Identity Policies :
--> This Policies are used to classify the traffic/transactions by groups so different policies can be applied based on the identity.
--> Identities can be classified based upon IP addresses, Active Directory Groups and Users.
--> Whenever any request comes to WSA, It will first check the Identity of the request based upon the IP address, Username, and Groups.
--> Every client request always has just one identity.
--> Identity Policies are evaluated in order ( From Top to Bottom).
--> Client requests that do not match any user-defined or custom identity are assigned the global identity.
--> By using Identity Policies we can also specify the client request requires authentication or not and from which browser( User-agent) he can access the Internet.
--> It is recommended to configure the identities that do not require the authentication should be configured above the identities that require the authentication.
--> The yellow light bulb or key icon next to the identity indicates that the policy requires authentication.
Access Policies:
--> Access policies define whether the client request needs to be allowed, blocked, or redirected HTTP and decrypted HTTPS transactions.
--> Every client request always matches only one access policy.
--> Access Policies are evaluated in order ( From Top to Bottom).
--> Client requests that do not match any user-defined or custom access policy are assigned the global access policy.
--> Each and every access policy is associated with an action, that can be:
1) Allow: Allows the connection
2) Block: Does not allow the connection
3) Redirect: Redirects the connection to different URLs.
4) Warn: Gives warning page, the user needs to click on the continue button in order to access the website.
5) Monitor: Allows the connection but checks other settings as well.
--> Each and every access policy contains following sections:
There are five sets of access policy control settings:
Protocols and User Agents: Defines which protocols, ports and user agents are allowed.
URL Filtering: can be custom URL category or system URL category
Applications: Filtering is based upon the applications.
Objects: The size and MIME type of the object that is contained in the HTTP response.
Web Reputation and anti-malware filtering: checks the cisco database for malware information related to a particular connection.
Decryption policies
--> These policies are used to define how to treat HTTPS traffic.
--> We can apply different actions to specified groups of users and IP addresses by using decryption policy.
--> We can also specify which ports the WSA should monitor for HTTPS requests.
--> Once you configure the HTTPS traffic need to be encrypted then WSA will act as SSL Proxy and maintains two connections ( Client --Proxy and Proxy -- Web Server)
--> Each and every Decryption policy is associated with an action, that can be one of the following:
Monitor: Decrypts the connection and checks for other settings.
Drop: Drops the connection and does not decrypt the connection.
Pass-Through: Allows the connection without decryption. ( Need to be configured for bank and financial websites)
Decrypt: Allows the connection, but decrypts the traffic content.
--> Once the connection is decrypted then it will be forwarded to access policies for the HTTP requests.
Routing policies
-->These policies are used to define what traffic should be sent to which upstream (explicit forward) proxy.
--> Two common use cases for routing policies are as follows:
i) Forward a particular type of traffic to particular upstream proxies to enhance performance and optimize caching.
ii) Forward specific traffic to a partner reverse proxy.
SaaS policies are used to control access to third-party software service providers, such as Salesforce, Google Apps, and WebEx.
Ref: Cisco.com
Md.Kareemoddin
CCIE# 54759
--> This Policies are used to classify the traffic/transactions by groups so different policies can be applied based on the identity.
--> Identities can be classified based upon IP addresses, Active Directory Groups and Users.
--> Whenever any request comes to WSA, It will first check the Identity of the request based upon the IP address, Username, and Groups.
--> Every client request always has just one identity.
--> Identity Policies are evaluated in order ( From Top to Bottom).
--> Client requests that do not match any user-defined or custom identity are assigned the global identity.
--> By using Identity Policies we can also specify the client request requires authentication or not and from which browser( User-agent) he can access the Internet.
--> It is recommended to configure the identities that do not require the authentication should be configured above the identities that require the authentication.
--> The yellow light bulb or key icon next to the identity indicates that the policy requires authentication.
Access Policies:
--> Access policies define whether the client request needs to be allowed, blocked, or redirected HTTP and decrypted HTTPS transactions.
--> Every client request always matches only one access policy.
--> Access Policies are evaluated in order ( From Top to Bottom).
--> Client requests that do not match any user-defined or custom access policy are assigned the global access policy.
--> Each and every access policy is associated with an action, that can be:
1) Allow: Allows the connection
2) Block: Does not allow the connection
3) Redirect: Redirects the connection to different URLs.
4) Warn: Gives warning page, the user needs to click on the continue button in order to access the website.
5) Monitor: Allows the connection but checks other settings as well.
--> Each and every access policy contains following sections:
There are five sets of access policy control settings:
Protocols and User Agents: Defines which protocols, ports and user agents are allowed.
URL Filtering: can be custom URL category or system URL category
Applications: Filtering is based upon the applications.
Objects: The size and MIME type of the object that is contained in the HTTP response.
Web Reputation and anti-malware filtering: checks the cisco database for malware information related to a particular connection.
Decryption policies
--> These policies are used to define how to treat HTTPS traffic.
--> We can apply different actions to specified groups of users and IP addresses by using decryption policy.
--> We can also specify which ports the WSA should monitor for HTTPS requests.
--> Once you configure the HTTPS traffic need to be encrypted then WSA will act as SSL Proxy and maintains two connections ( Client --Proxy and Proxy -- Web Server)
--> Each and every Decryption policy is associated with an action, that can be one of the following:
Monitor: Decrypts the connection and checks for other settings.
Drop: Drops the connection and does not decrypt the connection.
Pass-Through: Allows the connection without decryption. ( Need to be configured for bank and financial websites)
Decrypt: Allows the connection, but decrypts the traffic content.
--> Once the connection is decrypted then it will be forwarded to access policies for the HTTP requests.
Routing policies
-->These policies are used to define what traffic should be sent to which upstream (explicit forward) proxy.
--> Two common use cases for routing policies are as follows:
i) Forward a particular type of traffic to particular upstream proxies to enhance performance and optimize caching.
ii) Forward specific traffic to a partner reverse proxy.
SaaS policies are used to control access to third-party software service providers, such as Salesforce, Google Apps, and WebEx.
Ref: Cisco.com
Md.Kareemoddin
CCIE# 54759
0 comments:
Post a Comment