Cisco Content Security Management Appliance M390 User Guide
AsyncOS 9.5.x for Cisco Content Security Management Appliances User Guide
Chapter 9 Managing Web Security Appliances
Setting Up Configuration Masters to Centrally Manage Web Security Appliances
Tip for Working with Identities/Identification Profiles in Configuration Masters
When creating an Identity/Identification Profile on the Security Management appliance, you have the
option of making it apply only to specific appliances. So for example, if you purchase a Security
Management appliance and want to preserve the existing Web Security appliance configurations and the
policies that were created for each Web Security appliance, you must load one file into the machine, and
then add policies from other machines by hand.
One way to accomplish this is to make a set of Identities/Identification Profiles for each appliance, then
have policies which refer to those Identities/Identification Profiles. When the Security Management
appliance publishes the configuration, those Identities/Identification Profiles and the policies which
refer to them will automatically be removed and disabled. Using this method, you do not have to
configure anything manually. This is essentially a ‘per-appliance’ Identity/Identification Profile.
The only challenge with this method arises when a default policy or Identity/Identification Profile
differs between sites, for example a policy set for “default allow with auth” at one site and
“default deny” at another. In that case you will need to create per-appliance Identities/Identification
Profiles and policies just above the default, essentially creating your own “default” policy.
Ensuring that Features are Enabled Consistently
Before you publish a Configuration Master, you should ensure that it will publish and that the intended
features will be enabled and configured as you expect them to be after publishing.
To do this, do both of the following:
•
•
Note
If multiple Web Security appliances with different features enabled are assigned to the same
Configuration Master, you should publish to each appliance separately, and perform these procedures
before each publish.
Comparing Enabled Features
Verify that the features enabled on each Web Security appliance match the features enabled for the
Configuration Master associated with that appliance.
Table 9-1
Feature Configuration: Differences between Configuration Master and Web Security Appliance

Feature or Page | Details
Access Policies > Web Reputation and Anti-Malware Settings | Options available on this page depend on whether Adaptive Scanning is enabled for the relevant configuration master. Check this setting in Web > Utilities > Security Services Display.
SaaS Policies | The authentication option “Prompt SaaS users who have been discovered by transparent user identification” is available only when a Web Security appliance with an authentication realm that supports transparent user identification has been added as a managed appliance.