Cisco ASA 5506-X Configuration Manual page 313

Chapter 14
ASA and Cisco Cloud Web Security
The match keyword specifies a user or group to whitelist, or both.
The match not keyword specifies that the user or group should be filtered using Cloud Web Security.
For example, if you whitelist the group "cisco," but you want to scan traffic from users "johncrichton"
and "aerynsun," which are members of that group, you can specify match not for those users. Repeat
this command to add as many users and groups as needed.
Example
The following example whitelists the same users and groups for the HTTP and HTTPS inspection policy
maps:
hostname(config)# class-map type inspect scansafe match-any whitelist1
hostname(config-cmap)# match user user1 group cisco
hostname(config-cmap)# match user user2
hostname(config-cmap)# match group group1
hostname(config-cmap)# match user user3 group group3
hostname(config)# policy-map type inspect scansafe cws_inspect_pmap1
hostname(config-pmap)# parameters
hostname(config-pmap-p)# http
hostname(config-pmap-p)# default group default_group
hostname(config-pmap-p)# class whitelist1
hostname(config-pmap-c)# whitelist
hostname(config)# policy-map type inspect scansafe cws_inspect_pmap2
hostname(config-pmap)# parameters
hostname(config-pmap-p)# https
hostname(config-pmap-p)# default group default_group2
hostname(config-pmap-p)# class whitelist1
hostname(config-pmap-c)# whitelist
Configure a Service Policy to Send Traffic to Cloud Web Security
Your service policy consists of multiple service policy rules, applied globally or to each
interface. Each service policy rule either sends traffic to Cloud Web Security (Match) or exempts
traffic from Cloud Web Security (Do Not Match).
Create rules for traffic destined for the Internet. The order of these rules is important. When the ASA
decides whether to forward or exempt a packet, the ASA tests the packet with each rule in the order in
which the rules are listed. After a match is found, no more rules are checked. For example, if you create
a rule at the beginning of a policy that explicitly Matches all traffic, no further statements are ever
checked.
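The following is an added model (not Cisco code, and not from this guide) of the two decisions described above: the first-match ordering of service policy rules, and the whitelist class-map with its match and match not lines. The whitelist semantics are an assumption taken from the text: a flow is whitelisted when any positive line matches and no match not line matches. The flows, users and the 10.0.0.0/8 exemption are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Flow:
    user: str
    groups: frozenset
    dst_ip: str

@dataclass(frozen=True)
class WhitelistEntry:
    # One "match [not] [user U] [group G]" line of a match-any whitelist class-map.
    user: Optional[str] = None
    group: Optional[str] = None
    negate: bool = False  # True models "match not"

    def hits(self, flow: Flow) -> bool:
        user_ok = self.user is None or flow.user == self.user
        group_ok = self.group is None or self.group in flow.groups
        return user_ok and group_ok

def is_whitelisted(entries, flow: Flow) -> bool:
    # Assumed semantics: any positive line hits and no "match not" line hits.
    hits = [e for e in entries if e.hits(flow)]
    return any(not e.negate for e in hits) and not any(e.negate for e in hits)

@dataclass(frozen=True)
class Rule:
    # One service policy rule: a predicate plus Match (True) / Do Not Match (False).
    predicate: Callable[[Flow], bool]
    send_to_cws: bool

def decide(rules, whitelist, flow: Flow) -> str:
    # First-match evaluation: the first rule whose predicate hits decides; later rules are never checked.
    for rule in rules:
        if rule.predicate(flow):
            if not rule.send_to_cws:
                return "exempt"
            return "whitelisted" if is_whitelisted(whitelist, flow) else "scanned"
    return "no-match"

# Constructed sample data modelled on the page's example.
WHITELIST = [WhitelistEntry(group="cisco"),
             WhitelistEntry(user="johncrichton", negate=True),
             WhitelistEntry(user="aerynsun", negate=True)]
EXEMPT_INTERNAL = Rule(lambda f: f.dst_ip.startswith("10."), send_to_cws=False)
MATCH_ALL = Rule(lambda f: True, send_to_cws=True)
GOOD_ORDER = [EXEMPT_INTERNAL, MATCH_ALL]
BAD_ORDER = [MATCH_ALL, EXEMPT_INTERNAL]  # Match-all first shadows the exemption
```

With BAD_ORDER, internal traffic is sent to Cloud Web Security even though an exemption rule exists, which is the ordering mistake the text warns about.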
Before You Begin
If you need to use a whitelist to exempt some traffic from being sent to Cloud Web Security, first create
the whitelist so you can refer to it in your service policy rule.
Procedure
Step 1 Create the ScanSafe inspection policy maps. You need to define separate maps for HTTP and HTTPS.
a. Create the ScanSafe inspection policy map.
hostname(config)# policy-map type inspect scansafe policy_map_name
Configure Cisco Cloud Web Security
Cisco ASA Series Firewall CLI Configuration Guide
14-9
