8-5
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 ASA and Cisco Cloud Web Security
Guidelines for Cloud Web Security
On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify
the number of users that the ASA handles. Then log into ScanCenter and generate your authentication
keys.
Guidelines for Cloud Web Security
Context Mode Guidelines
Supported in single and multiple context modes.
In multiple context mode, the server configuration is allowed only in the system context, and the service
policy rule configuration is allowed only in the security contexts.
Each context can have its own authentication key, if desired.
Firewall Mode Guidelines
Supported in routed firewall mode only. Does not support transparent firewall mode.
IPv6 Guidelines
Does not support IPv6. Cloud Web Security currently supports only IPv4 addresses. If you use IPv6
internally, use NAT 64 to translate IPv6 addresses to IPv4 for any IPv6 flows that need to be sent to
Cloud Web Security.
Additional Guidelines
•
Cloud Web Security is not supported with ASA clustering.
•
You cannot use Cloud Web Security on the same traffic you redirect to a module that can also
perform URL filtering, such as ASA CX and ASA FirePOWER. The traffic is sent to the modules
only, not to the Cloud Web Security servers.
•
Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt any clientless SSL
VPN traffic from the ASA service policy for Cloud Web Security.
•
When an interface to the Cloud Web Security proxy servers goes down, output from the
show
scansafe server
command shows both servers up for approximately 15-25 minutes. This condition
may occur because the polling mechanism is based on the active connection, and because that
interface is down, it shows zero connection, and it takes the longest poll time approach.
•
Cloud Web Security inspection is compatible with HTTP inspection for the same traffic.
•
Cloud Web Security is not supported with extended PAT or any application that can potentially use
the same source port and IP address for separate connections. For example, if two different
connections (targeted to separate servers) use extended PAT, the ASA might reuse the same source
IP and source port for both connection translations because they are differentiated by the separate
destinations. When the ASA redirects these connections to the Cloud Web Security server, it
replaces the destination with the Cloud Web Security server IP address and port (8080 by default).
As a result, both connections now appear to belong to the same flow (same source IP/port and
destination IP/port), and return traffic cannot be untranslated properly.
•
The default inspection traffic class does not include the default ports for the Cloud Web Security
inspection (80 and 443).
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...