Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.5.7 for Web User Guide
 
Chapter 10: Access Policies
Note: When a control setting matches Monitor and the transaction is ultimately allowed, the Web Proxy logs 
the monitored setting in the access logs. For example, when a URL matches a monitored URL category, 
the Web Proxy logs the URL category in the access logs.
 shows the order that the Web Proxy uses when evaluating control settings for 
Access Policies. The flow diagram shows that the only actions applied to a transaction are the final 
actions: Allow, Block, and Redirect.
Note
 shows the order the Web Proxy uses when evaluating control settings for 
Decryption Policies and 
 shows the order when evaluating control settings for 
Cisco IronPort Data Security Policies.
Evaluating Access Policy Group Membership
After the Web Proxy assigns an Identity to a client request, the Web Proxy evaluates the request against 
the other policy types to determine which policy group it belongs to for each type. When the HTTPS Proxy 
is enabled, it evaluates HTTP and decrypted HTTPS requests against the Access Policies. When the HTTPS 
Proxy is not enabled, by default, it evaluates HTTP and all HTTPS requests against the Access Policies.
The Web Proxy applies the configured policy control settings to a client request based on the client 
request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy follows a specific process 
for matching the group membership criteria. During this process, it considers the following factors for 
group membership:
  • Identity. Each client request either matches an Identity, fails authentication and is granted guest 
    access, or fails authentication and gets terminated. For more information about evaluating Identity 
    group membership, see .
  • Authorized users. If the assigned Identity requires authentication, the user must be in the list of 
    authorized users in the Access Policy group to match the policy group. The list of authorized users 
    can be any of the specified groups or users or can be guest users if the Identity allows guest access.
  • Advanced options. You can configure several advanced options for Access Policy group 
    membership. Some options (such as proxy port and URL category) can also be defined within the 
    Identity. When an advanced option is configured in the Identity, it is not configurable at the Access 
    Policy group level.
The information in this section gives an overview of how the Web Proxy matches client requests to 
Access Policy groups. For more details about exactly how the Web Proxy matches client requests, see 
.
The Web Proxy sequentially reads through each policy group in the policies table. It compares the client 
request status to the membership criteria of the first policy group. If they match, the Web Proxy applies 
the policy settings of that policy group.
If they do not match, the Web Proxy compares the client request to the next policy group. It continues 
this process until it matches the client request to a user-defined policy group. If it does not match a 
user-defined policy group, it matches the global policy group. When the Web Proxy matches the client request 
to a policy group or the global policy group, it applies the policy settings of that policy group.
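
Because the first matching group wins, a broad group placed above a narrower one makes the narrower group unreachable. The following added example (not Cisco code or an AsyncOS configuration format) models the top-to-bottom matching described above and flags such shadowed groups; the class, field, and policy names, and the convention of representing guest access as a "guest" principal, are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PolicyGroup:
    # Hypothetical model; None means the criterion is not configured (matches anything).
    name: str
    identity: str
    users: Optional[frozenset] = None           # authorized users or groups ("guest" for guest access)
    proxy_ports: Optional[frozenset] = None     # advanced option
    url_categories: Optional[frozenset] = None  # advanced option

    def matches(self, req: dict) -> bool:
        return (req["identity"] == self.identity
                and (self.users is None or bool(self.users & req["principals"]))
                and (self.proxy_ports is None or req["proxy_port"] in self.proxy_ports)
                and (self.url_categories is None or req["url_category"] in self.url_categories))

def evaluate(policies, req, global_group="Global Policy"):
    """Read the table top to bottom; first matching group wins, else the global group."""
    for group in policies:
        if group.matches(req):
            return group.name
    return global_group

def _covers(earlier, later):
    # An earlier criterion covers a later one if it is unset or a superset of it.
    return earlier is None or (later is not None and later <= earlier)

def shadowed(policies):
    """Return (group, shadowing_group) pairs for groups that no request can reach.
    Sufficient check only: it compares pairs, not the union of several earlier groups."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (earlier.identity == later.identity
                    and _covers(earlier.users, later.users)
                    and _covers(earlier.proxy_ports, later.proxy_ports)
                    and _covers(earlier.url_categories, later.url_categories)):
                found.append((later.name, earlier.name))
                break
    return found

# Constructed sample table and request.
STAFF = PolicyGroup("Staff", "Corp-Auth", users=frozenset({"staff", "finance"}))
FINANCE = PolicyGroup("Finance-Strict", "Corp-Auth", users=frozenset({"finance"}),
                      url_categories=frozenset({"Gambling"}))
REQ = {"identity": "Corp-Auth", "principals": frozenset({"alice", "finance"}),
       "proxy_port": 3128, "url_category": "Gambling"}

if __name__ == "__main__":
    print(evaluate([STAFF, FINANCE], REQ), shadowed([STAFF, FINANCE]))
    print(evaluate([FINANCE, STAFF], REQ), shadowed([FINANCE, STAFF]))
```

With the broad group first, the finance user's request lands in "Staff" and "Finance-Strict" is reported as shadowed; moving the narrower group above it restores the intended match.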