Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 11 Processing HTTPS Traffic
You can configure how much URI text is stored in the logs using the advancedproxyconfig CLI command and the HTTPS subcommand. You can log the entire URI, or a partial form of the URI with the query portion removed. However, even when you choose to strip the query from the URI, personally identifiable information may still remain.
Decryption Policies
Decryption policies define the handling of HTTPS traffic within the web proxy:
• When to decrypt HTTPS traffic.
• How to handle requests that use invalid or revoked security certificates.
The appliance can perform any of the following actions on an HTTPS connection request:
• Monitor. Monitor is an intermediary action that indicates the Web Proxy should continue evaluating the transaction against the other control settings to determine which final action to ultimately apply.
• Drop. The appliance drops the connection and does not pass the connection request to the server. The appliance does not notify the user that it dropped the connection. You might want to drop connections to third party proxies that allow users on the network to bypass the organization's acceptable use policies.
• Pass through. The appliance passes through the connection between the client and the server without inspecting the traffic content. You might want to pass through connections to trusted secure sites, such as well known banking and financial institutions.
• Decrypt. The appliance allows the connection, but inspects the traffic content. It decrypts the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP connection. By decrypting the connection and applying Access Policies, you can scan the traffic for malware. You might want to decrypt connections to third party email providers, such as gmail or hotmail. For more information about how the appliance decrypts HTTPS traffic, see
All actions except Monitor are final actions the Web Proxy applies to a transaction. A final action is an action that causes the Web Proxy to stop evaluating the transaction against other control settings.
For example, if a Decryption Policy is configured to monitor invalid server certificates, the Web Proxy makes no final decision on how to handle the HTTPS transaction if the server has an invalid certificate. If a Decryption Policy is configured to block servers with a low web reputation score, then any request to a server with a low reputation score is dropped without considering the URL category actions.
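The evaluation rule above (Monitor lets evaluation continue to the next control setting; Drop, Pass through and Decrypt end it) is easiest to see as a short model. The following Python is an added illustration written for this page, not code from the appliance or from Cisco: the policy fields, the request attributes, the order in which the certificate check runs relative to the reputation check, and the reputation threshold of -6.0 are all assumptions chosen for the model, and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    MONITOR = "monitor"            # intermediary: keep evaluating
    DROP = "drop"                  # final
    PASS_THROUGH = "pass_through"  # final
    DECRYPT = "decrypt"            # final


FINAL_ACTIONS = {Action.DROP, Action.PASS_THROUGH, Action.DECRYPT}


@dataclass
class DecryptionPolicy:
    # Field names are assumptions for this model, not the appliance's own settings.
    invalid_certificate_action: Action
    low_reputation_action: Action
    url_category_actions: dict = field(default_factory=dict)
    default_action: Action = Action.DECRYPT


@dataclass
class HttpsRequest:
    host: str
    certificate_valid: bool
    reputation_score: float
    url_category: str


# Assumed threshold below which a server counts as "low web reputation".
LOW_REPUTATION_THRESHOLD = -6.0


def evaluate(policy, request, threshold=LOW_REPUTATION_THRESHOLD):
    """Return (final_action, trace).

    Control settings are checked in order.  A Monitor result is recorded in
    the trace and evaluation continues; the first final action wins and later
    settings (e.g. URL category) are never consulted, matching the text.
    """
    trace = []
    # (control setting, does it apply to this request, configured action)
    checks = [
        ("invalid certificate", not request.certificate_valid,
         policy.invalid_certificate_action),
        ("low web reputation", request.reputation_score < threshold,
         policy.low_reputation_action),
        ("url category", True,
         policy.url_category_actions.get(request.url_category,
                                         policy.default_action)),
    ]
    for name, applies, action in checks:
        if not applies:
            continue
        trace.append((name, action))
        if action in FINAL_ACTIONS:
            return action, trace
    # Every applicable setting said Monitor: fall back to the policy default.
    return policy.default_action, trace


# Constructed sample policy and requests for the two cases described in the text.
POLICY = DecryptionPolicy(
    invalid_certificate_action=Action.MONITOR,
    low_reputation_action=Action.DROP,
    url_category_actions={"Finance": Action.PASS_THROUGH,
                          "Webmail": Action.DECRYPT},
)

BAD_CERT_WEBMAIL = HttpsRequest("mail.example.test", False, 5.0, "Webmail")
LOW_REP_FINANCE = HttpsRequest("bank.example.test", True, -8.5, "Finance")
CLEAN_FINANCE = HttpsRequest("bank2.example.test", True, 7.0, "Finance")


def decide(request):
    return evaluate(POLICY, request)[0]


def consulted_settings(request):
    return [name for name, _ in evaluate(POLICY, request)[1]]


if __name__ == "__main__":
    for req in (BAD_CERT_WEBMAIL, LOW_REP_FINANCE, CLEAN_FINANCE):
        print(req.host, "->", decide(req).value, consulted_settings(req))
```

Running it shows the invalid-certificate request reaching the URL category check because Monitor made no final decision, while the low-reputation request is dropped before its Finance category (configured to pass through) is ever considered.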
Task: Enable the HTTPS proxy
Notes: Selecting Enable HTTPS proxy enables decryption and processing of HTTPS traffic. When you enable the HTTPS proxy,

Task: Generate or upload certificate and private key
Notes: Your certificate and private key provide the trust necessary to decrypt content.

Task: Manage trusted and blocked certificates
Notes: Manage lists of trusted and blocked certificates over time.

Task: Configure invalid and revoked certificate handling
Notes: Specify whether to drop, decrypt, or monitor HTTPS connections that use invalid or revoked certificates.

Task: Create decryption policies
Notes: Specify when to monitor, drop, pass through, or decrypt HTTPS connections.