Cisco Systems and the ASA Services Module, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Cloud Web Security Actions

25-5

Cisco ASA Series Firewall CLI Configuration Guide

Chapter25 Configuring the ASA for Cisco Cloud Web Security

Information About Cisco Cloud Web Security

–

AAA usernames, when using RADIUS or TACACS+, are sent in the following format:

LOCAL\username

–

AAA usernames, when using LDAP, are sent in the following format:

domain-name\username

–

For the default username, it is sent in the following format:

[domain-name\]username

For example, if you configure the default username to be “Guest,” then the ASA sends “Guest.”

If you configure the default username to be “Cisco\Guest,” then the ASA sends “Cisco\Guest.”

How Groups and the Authentication Key Interoperate

Unless you need the per-ASA policy that a custom group+group key provides, you will likely use a

company key. Note that not all custom groups are associated with a group key. Non-keyed custom groups

can be used to identify IP addresses or usernames, and can be used in your policy along with rules that

use directory groups.

Even if you do want per-ASA policy and are using a group key, you can also use the matching capability

provided by directory groups and non-keyed custom groups. In this case, you might want an ASA-based

policy, with some exceptions based on group membership, IP address, or username. For example, if you

want to exempt users in the America\Management group across all ASAs:

1. Add a directory group for America\Management.

2. Add an exempt rule for this group.

3. Add rules for each customgroup+group key after the exempt rule to apply policy per-ASA.

4. Traffic from users in America\Management will match the exempt rule, while all other traffic will

match the rule for the ASA from which it originated.

Many combinations of keys, groups, and policy rules are possible.

Cloud Web Security Actions

After applying the configured policies, Cloud Web Security either blocks, allows, or sends a warning

about the user request:

•Allows—When Cloud Web Security allows the client request, it contacts the originally requested

server and retrieves the data. It forwards the server response to the ASA, which then forwards it to

the user.

•Blocks—When Cloud Web Security blocks the client request, it notifies the user that access has been

blocked. It sends an HTTP 302 “Moved Temporarily” response that redirects the client application

to a web page hosted by the Cloud Web Security proxy server showing the blocked error message.

The ASA forwards the 302 response to the client.

•Warns—When the Cloud Web Security proxy server determines that a site may be in breach of the

acceptable use policy, it displays a warning page about the site. You can choose to heed the warning

and drop the request to connect, or you can click through the warning and proceed to the requested

site.

You can also choose how the ASA handles web traffic when it cannot reach either the primary or backup

Cloud Web Security proxy server. It can block or allow all web traffic. By default, it blocks web traffic.

Cisco Systems Cloud Web Security Actions

Models: and the ASA Services Module ASA 5545-X ASA 5555-X ASA 5580 ASA 5585-X ASA 5505

How Groups and the Authentication Key Interoperate