8-16
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 8 ASA and Cisco Cloud Web Security
Examples for Cisco Cloud Web Security
user-identity monitor user-group ASASCANLAB\\GROUPNAME
Step 3 (Optional) Configure a whitelist.
If there are specific users or groups you would like to exempt from Cloud Web Security filtering, you
can create a whitelist.
class-map type inspect scansafe match-any whiteListCmap
match user LOCAL\user1
Step 4 Configure ACLs.
We recommend that you split the traffic by creating separate HTTP and HTTPS class maps so that you
know how many HTTP and HTTPS packets have gone through.
Then, if you need to troubleshoot you can run debug commands to distinguish how many packets have
traversed each class map and find out if you are pushing through more HTTP or HTTPS traffic:
hostname(config)# access-list web extended permit tcp any any eq www
hostname(config)# access-list https extended permit tcp any any eq https
Step 5 Configure class maps.
hostname(config)# class-map cmap-http
hostname(config-cmap)# match access-list web
hostname(config)# class-map cmap-https
hostname(config-cmap)# match access-list https
Step 6 Configure inspection policy maps.
hostname(config)# policy-map type inspect scansafe http-pmap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# default group httptraffic
hostname(config-pmap-p)# http
hostname(config-pmap-p)# class whiteListCmap
hostname(config-pmap-p)# whitelist
hostname(config)# policy-map type inspect scansafe https-pmap
hostname(config-pmap)# parameters
hostname(config-pmap-p)# default group httpstraffic
hostname(config-pmap-p)# https
hostname(config-pmap-p)# class whiteListCmap
hostname(config-pmap-p)# whitelist
Step 7 Configure policy maps.
The following example creates unique policy maps for Cloud Web Security traffic.
hostname(config)# policy-map pmap-webtraffic
hostname(config-pmap)# class cmap-http
hostname(config-pmap-c)# inspect scansafe http-pmap fail-close
hostname(config-pmap)# class cmap-https
hostname(config-pmap-c)# inspect scansafe https-pmap fail-close
Alternatively, you can add the classes to the default global_policy to have redirection enabled for all
interfaces. Ensure that you add the classes to global_policy rather than applying a new policy map
globally, or you will remove the default protocol inspections that are part of the default global policy.
hostname(config)# policy-map global_policy
hostname(config-pmap)# class cmap-http
hostname(config-pmap-c)# inspect scansafe http-pmap fail-close
hostname(config-pmap)# class cmap-https
hostname(config-pmap-c)# inspect scansafe https-pmap fail-close
To Next Page
Loading...
Need help?
General
