Cisco Cisco Web Security Appliance S690 ユーザーガイド
Chapter 6 Working with Policies
Policy Group Membership
6-10
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Policy Group Membership
All policy groups define which transactions apply to them. When a client sends a
request to a server, the Web Proxy receives the request, evaluates it, and
determines to which policy group it belongs. The Web Proxy applies the
configured policy control settings to a client request based on the client request’s
policy group membership.
request to a server, the Web Proxy receives the request, evaluates it, and
determines to which policy group it belongs. The Web Proxy applies the
configured policy control settings to a client request based on the client request’s
policy group membership.
Transactions belong to a policy group for each type of policy that is enabled. If a
policy type has no user defined policy groups, then each transaction belongs to the
global policy group for that policy type.
policy type has no user defined policy groups, then each transaction belongs to the
global policy group for that policy type.
Policy group membership for a Routing, Decryption, Access, Data Security, and
External DLP Policies is based on an Identity and optional additional criteria.
That means that the Web Proxy evaluates Identity groups before the other policy
types. The Web Security appliance allows you to define some membership criteria
at either the Identity level or the non-Identity policy level. For more information,
see
External DLP Policies is based on an Identity and optional additional criteria.
That means that the Web Proxy evaluates Identity groups before the other policy
types. The Web Security appliance allows you to define some membership criteria
at either the Identity level or the non-Identity policy level. For more information,
see
Suppose you define an Identity by subnet 10.1.1.0/24 and then create an Access
Policy using that Identity. The Access Policy membership applies to all IP
addresses specified in the Identity by default. You can then choose to configure
the Access Policy membership so that it applies to a subset of the addresses
defined in the Identity, such as addresses 10.1.1.0-15.
Policy using that Identity. The Access Policy membership applies to all IP
addresses specified in the Identity by default. You can then choose to configure
the Access Policy membership so that it applies to a subset of the addresses
defined in the Identity, such as addresses 10.1.1.0-15.
For more information defining membership for each policy type, see the following
sections:
sections:
•
•
•
•
•
Authenticating Users versus Authorizing Users
The Web Security appliance separates where it authenticates users from where it
authorizes users.
authorizes users.