Cisco WSA Policies

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:

Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware

This is the 4th part of the series.

Creating policies is one of the major (and most fun) parts of the WSA. In this blog I’ll cover the configuration of access policies and identities.

Click Web Security Manager > Access Policies

access policy default

Only one policy can be applied to a transaction. Policies are evaluated top-down and the first match wins. If no policy matches, the Global Policy will be used.

First, you have to create an identity. An identity doesn’t identify a user, but it identifies a client or transaction that may require authentication. Identity membership is determined before authentication is done. Policy group membership is determined after authentication is performed.

Click Web Security Manager > Identities > Add Identity and create the identity, based on IP addresses, IP ranges or IP subnets. Possible identities are:

  • Kiosk users
  • Update agents
  • Company users

add identity

Now, go back to Web Security Manager > Access Policies and create a new policy:

add policy

Click on Advanced for filtering, like filtering on category:

Policy advanced 1

Policy categories

If you don’t choose any criteria, the criteria of the Global Policy are used (inherited).
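The first-match evaluation and the Global Policy inheritance described in this post, as an added Python model (not Cisco code and not part of the original post). It assumes each access policy is bound to one identity and matches on client IP only; the subnets, policy names and setting values are constructed for illustration.

```python
import ipaddress

# Constructed sample data: identity names come from the post, the subnets
# and setting values are made up for illustration.
IDENTITIES = {
    "Kiosk users":   ["10.10.50.0/24"],
    "Update agents": ["10.10.60.10/32", "10.10.60.11/32"],
    "Company users": ["10.10.0.0/16"],
}

GLOBAL_POLICY = {"url_categories": "monitor all", "applications": "monitor all"}

# Ordered top-down, as on the Access Policies page.
# None = nothing configured, so the Global Policy value is inherited.
ACCESS_POLICIES = [
    {"name": "Kiosk", "identity": "Kiosk users",
     "settings": {"url_categories": "block social", "applications": None}},
    {"name": "Staff", "identity": "Company users",
     "settings": {"url_categories": None, "applications": "block p2p"}},
    {"name": "Updaters", "identity": "Update agents",
     "settings": {"url_categories": "allow vendor only", "applications": None}},
]

def _nets(identity):
    return [ipaddress.ip_network(n) for n in IDENTITIES[identity]]

def resolve(client_ip):
    """Return (policy name, effective settings); the first matching policy wins."""
    ip = ipaddress.ip_address(client_ip)
    for policy in ACCESS_POLICIES:
        if any(ip in net for net in _nets(policy["identity"])):
            effective = {k: (v if v is not None else GLOBAL_POLICY[k])
                         for k, v in policy["settings"].items()}
            return policy["name"], effective
    return "Global Policy", dict(GLOBAL_POLICY)

def shadowed_policies():
    """Policies whose every network lies inside a network of an earlier policy."""
    shadowed = []
    for i, policy in enumerate(ACCESS_POLICIES):
        earlier = [n for p in ACCESS_POLICIES[:i] for n in _nets(p["identity"])]
        nets = _nets(policy["identity"])
        if all(any(net.subnet_of(e) for e in earlier) for net in nets):
            shadowed.append(policy["name"])
    return shadowed
```

With this ordering the Updaters policy is reported as shadowed: the update agents sit inside the Company users subnet, so the Staff policy above it always matches first. Moving the narrower policy above the broader one fixes it.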