Cisco Cisco Web Security Appliance S170 사용자 가이드
9-2
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 9 Block, Allow or Redirect Transaction Requests
Overview of Block, Allow, or Redirect Transaction Requests
•
Time Range within which the request is made
•
URL Category of the Destination web site
•
User Agents (application) making the request
AsyncOS for Web uses multiple web security features in conjunction with its Web Proxy and DVS
engine to control web traffic, protect networks from web-based threats, and enforce organization
acceptable use policies. You can define policies that determine which HTTP connections are allowed and
blocked.
engine to control web traffic, protect networks from web-based threats, and enforce organization
acceptable use policies. You can define policies that determine which HTTP connections are allowed and
blocked.
To configure the appliance to handle HTTP requests, perform the following tasks:
Step 1
Enable the Web Proxy. To allow or block HTTP traffic, you must first enable the Web Proxy. Usually,
the Web Proxy is enabled during the initial setup using the System Setup Wizard. For more information,
see
the Web Proxy is enabled during the initial setup using the System Setup Wizard. For more information,
see
.
Step 2
Create and configure Access Policy groups. After the Web Proxy is enabled, you create and configure
Access Policy groups to determine how to handle each request from each user. For more information,
see
Access Policy groups to determine how to handle each request from each user. For more information,
see
Access Policy Groups
Access Policies define how the Web Proxy handles HTTP and FTP requests and decrypted HTTPS
connections for network users. You can apply different actions to specified groups of users. You can also
specify which ports the Web Proxy monitors for HTTP transactions.
connections for network users. You can apply different actions to specified groups of users. You can also
specify which ports the Web Proxy monitors for HTTP transactions.
Note
HTTP PUT and POST requests are handled by Outbound Malware Scanning, Cisco IronPort Data
Security, and External DLP Policies. For more information, see
Security, and External DLP Policies. For more information, see
and
When the Web Proxy receives an HTTP request on a monitored port or a decrypted HTTPS connection,
it compares the request to the Access Policy groups to determine which Access Policy group to apply.
After it assigns the request to an Access Policy group, it can determine what to do with the request. For
more information about evaluating policy group membership, see
it compares the request to the Access Policy groups to determine which Access Policy group to apply.
After it assigns the request to an Access Policy group, it can determine what to do with the request. For
more information about evaluating policy group membership, see
.
The Web Proxy can perform any of the following actions on an HTTP request or decrypted HTTPS
connection:
connection:
•
Allow. The Web Proxy permits the connection without interruption. Allowed connections may not
have been scanned by the DVS engine.
have been scanned by the DVS engine.
•
Block. The Web Proxy does not permit the connection and instead displays an end user notification
page explaining the reason for the block.
page explaining the reason for the block.
•
Redirect. The Web Proxy does not allow the connection to the originally requested destination
server and instead connects to a different specified URL. You might want to redirect traffic at the
appliance if your organization published the links to an internal site, but the location of the site
changed since publication, or if you do not have control over the web server. For more information
about redirecting traffic, see
server and instead connects to a different specified URL. You might want to redirect traffic at the
appliance if your organization published the links to an internal site, but the location of the site
changed since publication, or if you do not have control over the web server. For more information
about redirecting traffic, see