Cisco Cisco Web Security Appliance S170 사용자 가이드
P O L I C Y G R O U P M E M B E R S H I P R U L E S A N D G U I D E L I N E S
C H A P T E R 7 : W O R K I N G W I T H P O L I C I E S
135
Typically, you use All Identities in a policy while also configuring an advanced option, such as
a particular user agent or destination (using a custom URL category). This allows you to create
a single rule that makes an exception for a specific case instead of creating multiple rules to
make the exception for the specific case. For example, you can create an Access Policy group
whose membership applies to All Identities and a custom URL category for all intranet pages.
Then you can configure the Access Policy control settings to disable anti-malware filtering
and Web Reputation scoring.
a particular user agent or destination (using a custom URL category). This allows you to create
a single rule that makes an exception for a specific case instead of creating multiple rules to
make the exception for the specific case. For example, you can create an Access Policy group
whose membership applies to All Identities and a custom URL category for all intranet pages.
Then you can configure the Access Policy control settings to disable anti-malware filtering
and Web Reputation scoring.
Policy Group Membership Rules and Guidelines
Consider the following rules and guidelines when defining policy group membership:
• The Web Proxy evaluates Identity groups before the other policy types.
• Subnet membership criteria defined in the Identity group can be further narrowed down
in the policy group using the Identity group.
• Advanced membership criteria (proxy ports, URL categories, and user agents) defined in
the Identity group cannot be defined in the policy group using the Identity group.
• Define Identity groups as broadly as possible. Then you can use the Identity groups in
other policy types and further narrow down membership as necessary.
• Define fewer, more generic Decryption and Routing Policies as much as possible.
• If you need to define membership by URL category, only define it in the Identity group
when you need to exempt from authentication requests to that category. For other
purposes, define membership by URL category in the Access, Decryption, Routing, Data
Security, or External DLP Policy group. This can increase performance in most cases.
purposes, define membership by URL category in the Access, Decryption, Routing, Data
Security, or External DLP Policy group. This can increase performance in most cases.