Upon successful registration, the security appliance downloads your Cisco Cloud Web Security policy from Cisco ScanCenter.

• Every time you modify your CWS policy in Cisco ScanCenter, the whole policy is downloaded to the security appliance to synchronize policies.

• By default, every two minutes, the Cisco WSA checks to see if there is an updated policy to download.

• For information on configuring security policy and web filtering, see Overview.

• In the Cisco WSA, view its Reporting > System Status page to check the status of its hybrid registration with CWS.

Note	Some items that are configurable in Cisco ScanCenter are not yet supported for downloading by the Cisco WSA.

The following items must be configured directly on the Cisco WSA:

• Email Alert Settings. Frequency of email alerts you want to receive.

• Customized Alerts. Custom text and other settings for Block and AUP/EUA pages.

• Global Settings. Enabling of settings such as SearchAhead, SafeSearch, AUP (EUA on the WSA), Dynamic Classification Engine, Content Range Headers, and Sandboxing.

• Authentication Realms. Authentication realms must be configured directly on the Cisco WSA shortly after the System Setup Wizard finishes configuring Hybrid Web Security mode. In CWS, an authentication realm refers to SAML and EasyID. On the Cisco WSA, the types supported are different and usually refer to NTLM (SAML is not yet supported on the Cisco WSA). If CWS rules have either 'auth-user-name' or authentication groups configured, on the Cisco WSA you must configure authentication realms and custom identification profiles with authentication enabled. For more information, see the AsyncOS 9.2 for Cisco Web Security Appliances User Guide (primarily Chapters 6 and 7).

  Note

  Conversion and download of any HTTPS rules or authentication group rules is skipped during Cisco WSA hybrid set-up. These rules are automatically completed only after you set up the Cisco WSA in Hybrid Web Security mode and configure HTTPS proxy, authentication realms, and identification profiles, as CWS-to-WSA policy updates occur every two minutes.

The following items are not currently supported for use on on-premises security appliances and do not get downloaded by the Cisco WSA:

• Anonymize CWS Action Type. Any rule assigned the Anonymize action.

• Authenticate CWS Action Type. Any rule assigned the Authenticate action.

• Warn CWS Action Type. Any rule assigned the Warn action.

• Outbound Filters. Any rule using a filter that contains any Keyword, Outbound File Type, Preconfigured ID, or Regular Expression. Inbound extensions are also not supported.

• Whitelisting sets of domains and URLs to bypass Spyware or Web Reputation (WebRep) scanning at the global level.

• Delegated Administration. The Cisco WSA does not incorporate the concept of delegated administration. CWS will send a merged policy configuration.

• SafeSearch. Works with Google, Yahoo and Bing. Because they are moving to HTTPS, we require HTTPS inspection to be enabled in the cloud.

For additional information, including warnings, caveats, and what functionality is and is not supported, see:

• Release Notes for AsyncOS 9.2 for Cisco Web Security Appliances

• AsyncOS 9.2 for Cisco Web Security Appliances User Guide (primarily Chapter 2)

Note

Translation of both default and user-defined CWS policies to WSA policies is not a one-to-one conversion. However, the action that results from application of a particular policy in both environments is the same. In other words, the Block or Allow decision is always consistent, regardless of the sequence of rules “fired” in both cases. This allows rule evaluation in the proxy to be optimized for better performance without compromising consistent behavior.