This document describes how to allow traffic with low Web-Based Reputation Scores (WBRS) through the Cisco Web Security Appliance (WSA) with the continued use of an Antivirus program.
Cisco recommends that you have knowledge of WSA devices.
The information in this document is based on WSA devices that run AsyncOS Versions 5.6 and later.
A site is blocked due to a low WBRS. You desire to allow the traffic through, but still scan the traffic with an Antivirus program.
If you desire to allow traffic to this destination, you must create a special Identity/Access policy that matches the request. For example, if www.example.com has a score of -6.0 and is currently blocked, you must first create a custom URL category for this URL. Then you must bind the new category to an identity, bind the identity to an access policy, and finally modify the WBRS block range for the access policy.
Complete these steps in order to create a custom URL category:
Log into your WSA, navigate to Web Security Manager > Custom URL categories, and click Add Custom Category....
Create an entry similar to this:
Category Name: Bypass.WBRS
Submit the entry once the configuration is complete.
Complete these steps in order to bind the new category to an identity:
Navigate to Web Security Manager > Identities and click Add Identity ....
Create an identity similar to this:
Insert Above: 1
Advanced URL Categories: Bypass WBRS
Configure the other fields as desired. For example, if you require authentication, then enable authentication for this identity.
Submit the identity once the configuration is complete.
Complete these steps in order to bind the new identity to an access policy:
Navigate to Web Security Manager > Access Policies and click Add Policy ....
Create a policy similar to this:
Policy Name: Bypass.WBRS.policy
Insert Above Policy: 1
Identities and Users: Select One or More Identities
Configure the other fields as desired.
Submit the policy once the configuration is complete.
Complete these steps in order to modify the WBRS block range for this new access policy:
Navigate to Web Security Manager > Access Policies > Bypass.WBRS.policy > Web Reputation and Anti-Malware Filtering and click (global policy).
Change the Web Reputation and Anti-Malware Settings selection to Define Web Reputation and Anti-Malware Custom Settings. This allows you to change the Web Reputation settings.
Move the arrow that specifies the BLOCK Range and set it so that it starts to block at -7.0. This step is needed so that the scan does not occur through the full range, in case the page is viral and the score decreases even further.
Submit the change and commit once the configuration is complete.
With this setup, when a user sends a request to www.example.com, the WSA assigns this request the Bypass.WBRS.id. Since the Bypass.WBRS.policy is bound to the Bypass.WBRS.id, the WSA applies the policies that are configured for the Bypass.WBRS.policy. The WBRS setting in this policy is configured so that it starts to block at -7.0, so the request is allowed through.
Note: If you use the Bypass.WBRS category and configure the Action to Allow in the URL category, it bypasses the Antivirus/Malware scan. Instead, set the Action to Monitor.
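The decision flow described above, as an added example that is not Cisco code or part of the original document: a simplified Python model of how the request is matched to Bypass.WBRS.policy and how the block threshold and the category action change the outcome. The function names, verdict strings and the -6.0 global block edge are assumptions made for illustration; only the low (block) end of the reputation range is modelled, and Allow is treated as ending evaluation.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AccessPolicy:
    name: str
    block_at_or_below: float          # upper edge of the WBRS BLOCK range
    category_action: str = "Monitor"  # action set on the custom URL category

# Constructed values following the page's example. The global edge of -6.0
# is an assumption taken from "score of -6.0 and is currently blocked".
BYPASS_CATEGORY = {"www.example.com"}             # sites in Bypass.WBRS
BYPASS = AccessPolicy("Bypass.WBRS.policy", -7.0)
GLOBAL = AccessPolicy("global policy", -6.0)

def select_policy(url, bypass=BYPASS):
    """Hosts in the custom category match the identity bound to the bypass
    policy (inserted above position 1); everything else falls through."""
    host = (urlsplit(url).hostname or "").lower()
    return bypass if host in BYPASS_CATEGORY else GLOBAL

def decide(url, wbrs, bypass=BYPASS):
    """Return (policy name, verdict) for one request and its WBRS score."""
    policy = select_policy(url, bypass)
    if policy is not GLOBAL and policy.category_action == "Allow":
        # The page's note: Allow on the category skips the anti-malware scan.
        return policy.name, "ALLOW_NO_SCAN"
    if wbrs <= policy.block_at_or_below:
        return policy.name, "BLOCK_WBRS"
    # Not blocked on reputation: the response still goes to anti-malware scanning.
    return policy.name, "SCAN"

if __name__ == "__main__":
    allow = AccessPolicy("Bypass.WBRS.policy", -7.0, "Allow")
    cases = [
        ("http://www.example.com/", -6.0, BYPASS),    # allowed through, scanned
        ("http://www.example.com/", -7.5, BYPASS),    # score fell further: blocked
        ("http://other.example.net/", -6.0, BYPASS),  # not in category: blocked
        ("http://www.example.com/", -6.0, allow),     # misconfiguration: no scan
    ]
    for url, score, pol in cases:
        print(url, score, pol.category_action, decide(url, score, pol))
```
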