Cisco Cisco Web Security Appliance S390 ユーザーガイド
10-12
AsyncOS 8.7 for Cisco Web Security Appliances User Guide
Chapter 10 Create Policies to Control Internet Requests
Time Ranges and Volume Quotas
Exempting Client Applications from Authentication
Time Ranges and Volume Quotas
Apply time and volume quotas to access policies and decryption policies to restrict a user’s connection
time or data volume (also referred to as a “bandwidth quota”). Quotas allow individual users to continue
accessing an Internet resource (or a class of Internet resources) until they exhaust the data volume or
time limit imposed. AsyncOS enforces defined quotas on HTTP, HTTPS and FTP traffic.
time or data volume (also referred to as a “bandwidth quota”). Quotas allow individual users to continue
accessing an Internet resource (or a class of Internet resources) until they exhaust the data volume or
time limit imposed. AsyncOS enforces defined quotas on HTTP, HTTPS and FTP traffic.
As a user approaches either their time or volume quota, AsyncOS displays first a warning, and then a
block page.
block page.
Please note the following regarding use of time and volume quotas:
•
If AsyncOS is deployed in transparent mode and HTTPS proxy is disabled, there is no listening on
port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit
mode, you can set quotas in your access policies.
port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit
mode, you can set quotas in your access policies.
When HTTPS proxy is enabled, possible actions on a request are pass-through, decrypt, drop, or
monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.
monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.
With pass-through, you will also have the option to set quotas for tunnel traffic. With decrypt, this
option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.
option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.
•
If URL Filtering is disabled or if its feature key is unavailable, AsyncOS cannot identify the category
of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to
be present, and Acceptable Use Policies enabled, to configure quotas..
of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to
be present, and Acceptable Use Policies enabled, to configure quotas..
•
Many websites such as Facebook and Gmail auto-update at frequent intervals. If such a website is
left open in an unused browser window or tab, it will continue to consume the user’s quota of time
and volume.
left open in an unused browser window or tab, it will continue to consume the user’s quota of time
and volume.
•
A proxy restart will cause quotas to be reset, potentially allowing much more access than planned.
A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on.
Some confusion is possible, as administrators are not explicitly informed about proxy restarts.
A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on.
Some confusion is possible, as administrators are not explicitly informed about proxy restarts.
•
Your EUN pages (both warning and block) cannot be displayed for HTTPS even when
decrypt-for-EUN option is enabled.
decrypt-for-EUN option is enabled.
Note
The most restrictive quota will always apply when more than one quota applies to any given user.
Step
Task
Link
Step 1
Create an Identification Profile that does not
require authentication.
require authentication.
Classifying Users and Client Software
Step 2
Set the Identification Profile membership as the client
application to exempt.
application to exempt.
Step 3
Place the Identification Profile above all other Identification
Profiles in the policies table that require authentication.
Profiles in the policies table that require authentication.