Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 17 URL Filters
URL Filters Overview
• Control access to HTTP, HTTPS, and FTP requests. You can choose to allow or block HTTP and
FTP requests by URL category using Access Policies, and you can choose to pass through, drop, or
decrypt HTTPS requests by URL category using Decryption Policies. You can also choose whether
or not to block upload requests by URL category using Cisco IronPort Data Security Policies. For
more information, see
In addition to the predefined URL categories included with the URL filtering engine, you can create
user-defined custom URL categories that specify particular hostnames and IP addresses. For more information,
see
Dynamic Content Analysis Engine
The Dynamic Content Analysis engine is a scanning engine called at response time to categorize a
transaction that failed categorization using only the URL in the client request. You might want to enable
Dynamic Content Analysis when your organization’s traffic visits more of the newer, and therefore not
yet categorized, sites on the Internet.
Enable the Dynamic Content Analysis engine when you enable Cisco IronPort Web Usage Controls on
the Security Services > Acceptable Use Controls page.
After the Dynamic Content Analysis engine categorizes a URL, it stores the category verdict and URL
in a temporary cache. This allows future transactions to benefit from the earlier response scan and be
categorized at request time instead of at response time, and it improves overall performance.
The Dynamic Content Analysis engine categorizes URLs when controlling access to websites in Access
Policies only. It does not categorize URLs when determining policy group membership or when
controlling access to websites using Decryption or Cisco IronPort Data Security Policies. This is because
the engine works by analyzing the response content from the destination server, so it cannot be used on
decisions that must be made at request time before any response is downloaded from the server.
Enabling the Dynamic Content Analysis engine can impact transaction performance. However, most
transactions are categorized using the Cisco IronPort Web Usage Controls URL categories database, so
the Dynamic Content Analysis engine is usually only called for a small percentage of transactions.
Note
It is possible for an Access Policy, or an Identity used in an Access Policy, to define policy membership
by a predefined URL category and for the Access Policy to perform an action on the same URL category.
In this case, it is also possible for the URL in the request to be uncategorized when determining Identity
and Access Policy group membership, but to be categorized by the Dynamic Content Analysis engine
after receiving the server response. In this scenario, Cisco IronPort Web Usage Controls ignores the
category verdict from the Dynamic Content Analysis engine and the URL retains the “uncategorized”
verdict for the remainder of the transaction. However, future transactions still benefit from the new
category verdict.
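The following simplified model of the Access Policy flow described above is an added example, not Cisco code. It shows why the first transaction to a new site can stay "uncategorized" while later ones are categorized at request time. The class, the keyword classifier, the sample hostnames and category names, and the database-before-cache lookup order are all assumptions made for illustration.

```python
UNCATEGORIZED = "uncategorized"

# Constructed sample data standing in for the URL categories database.
URL_DB = {"news.example.com": "News"}


class AccessPolicyCategorizer:
    """Toy model of request-time lookup plus response-time analysis."""

    def __init__(self, dca_enabled=True):
        self.dca_enabled = dca_enabled
        self.cache = {}      # temporary cache of response-time verdicts
        self.dca_calls = 0   # how often the response-time engine ran

    def request_time_lookup(self, host):
        # Assumed order: database first, then verdicts cached earlier.
        return URL_DB.get(host) or self.cache.get(host, UNCATEGORIZED)

    def analyze_response(self, body):
        # Hypothetical stand-in; the real engine's logic is not documented here.
        return "Gambling" if "casino" in body.lower() else UNCATEGORIZED

    def handle(self, host, response_body, membership_by_category=False):
        """Return the category the Access Policy acts on for this transaction."""
        category = self.request_time_lookup(host)
        if category != UNCATEGORIZED or not self.dca_enabled:
            return category              # decided at request time
        self.dca_calls += 1              # response-time scan is needed
        verdict = self.analyze_response(response_body)
        if verdict != UNCATEGORIZED:
            self.cache[host] = verdict   # future transactions benefit
        # Case from the Note: group membership was already decided with the
        # URL uncategorized, so the new verdict is ignored for this transaction.
        return UNCATEGORIZED if membership_by_category else verdict


def demo():
    engine = AccessPolicyCategorizer()
    body = "Online casino welcome bonus"  # constructed response content
    first = engine.handle("new-site.example", body, membership_by_category=True)
    second = engine.handle("new-site.example", body, membership_by_category=True)
    return first, second, engine.dca_calls


if __name__ == "__main__":
    print(demo())
```

When reviewing policy coverage, treat the first request to a newly seen site as governed by whatever action the policy assigns to uncategorized URLs.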
Uncategorized URLs
An uncategorized URL is a URL that does not match any pre-defined URL category or included custom
URL category.
Note
When determining policy group membership, a custom URL category is considered included only when
it is selected for policy group membership.