Working with ScanSafe Web Security
Security Manager provides integration with ScanSafe Web Security. ScanSafe Web Security is a cloud-based SaaS (Security as a Service) function that makes available its web security data centers at various locations worldwide. When ScanSafe Web Security is integrated with a router, selected HTTP and HTTPS traffic is redirected to ScanSafe Cloud for content scanning and for malware detection by other means. Also, you can use ScanSafe Web Security to provide differentiated services to particular users, user groups, and IPs.
Invoking ScanSafe Web Security from Security Manager, you can define policies and settings in the following areas:
With ScanSafe Web Security integration in Security Manager you can copy and share most policies and framework-based policy features. The following table details the scope of support for scanning and AAA policy types.
Security Manager does not support the following features:
- PAM configuration when inspect or ZBF rules for http/https are not present
- Auth-proxy using LDAP on older IOS versions. (That is, only IOS versions that support ScanSafe Web Security)
- Identity policy with auth-proxy as AAA method. (Support only for NTLM and http-basic.)
- Validation of Virtual Template number for identity policy creation
- Validation of the Secure Trust Point for LDAP server
- Inheritance of content scanning rules
- AD browsing of user groups and users
- Tool support for newer policies (such as policy query)
- Control tag policy
For more information on the ScanSafe Web Security product, go to http://www.cisco.com/en/US/partner/products/ps11720/index.html.
Configuring ScanSafe Web Security
Use the ScanSafe Web Security Settings page to define the settings for the default user group. As with other settings policies, you can share the default user group policy settings.
- ScanSafe Web Security Page
- ScanSafe Web Security Settings Page
- Chapter 20, “Working with ScanSafe Web Security”
- Add and Edit Default User Groups Dialog Box
- AAA Rules Page
Note
All steps are shown as performed from the Policy view.
To configure ScanSafe Web Security, perform the following steps:
Step 1
From the Policy Types selector, select Firewall > ScanSafe Web Security.
The ScanSafe Web Security page appears with the Interfaces tab selected.
Step 2
Enable those interfaces by which web requests are to be forwarded to the ScanSafe Web Security server by selecting them from the list in the Available Interfaces column and moving them to the Selected Interfaces column.
Step 3
Select the WhiteListing Regular Expressions tab.
Step 4
Select the Notify Tower checkbox to send notifications to the ScanSafe Web Security server regarding the whitelisting. It is applicable to all whitelisting except that which is IP-based.
(ScanSafe Web Security receives a warning when no regular expression is specified for white listing.)
Step 5
In the HTTP Host area specify the regular expressions to be whitelisted (using regular expression matching) by selecting them from the list in the Available Regular Expressions column and moving them to the Selected Regular Expressions column.
Step 6
In the HTTP User Agent area specify the regular expressions to be whitelisted by selecting them from the list in the Available Regular Expressions column and moving them to the Selected Regular Expressions column.
Step 7
Select the WhiteListing ACLs tab.
Step 8
Specify the type of ACLs to operate upon by selecting either Extended or Standard from the Type list.
Step 9
Specify the ACLs to whitelist by selecting them from the list in the column on the left and moving them to the Selected items column.
Step 10
Select the User Groups tab.
Tip
You can use the User Groups page to define user groups, to specify both the default user and the default user group, and to include or exclude user groups. You can also edit or delete entries in all three of these lists.
Step 11
Specify a default user by entering the user name in the Default User field (optional).
Step 12
Specify a default user group by entering the user group name in the Default User Group field.
Step 13
Include a user group by selecting the interface and then adding the user group to the Include list.
Step 14
Exclude a user group by selecting the interface and then adding the user group to the Exclude list.
Step 15
Select Policy > Firewall > Settings > ScanSafe Web Security from the policy selector.
Step 16
With the Details tab selected, specify the Primary ScanSafe Server by entering the following values:
Step 17
With the Details tab selected, specify the Secondary ScanSafe Server by entering the following values:
- IP Address/Name (only a valid IP address or FQDN).
- HTTP Port (default 8080)
- HTTPS Port (default 8080)
Step 18
Specify the Server Timeout period in seconds (default 300).
Step 19
Specify the Session Idle Timeout period in seconds (default 300).
Step 20
Specify the source address by doing one of the following:
- Click the IP Address button and then enter the IP address.
- Click the Interface button, and then click the Select button and browse the Interface Selector to select an interface.
Note
A valid source IP or interface must be one of the interfaces on which ScanSafe Web Security is enabled (on the Firewall > ScanSafe Web Security page > Interface tab).
Step 21
Enter the License and select the checkbox if it is encrypted.
Tip
If Encrypted is not selected, the value entered must be 32 hexadecimal characters.
Step 22
If desired, select the Enable Logging checkbox.
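The following is an added example, not part of Cisco's documentation or of Security Manager: a pre-deployment check of the values entered in Steps 16 to 21 against the constraints this procedure states (server given as a valid IP address or FQDN, source on a ScanSafe-enabled interface, 32 hexadecimal characters for an unencrypted license). The dictionary keys, the interface-to-address map, and all sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Field names are hypothetical; defaults and rules are those of Steps 16-21.
DEFAULTS = {"http_port": 8080, "https_port": 8080,
            "server_timeout": 300, "session_idle_timeout": 300}
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_FQDN = re.compile(_LABEL + r"(?:\." + _LABEL + r")+")
_HEX32 = re.compile(r"[0-9A-Fa-f]{32}")


def is_ip_or_fqdn(value):
    """True for an IP address or a dotted host name; False for '10.1.1.999'."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        # An all-numeric last label means a malformed IP address, not an FQDN.
        return (len(value) <= 253 and _FQDN.fullmatch(value) is not None
                and not value.rsplit(".", 1)[-1].isdigit())


def validate(settings, enabled_interfaces):
    """Return a list of problems; enabled_interfaces maps name -> IP address."""
    cfg = {**DEFAULTS, **settings}
    problems = []
    for role in ("primary", "secondary"):
        if role in cfg and not is_ip_or_fqdn(cfg[role]):
            problems.append(f"{role}: not a valid IP address or FQDN")
    for key in ("http_port", "https_port"):
        if not 1 <= cfg[key] <= 65535:
            problems.append(f"{key}: outside 1-65535")
    # The source must belong to an interface enabled on the Interfaces tab.
    src = cfg.get("source")
    if src not in enabled_interfaces and src not in enabled_interfaces.values():
        problems.append("source: not an interface enabled for ScanSafe")
    # An unencrypted license must be exactly 32 hexadecimal characters.
    if not cfg.get("encrypted") and not _HEX32.fullmatch(cfg.get("license", "")):
        problems.append("license: expected 32 hexadecimal characters")
    return problems


# Constructed sample values (documentation address ranges, dummy license).
ENABLED = {"GigabitEthernet0/1": "192.0.2.1"}
GOOD = {"primary": "198.51.100.10", "secondary": "proxy.example.com",
        "source": "GigabitEthernet0/1", "license": "0123456789ABCDEF" * 2}
BAD = {"primary": "10.1.1.999", "https_port": 70000,
       "source": "203.0.113.5", "license": "0123456789ABCDEF"}

print(validate(BAD, ENABLED))
```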
ScanSafe Web Security Page
Security Manager provides integration with ScanSafe Web Security. ScanSafe Web Security is a cloud-based SaaS (Security as a Service) function that makes available its web security data centers at various locations worldwide. When ScanSafe Web Security is integrated with a router, selected HTTP and HTTPS traffic is redirected to ScanSafe Cloud for content scanning and for malware detection by other means. Also, you can use ScanSafe Web Security to provide differentiated services to particular users, user groups, and IPs.
Using ScanSafe Web Security in Security Manager, you can define settings and policies in the following areas:
With ScanSafe Web Security integration in Security Manager you can copy and share most policies and framework-based policy features.
For information on how best to configure the ScanSafe Web Security Page for your particular purposes, see Working with ScanSafe Web Security.
(Policy view) Select Firewall and open Settings from the Policy Type selector. Then click ScanSafe Web Security to open the ScanSafe Web Security Settings Page.
Note
Configuration of the ScanSafe Web Security policies and settings is also possible by way of the Map view.
- Chapter 20, “Working with ScanSafe Web Security”
- Configuring ScanSafe Web Security
- ScanSafe Web Security Settings Page
- Add and Edit Default User Groups Dialog Box
- AAA Rules Page
Details on using filters in Security Manager are found at Filtering Tables.
This tab allows you to select interfaces and Security Manager-defined interface roles on which web requests will be forwarded to the ScanSafe Web Security server for content scanning.
Interfaces that are available to be selected for ScanSafe Web Security.
Interfaces selected must be facing the WAN on which hosts’ requests for web services are forwarded to the ScanSafe Web Security server.
This checkbox, when selected, specifies that the ScanSafe Web Security tower must be notified regarding the whitelisting. It is applicable to all ACL-based whitelisting variants except IP-based whitelisting. The default behavior is that the notification is not sent.
Lists the regular expressions available and considered for delivery to the ScanSafe Web Security server.
Enables the administrator to filter whitelisted regular expressions sent to the ScanSafe Web Security server by specifying include and exclude user group lists. It operates on a match-all or match-any basis.
A host that matches the selected regular expressions is whitelisted, and is not redirected to the ScanSafe Web Security server.
An agent that matches the available regular expressions is whitelisted, and is not redirected to the ScanSafe Web Security server.
When configured, only regular expressions that are in the Selected Regular Expressions list are sent to ScanSafe Cloud.
Specifies the type of ACL whitelisting, either standard or extended. Note: Standard ACLs used for whitelisting are discovered as extended ACLs. A prefix of "CSM_EXT_" is added to the ACL name. Standard ACLs are converted to extended ACLs as extended ACLs are complete and recommended.
When configured, only regular expressions that are in the Selected Regular Expressions list are sent to ScanSafe Cloud.
A global name that is sent to the ScanSafe Web Security server when there is no content-scan-session specific user name. Use it when you want the same content scan policy for all users in a branch office (for example).
A global name that is sent to the ScanSafe Web Security server when there is no content-scan-session specific user name. Use it when you want the same content scan policy for all user groups in a branch office (for example).
You can use the Include and Exclude lists to specify the particular user groups to be included or excluded.
Add and Edit Default User Groups Dialog Box
Use the Default User Groups dialog box to specify the default user group for a particular interface.
This dialog box is only useful when the ISR cannot determine user credentials, but would like to assign the users (that is, the IP addresses) to a user group so that other group-based policies in the ISR can be enforced. Only one group can be configured on an interface.
For details on these ScanSafe Web Security server configuration settings, see the ScanSafe Web Security Settings Page.
- ScanSafe Web Security Page
- ScanSafe Web Security Settings Page
- Chapter 20, “Working with ScanSafe Web Security”
- Configuring ScanSafe Web Security
- AAA Rules Page
(Policy view) Select Firewall and open the ScanSafe Web Security Page. Then click on the User Groups tab.
ScanSafe Web Security Settings Page
- ScanSafe Web Security Page
- Chapter 20, “Working with ScanSafe Web Security”
- Configuring ScanSafe Web Security
- Add and Edit Default User Groups Dialog Box
- AAA Rules Page
(Policy view) Select Firewall and open Settings from the Policy Type selector. Then click ScanSafe Web Security to open the ScanSafe Web Security Settings Page.
(Device view) Select Firewall and open Settings from the Policy Type selector. Then click ScanSafe Web Security to open the ScanSafe Web Security Settings Page.