Filter
Top Products
25-13
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 25 Configuring the ASA for Cisco Cloud Web Security
Configuring Cisco Cloud Web Security
Step 10
match access-list acl1
Example:
ciscoasa(config-cmap)# match access-list
SCANSAFE_HTTP
Specifies an ACL created in Step 8.
Although you can use other match statements for this rule, we
recommend using the match access-list command because it is
the most versatile for identifying HTTP or HTTPS-only traffic.
See the “Identifying Traffic (Layer 3/4 Class Maps)” section on
page 1-12 for more information.
Step 11
class-map name2
match access-list acl2
Example:
ciscoasa(config)# class-map cws_class2
ciscoasa(config-cmap)# match access-list
SCANSAFE_HTTPS
(Optional) Creates an additional class map, for example for
HTTPS traffic. You can create as many classes as needed for this
service policy rule.
Step 12
policy-map name
Example:
ciscoasa(config)# policy-map cws_policy
Adds or edits a policy map that sets the actions to take with the
class map traffic. The policy map in the default global policy is
called global_policy. You can edit this policy, or create a new one.
You can only apply one policy to each interface or globally.
Step 13
class name1
Example:
ciscoasa(config-pmap)# class cws_class1
Identifies the class map created in Step 9.
Step 14
inspect scansafe scansafe_policy_name1
[fail-open | fail-close]
Example:
ciscoasa(config-pmap-c)# inspect scansafe
cws_inspect_pmap1 fail-open
Enables Cloud Web Security inspection on the traffic in this class.
Specify the inspection class map name that you created in Step 1.
Specify fail-open to allow traffic to pass through the ASA if the
Cloud Web Security servers are unavailable.
Specify fail-close to drop all traffic if the Cloud Web Security
servers are unavailable. fail-close is the default.
Step 15
class name2
inspect scansafe scansafe_policy_name2
[fail-open | fail-close]
Example:
ciscoasa(config-pmap)# class cws_class2
ciscoasa(config-pmap-c)# inspect scansafe
cws_inspect_pmap2 fail-open
(Optional) Identifies a second class map that you created in
Step 11, and enables Cloud Web Security inspection for it.
You can configure multiple class maps as needed.
Step 16
service-policy policymap_name {global |
interface interface_name}
Example:
ciscoasa(config)# service-policy
cws_policy inside
Activates the policy map on one or more interfaces. global applies
the policy map to all interfaces, and interface applies the policy
to one interface. Only one global policy is allowed. You can
override the global policy on an interface by applying a service
policy to that interface. You can only apply one policy map to
each interface. See the “Applying Actions to an Interface (Service
Policy)” section on page 1-17 for more information.
Command Purpose