Cisco Cisco Web Security Appliance S170 사용자 가이드
9-9
AsyncOS 8.6 for Cisco Web Security Appliances User Guide
Chapter 9 Create Policies to Control Internet Requests
Time Ranges and Quotas
Exempting Client Applications from Authentication
Time Ranges and Quotas
Apply time and volume quotas to access policies and decryption policies to restrict a user’s connection
time or data volume (also referred to as a “bandwidth quota”). Quotas allow individual users to continue
accessing an Internet resource (or a class of Internet resources) until they exhaust the data volume or
time limit imposed. AsyncOS enforces defined quotas on HTTP, HTTPS and FTP traffic.
time or data volume (also referred to as a “bandwidth quota”). Quotas allow individual users to continue
accessing an Internet resource (or a class of Internet resources) until they exhaust the data volume or
time limit imposed. AsyncOS enforces defined quotas on HTTP, HTTPS and FTP traffic.
As a user approaches either their time or volume quota, AsyncOS displays first a warning, and then a
block page.
block page.
Please note the following regarding use of time and volume quotas:
•
If AsyncOS is deployed in transparent mode and HTTPS proxy is disabled, there is no listening on
port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit
mode, you can set quotas in your access policies.
port 443, and requests are dropped. This is standard behavior. If AsyncOS is deployed in explicit
mode, you can set quotas in your access policies.
When HTTPS proxy is enabled, possible actions on a request are pass-through, decrypt, drop, or
monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.
monitor. Overall, quotas in decryption policies are applicable only to the pass-through categories.
With pass-through, you will also have the option to set quotas for tunnel traffic. With decrypt, this
option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.
option is not available, as the quotas configured in the access policy will be applied to decrypted traffic.
•
If URL Filtering is disabled or if its feature key is unavailable, AsyncOS cannot identify the category
of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to
be present, and Acceptable Use Policies enabled, to configure quotas..
of a URL, and the Access Policy -> URL Filtering page is disabled. Thus, the feature key needs to
be present, and Acceptable Use Policies enabled, to configure quotas..
•
Many websites such as Facebook and Gmail auto-update at frequent intervals. If such a website is
left open in an unused browser window or tab, it will continue to consume the user’s quota of time
and volume.
left open in an unused browser window or tab, it will continue to consume the user’s quota of time
and volume.
•
A proxy restart will cause quotas to be reset, potentially allowing much more access than planned.
A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on.
Some confusion is possible, as administrators are not explicitly informed about proxy restarts.
A proxy restart may occur because of a configuration change, a crash, a machine reboot, and so on.
Some confusion is possible, as administrators are not explicitly informed about proxy restarts.
•
Your EUN pages (both warning and block) cannot be displayed for HTTPS even when
decrypt-for-EUN option is enabled.
decrypt-for-EUN option is enabled.
Note
The most restrictive quota will always apply when more than one quota applies to any given user.
Step
Task
Link
Step 1
Create an that does not require authentication.
Step 2
Set the membership as the client application to exempt.
Step 3
Place the above all other in the policies table that
require authentication.
require authentication.