bypasses the HTTP request-header matching traffic to a web server instead of
the Cloud Web Security tower or server.
whitelisting includes domain-based whitelisting and user agent-based
whitelisting. Domain-based whitelisting includes domain names and regex
patterns. Whitelisting can either be configured through the CLI or as patterns
that are downloaded from the Cloud Web Security tower in XML format.
When a device
requests the whitelist configuration, the Cloud Web Security tower sends
the whitelist configuration file in XML format. This XML file is parsed to
retrieve the encoding type and the list of whitelisted domain names, user-agent
patterns, and IPv4 addresses. These parsed patterns are added to the respective
regex tree for whitelisting.
from the Cloud Web Security tower are not stored in the configuration.
Whitelist patterns configured through the CLI are stored in the configuration.
Whitelist patterns configured via the CLI and patterns downloaded from the
tower can be used for whitelisting. To view the list of downloaded whitelist
patterns, use the
When an XML file is
received and parsed successfully, all previous domain names are removed and
newly received domain names are saved. Locally configured domain names are not
affected; only domain names from the tower are removed. If adding patterns to
the regex file fails, all successfully added patterns are retained for
The XML file
consists of a list of domain names or patterns and the full IPv4 address of
each domain. A domain name must be 256 characters or less.
Wildcard characters supported for domain patterns are ., *, ^, +, ?, $, ,
and [^]. The first character of a pattern cannot be + or *.
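
The download handling described above, as an added example that is not Cisco's code and not part of the original page: it checks each downloaded domain pattern against the stated limits, keeps the valid ones, and replaces only the tower-sourced entries. The XML element and attribute names, the sample patterns, the use of Python's `re` in place of the device's regex engine, and the behaviour on a file that fails to parse are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MAX_DOMAIN_LEN = 256  # limit stated in the text

# Constructed sample; element and attribute names are assumptions.
SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<whitelist>
  <domain ip="192.0.2.10">^intranet\.example\.com$</domain>
  <domain ip="192.0.2.11">*.example.org</domain>
  <domain ip="192.0.2.12">files[0-9]+\.example\.net</domain>
  <domain ip="192.0.2.13">bad[pattern</domain>
</whitelist>"""


def check_pattern(pattern):
    """Return None if the pattern is acceptable, else the rejection reason."""
    if not pattern:
        return "empty pattern"
    if len(pattern) > MAX_DOMAIN_LEN:
        return "longer than 256 characters"
    if pattern[0] in "+*":
        return "first character is + or *"
    try:
        re.compile(pattern)  # Python's re stands in for the device's regex engine
    except re.error as exc:
        return f"does not compile: {exc}"
    return None


def apply_download(xml_text, local, tower):
    """Apply one downloaded file; return the resulting whitelist state."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        # Assumption: a file that fails to parse leaves tower entries as they were.
        return {"local": list(local), "tower": list(tower),
                "rejected": [("<file>", str(exc))]}
    accepted, rejected = [], []
    for node in root.iter("domain"):
        pattern = (node.text or "").strip()
        reason = check_pattern(pattern)
        if reason is None:
            accepted.append(pattern)  # valid entries are kept even if others fail
        else:
            rejected.append((pattern, reason))
    # Successful parse: tower entries are replaced, local entries are untouched.
    return {"local": list(local), "tower": accepted, "rejected": rejected}
```

Reviewing the `rejected` list after each download shows which bypass entries never took effect, which matters because every accepted pattern exempts matching traffic from tower redirection.
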
whitelisting, the Cloud Web Security tower does not verify whether duplicate
entries exist in access control lists (ACLs) configured through the CLI.
Traffic matching any ACL entry configured through the CLI or downloaded from
the tower bypasses redirection to the Cloud Web Security tower.
If header-based or
IP-based whitelisting is enabled via the CLI and also downloaded from the
tower, both whitelist configurations are applied to incoming packets. If the
header-based or IP-based whitelisting is disabled via the CLI, only the
whitelist configuration downloaded from the Cloud Web Security tower is applied
to incoming packets.