Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 10 Access Policies
Access Policies Overview
When the Web Proxy receives an HTTP request on a monitored port or a decrypted HTTPS connection, 
it compares the request to the Access Policy groups to determine which Access Policy group to apply. 
After it assigns the request to an Access Policy group, it can determine what to do with the request. For 
more information about evaluating policy group membership, see 
.
The Web Proxy can perform any of the following actions on an HTTP request or decrypted HTTPS 
connection:
  • Allow. The Web Proxy permits the connection without interruption. Allowed connections may not
    have been scanned by the DVS engine.
  • Block. The Web Proxy does not permit the connection and instead displays an end user notification
    page explaining the reason for the block.
  • Redirect. The Web Proxy does not allow the connection to the originally requested destination
    server and instead connects to a different specified URL. You might want to redirect traffic at the
    appliance if your organization published the links to an internal site, but the location of the site
    changed since publication, or if you do not have control over the web server. For more information
    about redirecting traffic, see
Note
The preceding actions are final actions that the Web Proxy takes on a client request. The Monitor action 
that you can configure for Access Policies is not a final action. For more information, see 
.
After the Web Proxy assigns an Access Policy to an HTTP or decrypted HTTPS request, it compares the 
request to the policy group’s configured control settings to determine which action to apply. You can 
configure multiple security components to determine how to handle HTTP and decrypted HTTPS 
requests for a particular policy group. For more information about the security components that you can 
configure and how the Web Proxy uses Access Policy groups to control HTTP traffic, see 
Understanding the Monitor Action
When the Web Proxy compares a transaction to the control settings, it evaluates the settings in order. 
Each control setting can be configured to perform one of the following actions for Access Policies:
  • Monitor
  • Allow
  • Block
  • Redirect
All actions except Monitor are final actions that the Web Proxy applies to a transaction. A final action 
is an action that causes the Web Proxy to stop comparing the transaction to the rest of the control settings.
The Monitor action is an intermediary action. The Web Proxy continues comparing the transaction to the 
other control settings to determine which final action to apply.
For example, if an Access Policy is configured to monitor a suspect user agent, the Web Proxy does not 
make a final determination about a request from the user agent. If an Access Policy is configured to block 
a particular URL category, then any request to that URL category is blocked before fetching the content 
from the server regardless of the server’s reputation score.
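
The ordering rule described above, as an added example that is not part of the Cisco guide: a minimal Python model of in-order evaluation in which Monitor records a match and continues while Allow, Block and Redirect stop the comparison. The setting names, their order, the URL category, the reputation threshold and the sample requests are constructed assumptions, not AsyncOS configuration.

```python
from dataclasses import dataclass
from typing import Callable

FINAL_ACTIONS = {"allow", "block", "redirect"}  # every action except "monitor"

@dataclass
class ControlSetting:
    name: str                        # hypothetical label, not an AsyncOS identifier
    matches: Callable[[dict], bool]  # does this setting apply to the request?
    action: str                      # "monitor", "allow", "block" or "redirect"

def evaluate(settings, request):
    """Walk the settings in order; return (final_action, deciding_setting, trace)."""
    trace = []
    for setting in settings:
        if not setting.matches(request):
            continue
        trace.append((setting.name, setting.action))
        if setting.action in FINAL_ACTIONS:
            # Final action: the remaining settings are never compared.
            return setting.action, setting.name, trace
        # Monitor is intermediary: record the match and keep going.
    # Only Monitor matched (or nothing did); this model makes no decision here.
    return None, None, trace

# Constructed policy. The order and the threshold are assumptions for illustration.
POLICY = [
    ControlSetting("user-agent", lambda r: "SuspectAgent" in r["user_agent"], "monitor"),
    ControlSetting("url-category", lambda r: r["category"] == "Gambling", "block"),
    ControlSetting("web-reputation", lambda r: r["reputation"] >= 6.0, "allow"),
]

# Constructed requests, all sent by the monitored user agent.
REQUESTS = {
    "blocked-category": {"user_agent": "SuspectAgent/1.0", "category": "Gambling", "reputation": 9.0},
    "good-reputation": {"user_agent": "SuspectAgent/1.0", "category": "News", "reputation": 9.0},
    "monitor-only": {"user_agent": "SuspectAgent/1.0", "category": "News", "reputation": 1.0},
}

if __name__ == "__main__":
    for label, request in REQUESTS.items():
        action, decided_by, trace = evaluate(POLICY, request)
        print(f"{label}: final={action} decided_by={decided_by} trace={trace}")
```

For the first request the web-reputation setting never appears in the trace: the category block is final, so the high reputation score is not consulted.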