8-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 ASA and Cisco Cloud Web Security
Configure Cisco Cloud Web Security
hostname(config)# access-list SCANSAFE_HTTP extended deny tcp any4 object dmz_network eq 443
hostname(config)# access-list SCANSAFE_HTTPS extended permit tcp any4 any4 eq 443
hostname(config)# class-map cws_class1
hostname(config-cmap)# match access-list SCANSAFE_HTTP
hostname(config)# class-map cws_class2
hostname(config-cmap)# match access-list SCANSAFE_HTTPS
hostname(config)# policy-map cws_policy
hostname(config-pmap)# class cws_class1
hostname(config-pmap-c)# inspect scansafe cws_inspect_pmap1 fail-open
hostname(config-pmap)# class cws_class2
hostname(config-pmap-c)# inspect scansafe cws_inspect_pmap2 fail-open
hostname(config)# service-policy cws_policy inside
Configure the User Identity Monitor
When you use identity firewall, the ASA only downloads user identity information from the AD server
for users and groups included in active ACLs. The ACL must be used in a feature such as an access rule,
AAA rule, service policy rule, or other feature to be considered active.
For example, although you can configure your Cloud Web Security service policy rule to use an ACL
with users and groups, thus activating any relevant groups, it is not required. You could use an ACL based
entirely on IP addresses.
Because Cloud Web Security can base its ScanCenter policy on user identity, you might need to
download groups that are not part of an active ACL to get full identity firewall coverage for all your
users. The user identity monitor lets you download group information directly from the AD agent.
Note
The ASA can only monitor a maximum of 512 groups, including those configured for the user identity
monitor and those monitored through active ACLs.
Procedure
Step 1
Identify the groups that you want to use in ScanCenter policies that are not already used in active ACLs.
If necessary, create local user group objects.
Step 2
Download the group information from the AD agent.
user-identity monitor {user-group [domain-name\\]group-name | object-group-user object-group-name}
hostname(config)# user-identity monitor user-group CISCO\\Engineering
Where:
• user-group—Specifies a group name defined in the AD server.
• object-group-user—The name of a local object created by the object-group user command. This group can include multiple groups.
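Added example, not part of the Cisco guide: a small Python audit that reads a running-config fragment and reports which groups the ASA would download (monitor plus active ACL), which groups appear only in ACLs that are not active, and whether the 512-group ceiling from the note holds. The sample config is constructed; it assumes the identity firewall ACL form `user-group DOMAIN\\group` and the `object-group user` syntax, and it treats an ACL as active only when a class-map that matches it belongs to a policy-map applied with service-policy (the case this page shows).

```python
import re

MAX_MONITORED_GROUPS = 512  # ceiling from the guide: monitor groups plus active-ACL groups

# Constructed sample running-config fragment (not from the guide); SALES_ACL is never applied.
SAMPLE_CONFIG = r"""
object-group user cws_groups
 user-group CISCO\\Marketing
access-list ENG_ACL extended permit tcp user-group CISCO\\Engineering any4 any4 eq 80
access-list SALES_ACL extended permit tcp user-group CISCO\\Sales any4 any4 eq 80
class-map cws_class1
 match access-list ENG_ACL
policy-map cws_policy
 class cws_class1
service-policy cws_policy inside
user-identity monitor user-group CISCO\\Finance
user-identity monitor object-group-user cws_groups
"""

def audit_identity_groups(config):
    """Return the AD groups this config makes the ASA download: 'monitor' (user-identity
    monitor, object-group user expanded), 'active' (ACL user-group entries matched by a
    class-map of an applied policy-map) and 'uncovered' (groups only in inactive ACLs)."""
    og, cmap, pmap = {}, {}, {}       # members of object-group user / class-map / policy-map
    acl, applied_pmap, monitor, monitor_og = {}, set(), set(), set()
    cur, key = set(), None            # member set of the open sub-mode and its line prefix
    for line in filter(None, (l.strip() for l in config.splitlines())):
        w = line.split()
        if w[:2] == ["object-group", "user"]:
            cur, key = og.setdefault(w[2], set()), "user-group "
        elif w[0] == "class-map" and w[1] != "type":
            cur, key = cmap.setdefault(w[1], set()), "match access-list "
        elif w[0] == "policy-map" and w[1] != "type":   # 'policy-map type inspect' has no classes
            cur, key = pmap.setdefault(w[1], set()), "class "
        elif key and line.startswith(key):               # member line: last word is the name
            cur.add(w[-1])
        elif w[0] == "access-list":
            for g in re.findall(r"\buser-group (\S+)", line):
                acl.setdefault(w[1], set()).add(g)
        elif w[0] == "service-policy":
            applied_pmap.add(w[1])
        elif w[:2] == ["user-identity", "monitor"]:     # object-group-user expanded after loop
            (monitor if w[2] == "user-group" else monitor_og).add(w[3])
    monitor.update(*(og.get(n, set()) for n in monitor_og))
    applied_acl = set().union(*(cmap.get(c, set()) for p in applied_pmap for c in pmap.get(p, ())))
    active = set().union(*(acl.get(a, set()) for a in applied_acl))
    uncovered = set().union(*acl.values()) - active - monitor
    total = len(monitor | active)
    return {"monitor": monitor, "active": active, "uncovered": uncovered,
            "total": total, "within_limit": total <= MAX_MONITORED_GROUPS}
```

On the sample, CISCO\\Sales is reported as uncovered: it is referenced only by SALES_ACL, which no service policy activates, so it would need a user-identity monitor entry to be downloaded.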