8-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 ASA and Cisco Cloud Web Security
Configure Cisco Cloud Web Security
The following sample configuration enables Cloud Web Security in context one with the default license
and in context two with the license key override:
! System Context
!
scansafe general-options
 server primary ip 180.24.0.62 port 8080
 license 366C1D3F5CE67D33D3E9ACEC265261E5
!
context one
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 allocate-interface GigabitEthernet0/3.1
 scansafe
 config-url disk0:/one_ctx.cfg
!
context two
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 allocate-interface GigabitEthernet0/3.2
 scansafe license 366C1D3F5CE67D33D3E9ACEC26789534
 config-url disk0:/two_ctx.cfg
!
Identify Whitelisted Traffic
If you use identity firewall or AAA rules, you can configure the ASA so that web traffic from specific
users or groups that otherwise match the service policy rule is not redirected to the Cloud Web Security
proxy server for scanning. This process is called “whitelisting” traffic.
You configure the whitelist in a ScanSafe inspection class map. You can use usernames and group names
derived from both identity firewall and AAA rules. You cannot whitelist based on IP address or on
destination URL.
When you configure your Cloud Web Security service policy rule, you refer to the class map in your policy. Although you can achieve the same result, exempting traffic based on user or group, by configuring the traffic matching criteria (with ACLs) in the service policy rule, you might find it more straightforward to use a whitelist instead.
Procedure
Step 1
Create the class map.
hostname(config)# class-map type inspect scansafe [match-all | match-any] class_map_name
hostname(config-cmap)#
Where class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one match statement. The CLI enters class-map configuration mode, where you can enter one or more match commands.
Example
hostname(config)# class-map type inspect scansafe match-any whitelist1
Step 2
Specify the whitelisted users and groups.
hostname(config-cmap)# match [not] {[user username] [group groupname]}
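The following is an added example, not a configuration from this guide, showing a match-any whitelist class map built with the Step 1 and Step 2 commands above and then applied in a Cloud Web Security policy. The policy-map type inspect scansafe, whitelist, and inspect scansafe commands belong to later steps of the same Cloud Web Security procedure, not to this excerpt; the names whitelist1, cws_policy, cws_class, the web ACL, and the user and group names are placeholders.

```text
! Step 1: match-any, so traffic matching any one statement is whitelisted
class-map type inspect scansafe match-any whitelist1
! Step 2: user1 only when seen as a member of group cisco (both criteria in one match)
 match user user1 group cisco
! user2 regardless of group
 match user user2
! any user in group1
 match group group1
! exclude: traffic from user3 is never treated as whitelisted by this line
 match not user user3
!
! ScanSafe inspection policy that references the class map and marks it as a whitelist
policy-map type inspect scansafe cws_policy
 parameters
  default user user1 group group1
  http
 class whitelist1
  whitelist
!
! Service policy: only traffic matching ACL "web" is redirected, minus the whitelisted users/groups
class-map cws_class
 match access-list web
policy-map global_policy
 class cws_class
  inspect scansafe cws_policy fail-open
service-policy global_policy global
```

Verify the result with show class-map type inspect scansafe and show service-policy inspect scansafe (assumed to be the relevant show commands on the platform described), and confirm that sessions from a whitelisted user bypass the proxy while other matching traffic is redirected.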