Cisco Systems and the ASA Services Module, ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 (Optional) Configuring Whitelisted Traffic

25-15

Cisco ASA Series Firewall CLI Configuration Guide

Chapter25 Configuring the ASA for Cisco Cloud Web Security

Configuring Cisco Cloud Web Security

(Optional) Configuring Whitelisted Traffic

If you use user authentication, you can exempt some traffic from being filtered by Cloud Web Security

based on the username and/or groupname. When you configure your Cloud Web Security service policy

rule, you can reference the whitelisting inspection class map. Both IDFW and AAA user credentials can

be used with this feature.

Although you can achieve the same results of exempting traffic based on user or group when you

configure the service policy rule, you might find it more straightforward to use a whitelist instead. Note

that the whitelist feature is only based on user and group, not on IP address.

Detailed Steps

Example

The following example whitelists the same users and groups for the HTTP and HTTPS inspection policy

maps:

hostname(config)# class-map type inspect scansafe match-any whitelist1

hostname(config-cmap)# match user user1 group cisco

hostname(config-cmap)# match user user2

hostname(config-cmap)# match group group1

hostname(config-cmap)# match user user3 group group3

hostname(config)# policy-map type inspect scansafe cws_inspect_pmap1

hostname(config-pmap)# parameters

hostname(config-pmap-p)# http

hostname(config-pmap-p)# default group default_group

hostname(config-pmap-p)# class whitelist1

hostname(config-pmap-c)# whitelist

hostname(config)# policy-map type inspect scansafe cws_inspect_pmap2

hostname(config-pmap)# parameters

Command Purpose

Step1 class-map type inspect scansafe

[match-all | match-any] name

Example:

ciscoasa(config)# class-map type inspect

scansafe match-any whitelist1

Creates an inspection class map for whitelisted users and groups.

The class_map_name argument is the name of the class map up to

40 characters in length.

The match-all keyword is the default, and specifies that traffic

must match all criteria to match the class map.

The match-any keyword specifies that the traffic matches the

class map if it matches at least one of the criteria.

The CLI enters class-map configuration mode, where you can

enter one or more match commands.

Step2 match [not] {[user username] [group

groupname]}

Example:

ciscoasa(config-cmap)# match

The match keyword, followed by a specific username or

groupname, specifies a user or group to whitelist.

The match not keyword specifies that the user and/or group

should be filtered using Web Cloud Security. For example, if you

whitelist the group “cisco,” but you want to scan traffic from users

“johncrichton” and “aerynsun,” you can specify match not for

those users. Repeat this command to add as many users and

groups as needed.

Cisco Systems (Optional) Configuring Whitelisted Traffic

Models: and the ASA Services Module ASA 5545-X ASA 5555-X ASA 5580 ASA 5585-X ASA 5505

Example