Cisco Cisco Web Security Appliance S170 Guía Del Usuario
16-3
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 16 URL Filters
URL Filters Overview
Dynamic Content Analysis Engine
The Dynamic Content Analysis engine is a scanning engine called at response
time to categorize a transaction that failed categorization using only the URL in
the client request. You might want to enable Dynamic Content Analysis when
your organization’s traffic visits more of the newer, and therefore not yet
categorized, sites on the Internet.
time to categorize a transaction that failed categorization using only the URL in
the client request. You might want to enable Dynamic Content Analysis when
your organization’s traffic visits more of the newer, and therefore not yet
categorized, sites on the Internet.
Enable the Dynamic Content Analysis engine when you enable Cisco IronPort
Web Usage Controls on the Security Services > Acceptable Use Controls page.
Web Usage Controls on the Security Services > Acceptable Use Controls page.
After the Dynamic Content Analysis engine categorizes a URL, it stores the
category verdict and URL in a temporary cache. This allows future transactions
to benefit from the earlier response scan and be categorized at request time instead
of at response time, and it improves overall performance.
category verdict and URL in a temporary cache. This allows future transactions
to benefit from the earlier response scan and be categorized at request time instead
of at response time, and it improves overall performance.
The Dynamic Content Analysis engine categorizes URLs when controlling access
to websites in Access Policies only. It does not categorize URLs when
determining policy group membership or when controlling access to websites
using Decryption or IronPort Data Security Policies. This is because the engine
works by analyzing the response content from the destination server, so it cannot
be used on decisions that must be made at request time before any response is
downloaded from the server.
to websites in Access Policies only. It does not categorize URLs when
determining policy group membership or when controlling access to websites
using Decryption or IronPort Data Security Policies. This is because the engine
works by analyzing the response content from the destination server, so it cannot
be used on decisions that must be made at request time before any response is
downloaded from the server.
Enabling the Dynamic Content Analysis engine can impact transaction
performance. However, most transactions are categorized using the Cisco
IronPort Web Usage Controls URL categories database, so the Dynamic Content
Analysis engine is usually only called for a small percentage of transactions.
performance. However, most transactions are categorized using the Cisco
IronPort Web Usage Controls URL categories database, so the Dynamic Content
Analysis engine is usually only called for a small percentage of transactions.
Note
It is possible for an Access Policy, or an Identity used in an Access Policy, to
define policy membership by a predefined URL category and for the Access
Policy to perform an action on the same URL category. In this case, it is also
possible for the URL in the request to be uncategorized when determining Identity
and Access Policy group membership, but to be categorized by the Dynamic
Content Analysis engine after receiving the server response. In this scenario,
Cisco IronPort Web Usage Controls ignores the category verdict from the
Dynamic Content Analysis engine and the URL retains the “uncategorized”
verdict for the remainder of the transaction. However, future transactions still
benefit from the new category verdict.
define policy membership by a predefined URL category and for the Access
Policy to perform an action on the same URL category. In this case, it is also
possible for the URL in the request to be uncategorized when determining Identity
and Access Policy group membership, but to be categorized by the Dynamic
Content Analysis engine after receiving the server response. In this scenario,
Cisco IronPort Web Usage Controls ignores the category verdict from the
Dynamic Content Analysis engine and the URL retains the “uncategorized”
verdict for the remainder of the transaction. However, future transactions still
benefit from the new category verdict.