Cisco ASA 5506-X Configuration Manual page 314
Cisco ASA Series Firewall CLI Configuration Guide, Chapter 14: ASA and Cisco Cloud Web Security (page 14-10)

Configure Cisco Cloud Web Security

hostname(config-pmap)#

Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.

b. Enter parameters configuration mode.

hostname(config-pmap)# parameters
hostname(config-pmap-p)#

c. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:

{http | https}—The service type for this map. You can only specify one service type per map, so you need separate maps for HTTP and HTTPS.

default {[user username] [group groupname]}—(Optional.) The default user or group name, or both. If the ASA cannot determine the identity of the user coming into the ASA, then the default user and group are included in the HTTP request sent to Cloud Web Security. You can define policies in ScanCenter for this user or group name.

d. (Optional.) If you defined a whitelist, identify the class and use the whitelist command to mark it as a whitelist.

hostname(config-pmap-p)# class whitelist1
hostname(config-pmap-c)# whitelist

e. Repeat the process to create an inspection policy map for the other protocol, HTTP or HTTPS.

Step 2 Define the classes for the traffic you want to redirect to Cloud Web Security.

ACL matching is the most flexible way to define the class. However, if you want to send all HTTP/HTTPS traffic, you could instead use a port match in the class (match port tcp 80 and match port tcp 443). The following procedure describes an ACL match.

a. Create ACLs (access-list extended command) to identify the traffic you want to send to Cloud Web Security. You must create separate ACLs for HTTP and HTTPS traffic. Because Cloud Web Security works on HTTP/HTTPS traffic only, any other traffic defined in the ACL is ignored.

A permit ACE sends matching traffic to Cloud Web Security. A deny ACE exempts traffic from the service policy rule, so it is not sent to Cloud Web Security. Use tcp for the protocol, and identify the port (80 for HTTP, 443 for HTTPS).

When creating your ACLs, consider how you can match traffic that is destined for the Internet without matching traffic that is destined for other internal networks. For example, to prevent inside traffic from being sent to Cloud Web Security when the destination is an internal server on the DMZ, add a deny ACE to the ACL that exempts traffic to the DMZ.

FQDN network objects might be useful in exempting traffic to specific servers. You can also use identity firewall user arguments and Cisco TrustSec security groups to help identify traffic. Note that TrustSec security group information is not sent to Cloud Web Security; you cannot define policy based on security group.

Create as many ACLs as needed for your policy. You can apply redirection to any number of traffic classes.

The following example shows how to exempt HTTP traffic to two servers, but include the remaining traffic. You would create a duplicate ACL for HTTPS traffic, where you simply change the port to 443.

hostname(config)# object network cisco1
hostname(config-object-network)# fqdn www.cisco.com
hostname(config)# object network cisco2
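The procedure above (the Step 1 inspection policy maps and the Step 2a redirect ACLs) worked through as one complete configuration. This is an added example, not text from the guide: the map, object and ACL names, the user and group names, the 192.0.2.0/24 DMZ subnet and the FQDN are assumptions, and the class-map type inspect scansafe definition used for the whitelist is assumed from the general ASA CLI rather than taken from this page.

```cisco
! Added example (not from the guide). All names, addresses and FQDNs are assumed.
! --- Step 1: whitelist class (assumed syntax) and one policy map per protocol ---
class-map type inspect scansafe match-any whitelist1
 match user admin1 group admins
!
policy-map type inspect scansafe cws-http
 parameters
  http
  default user guest group guests
 class whitelist1
  whitelist
!
policy-map type inspect scansafe cws-https
 parameters
  https
  default user guest group guests
 class whitelist1
  whitelist
!
! --- Step 2a: redirect ACLs. Deny ACEs exempt traffic; the final permit sends the rest ---
object network dmz-net
 subnet 192.0.2.0 255.255.255.0
object network intranet-app
 fqdn intranet.example.com
!
! Deny ACEs must precede the permit, otherwise internal traffic is redirected too.
access-list cws-http extended deny tcp any object dmz-net eq 80
access-list cws-http extended deny tcp any object intranet-app eq 80
access-list cws-http extended permit tcp any any eq 80
!
access-list cws-https extended deny tcp any object dmz-net eq 443
access-list cws-https extended deny tcp any object intranet-app eq 443
access-list cws-https extended permit tcp any any eq 443
```

Verify the exemptions with show access-list before attaching the ACLs to a class map: a hit count on the deny ACEs while DMZ traffic flows confirms that internal destinations are not being redirected.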