access, Decryption, Routing, Data Security, or External DLP Policy group.
  This can increase performance in most cases.
Working with Time Based Policies
The Web Security appliance lets you create time-based policies by specifying time ranges,
such as business hours, and using those time ranges to define access to the web. You can define policy
group membership based on time ranges, and you can specify actions for URL filtering based on time
ranges.
You might want to use time ranges to accomplish the following tasks:
• You can block access to high bandwidth sites, such as streaming media, or distracting sites, such as
  games, during business hours.
• You can route transactions to a particular external proxy after midnight when the other proxies are
  being serviced.
• You can allow larger files to be downloaded on the weekends.
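
The membership rules above can be checked offline with a small model. The following is an added example, not Cisco code or AsyncOS configuration syntax: it models an All Identities policy group with a custom URL category and a time-based group restricted to business hours. The class names, action strings and sample table are hypothetical, and ordered first-match evaluation and counting a time range as an advanced option are assumptions of the model.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

@dataclass
class TimeRange:                      # hypothetical model of a named time range
    days: set                         # weekday numbers, Monday=0
    start: time
    end: time

    def contains(self, ts: datetime) -> bool:
        return ts.weekday() in self.days and self.start <= ts.time() < self.end

@dataclass
class PolicyGroup:
    name: str
    identity: str                     # an Identity name or "All Identities"
    action: str
    url_category: Optional[str] = None
    time_range: Optional[TimeRange] = None

    def __post_init__(self):
        # All Identities needs an advanced option to differ from the global policy.
        if self.identity == "All Identities" and not (self.url_category or self.time_range):
            raise ValueError(f"{self.name}: All Identities needs an advanced option")

    def matches(self, identity, category, ts) -> bool:
        return (self.identity in ("All Identities", identity)
                and self.url_category in (None, category)
                and (self.time_range is None or self.time_range.contains(ts)))

def evaluate(groups, identity, category, ts, global_action="monitor"):
    """Return (group name, action) for one request in this simplified model."""
    if identity is None:              # Identity is evaluated first; no Identity, no policy
        return "Terminated", "deny"
    for g in groups:                  # assumption: ordered table, first match wins
        if g.matches(identity, category, ts):
            return g.name, g.action
    return "Global Policy", global_action

BUSINESS_HOURS = TimeRange({0, 1, 2, 3, 4}, time(9), time(17))
GROUPS = [                            # constructed sample policy table
    PolicyGroup("Intranet", "All Identities", "allow, no scanning",
                url_category="Intranet"),
    PolicyGroup("No streaming at work", "All Identities", "block",
                url_category="Streaming Media", time_range=BUSINESS_HOURS),
]
```

Because the intranet group in this model skips scanning for every Identity, the contents of its URL category decide how much traffic bypasses anti-malware filtering and Web Reputation scoring.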