User Guide for Cisco Web Security Appliance S170
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 7 Policies
• Advanced membership criteria (proxy ports, URL categories, and user agents) defined in the
  Identity group cannot be defined in the policy group using the Identity group.
• Define Identity groups as broadly as possible. Then you can use the Identity groups in other policy
  types and further narrow down membership as necessary.
• Define fewer, more generic Decryption and Routing Policies as much as possible.
• If you need to define membership by URL category, only define it in the Identity group when you
  need to exempt from authentication requests to that category. For other purposes, define membership
  by URL category in the Access, Decryption, Routing, Data Security, or External DLP Policy group.
  This can increase performance in most cases.
Working with Time Based Policies
The Web Security appliance provides the means to create time based policies by specifying time ranges,
such as business hours, and using those time ranges to define access to the web. You can define policy
group membership based on time ranges, and you can specify actions for URL filtering based on time
ranges.
You might want to use time ranges to accomplish the following tasks:
• You can block access to high bandwidth sites, such as streaming media, or distracting sites, such as
  games, during business hours.
• You can route transactions to a particular external proxy after midnight when the other proxies are
  being serviced.
• You can allow larger files to be downloaded on the weekends.
Define time ranges on the Web Security Manager > Defined Time Ranges page. You can create time
ranges to define concepts such as “business hours” or “weekend shift.” Then you can use the time ranges
in the following locations:
• Policy group membership for a Routing, Access, or Decryption Policy.
• URL filtering settings for Access Policies.
When you define a time range, you can specify the day(s) of the week and the time of day. A transaction
matches the time range when it occurs on one of the days specified and during the time specified. You
can also define multiple combinations of day and time in a single time range. For example, you can
define a time range that applies to transactions that occur on Monday through Friday from 08:00 to 17:00
or on Saturday from 09:00 to 13:00.
Policies and URL filtering actions can be defined inside or outside the defined time ranges.
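The matching rule described above, modeled as an added Python example (not code from the Cisco guide or from the appliance). The rule tuple, the action strings, and the half-open boundary handling are assumptions made for illustration, and the sample transactions are constructed.

```python
from datetime import datetime, time

# Constructed model of one defined time range: several (days, start, end)
# combinations. Days use datetime.weekday(): Monday=0 ... Sunday=6.
BUSINESS_HOURS = [
    ({0, 1, 2, 3, 4}, time(8, 0), time(17, 0)),  # Monday-Friday 08:00-17:00
    ({5}, time(9, 0), time(13, 0)),              # Saturday 09:00-13:00
]

def in_time_range(ts, time_range):
    """True when ts is on a listed day and within that combination's hours."""
    # Assumption: start is inclusive and end is exclusive; the guide does not
    # say how the appliance treats the boundary minute.
    return any(ts.weekday() in days and start <= ts.time() < end
               for days, start, end in time_range)

def url_action(ts, category, rule):
    """Evaluate one hypothetical time based URL filtering rule.

    rule = (category, time_range, inside, action, otherwise); inside=True
    applies `action` within the range, inside=False applies it outside.
    """
    rule_category, time_range, inside, action, otherwise = rule
    if category != rule_category:
        return "no-match"
    return action if in_time_range(ts, time_range) == inside else otherwise

# Hypothetical rule: block streaming media inside business hours.
RULE = ("Streaming Media", BUSINESS_HOURS, True, "block", "monitor")

# Constructed sample transactions: (timestamp, URL category).
SAMPLE = [
    ("2024-03-04 10:30", "Streaming Media"),  # Monday, inside the range
    ("2024-03-04 18:05", "Streaming Media"),  # Monday, after 17:00
    ("2024-03-09 09:00", "Streaming Media"),  # Saturday, at the start time
    ("2024-03-09 13:00", "Streaming Media"),  # Saturday, at the end time
    ("2024-03-10 10:00", "Streaming Media"),  # Sunday, no combination listed
    ("2024-03-05 11:00", "News"),             # category not covered by the rule
]

def evaluate(transactions, rule):
    """Return the decision for each (timestamp, category) pair."""
    return [url_action(datetime.strptime(t, "%Y-%m-%d %H:%M"), c, rule)
            for t, c in transactions]

if __name__ == "__main__":
    for (t, c), decision in zip(SAMPLE, evaluate(SAMPLE, RULE)):
        print(t, c, decision)
```

Replaying boundary timestamps like these against the appliance's own access logs is a quick way to confirm how a deployed time range treats the start and end minute.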
Note
Because you can define time based policy group membership only for Routing, Access, and Decryption
Policies, but not Identities, you cannot create time based policies that define when users must
authenticate. Authentication requirements are defined in Identity groups, but time based policies are
defined in other policy group types. (bug #41723)
Creating Time Ranges
Step 1  Go to Web Security Manager > Defined Time Ranges.
Step 2  Click Add Time Range.