Hybrid Web Security provides unified cloud and on-premises policy enforcement and threat defense using security policies you
define in Cisco ScanCenter. Register your on-premises WSA with Cisco ScanCenter to automatically download and periodically
update your security policies from the CWS cloud.
registration, the security appliance downloads your Cisco Cloud Web Security
policy from Cisco ScanCenter.
Every time you
modify your CWS policy in Cisco ScanCenter, the whole policy is downloaded to
the security appliance to synchronize policies.
every two minutes, the Cisco WSA checks to see if there is an updated policy to
information on configuring security policy and web filtering, see
In the Cisco
WSA, view its
System Status page to check the status of its hybrid
registration with CWS.
Some items that
are configurable in Cisco ScanCenter are not yet supported for downloading by
the Cisco WSA.
items must be configured directly on the Cisco WSA:
Settings. Frequency of email alerts you want to receive.
Customized Alerts. Custom text and other settings for Block and AUP/EUA pages.
Global Settings. Enabling of settings such as SearchAhead, SafeSearch, AUP (EUA on the WSA), Dynamic Classification Engine,
Content Range Headers, and Sandboxing.
Authentication Realms. Authentication realms must be configured directly on the Cisco WSA shortly after the System Setup Wizard
finishes configuring Hybrid Web Security mode. In CWS, an authentication realm refers to SAML and EasyID. On the Cisco WSA,
the types supported are different and usually refer to NTLM (SAML is not yet supported on the Cisco WSA). If CWS rules have
either 'auth-user-name' or authentication groups configured, on the Cisco WSA you must configure authentication realms and
custom identification profiles with authentication enabled. For more information, see the AsyncOS 9.2 for Cisco Web Security Appliances User Guide (primarily Chapters 6 and 7).
and download of any HTTPS rules or authentication group rules is skipped during
Cisco WSA hybrid set-up. These rules are automatically completed only after you
set up the Cisco WSA in Hybrid Web Security mode and configure HTTPS proxy,
authentication realms, and identification profiles, as CWS-to-WSA policy
updates occur every two minutes.
The following items are not currently supported for use on on-premises security appliances and do not get downloaded by the Cisco WSA:
Anonymize CWS Action Type. Any rule assigned the Anonymize action.
Authenticate CWS Action Type. Any rule assigned the Authenticate action.
Warn CWS Action Type. Any rule assigned the Warn action.
Outbound Filters. Any rule using a filter that contains any Keyword, Outbound File Type, Preconfigured ID, or Regular Expression.
Inbound extensions are also not supported.
Allow listing sets of domains and URLs to bypass Spyware or Web Reputation (WebRep) scanning
at the global level.
Delegated Administration. The Cisco WSA does not incorporate the concept of delegated administration. CWS will send a merged
SafeSearch. Works with Google, Yahoo and Bing. Because they are moving to HTTPS, we require HTTPS inspection to be enabled
in the cloud.
information, including warnings, caveats, and what functionality is and is not
Translation of both default and user-defined CWS policies to WSA policies is not a one-to-one conversion. However, the action
that results from application of a particular policy in both environments is the same. In other words, the Block or Allow
decision is always consistent, regardless of the sequence of rules “fired” in both cases. This allows rule evaluation in the
proxy to be optimized for better performance without compromising consistent behavior.