CHAPTER
 
8-1
Cisco ASA Series Firewall CLI Configuration Guide
 
8
ASA and Cisco Cloud Web Security
Cisco Cloud Web Security (also known as ScanSafe) provides web security and web filtering services 
through the Software-as-a-Service (SaaS) model. Enterprises with the ASA in their network can use 
Cloud Web Security services without having to install additional hardware.
• Information About Cisco Cloud Web Security, page 8-1
• Licensing Requirements for Cisco Cloud Web Security, page 8-4
• Guidelines for Cloud Web Security, page 8-5
• Configure Cisco Cloud Web Security, page 8-6
• Monitoring Cloud Web Security, page 8-14
• Examples for Cisco Cloud Web Security, page 8-15
• History for Cisco Cloud Web Security, page 8-19
Information About Cisco Cloud Web Security
When you enable Cloud Web Security on the ASA, the ASA transparently redirects selected HTTP and 
HTTPS traffic to the Cloud Web Security proxy servers based on service policy rules. The Cloud Web 
Security proxy servers then scan the content and allow, block, or send a warning about the traffic based 
on the policy configured in Cisco ScanCenter to enforce acceptable use and to protect users from 
malware.
The ASA can optionally authenticate and identify users with Identity Firewall and AAA rules. The ASA 
encrypts and includes the user credentials (including usernames and user groups) in the traffic it redirects 
to Cloud Web Security. The Cloud Web Security service then uses the user credentials to match the 
traffic to the policy. It also uses these credentials for user-based reporting. Without user authentication, 
the ASA can supply an (optional) default username and group, although usernames and groups are not 
required for the Cloud Web Security service to apply policy.
You can customize the traffic you want to send to Cloud Web Security when you create your service 
policy rules. You can also configure a “whitelist” so that a subset of web traffic that matches the service 
policy rule instead goes directly to the originally requested web server and is not scanned by Cloud Web 
Security.
You can configure a primary and a backup Cloud Web Security proxy server, each of which the ASA 
polls regularly to check for availability.
• User Identity and Cloud Web Security, page 8-2
• Authentication Keys, page 8-2