Cisco Systems ASA 5545-X, ASA 5555-X, ASA 5580, ASA 5585-X, ASA Services Module, ASA 5505 ScanCenter Policy

25-4

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter25 Configuring the ASA for Cisco Cloud Web Security

Information About Cisco Cloud Web Security

For more information, see the Cloud Web Security documentation:

http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.h

tml.

ScanCenter Policy

In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security

then applies the configured action for the rule. User traffic can match a policy rule in ScanCenter based

on group association: a directory group or a custom group.

•Directory Groups, page 25-4

•Custom Groups, page 25-4

•How Groups and the Authentication Key Interoperate, page25-5

Directory groups define the group to which traffic belongs. The group, if present, is included in the

HTTP header of the client request. The ASA includes the group in the HTTP header when you configure

IDFW. If you do not use IDFW, you can configure a default group for traffic matching an ASA rule for

Cloud Web Security inspection.

When you configure a directory group, you must enter the group name exactly.

•IDFW group names are sent in the following format:

domain-name\group-name

When the ASA learns the IDFW group name, the format on the ASA is domain-name\\group-name.

However, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter

notation.

•The default group name is sent in the following format:

[domain\]group-name

On the ASA, you need to configure the optional domain name to be followed by 2 backslashes (\\);

however, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter

notation. For example, if you specify “Cisco\\Boulder1,” the ASA modifies the group name to be

“Cisco\Boulder1” with only one backslash (\) when sending the group name to Cloud Web Security.

Custom groups are defined using one or more of the following criteria:

•ScanCenter Group authentication key—You can generate a Group authentication key for a custom

group. Then, if you identify this group key when you configure the ASA, all traffic from the ASA

is tagged with the Group key.

•Source IP address—You can identify source IP addresses in the custom group. Note that the ASA

service policy is based on source IP address, so you might want to configure any IP address-based

policy on the ASA instead.

•Username—You can identify usernames in the custom group.

–

IDFW usernames are sent in the following format:

domain-name\username

Cisco Systems ScanCenter Policy