Identify Whitelisted Traffic - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Configure Cisco Cloud Web Security
The following sample configuration enables Cloud Web Security in context one with the default license
and in context two with the license key override:
! System Context
!
scansafe general-options
 server primary ip 180.24.0.62 port 8080
 license 366C1D3F5CE67D33D3E9ACEC265261E5
!
context one
 allocate-interface GigabitEthernet0/0.1
 allocate-interface GigabitEthernet0/1.1
 allocate-interface GigabitEthernet0/3.1
 scansafe
 config-url disk0:/one_ctx.cfg
!
context two
 allocate-interface GigabitEthernet0/0.2
 allocate-interface GigabitEthernet0/1.2
 allocate-interface GigabitEthernet0/3.2
 scansafe license 366C1D3F5CE67D33D3E9ACEC26789534
 config-url disk0:/two_ctx.cfg
!

Identify Whitelisted Traffic

If you use identity firewall or AAA rules, you can configure the ASA so that web traffic from specific
users or groups that otherwise match the service policy rule is not redirected to the Cloud Web Security
proxy server for scanning. This process is called "whitelisting" traffic.
You configure the whitelist in a ScanSafe inspection class map. You can use usernames and group names
derived from both identity firewall and AAA rules. You cannot whitelist based on IP address or on
destination URL.
When you configure your Cloud Web Security service policy rule, you refer to the class map in your
policy. Although you can achieve the same result (exempting traffic based on user or group) by
configuring the traffic matching criteria (with ACLs) in the service policy rule, you might find it more
straightforward to use a whitelist instead.
Procedure
Step 1
Create the class map.
hostname(config)# class-map type inspect scansafe [match-all | match-any] class_map_name
hostname(config-cmap)#
Where the class_map_name is the name of the class map. The match-all keyword is the default, and
specifies that traffic must match all criteria to match the class map. The match-any keyword specifies
that the traffic matches the class map if it matches at least one match statement. The CLI enters
class-map configuration mode, where you can enter one or more match commands.
Example
hostname(config)# class-map type inspect scansafe match-any whitelist1
Step 2
Specify the whitelisted users and groups.
match [not] {[user username] [group groupname]}
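Steps 1 and 2 carried through to a complete whitelist, as an added example that is not from the manual: it shows a match-any and a match-all class map side by side, and goes beyond this page by including the policy-map and service-policy commands that bind the whitelist into the Cloud Web Security service policy (the manual's later steps). All names (class maps, policy maps, ACL, users, groups, interface) are assumed.

```cisco
! Whitelist class map (match-any): a flow is exempted from CWS scanning if it
! matches ANY one of the lines below. Names and users/groups are assumed.
class-map type inspect scansafe match-any whitelist1
 match user svc_backup
 match group patch-servers
 match user jdoe group it-admins
!
! Same statements under match-all: a flow must be user jdoe AND in group
! it-admins to be whitelisted. Whitelisted traffic is never scanned, so keep
! the map as narrow as the exemption actually requires.
class-map type inspect scansafe match-all whitelist_strict
 match user jdoe
 match group it-admins
!
! Cloud Web Security inspection policy that references the whitelist.
! "default user/group" is used when identity firewall/AAA yields no identity.
policy-map type inspect scansafe cws_inspect_pmap1
 parameters
  http
  default user unknown_user group unknown_group
 class whitelist1
  whitelist
!
! Layer 3/4 service policy: send HTTP from the inside interface to CWS.
! fail-close drops web traffic if the CWS tower is unreachable; fail-open
! would pass it unscanned instead.
access-list SCANSAFE_HTTP extended permit tcp any any eq www
class-map cws_class1
 match access-list SCANSAFE_HTTP
policy-map cws_policy1
 class cws_class1
  inspect scansafe cws_inspect_pmap1 fail-close
service-policy cws_policy1 interface inside
```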
Cisco ASA Series Firewall CLI Configuration Guide
8-8
Chapter 8
ASA and Cisco Cloud Web Security
