Cisco Asdm 7 User Guide
25-13 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 25 Configuring the ASA for Cisco Cloud Web Security Configuring Cisco Cloud Web Security

d. In the Name field, specify a name for the inspection policy map, up to 40 characters in length.
e. (Optional) Enter a description.
f. (Optional) On the Parameters tab, specify a Default User and/or a Default Group. If the ASA cannot determine the identity of the user coming into the ASA, then the default user and/or group is applied.
g. For the Protocol, click HTTP or HTTPS, to match the service you set in Step 3d. Cloud Web Security treats each type of traffic separately.
h. (Optional) To identify a whitelist, click the Inspections tab.
– Click Add to choose the inspection class map you created in the “(Optional) Configuring Whitelisted Traffic” section on page 25-23. The Add Cloud Web Security Match Criterion dialog box appears.
– From the Cloud Web Security Traffic Class drop-down menu, choose an inspection class map. To add or edit a class map, click Manage.
– For the Action, click Whitelist.
– Click OK to add the whitelist to the policy map.
– Click OK.

Step 6 Click Finish. The rule is added to the Service Policy Rules table.

Step 7 To add additional sub-rules (ACEs) for this traffic class, to match or exempt additional traffic:
a. Choose Configuration > Firewall > Service Policy Rules, and click Add > Service Policy Rule.
b. Choose the same service policy as Step 2. Click Next.
c. On the Traffic Classification Criteria dialog box, choose Add Rule to Existing Traffic Class, and choose the name you created in Step 3. Click Next.
d. In the Traffic Match - Source and Destination dialog box, choose Match to inspect additional traffic, or Do Not Match to exempt traffic from Cloud Web Security inspections. Be sure to set the service to match the previous rules in this class (HTTP or HTTPS); you cannot mix HTTP and HTTPS in the same traffic class for Cloud Web Security. Click Next.
e. On the Rule Actions dialog box, do not make any changes; click Finish. For this traffic class, you can have only one set of rule actions even if you add multiple ACEs, so the previously specified actions are inherited.

Step 8 Repeat this entire procedure to create an additional traffic class, for example for HTTPS traffic. You can create as many rules and sub-rules as needed.

Step 9 Arrange the order of Cloud Web Security rules and sub-rules on the Service Policy Rules pane. See the “Managing the Order of Service Policy Rules” section on page 1-15 for information about changing the order of ACEs.
Step 10 Click Apply.

Examples

The following example exempts all IPv4 HTTP and HTTPS traffic going to the 10.6.6.0/24 network (test_network), sends all other HTTP and HTTPS traffic to Cloud Web Security, and applies this service policy rule to all interfaces as part of the existing global policy. If the Cloud Web Security server is unreachable, the ASA drops all matching traffic (fail close). If a user does not have user identity information, the default user Boulder and group Cisco are used.

Step 1 Choose Configuration > Firewall > Service Policy Rules, and click Add > Service Policy Rule. Add this rule to the default global_policy:
Step 2 Add a new traffic class called “scansafe-http,” and specify an ACL for traffic matching:

Step 3 Choose Match, and specify any4 for the Source and Destination. Specify tcp/http for the Service.
Step 4 Check Cloud Web Security and click Configure.

Step 5 Accept the default Fail Close action, and click Add.
Step 6 Name the inspection policy map “http-map,” set the Default User to Boulder and the default group to Cisco. Choose HTTP.

Step 7 Click OK, OK, and then Finish. The rule is added to the Service Policy Rules table.

Step 8 Choose Configuration > Firewall > Service Policy Rules, and click Add > Service Policy Rule. Add the new rule to the default global_policy:
Step 9 Click Add rule to existing traffic class, and choose scansafe-http.

Step 10 Choose Do not match, set any4 as the Source, and 10.6.6.0/24 as the Destination. Set the Service to tcp/http.
Step 11 Click Finish.

Step 12 Reorder the rules so the Do not match rule is above the Match rule.
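
Why the reordering in Step 12 matters, as an added example that is not part of the Cisco guide: the Python sketch below models the two sub-rules of the scansafe-http class and flags an exemption that sits behind a broader Match rule. It assumes top-down, first-match evaluation of the ACEs and that the new Do not match rule initially lands below the Match rule; the tuple layout, the function names and the sample address 198.51.100.7 are constructed for illustration.

```python
import ipaddress

# Constructed model of the two sub-rules (ACEs) in the "scansafe-http" traffic
# class from the example: (action, destination network, destination TCP port).
MATCH_ALL = ("match", "0.0.0.0/0", 80)             # any4 -> any4, tcp/http
EXEMPT_TEST = ("do-not-match", "10.6.6.0/24", 80)  # any4 -> test_network


def cws_decision(aces, dst_ip, dst_port):
    """Return the action of the first ACE that covers the connection.

    Assumption: ACEs are evaluated top-down and the first hit wins, which is
    why Step 12 puts the Do not match rule above the Match rule.
    """
    dst = ipaddress.ip_address(dst_ip)
    for action, network, port in aces:
        if dst_port == port and dst in ipaddress.ip_network(network):
            return action
    return "no-ace"  # not covered by this class, so not sent to Cloud Web Security


def shadowed_exemptions(aces):
    """List do-not-match ACEs hidden behind an earlier, broader match ACE."""
    hidden = []
    for i, (action, network, port) in enumerate(aces):
        if action != "do-not-match":
            continue
        net = ipaddress.ip_network(network)
        for prev_action, prev_net, prev_port in aces[:i]:
            if (prev_action == "match" and prev_port == port
                    and net.subnet_of(ipaddress.ip_network(prev_net))):
                hidden.append(network)
                break
    return hidden


as_created = [MATCH_ALL, EXEMPT_TEST]  # assumed order before Step 12
reordered = [EXEMPT_TEST, MATCH_ALL]   # order after Step 12

if __name__ == "__main__":
    for name, aces in (("as created", as_created), ("reordered", reordered)):
        print(name,
              cws_decision(aces, "10.6.6.25", 80),      # host in test_network
              cws_decision(aces, "198.51.100.7", 80),   # any other web server
              shadowed_exemptions(aces))
```

With the rules in the wrong order, traffic to 10.6.6.0/24 is still redirected to Cloud Web Security and the exemption never takes effect. Port 443 returns "no-ace" in both orders because this class covers tcp/http only, so HTTPS needs its own traffic class as described in Step 8 of the procedure.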