Cisco ASA 5506-X Configuration Manual page 307

Chapter 14 ASA and Cisco Cloud Web Security
You configure the URL filtering policies in ScanCenter, not in the ASA.
However, part of the policy is to whom the policy applies. User traffic can match a policy rule in
ScanCenter based on group association: a directory group or a custom group. Group information is
included in the requests redirected from the ASA, so you need to understand what group information you
might get from the ASA.
•
•
•
Directory Groups
Directory groups define the group to which traffic belongs. When using the identity firewall, the group,
if present, is included in the client's HTTP request. If you do not use identity firewall, you can configure
a default group for traffic matching an ASA rule for Cloud Web Security inspection.
In ScanCenter, when you configure a directory group in a policy, you must enter the group name exactly.
•
•
Custom Groups
Custom groups are defined using one or more of the following criteria:
•
•
•
Directory Groups, page 14-3
Custom Groups, page 14-3
How Groups and the Authentication Key Interoperate, page 14-4
Identity firewall group names are sent in the following format.
domain-name\group-name
Note that on the ASA, the format is domain-name\\group-name. However, the ASA modifies the
name to use only one backslash (\) to conform to typical ScanCenter notation when including the
group in the redirected HTTP request.
The default group name is sent in the following format:
[domain\]group-name
On the ASA, you need to configure the optional domain name to be followed by 2 backslashes (\\);
however, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter
notation. For example, if you specify "Cisco\\Boulder1," the ASA modifies the group name to be
"Cisco\Boulder1" with only one backslash (\) when sending the group name to Cloud Web Security.
ScanCenter Group authentication key—You can generate a Group authentication key for a custom
group. Then, if you identify this group key when you configure the ASA, all traffic from the ASA
is tagged with the Group key.
Source IP address—You can identify source IP addresses in the custom group. Note that the ASA
service policy is based on source IP address, so you might want to configure any IP address-based
policy on the ASA instead.
Username—You can identify usernames in the custom group.
Identity firewall usernames are sent in the following format:
–
domain-name\username
– AAA usernames, when using RADIUS or TACACS+, are sent in the following format:
LOCAL\username
– AAA usernames, when using LDAP, are sent in the following format:
domain-name\username
Information About Cisco Cloud Web Security
Cisco ASA Series Firewall CLI Configuration Guide
14-3