25-6
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 25 Configuring the ASA for Cisco Cloud Web Security
Licensing Requirements for Cisco Cloud Web Security
Bypassing Scanning with Whitelists
If you use AAA rules or IDFW, you can configure the ASA so that web traffic from specific users or
groups that otherwise match the service policy rule is not redirected to the Cloud Web Security proxy
server for scanning. When you bypass Cloud Web Security scanning, the ASA retrieves the content
directly from the originally requested web server without contacting the proxy server. When it receives
the response from the web server, it sends the data to the client. This process is called “whitelisting”
traffic.
Although you can achieve the same results of exempting traffic based on user or group when you
configure the class of traffic using ACLs to send to Cloud Web Security, you might find it more
straightforward to use a whitelist instead. Note that the whitelist feature is only based on user and group,
not on IP address.
IPv4 and IPv6 Support
Cloud Web Security currently supports only IPv4 addresses. If you use IPv6 internally, NAT 64 must be
performed for any IPv6 flows that need to be sent to Cloud Web Security.
The following table shows the class map traffic that is supported by Cloud Web Security redirection:
Failover from Primary to Backup Proxy Server
When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web
Security proxy server and backup proxy server.
If any client is unable to reach the primary server, then the ASA starts polling the tower to determine
availability. (If there is no client activity, the ASA polls every 15 miniutes.) If the proxy server is
unavailable after a configured number of retries (the default is 5; this setting is configurable), the server
is declared unreachable, and the backup proxy server becomes active.
If a client or the ASA can reach the server at least twice consecutively before the retry count is reached,
the polling stops and the tower is determined to be reachable.
After a failover to the backup server, the ASA continues to poll the primary server. If the primary server
becomes reachable, then the ASA returns to using the primary server.
Licensing Requirements for Cisco Cloud Web Security
Class Map Traffic Cloud Web Security Inspection
From IPv4 to IPv4 Supported
From IPv6 to IPv4 (using NAT64) Supported
From IPv4 to IPv6 Not Supported
From IPv6 to IPv6 Not Supported