, and open a rule.
To create a new rule, click Add > Add Service Policy Rule.
When adding a policy, you can apply it to a specific interface or globally to all interfaces. If there is already a global policy, or a policy for the interface, you are adding a rule to the existing policy. You can name new policies. Click Next to proceed.
If you have a ScanSafe inspection rule, or a rule to which you are adding ScanSafe inspection, select it and click Edit. Note that the “inspection_default” rule in the Global folder does not include the HTTP and HTTPS ports, so you cannot add ScanSafe inspection to that rule.
On the Traffic Classification Criteria page, choose one of the following options to specify the traffic to which to apply the policy actions, and click Next. When creating a new class, give the class a meaningful name. Also note that you must create separate classes for HTTP and HTTPS traffic.
- Create a new traffic class > Source and Destination IP Address (uses ACL)—If you do not already have a traffic class for Cloud Web Security, we recommend this option because ACL matching is the most flexible way to define the class.
When you create a new traffic class of this type, you can only specify one access control entry (ACE) initially. After you finish adding the rule, you can add additional ACEs by adding a new rule to the same interface or global policy, and then specifying Add rule to existing traffic class.
- Create a new traffic class > TCP or UDP Port—Use this option if you do not want to differentiate among web traffic. When you click Next, specify one port, either TCP http or TCP https.
- Add rule to existing traffic class—If you have already started an ACL for Cisco Cloud Web Security inspection, and you are adding rules to the existing policy, select this option and select the traffic class.
(ACL matching.) When defining the traffic class based on source and destination criteria, fill in the ACL attributes for Match or Do Not Match. Match specifies that traffic matching the source and destination is sent to Cloud Web Security; Do Not Match exempts matching traffic from Cloud Web Security. You can later add additional rules to match or not match other traffic.
When creating your rules, consider how you can match appropriate traffic that is destined for the Internet, but not match traffic that is destined for other internal networks. For example, to prevent inside traffic from being sent to Cloud Web Security when the destination is an internal server on the DMZ, be sure to add a deny ACE to the ACL that exempts traffic to the DMZ.
- In the Source Criteria area, enter or browse for a Source IP address or network object. You can also use identity firewall user arguments and Cisco TrustSec security groups to help identify traffic. Note that TrustSec security group information is not sent to Cloud Web Security; you cannot define Cloud Web Security policy based on security group.
- In the Destination Criteria area, enter or browse for a Destination IP address or network object, and an optional TrustSec Security Group.
FQDN network objects might be useful in matching or exempting traffic to specific servers.
- In the Service field, specify either the HTTP or the HTTPS service, and click Next.
Cloud Web Security only operates on HTTP and HTTPS traffic. Each type of traffic is treated separately by the ASA. Therefore, you need to create HTTP-only rules and HTTPS-only rules.
On the Rule Actions page, click the Protocol Inspection tab, select Cloud Web Security, and click Configure to set the traffic action and add the inspection policy map.
The inspection policy map configures essential parameters for the rule and also optionally identifies the whitelist. An inspection policy map is required for each class of traffic that you want to send to Cloud Web Security. You can also pre-configure inspection policy maps at Configuration > Firewall > Objects > Inspect Maps > Cloud Web Security.
- For the Cloud Web Security Traffic Action, choose one:
- Choose an existing inspection policy map, or click Add to add a new map.
- (New maps only.) In the Cloud Web Security Inspection Map dialog box, enter a name for the map and configure the following attributes. Click OK when finished.
User and Group—(Optional.) The default user or group name, or both. If the ASA cannot determine the identity of the user coming into the ASA, then the default user and group is included in the HTTP request sent to Cloud Web Security. You can define policies in ScanCenter for this user or group name.
Choose HTTP or HTTPS based on the service you selected in the traffic class. These selections must match. Cloud Web Security treats each type of traffic separately.
Inspections tab—(Optional) To identify a whitelist, click Add on the Inspections tab and select the class map for the whitelist. You can also add a whitelist at this time by clicking Manage. Ensure that Whitelist is selected as the action and click OK. You can add additional
Click OK in the Select Cloud Web Security Inspect Map dialog box.
Click Finish. The rule is added to the Service Policy Rules table.
To add additional sub-rules (ACEs) for this traffic class, to match or exempt additional traffic, repeat the process, selecting the same interface or global policy. When you configure the traffic class, select the option to Add rule to existing traffic class, and select the Cloud Web Security class.
When you configure the new ACE, ensure that you specify the same service used by the other rules in the class, either HTTP or HTTPS.
Do not make changes to the Rule Actions page. Click Finish when the rule is complete.
Repeat this entire procedure to create a traffic class for the other protocol, for example for HTTPS traffic (assuming you started with an HTTP traffic class). You can create as many rules and sub-rules as needed.
Arrange the order of Cloud Web Security rules and sub-rules on the Service Policy Rules pane. Select the rule you want to move and click the up or down buttons. Ensure that specific rules come before more general rules.
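What the ASDM procedure above produces in the ASA running configuration, shown here as an added example rather than text from the page: an ACL-matched class per protocol whose deny ACE (Do Not Match) for the DMZ precedes the general permit ACE (Match), a ScanSafe inspection map per protocol, and an optional whitelist. The ACL, class and map names, the addresses, and the user and group values are assumptions.

```text
! Added example, not from the page. Names, addresses, users and groups are assumptions.
! HTTP class. ACE order matters: the deny ACE that exempts the DMZ server network
! must come before the general permit ACE that sends Internet-bound traffic to CWS.
access-list SCANSAFE_HTTP extended deny tcp 10.1.1.0 255.255.255.0 172.16.10.0 255.255.255.0 eq www
access-list SCANSAFE_HTTP extended permit tcp 10.1.1.0 255.255.255.0 any eq www
class-map cws_class_http
 match access-list SCANSAFE_HTTP
!
! Separate HTTPS class: Cloud Web Security treats the two protocols separately.
access-list SCANSAFE_HTTPS extended deny tcp 10.1.1.0 255.255.255.0 172.16.10.0 255.255.255.0 eq https
access-list SCANSAFE_HTTPS extended permit tcp 10.1.1.0 255.255.255.0 any eq https
class-map cws_class_https
 match access-list SCANSAFE_HTTPS
!
! Optional whitelist: traffic from these identity-firewall users or groups bypasses CWS.
class-map type inspect scansafe match-any cws_whitelist
 match user admin1
 match group it-staff
!
! One inspection map per protocol. The http/https parameter must match the
! service used by the class the map is attached to.
policy-map type inspect scansafe cws_pmap_http
 parameters
  default user default-user group default-group
  http
 class cws_whitelist
  whitelist
policy-map type inspect scansafe cws_pmap_https
 parameters
  default user default-user group default-group
  https
 class cws_whitelist
  whitelist
!
! Attach both classes to the global service policy. fail-open lets web traffic
! through when the Cloud Web Security server is unreachable; fail-close drops it.
policy-map global_policy
 class cws_class_http
  inspect scansafe cws_pmap_http fail-open
 class cws_class_https
  inspect scansafe cws_pmap_https fail-open
service-policy global_policy global
```

This assumes the global Cloud Web Security settings (the scansafe general-options block with the server address and license) are already present; check the result with show running-config policy-map and show service-policy inspect scansafe.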