Cisco Cisco Web Security Appliance S170 Guía Del Usuario
Chapter 8 Access Policies
Evaluating Access Policy Group Membership
8-4
Cisco IronPort AsyncOS 7.1 for Web User Guide
OL-23207-01
Note
When a control setting matches Monitor and the transaction is ultimately allowed,
the Web Proxy logs the monitored setting in the access logs. For example, when
a URL matches a monitored URL category, the Web Proxy logs the URL category
in the access logs.
the Web Proxy logs the monitored setting in the access logs. For example, when
a URL matches a monitored URL category, the Web Proxy logs the URL category
in the access logs.
shows the order that the Web Proxy uses when evaluating
control settings for Access Policies. The flow diagram shows that the only actions
applied to a transaction are the final actions: Allow, Block, and Redirect.
applied to a transaction are the final actions: Allow, Block, and Redirect.
Note
shows the order the Web Proxy uses when evaluating
control settings for Decryption Policies and
shows the
order when evaluating control settings for IronPort Data Security Policies.
Evaluating Access Policy Group Membership
After the Web Proxy assigns an Identity to a client request, the Web Proxy
evaluates the request against the other policy types to determine which policy
group it belongs for each type. When the HTTPS Proxy is enabled, it applies
HTTP and decrypted HTTPS requests against the Access Policies. When HTTPS
Proxy is not enabled, by default, it evaluates HTTP and all HTTPS requests
against the Access Policies.
evaluates the request against the other policy types to determine which policy
group it belongs for each type. When the HTTPS Proxy is enabled, it applies
HTTP and decrypted HTTPS requests against the Access Policies. When HTTPS
Proxy is not enabled, by default, it evaluates HTTP and all HTTPS requests
against the Access Policies.
The Web Proxy applies the configured policy control settings to a client request
based on the client request’s policy group membership.
based on the client request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy
follows a specific process for matching the group membership criteria. During
this process, it considers the following factors for group membership:
follows a specific process for matching the group membership criteria. During
this process, it considers the following factors for group membership:
•
Identity. Each client request either matches an Identity, fails authentication
and is granted guest access, or fails authentication and gets terminated. For
more information about evaluating Identity group membership, see
and is granted guest access, or fails authentication and gets terminated. For
more information about evaluating Identity group membership, see
.
•
Authorized users. If the assigned Identity requires authentication, the user
must be in the list of authorized users in the Access Policy group to match the
policy group. The list of authorized users can be any of the specified groups
or users or can be guest users if the Identity allows guest access.
must be in the list of authorized users in the Access Policy group to match the
policy group. The list of authorized users can be any of the specified groups
or users or can be guest users if the Identity allows guest access.