14-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 14 ASA and Cisco Cloud Web Security
Information About Cisco Cloud Web Security
You configure the URL filtering policies in ScanCenter, not in the ASA.
However, part of the policy is to whom the policy applies. User traffic can match a policy rule in
ScanCenter based on group association: a
directory group
or a
custom group
. Group information is
included in the requests redirected from the ASA, so you need to understand what group information you
might get from the ASA.
•
•
•
How Groups and the Authentication Key Interoperate, page 14-4
Directory Groups
Directory groups define the group to which traffic belongs. When using the identity firewall, the group,
if present, is included in the client’s HTTP request. If you do not use identity firewall, you can configure
a default group for traffic matching an ASA rule for Cloud Web Security inspection.
In ScanCenter, when you configure a directory group in a policy, you must enter the group name exactly.
•
Identity firewall group names are sent in the following format.
domain-name
\
group-name
Note that on the ASA, the format is
domain-name
\\
group-name
. However, the ASA modifies the
name to use only one backslash (\) to conform to typical ScanCenter notation when including the
group in the redirected HTTP request.
•
The default group name is sent in the following format:
[
domain\
]
group-name
On the ASA, you need to configure the optional domain name to be followed by 2 backslashes (\\);
however, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter
notation. For example, if you specify “Cisco\\Boulder1,” the ASA modifies the group name to be
“Cisco\Boulder1” with only one backslash (\) when sending the group name to Cloud Web Security.
Custom Groups
Custom groups are defined using one or more of the following criteria:
•
ScanCenter Group authentication key—You can generate a Group authentication key for a custom
group. Then, if you identify this group key when you configure the ASA, all traffic from the ASA
is tagged with the Group key.
•
Source IP address—You can identify source IP addresses in the custom group. Note that the ASA
service policy is based on source IP address, so you might want to configure any IP address-based
policy on the ASA instead.
•
Username—You can identify usernames in the custom group.
–
Identity firewall usernames are sent in the following format:
domain-name
\
username
–
AAA usernames, when using RADIUS or , are sent in the following format:
LOCAL\
username
–
AAA usernames, when using LDAP, are sent in the following format:
domain-name
\
username
Summary of Contents for ASA 5512-X
Page 5: ...P A R T 1 Service Policies and Access Control ...
Page 6: ......
Page 51: ...P A R T 2 Network Address Translation ...
Page 52: ......
Page 127: ...P A R T 3 Application Inspection ...
Page 128: ......
Page 255: ...P A R T 4 Connection Settings and Quality of Service ...
Page 256: ......
Page 303: ...P A R T 5 Advanced Network Protection ...
Page 304: ......
Page 339: ...P A R T 6 ASA Modules ...
Page 340: ......