Cisco Asdm 7 User Guide

    25-3
    Cisco ASA Series Firewall ASDM Configuration Guide
     
    Chapter 25      Configuring the ASA for Cisco Cloud Web Security
      Information About Cisco Cloud Web Security
The ASA supports the following methods of determining the identity of a user, or of providing a default 
identity:
• AAA rules—When the ASA performs user authentication using a AAA rule, the username is 
retrieved from the AAA server or local database. Identity from AAA rules does not include group 
information. If configured, the default group is used. For information about configuring AAA rules, 
see Chapter 8, “Configuring AAA Rules for Network Access.” 
• IDFW—When the ASA uses IDFW with the Active Directory (AD), the username and group are 
retrieved from the AD agent when you activate a user and/or group by using an ACL in a feature 
such as an access rule or in your service policy, or by configuring the user identity monitor to 
download user identity information directly.
For information about configuring IDFW, see Chapter 38, “Configuring the Identity Firewall,” in the 
general operations configuration guide.
• Default username and group—Without user authentication, the ASA uses an optional default 
username and/or group for all users that match a service policy rule for Cloud Web Security.
Authentication Keys
Each ASA must use an authentication key that you obtain from Cloud Web Security. The authentication 
key lets Cloud Web Security identify the company associated with web requests and ensures that the 
ASA is associated with a valid customer.
You can use one of two types of authentication keys for your ASA: the company key or the group key.
• Company Authentication Key, page 25-3
• Group Authentication Key, page 25-3
Company Authentication Key
A Company authentication key can be used on multiple ASAs within the same company. This key simply 
enables the Cloud Web Security service for your ASAs. The administrator generates this key in 
ScanCenter (https://scancenter.scansafe.com/portal/admin/login.jsp); you have the opportunity to e-mail 
the key for later use. You cannot look up this key later in ScanCenter; only the last 4 digits are shown in 
ScanCenter. For more information, see the Cloud Web Security documentation: 
http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html
Group Authentication Key
A Group authentication key is a special key unique to each ASA that performs two functions:
• Enables the Cloud Web Security service for one ASA.
• Identifies all traffic from the ASA so you can create ScanCenter policy per ASA.
For information about using the Group authentication key for policy, see the “ScanCenter Policy” section 
on page 25-4.
The administrator generates this key in ScanCenter 
(https://scancenter.scansafe.com/portal/admin/login.jsp); you have the opportunity to e-mail the key for 
later use. You cannot look up this key later in ScanCenter; only the last 4 digits are shown in ScanCenter.
For more information, see the Cloud Web Security documentation: 
http://www.cisco.com/en/US/products/ps11720/products_installation_and_configuration_guides_list.html
ScanCenter Policy
In ScanCenter, traffic is matched against policy rules in order until a rule is matched. Cloud Web Security 
then applies the configured action for the rule. User traffic can match a policy rule in ScanCenter based 
on group association: a directory group or a custom group.
• Directory Groups, page 25-4
• Custom Groups, page 25-4
• How Groups and the Authentication Key Interoperate, page 25-5
    Directory Groups
    Directory groups define the group to which traffic belongs. The group, if present, is included in the 
    HTTP header of the client request. The ASA includes the group in the HTTP header when you configure 
    IDFW. If you do not use IDFW, you can configure a default group for traffic matching an ASA rule for 
    Cloud Web Security inspection.
    When you configure a directory group, you must enter the group name exactly.
    IDFW group names are sent in the following format:
    domain-name\group-name
    When the ASA learns the IDFW group name, the format on the ASA is domain-name\\group-name. 
    However, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter 
    notation.
    The default group name is sent in the following format:
    [domain\]group-name
    On the ASA, you need to configure the optional domain name to be followed by 2 backslashes (\\); 
    however, the ASA modifies the name to use only one backslash (\) to conform to typical ScanCenter 
    notation. For example, if you specify “Cisco\\Boulder1,” the ASA modifies the group name to be 
    “Cisco\Boulder1” with only one backslash (\) when sending the group name to Cloud Web Security.
Custom Groups
Custom groups are defined using one or more of the following criteria:
• ScanCenter Group authentication key—You can generate a Group authentication key for a custom 
group. Then, if you identify this group key when you configure the ASA, all traffic from the ASA 
is tagged with the Group key.
• Source IP address—You can identify source IP addresses in the custom group. Note that the ASA 
service policy is based on source IP address, so you might want to configure any IP address-based 
policy on the ASA instead.
• Username—You can identify usernames in the custom group.
– IDFW usernames are sent in the following format:
domain-name\username
– AAA usernames, when using RADIUS or TACACS+, are sent in the following format:
LOCAL\username
– AAA usernames, when using LDAP, are sent in the following format:
domain-name\username
– For the default username, it is sent in the following format:
[domain-name\]username
For example, if you configure the default username to be “Guest,” then the ASA sends “Guest.” 
If you configure the default username to be “Cisco\Guest,” then the ASA sends “Cisco\Guest.”
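The identity formats listed under Directory Groups and Custom Groups, worked through as an added Python example that is not Cisco's code. The function names and the identity-source labels ("idfw", "radius", "tacacs", "ldap", "none") are assumptions of the example; the username and group formats and the backslash rule are the ones stated in this section.

```python
# Added example, not Cisco code: a model of the identity strings this chapter
# says the ASA sends to Cloud Web Security. The function names and the
# identity-source labels ("idfw", "radius", "tacacs", "ldap", "none") are
# hypothetical; the formats themselves are the ones listed in the chapter.
from typing import Dict, Optional

BS = "\\"  # a single backslash


def to_scancenter_notation(name: str) -> str:
    """The ASA holds 'domain\\\\name' (two backslashes) but sends
    'domain\\name' (one backslash), which is the ScanCenter notation."""
    return name.replace(BS + BS, BS)


def format_username(source: str, username: str, domain: Optional[str]) -> str:
    """Username formats by identity source, as listed in the chapter."""
    if source in ("idfw", "ldap"):            # domain-name\username
        if not domain:
            raise ValueError(f"{source} identities always carry a domain name")
        return f"{domain}{BS}{username}"
    if source in ("radius", "tacacs"):        # LOCAL\username
        return f"LOCAL{BS}{username}"
    if source == "none":                      # [domain-name\]username
        return f"{domain}{BS}{username}" if domain else username
    raise ValueError(f"unknown identity source {source!r}")


def build_identity(source: str,
                   username: Optional[str] = None,
                   domain: Optional[str] = None,
                   group: Optional[str] = None,
                   default_username: Optional[str] = None,
                   default_domain: Optional[str] = None,
                   default_group: Optional[str] = None) -> Dict[str, Optional[str]]:
    """Return the user and group the ASA would send for one request.

    - AAA rules (radius/tacacs/ldap): username from the AAA server or local
      database; AAA identity carries no group, so the default group applies.
    - IDFW: username and group both come from the AD agent.
    - none: no user authentication; only the optional defaults are sent.
    A field that would not be sent is returned as None.
    """
    if source == "idfw":
        user = format_username(source, username, domain)
        grp = group if group else default_group
    elif source in ("radius", "tacacs", "ldap"):
        user = format_username(source, username, domain)
        grp = default_group
    elif source == "none":
        user = (format_username(source, default_username, default_domain)
                if default_username else None)
        grp = default_group
    else:
        raise ValueError(f"unknown identity source {source!r}")
    # Both learned (IDFW) and configured (default) group names pass through
    # the single-backslash normalization before being sent.
    return {"user": user, "group": to_scancenter_notation(grp) if grp else None}


if __name__ == "__main__":
    # Constructed sample identities covering each source the chapter lists.
    print(build_identity("idfw", "jdoe", "America", r"America\\Management"))
    print(build_identity("radius", "jdoe", default_group=r"Cisco\\Boulder1"))
    print(build_identity("none", default_username="Guest", default_domain="Cisco"))
```

The value of separating `format_username` from `build_identity` is that the first encodes only the wire formats, while the second encodes which source supplies which field; a mismatch between what ScanCenter expects in a directory group and what the ASA sends is almost always in one of those two places.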
    How Groups and the Authentication Key Interoperate
    Unless you need the per-ASA policy that a custom group+group key provides, you will likely use a 
    company key. Note that not all custom groups are associated with a group key. Non-keyed custom groups 
    can be used to identify IP addresses or usernames, and can be used in your policy along with rules that 
    use directory groups. 
    Even if you do want per-ASA policy and are using a group key, you can also use the matching capability 
    provided by directory groups and non-keyed custom groups. In this case, you might want an ASA-based 
    policy, with some exceptions based on group membership, IP address, or username. For example, if you 
    want to exempt users in the America\Management group across all ASAs:
1. Add a directory group for America\Management.
2. Add an exempt rule for this group.
3. Add rules for each custom group+group key after the exempt rule to apply policy per-ASA.
4. Traffic from users in America\Management will match the exempt rule, while all other traffic will 
match the rule for the ASA from which it originated.
    Many combinations of keys, groups, and policy rules are possible.
Cloud Web Security Actions
After applying the configured policies, Cloud Web Security either blocks, allows, or sends a warning 
about the user request:
• Allows—When Cloud Web Security allows the client request, it contacts the originally requested 
server and retrieves the data. It forwards the server response to the ASA, which then forwards it to 
the user.
• Blocks—When Cloud Web Security blocks the client request, it notifies the user that access has been 
blocked. It sends an HTTP 302 “Moved Temporarily” response that redirects the client application 
to a web page hosted by the Cloud Web Security proxy server showing the blocked error message. 
The ASA forwards the 302 response to the client. 
• Warns—When the Cloud Web Security proxy server determines that a site may be in breach of the 
acceptable use policy, it displays a warning page about the site. You can choose to heed the warning 
and drop the request to connect, or you can click through the warning and proceed to the requested 
site.
You can also choose how the ASA handles web traffic when it cannot reach either the primary or backup 
Cloud Web Security proxy server. It can block or allow all web traffic. By default, it blocks web traffic. 
    Bypassing Scanning with Whitelists
    If you use AAA rules or IDFW, you can configure the ASA so that web traffic from specific users or 
    groups that otherwise match the service policy rule is not redirected to the Cloud Web Security proxy 
    server for scanning. When you bypass Cloud Web Security scanning, the ASA retrieves the content 
    directly from the originally requested web server without contacting the proxy server. When it receives 
    the response from the web server, it sends the data to the client. This process is called “whitelisting” 
    traffic.
    Although you can achieve the same results of exempting traffic based on user or group when you 
    configure the class of traffic using ACLs to send to Cloud Web Security, you might find it more 
    straightforward to use a whitelist instead. Note that the whitelist feature is only based on user and group, 
    not on IP address.
    IPv4 and IPv6 Support
    Cloud Web Security currently supports only IPv4 addresses. If you use IPv6 internally, NAT 64 must be 
    performed for any IPv6 flows that need to be sent to Cloud Web Security. 
The following table shows the class map traffic that is supported by Cloud Web Security redirection:
Class Map Traffic                  Cloud Web Security Inspection
From IPv4 to IPv4                  Supported
From IPv6 to IPv4 (using NAT64)    Supported
From IPv4 to IPv6                  Not Supported
From IPv6 to IPv6                  Not Supported
Failover from Primary to Backup Proxy Server
When you subscribe to the Cisco Cloud Web Security service, you are assigned a primary Cloud Web 
Security proxy server and backup proxy server.
If any client is unable to reach the primary server, then the ASA starts polling the tower to determine 
availability. (If there is no client activity, the ASA polls every 15 minutes.) If the proxy server is 
unavailable after a configured number of retries (the default is 5; this setting is configurable), the server 
is declared unreachable, and the backup proxy server becomes active.
If a client or the ASA can reach the server at least twice consecutively before the retry count is reached, 
the polling stops and the tower is determined to be reachable.
After a failover to the backup server, the ASA continues to poll the primary server. If the primary server 
becomes reachable, then the ASA returns to using the primary server.
Licensing Requirements for Cisco Cloud Web Security
Model        License Requirement
All models   Strong Encryption (3DES/AES) License to encrypt traffic between the security appliance and the 
             Cloud Web Security server.
On the Cloud Web Security side, you must purchase a Cisco Cloud Web Security license and identify 
the number of users that the ASA handles. Then log into ScanCenter, and generate your authentication 
keys.
Prerequisites for Cloud Web Security
(Optional) User Authentication Prerequisites
To send user identity information to Cloud Web Security, configure one of the following on the ASA:
• AAA rules (username only)—See Chapter 8, “Configuring AAA Rules for Network Access.” 
• IDFW (username and group)—See Chapter 38, “Configuring the Identity Firewall,” in the general 
operations configuration guide.
(Optional) Fully Qualified Domain Name Prerequisites
If you use FQDNs in ACLs for your service policy rule, or for the Cloud Web Security server, you must 
configure a DNS server for the ASA according to the “Configuring the DNS Server” section on 
page 16-17 in the general operations configuration guide.
Guidelines and Limitations
Context Mode Guidelines
• Supported in single and multiple context modes.
• In multiple context mode, the server configuration is allowed only in the system, and the service policy 
rule configuration is allowed only in the security contexts.
• Each context can have its own authentication key, if desired.
Firewall Mode Guidelines
Supported in routed firewall mode only. Does not support transparent firewall mode.
IPv6 Guidelines
Does not support IPv6. See the “IPv4 and IPv6 Support” section on page 25-6.
Additional Guidelines
• Cloud Web Security is not supported with ASA clustering.
• Clientless SSL VPN is not supported with Cloud Web Security; be sure to exempt any clientless SSL 
VPN traffic from the ASA service policy for Cloud Web Security.
• When an interface to the Cloud Web Security proxy servers goes down, output from the show 
scansafe server command shows both servers up for approximately 15-25 minutes. This condition 
may occur because the polling mechanism is based on the active connection, and because that 
interface is down, it shows zero connection, and it takes the longest poll time approach.
• Cloud Web Security is not supported with the ASA CX module. If you configure both the ASA CX 
action and Cloud Web Security inspection for the same traffic, the ASA only performs the ASA CX 
action.
• Cloud Web Security inspection is compatible with HTTP inspection for the same traffic. HTTP 
inspection is enabled by default as part of the default global policy.
• Cloud Web Security is not supported with extended PAT or any application that can potentially use 
the same source port and IP address for separate connections. For example, if two different 
connections (targeted to separate servers) use extended PAT, the ASA might reuse the same source 
IP and source port for both connection translations because they are differentiated by the separate 
destinations. When the ASA redirects these connections to the Cloud Web Security server, it 
replaces the destination with the Cloud Web Security server IP address and port (8080 by default). 
As a result, both connections now appear to belong to the same flow (same source IP/port and 
destination IP/port), and return traffic cannot be untranslated properly.
• The Default Inspection Traffic traffic class does not include the default ports for the Cloud Web 
Security inspection (80 and 443).
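The extended PAT guideline above, shown as an added Python example that is not part of the guide. It uses a deliberately simplified PAT allocator (a real ASA's port selection is not modelled), a constructed mapped address and proxy address, and the chapter's default proxy port 8080, to show how two distinct connections collapse onto one 5-tuple after redirection.

```python
# Added example, not ASA code: why extended PAT and Cloud Web Security
# redirection conflict. The PAT allocator is a simplified model; the mapped
# and proxy addresses are constructed values and 8080 is the chapter's
# default proxy port.
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]          # (src ip, src port, dst ip, dst port)
PROXY = ("203.0.113.10", 8080)            # constructed Cloud Web Security tower


def allocate_pat(flows: List[Flow], mapped_ip: str, extended: bool) -> List[Flow]:
    """Translate each flow's source to (mapped_ip, port).

    Plain PAT: each mapped port serves one connection at a time.
    Extended PAT: a mapped port may be reused for another connection as long
    as the destination (ip, port) differs, because (mapped src, dst) is still
    unique from the translator's point of view.
    """
    in_use: Dict[int, set] = {}           # mapped port -> destinations using it
    translated: List[Flow] = []
    for src_ip, src_port, dst_ip, dst_port in flows:
        port = 1024
        while True:
            dests = in_use.setdefault(port, set())
            if not dests or (extended and (dst_ip, dst_port) not in dests):
                break
            port += 1
        in_use[port].add((dst_ip, dst_port))
        translated.append((mapped_ip, port, dst_ip, dst_port))
    return translated


def redirect_to_proxy(flow: Flow) -> Flow:
    """Cloud Web Security redirection replaces the destination with the proxy."""
    src_ip, src_port, _, _ = flow
    return (src_ip, src_port, PROXY[0], PROXY[1])


def collisions(flows: List[Flow], mapped_ip: str, extended: bool) -> List[List[Flow]]:
    """Return groups of original flows that become indistinguishable (same
    5-tuple) after PAT plus redirection. Return traffic from the proxy for
    such a group cannot be untranslated back to the right inside host."""
    seen: Dict[Flow, List[Flow]] = {}
    for original, xlated in zip(flows, allocate_pat(flows, mapped_ip, extended)):
        seen.setdefault(redirect_to_proxy(xlated), []).append(original)
    return [group for group in seen.values() if len(group) > 1]


# Constructed: two inside hosts browsing two different web servers.
SAMPLE_FLOWS: List[Flow] = [
    ("10.1.1.5", 40000, "198.51.100.1", 80),
    ("10.1.1.9", 50000, "198.51.100.2", 80),
]

if __name__ == "__main__":
    for extended in (False, True):
        print(f"extended PAT={extended}: collisions ->",
              collisions(SAMPLE_FLOWS, "192.0.2.1", extended))
```

With plain PAT the second connection gets a different mapped port and the two redirected flows stay distinct; with extended PAT both connections share mapped port 1024 because their destinations differ, and once the destination is rewritten to the proxy they are the same flow. That is the condition the guideline warns about, and the check is a cheap way to confirm whether a given NAT design can coexist with the redirection.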
Default Settings
By default, Cisco Cloud Web Security is not enabled.
Configuring Cisco Cloud Web Security
• Configuring Communication with the Cloud Web Security Proxy Server, page 25-8
• (Multiple Context Mode) Allowing Cloud Web Security Per Security Context, page 25-10
• Configuring a Service Policy to Send Traffic to Cloud Web Security, page 25-10
• (Optional) Configuring Whitelisted Traffic, page 25-23
• Configuring the Cloud Web Security Policy, page 25-26
    Configuring Communication with the Cloud Web Security Proxy Server
    Guidelines
    The public key is embedded in the ASA software, so there is no need for you to configure it. 
Detailed Steps
Step 1 Choose Configuration > Device Management > Cloud Web Security.
Step 2 In the Primary Server area, enter the following:
• IP Address/Domain Name—Enter the IPv4 address or FQDN of the primary server.
• HTTP Port—Enter the HTTP port of the primary server (port to which traffic must be redirected). 
By default the port is 8080; do not change this value unless directed to do so.
Step 3 In the Backup Server area, enter the following:
• IP Address/Domain Name—Enter the IPv4 address or FQDN of the backup server.
• HTTP Port—Enter the HTTP port of the backup server (port to which traffic must be redirected). 
By default the port is 8080. Valid values are from 1 to 65535.
Step 4 In the Other area, enter the following:
• Retry Counter—Enter the value for the number of consecutive polling failures to the Cloud Web 
Security proxy server before determining the server is unreachable. Polls are performed every 30 
seconds. Valid values are from 2 to 100, and the default is 5.
• License Key—Configure the authentication key that the ASA sends to the Cloud Web Security proxy 
servers to indicate from which organization the request comes. The authentication key is a 16-byte 
hexadecimal number. See the “Authentication Keys” section on page 25-3.
• Confirm License Key—Confirm the authentication key.
Step 5 Click Apply.
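An added example (not ASA code) tying the Retry Counter in Step 4 to the behaviour described in the “Failover from Primary to Backup Proxy Server” section: a small state machine with the consecutive-failure counter, the two-consecutive-successes rule, failover to the backup, and return to the primary. The class and method names are assumptions of the example, as is the choice to apply the same two-in-a-row rule when deciding that the primary is reachable again; poll timing (30 seconds, or 15 minutes when idle) is not modelled.

```python
# Added example, not ASA code: a state machine for the proxy-server failover
# behaviour the chapter describes. Class and method names are hypothetical;
# the retry counter default (5) and the "reachable twice consecutively" rule
# come from the chapter. Applying that same rule to the return to the primary
# is an assumption of this example.
from dataclasses import dataclass, field
from typing import List


@dataclass
class ProxyMonitor:
    retry_counter: int = 5      # consecutive poll failures before failover (default 5, valid 2-100)
    active: str = "primary"     # server currently receiving redirected traffic
    polling: bool = False       # True while the ASA is polling the primary tower
    failures: int = 0           # consecutive poll failures
    successes: int = 0          # consecutive poll successes
    events: List[str] = field(default_factory=list)

    def client_unreachable(self) -> None:
        """A client could not reach the primary: the ASA starts polling it."""
        if not self.polling:
            self.polling = True
            self.failures = self.successes = 0
            self.events.append("client cannot reach primary; polling started")

    def poll_primary(self, reachable: bool) -> str:
        """Record one poll of the primary tower and return the active server."""
        if not self.polling:
            return self.active
        if reachable:
            self.successes += 1
            self.failures = 0
            if self.successes >= 2:          # reachable twice in a row: tower is up
                if self.active == "backup":
                    self.events.append("primary reachable again; returning to primary")
                self.active = "primary"
                self.polling = False
        else:
            self.failures += 1
            self.successes = 0
            if self.active == "primary" and self.failures >= self.retry_counter:
                self.active = "backup"
                self.events.append(f"primary declared unreachable after "
                                   f"{self.failures} failed polls; backup active")
                # Polling of the primary continues so the ASA can fail back.
        return self.active


def simulate(poll_results: List[bool], retry_counter: int = 5) -> List[str]:
    """Drive the monitor with a constructed sequence of poll outcomes (after a
    client has failed to reach the primary) and return the active server
    after each poll."""
    monitor = ProxyMonitor(retry_counter=retry_counter)
    monitor.client_unreachable()
    return [monitor.poll_primary(ok) for ok in poll_results]


if __name__ == "__main__":
    # Constructed outcome sequence: five failures, then the primary recovers.
    print(simulate([False] * 5 + [True, True]))
```

Two properties worth noticing when tuning Retry Counter: a single successful poll resets the failure count, so a tower that answers one poll in five never fails over, and with Fail Close selected every poll interval spent below the retry count is an interval in which web traffic is dropped rather than redirected.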
(Multiple Context Mode) Allowing Cloud Web Security Per Security Context
In multiple context mode, you must allow Cloud Web Security per context. See the “Configuring a 
Security Context” section on page 8-21 in the general operations configuration guide.
Note: You must configure a route pointing to the Scansafe towers in both the admin context and the specific 
context. This ensures that the Scansafe tower does not become unreachable in the Active/Active failover 
scenario.
    Configuring a Service Policy to Send Traffic to Cloud Web Security
    Your service policy consists of multiple service policy rules, applied globally, or applied to each 
    interface. Each service policy rule can either send traffic to Cloud Web Security (Match) or exempt 
    traffic from Cloud Web Security (Do Not Match). Create rules for traffic destined for the Internet. The 
    order of these rules is important. When the ASA decides whether to forward or exempt a packet, the ASA 
    tests the packet with each rule in the order in which the rules are listed. After a match is found, no more 
    rules are checked. For example, if you create a rule at the beginning of a policy that explicitly Matches 
    all traffic, no further statements are ever checked. You can reorder the rules as needed after you add them.
    See Chapter 1, “Configuring a Service Policy,” for more information about service policy rules.
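An added example (not Cisco's code) of the first-match evaluation described above: an ordered list of Match/Do Not Match rules keyed on source, destination and service, plus a check that flags rules that can never be reached because an earlier rule already covers them. The policy, rule names and addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
# Added example, not Cisco's code: first-match evaluation of an ordered list of
# Cloud Web Security service policy rules, as the chapter describes. The rule
# set, rule names and addresses (RFC 5737 ranges) are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Rule:
    name: str
    match: bool       # True = Match (send to Cloud Web Security), False = Do Not Match (exempt)
    src: str          # source network, as the rule's ACE would hold it
    dst: str          # destination network
    service: str      # "http" or "https"; the ASA classifies the two separately

    def applies(self, src_ip: str, dst_ip: str, service: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.service == service)


def decide(rules: Sequence[Rule], src_ip: str, dst_ip: str, service: str) -> str:
    """Test the packet against each rule in listed order; the first rule whose
    criteria apply decides, and no further rules are checked.
    Returns "redirect", "exempt", or "unmatched" (no rule applies, so the
    packet is not sent to Cloud Web Security either)."""
    for rule in rules:
        if rule.applies(src_ip, dst_ip, service):
            return "redirect" if rule.match else "exempt"
    return "unmatched"


def audit(rules: Sequence[Rule]) -> List[str]:
    """Report rules that can never match because an earlier rule with the same
    service already covers every packet they describe (its source and
    destination networks are supernets of the later rule's)."""
    shadowed: List[str] = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.service == later.service
                    and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))):
                shadowed.append(f"{later.name} is shadowed by {earlier.name}")
                break
    return shadowed


# Constructed policy: inside users on 10.1.0.0/16, an internal DMZ on 192.0.2.0/24.
# The Do Not Match rules for the DMZ sit before the catch-all Match rules, and
# HTTP and HTTPS get separate rules because the ASA treats them separately.
POLICY: List[Rule] = [
    Rule("exempt-dmz-http",  False, "10.1.0.0/16", "192.0.2.0/24", "http"),
    Rule("exempt-dmz-https", False, "10.1.0.0/16", "192.0.2.0/24", "https"),
    Rule("inside-http",      True,  "10.1.0.0/16", "0.0.0.0/0",    "http"),
    Rule("inside-https",     True,  "10.1.0.0/16", "0.0.0.0/0",    "https"),
]

# The same rules with the catch-all first: the DMZ exemptions are never reached.
MISORDERED: List[Rule] = [POLICY[2], POLICY[3], POLICY[0], POLICY[1]]

if __name__ == "__main__":
    print(decide(POLICY, "10.1.2.3", "192.0.2.10", "http"))      # exempt
    print(decide(MISORDERED, "10.1.2.3", "192.0.2.10", "http"))  # redirect
    print(audit(MISORDERED))
```

Running `audit` after reordering rules in ASDM is the quickest way to catch the failure the text warns about, where an early Match-all rule silently makes every later exemption (a DMZ server, clientless SSL VPN traffic) unreachable.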
    Prerequisites
    (Optional) If you need to use a whitelist to exempt some traffic from being sent to Cloud Web Security, 
    first create the whitelist according to the “(Optional) Configuring Whitelisted Traffic” section on 
    page 25-23 so you can refer to the whitelist in your service policy rule.
Detailed Steps
Step 1 Choose Configuration > Firewall > Service Policy Rules, and click Add > Service Policy Rule to add 
a service policy rule.
Step 2 On the Service Policy dialog box, you can configure Cloud Web Security as part of a new service policy, 
or you can edit an existing service policy. Click Next.
Step 3 On the Traffic Classification Criteria dialog box, name the traffic class (or accept the default name), keep 
the Create a new traffic class option selected, and click Source and Destination IP address (Uses 
ACL), then click Next.
When you create a new traffic class of this type, you can only specify one access control entry (ACE) 
initially. After you finish adding the rule, you can add additional ACEs by adding a new rule to the same 
interface or global policy, and then specifying Add rule to existing traffic class on the Traffic 
Classification dialog box.
The Traffic Match - Source and Destination dialog box appears.
a. Click Match or Do Not Match.
Match specifies that traffic matching the source and destination is sent to Cloud Web Security. Do 
Not Match exempts matching traffic from Cloud Web Security. You can later add additional rules 
to match or not match other traffic.
When creating your rules, consider how you can match appropriate traffic that is destined for the 
Internet, but not match traffic that is destined for other internal networks. For example, to prevent 
inside traffic from being sent to Cloud Web Security when the destination is an internal server on 
the DMZ, be sure to add a deny ACE to the ACL that exempts traffic to the DMZ. 
b. In the Source Criteria area, enter or browse for a Source IP address or network object, an optional 
IDFW Username or group, and an optional TrustSec Security Group.
c. In the Destination Criteria area, enter or browse for a Destination IP address or network object, and 
an optional TrustSec Security Group.
FQDN network objects might be useful in matching or exempting traffic to specific servers.
d. In the Service field, enter http or https, and click Next.
Note: Cloud Web Security only operates on HTTP and HTTPS traffic. Each type of traffic is 
treated separately by the ASA. Therefore, you need to create HTTP-only rules and 
HTTPS-only rules.
The Rule Actions dialog box appears.
Step 4 On the Protocol Inspection tab, check the Cloud Web Security check box.
Step 5 Click Configure to set the traffic action (fail open or fail close) and add the inspection policy map.
The inspection policy map configures essential parameters for the rule and also optionally identifies the 
whitelist. An inspection policy map is required for each class of traffic that you want to send to Cloud 
Web Security. You can also pre-configure inspection policy maps from the Configuration > Firewall > 
Objects > Inspect Maps > Cloud Web Security pane.
The Select Cloud Web Security Inspect Map dialog box appears.
a. For the Cloud Web Security Traffic Action, choose one:
– Fail Close—Drops all traffic if the Cloud Web Security servers are unavailable.
– Fail Open—Allows traffic to pass through the ASA if the Cloud Web Security servers are 
unavailable.
b. Choose an existing inspection policy map, or add one using the Add button.
c. Click Add to add a new inspection policy map.
The Add Cloud Web Security Inspect Map dialog box appears.