Cisco Systems and the ASA Services Module Network Router User Manual


 
25-15
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 25 Configuring the ASA for Cisco Cloud Web Security
Configuring Cisco Cloud Web Security
(Optional) Configuring Whitelisted Traffic
If you use user authentication, you can exempt some traffic from being filtered by Cloud Web Security
based on the username and/or groupname. When you configure your Cloud Web Security service policy
rule, you can reference the whitelisting inspection class map. Both IDFW and AAA user credentials can
be used with this feature.
Although you can achieve the same results of exempting traffic based on user or group when you
configure the service policy rule, you might find it more straightforward to use a whitelist instead. Note
that the whitelist feature is only based on user and group, not on IP address.
Detailed Steps
Example
The following example whitelists the same users and groups for the HTTP and HTTPS inspection policy
maps:
hostname(config)# class-map type inspect scansafe match-any whitelist1
hostname(config-cmap)# match user user1 group cisco
hostname(config-cmap)# match user user2
hostname(config-cmap)# match group group1
hostname(config-cmap)# match user user3 group group3
hostname(config)# policy-map type inspect scansafe cws_inspect_pmap1
hostname(config-pmap)# parameters
hostname(config-pmap-p)# http
hostname(config-pmap-p)# default group default_group
hostname(config-pmap-p)# class whitelist1
hostname(config-pmap-c)# whitelist
hostname(config)# policy-map type inspect scansafe cws_inspect_pmap2
hostname(config-pmap)# parameters
Command Purpose
Step 1
class-map type inspect scansafe
[match-all | match-any] name
Example:
ciscoasa(config)# class-map type inspect
scansafe match-any whitelist1
Creates an inspection class map for whitelisted users and groups.
The class_map_name argument is the name of the class map up to
40 characters in length.
The match-all keyword is the default, and specifies that traffic
must match all criteria to match the class map.
The match-any keyword specifies that the traffic matches the
class map if it matches at least one of the criteria.
The CLI enters class-map configuration mode, where you can
enter one or more match commands.
Step 2
match [not] {[user username] [group
groupname]}
Example:
ciscoasa(config-cmap)# match
The match keyword, followed by a specific username or
groupname, specifies a user or group to whitelist.
The match not keyword specifies that the user and/or group
should be filtered using Web Cloud Security. For example, if you
whitelist the group “cisco,” but you want to scan traffic from users
“johncrichton” and “aerynsun,” you can specify match not for
those users. Repeat this command to add as many users and
groups as needed.