14-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 14 ASA and Cisco Cloud Web Security
Configure Cisco Cloud Web Security
The following sample configuration enables Cloud Web Security in context one with the default license
and in context two with the license key override:
! System Context
!
scansafe general-options
server primary ip 180.24.0.62 port 8080
license 366C1D3F5CE67D33D3E9ACEC265261E5
!
context one
allocate-interface GigabitEthernet0/0.1
allocate-interface GigabitEthernet0/1.1
allocate-interface GigabitEthernet0/3.1
scansafe
config-url disk0:/one_ctx.cfg
!
context two
allocate-interface GigabitEthernet0/0.2
allocate-interface GigabitEthernet0/1.2
allocate-interface GigabitEthernet0/3.2
scansafe license 366C1D3F5CE67D33D3E9ACEC26789534
config-url disk0:/two_ctx.cfg
!
Identify Whitelisted Traffic
If you use identity firewall or AAA rules, you can configure the ASA so that web traffic from specific
users or groups that otherwise match the service policy rule is not redirected to the Cloud Web Security
proxy server for scanning. This process is called “whitelisting” traffic.
You configure the whitelist in a ScanSafe inspection class map. You can use usernames and group names
derived from both identity firewall and AAA rules. You cannot whitelist based on IP address or on
destination URL.
When you configure your Cloud Web Security service policy rule, you refer to the class map in your
policy. Although you can achieve the same results of exempting traffic based on user or group when you
configure the traffic matching criteria (with ACLs) in the service policy rule, you might find it more
straightforward to use a whitelist instead.
Procedure
Step 1
Create the class map.
hostname(config)# class-map type inspect scansafe [match-all | match-any] class_map_name
hostname(config-cmap)#
Where class_map_name is the name of the class map. The match-all keyword is the default, and
specifies that traffic must match all criteria to match the class map. The match-any keyword specifies
that the traffic matches the class map if it matches at least one match statement. The CLI enters
class-map configuration mode, where you can enter one or more match commands.
Example
hostname(config)# class-map type inspect scansafe match-any whitelist1
Step 2
Specify the whitelisted users and groups.
hostname(config-cmap)# match [not] {[user username] [group groupname]}
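The following is an added example, not part of the guide's own text, that carries the whitelist procedure through to the point where the class map is referenced from a Cloud Web Security service policy. The user names (alice, bob), group names (admins, finance), the 10.0.0.0/24 inside network, and the object names (whitelist1, cws_http_pmap, CWS_HTTP, cws_http_class, cws_policy) are assumptions. The policy-map and service-policy commands belong to the configuration steps that follow this procedure in the guide and are not shown on this page; they are written here from ASA 9.x syntax and should be checked against your ASA version.

```cisco
! Added example (not from the guide). Whitelisting requires identity
! firewall or AAA rules, so that the ASA knows the user and group behind
! each connection; whitelisting by IP address or destination URL is not
! supported.
!
! Step 1 and 2: whitelist class map. match-any means a connection is
! exempted from redirection if it matches ANY one of the lines below.
class-map type inspect scansafe match-any whitelist1
 match user alice
 match group admins
 match user bob group finance
!
! ScanSafe inspection policy map that references the class map. The
! "whitelist" action passes traffic in whitelist1 straight through;
! all other HTTP traffic selected by the service policy is redirected
! to the Cloud Web Security proxy with the default user/group identity.
policy-map type inspect scansafe cws_http_pmap
 parameters
  http
  default user anonymous group default_group
 class whitelist1
  whitelist
!
! Service policy: only TCP/80 from the assumed inside network is sent
! to the proxy. fail-close drops matching traffic when no proxy tower is
! reachable; the default, fail-open, would let it through unscanned.
access-list CWS_HTTP extended permit tcp 10.0.0.0 255.255.255.0 any eq 80
class-map cws_http_class
 match access-list CWS_HTTP
policy-map cws_policy
 class cws_http_class
  inspect scansafe cws_http_pmap fail-close
service-policy cws_policy interface inside
!
! Checks: confirm the proxy tower is reachable and review the
! redirection counters after generating test traffic as a whitelisted
! and a non-whitelisted user.
show scansafe server
show scansafe statistics
```

Because the class map is match-any, adding a `match not user ...` line to it would match every user other than the one named and whitelist almost all traffic; negated matches are only useful in a match-all class map combined with other criteria.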