Cisco Web Security Appliance S660 User Guide
IRONPORT ASYNCOS 6.3 FOR WEB USER GUIDE
For information about creating and using policy groups, see “Working with Policies” on
page 105.
Note — The next two sections contain information about digital cryptography and HTTPS for
reference only.
Personally Identifiable Information Disclosure
If you choose to decrypt an end-user’s HTTPS session, then the Web Security appliance
access logs and reports may contain personally identifiable information. IronPort
recommends that Web Security appliance administrators take care when handling this
sensitive information.
You also have the option to configure how much URI text is stored in the logs using the
advancedproxyconfig CLI command and the HTTPS subcommand. You can log the entire
URI, or a partial form of the URI with the query portion removed. However, even when you
choose to strip the query from the URI, personally identifiable information may still remain.
Understanding the Monitor Action
When the Web Proxy evaluates the control settings against a transaction, it evaluates the
settings in a particular order. Each control setting can be configured to one of the following
actions for Decryption Policies:
• Monitor
• Drop
• Pass through
• Decrypt
All actions except Monitor are final actions the Web Proxy applies to a transaction. A final
action is an action that causes the Web Proxy to stop evaluating the transaction against other
control settings.
Monitor is an intermediary action that indicates the Web Proxy should continue evaluating
the transaction against the other control settings to determine which final action to ultimately
apply.
For example, if a Decryption Policy is configured to monitor invalid server certificates, the
Web Proxy makes no final decision on how to handle the HTTPS transaction if the server has
an invalid certificate. If a Decryption Policy is configured to block servers with a low web
reputation score, then any request to a server with a low reputation score is dropped without
considering the URL category actions.
Figure 10-9 on page 209 shows the order the Web Proxy uses when evaluating control
settings for Decryption Policies. Looking at the flow diagram, you can see that the only
actions applied to a transaction are the final actions listed above: Drop, Pass Through, and
Decrypt.
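The evaluation behavior described in this section, modeled in Python as an added example (it is not code from the appliance or from IronPort). The three control settings, their order, the reputation threshold, the category-to-action mapping and the sample transactions are assumptions constructed for illustration; the actual order is the one shown in Figure 10-9.

```python
from enum import Enum

class Action(Enum):
    MONITOR = "Monitor"
    DROP = "Drop"
    PASS_THROUGH = "Pass through"
    DECRYPT = "Decrypt"

# Every action except Monitor ends evaluation of the transaction.
FINAL_ACTIONS = {Action.DROP, Action.PASS_THROUGH, Action.DECRYPT}

# Constructed values for illustration, not appliance defaults.
LOW_REPUTATION = -6.0
CATEGORY_ACTIONS = {"finance": Action.PASS_THROUGH, "webmail": Action.DECRYPT}

def invalid_certificate(t):
    return None if t["cert_valid"] else Action.MONITOR

def web_reputation(t):
    return Action.DROP if t["reputation"] < LOW_REPUTATION else None

def url_category(t):
    return CATEGORY_ACTIONS.get(t["category"])

# Assumed order; the real order is the one in Figure 10-9.
CONTROL_SETTINGS = [invalid_certificate, web_reputation, url_category]

def evaluate(transaction, settings=CONTROL_SETTINGS):
    """Return (final_action, trace); trace lists each setting that matched."""
    trace = []
    for setting in settings:
        action = setting(transaction)
        if action is None:           # setting does not apply to this transaction
            continue
        trace.append((setting.__name__, action))
        if action in FINAL_ACTIONS:  # stop: later settings are never consulted
            return action, trace
    # Only Monitor (or nothing) matched; the page does not say what applies here.
    return None, trace

# Constructed sample transactions.
BAD_SITE = {"cert_valid": False, "reputation": -8.5, "category": "finance"}
BANK = {"cert_valid": False, "reputation": 4.0, "category": "finance"}
```

For BAD_SITE the trace ends at web_reputation, so the URL category is never evaluated; for BANK the monitored certificate setting lets evaluation continue until the URL category supplies the final action.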