Cisco ASA Series Cli Configuration Manual page 1384
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Information About Cisco Cloud Web Security
ScanCenter Policy
In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security
then applies the configured action for the rule. User traffic can match a policy rule in ScanCenter based
on group association: a directory group or a custom group.
•
•
•
Directory Groups
Directory groups define the group to which traffic belongs. The group, if present, is included in the
HTTP header of the client request. The ASA includes the group in the HTTP header when you configure
IDFW. If you do not use IDFW, you can configure a default group for traffic matching an ASA rule for
Cloud Web Security inspection.
When you configure a directory group, you must enter the group name exactly.
•
•
Custom Groups
Custom groups are defined using one or more of the following criteria:
•
•
•
Cisco ASA Series CLI Configuration Guide
1-4
Directory Groups, page 1-4
Custom Groups, page 1-4
How Groups and the Authentication Key Interoperate, page 1-5
IDFW group names are sent in the following format:
domain-name\group-name
When the ASA learns the IDFW group name, the format on the ASA is domain-name\\group-name.
However, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter
notation.
The default group name is sent in the following format:
[domain\]group-name
On the ASA, you need to configure the optional domain name to be followed by 2 backslashes (\\);
however, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter
notation. For example, if you specify "Cisco\\Boulder1," the ASA modifies the group name to be
"Cisco\Boulder1" with only one backslash (\) when sending the group name to Cloud Web Security.
ScanCenter Group authentication key—You can generate a Group authentication key for a custom
group. Then, if you identify this group key when you configure the ASA, all traffic from the ASA
is tagged with the Group key.
Source IP address—You can identify source IP addresses in the custom group. Note that the ASA
service policy is based on source IP address, so you might want to configure any IP address-based
policy on the ASA instead.
Username—You can identify usernames in the custom group.
–
IDFW usernames are sent in the following format:
domain-name\username
–
AAA usernames, when using RADIUS or TACACS+, are sent in the following format:
LOCAL\username
–
AAA usernames, when using LDAP, are sent in the following format:
domain-name\username
Chapter 1
Configuring the ASA for Cisco Cloud Web Security
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
