Cisco ASA Series Cli Configuration Manual page 1391

Chapter 1 Configuring the ASA for Cisco Cloud Web Security
Command
Step 7
policy-map type inspect scansafe name2
parameters
default {[user user] [group group]}
class whitelist_name2
whitelist
Example:
hostname(config)# policy-map type inspect
scansafe cws_inspect_pmap2
hostname(config-pmap)# parameters
hostname(config-pmap-p)# default group2
default_group2
hostname(config-pmap-p)# class whitelist2
hostname(config-pmap-c)# whitelist
Step 8
access-list access_list_name
[line line_number] extended
{deny | permit} tcp [user_argument]
[security_group_argument]
source_address_argument [port_argument]
dest_address_argument [port_argument]
Example:
hostname(config)# object network cisco1
hostname(config-object-network)# fqdn
www.cisco.com
hostname(config)# object network cisco2
hostname(config-object-network)# fqdn
tools.cisco.com
hostname(config)# access-list
SCANSAFE_HTTP extended deny tcp any4
object cisco1 eq 80
hostname(config)# access-list
SCANSAFE_HTTP extended deny tcp any4
object cisco2 eq 80
hostname(config)# access-list
SCANSAFE_HTTP extended permit tcp any4
any4 eq 80
Step 9
class-map name1
Example:
hostname(config)# class-map cws_class1
Purpose
Repeat Step 1 to Step 6 to create a separate class map for HTTPS
traffic (for example). You can create an inspection class map for
each class of traffic you want to send to Cloud Web Security. You
can reuse an inspection class map for multiple classes of traffic if
desired.
Identifies the class of traffic you want to send to Cloud Web
Security. Create an ACL consisting of one or more access control
entries (ACEs). For detailed information about ACLs, see
Chapter 1, "Adding an Extended Access Control List."
Cloud Web Security only operates on HTTP and HTTPS traffic.
Each type of traffic is treated separately by the ASA. Therefore,
you need to create HTTP-only ACLs and HTTPS-only ACLs.
Create as many ACLs as needed for your policy.
A permit ACE sends matching traffic to Cloud Web Security. A
deny ACE exempts traffic from the service policy rule, so it is not
sent to Cloud Web Security.
When creating your ACLs, consider how you can match
appropriate traffic that is destined for the Internet, but not match
traffic that is destined for other internal networks. For example, to
prevent inside traffic from being sent to Cloud Web Security when
the destination is an internal server on the DMZ, be sure to add a
deny ACE to the ACL that exempts traffic to the DMZ.
FQDN network objects might be useful in exempting traffic to
specific servers.
The user_argument lets you specify the IDFW username or group,
either inline or by referring to an object group.
The security_group_argument lets you specify the TrustSec
security group, either inline or by referring to an object group.
Note that although you can match traffic to send to Cloud Web
Security by security group, the ASA does not send security group
information to Cloud Web Security in the HTTP header; Cloud
Web Security cannot create policy based on the security group.
Creates a class map to identify the traffic for which you want to
enable Cloud Web Security filtering.
Cisco ASA Series CLI Configuration Guide
Configuring Cisco Cloud Web Security
1-11