Cisco ASA Series Firewall CLI Configuration Guide, page 25-16
Chapter 25: Configuring the ASA for Cisco Cloud Web Security
Configuring Cisco Cloud Web Security
hostname(config-pmap-p)# https
hostname(config-pmap-p)# default group2 default_group2
hostname(config-pmap-p)# class whitelist1
hostname(config-pmap-c)# whitelist
(Optional) Configuring the User Identity Monitor

When you use IDFW, the ASA only downloads user identity information from the AD server for users and groups included in active ACLs; the ACL must be used in a feature such as an access rule, AAA rule, service policy rule, or other feature to be considered active. Because Cloud Web Security can base its policy on user identity, you may need to download groups that are not part of an active ACL to get full IDFW coverage for all your users. For example, although you can configure your Cloud Web Security service policy rule to use an ACL with users and groups, thus activating any relevant groups, it is not required; you could use an ACL based entirely on IP addresses. The user identity monitor feature lets you download group information directly from the AD agent.
Restrictions

The ASA can only monitor a maximum of 512 groups, including those configured for the user identity monitor and those monitored through active ACLs.
Detailed Steps

Command:
user-identity monitor {user-group [domain-name\\]group-name | object-group-user object-group-name}

Example:
ciscoasa(config)# user-identity monitor user-group CISCO\\Engineering

Purpose:
Downloads the specified user or group information from the AD agent.
user-group—Specifies a group name inline. Although you specify 2 backslashes (\\) between the domain and the group, the ASA modifies the name to include only one backslash when it sends it to Cloud Web Security, to comply with Cloud Web Security notation conventions.
object-group-user—Specifies an object-group user name. This group can include multiple groups.

Configuring the Cloud Web Security Policy

After you configure the ASA service policy rules, launch the ScanCenter Portal to configure Web content scanning, filtering, malware protection services, and reports.

Detailed Steps

Go to: 
For more information, see the Cisco ScanSafe Cloud Web Security Configuration Guides:
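As an added example that is not part of the Cisco guide: a small Python helper that parses `user-identity monitor user-group` lines out of ASA configuration text, applies the two-backslash to one-backslash normalisation the ASA performs before sending names to Cloud Web Security, and checks the monitored set plus the ACL-activated groups against the 512-group limit stated above. The configuration text is constructed, and the count of groups already activated through ACLs is assumed to be supplied by the operator.

```python
import re
from typing import Dict, List, Optional

# Limit stated in the guide: the ASA monitors at most 512 groups in total
# (user identity monitor entries plus groups monitored through active ACLs).
MAX_MONITORED_GROUPS = 512

# Matches "user-identity monitor user-group [DOMAIN\\]GROUP" as typed on the CLI,
# where two backslashes separate the domain from the group name.
MONITOR_RE = re.compile(
    r"^\s*user-identity monitor user-group\s+"
    r"(?:(?P<domain>[^\\\s]+)\\\\)?(?P<group>\S+)\s*$"
)


def to_cws_notation(domain: Optional[str], group: str) -> str:
    """Return the name in Cloud Web Security notation: a single backslash."""
    return f"{domain}\\{group}" if domain else group


def parse_monitored_groups(config_text: str) -> List[str]:
    """Collect user-identity monitor user-group entries from ASA config text,
    normalised to Cloud Web Security notation and deduplicated in order."""
    seen: Dict[str, None] = {}
    for line in config_text.splitlines():
        m = MONITOR_RE.match(line)
        if m:
            seen.setdefault(to_cws_notation(m.group("domain"), m.group("group")), None)
    return list(seen)


def check_group_budget(monitored: List[str], acl_group_count: int) -> dict:
    """Compare monitored groups plus ACL-activated groups against the 512 limit."""
    total = len(monitored) + acl_group_count
    return {"total": total, "limit": MAX_MONITORED_GROUPS,
            "within_limit": total <= MAX_MONITORED_GROUPS}


# Constructed sample configuration (not from a real device); note the duplicate.
SAMPLE_CONFIG = r"""
user-identity monitor user-group CISCO\\Engineering
user-identity monitor user-group CISCO\\Finance
user-identity monitor user-group CISCO\\Engineering
user-identity monitor user-group Contractors
"""

if __name__ == "__main__":
    groups = parse_monitored_groups(SAMPLE_CONFIG)
    print(groups)                              # names as sent to Cloud Web Security
    print(check_group_budget(groups, acl_group_count=510))  # over budget: 513 > 512
```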