Cisco Web Security Appliance S680 User Guide
AsyncOS 10.0 for Cisco Web Security Appliances User Guide
Chapter 10 Create Policies to Control Internet Requests
Time Ranges and Quotas
Time and Volume Quotas
Quotas allow individual users to continue accessing an Internet resource (or a class of Internet resources)
until they exhaust the data volume or time limit imposed. AsyncOS enforces defined quotas on HTTP,
HTTPS and FTP traffic.
As a user approaches either their time or volume quota, AsyncOS displays first a warning, and then a
block page.
Please note the following regarding use of time and volume quotas:
• If AsyncOS is deployed in transparent mode and HTTPS proxy is disabled, AsyncOS does not listen on
port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit
mode, you can set quotas in your access policies.
When HTTPS proxy is enabled, possible actions on a request are pass-through, decrypt, drop, or
monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.
With pass-through, you will also have the option to set quotas for tunnel traffic. With decrypt, this
option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.
• If URL Filtering is disabled or if its feature key is unavailable, AsyncOS cannot identify the category
of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to
be present, and Acceptable Use Policies enabled, to configure quotas.
• Many websites such as Facebook and Gmail auto-update at frequent intervals. If such a website is
left open in an unused browser window or tab, it will continue to consume the user’s quota of time
and volume.
• A proxy restart will cause quotas to be reset, potentially allowing much more access than planned.
A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on.
Some confusion is possible, as administrators are not explicitly informed about proxy restarts.
• Your EUN pages (both warning and block) cannot be displayed for HTTPS even when the
decrypt-for-EUN option is enabled.
Note
The most restrictive quota will always apply when more than one quota applies to any given user.
Volume Quota Calculations
Calculation of volume quotas is as follows:
• HTTP and decrypted HTTPS traffic – The HTTP request and response body are counted toward
quota limits. The request headers and response headers will not be counted toward the limits.
• Tunnel traffic (including tunneled HTTPS) – AsyncOS simply shuttles the tunneled traffic from the
client to the server, and vice versa. The entire data volume of the tunnel traffic is counted toward
quota limits.
• FTP – The control-connection traffic is not counted. The size of the file uploaded and downloaded
is counted toward quota limits.
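The following model is an added example, not AsyncOS code or Cisco's implementation. It applies the counting rules above, together with the most-restrictive-quota rule from the Note, to constructed transfer records, and shows that the same download consumes more quota when it is tunneled than when it is decrypted. The `Transfer` record, its field names, the byte figures, and the `>=` exhaustion test are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    """One constructed transfer record; field names are hypothetical."""
    kind: str               # "http", "https_decrypted", "tunnel" or "ftp"
    header_bytes: int = 0   # HTTP request + response headers
    body_bytes: int = 0     # HTTP request + response bodies
    wire_bytes: int = 0     # every byte relayed through a tunnel, both directions
    control_bytes: int = 0  # FTP control-connection traffic
    file_bytes: int = 0     # FTP files uploaded and downloaded

def counted_bytes(t: Transfer) -> int:
    """Bytes charged to the volume quota under the rules in this section."""
    if t.kind in ("http", "https_decrypted"):
        return t.body_bytes          # headers are not counted
    if t.kind == "tunnel":
        return t.wire_bytes          # the entire tunnel volume is counted
    if t.kind == "ftp":
        return t.file_bytes          # the control connection is not counted
    raise ValueError(f"unknown transfer kind: {t.kind!r}")

def quota_status(transfers, quota_limits):
    """Return (used, limit, exhausted) with the most restrictive quota applied."""
    if not quota_limits:
        raise ValueError("at least one quota limit is required")
    used = sum(counted_bytes(t) for t in transfers)
    limit = min(quota_limits)        # the most restrictive quota always applies
    return used, limit, used >= limit  # assumption: exhausted once used reaches limit

# Constructed sample: the same 5,000,000-byte download seen three ways.
SAMPLE = [
    Transfer("https_decrypted", header_bytes=1_200, body_bytes=5_000_000),
    Transfer("tunnel", wire_bytes=5_060_000),  # body + headers + TLS framing
    Transfer("ftp", control_bytes=900, file_bytes=5_000_000),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(f"{t.kind:16} counted={counted_bytes(t):>10,}")
    # Two quotas apply to this user; the 15,000,000-byte one governs.
    print(quota_status(SAMPLE, [20_000_000, 15_000_000]))
```
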