I'm having difficulties setting up somewhat complex web access policies, and just wanted to see if I'm missing anything.
I'm converting from a NetCache web proxy. It allowed me to write specific text based ACLs, that were processed in order.
For example:
allow user bill url www.whatever.com
allow user steve category gambling
But now with IronPort web access categories, it appears to not be that simple. Since I have to write a Web Access Policy for each user, I must also apply the entire set of categories to that policy.
So let's say policy #1 is designed to allow some users to banking sites. Policy #2 is designed to allow some users to news sites. And then lastly I have my global policy which defines our categories for everyone.
Policy #1 would Allow banking, and the rest would be set to "use global". Policy #2 would allow news, and the rest would be set to "use global".
If a user is in the group for both policy #1 and policy #2, they would be blocked from news sites. Since they matched policy #1, and it said to use global (which blocked news), they would be blocked. They would never get a chance to match policy #2, which would have allowed them to news sites.
I'm guessing I can solve this using a combination of usernames and "Members Accessing URL Categories" in the policy definition. So I'm about to test that now.
But overall I just wanted to add some feedback that this web access policy seems a bit cumbersome for complex policies. Before if I wanted to allow a single user access to a single site (with a NetCache) it was a one line text statement. Now it appears that it would require a rather complex "web access policy".
I believe that we have achieved what you are referring to on our S650 with the existing policy sets. Our web access policies read something along the lines of "Allow downloads", "Allow web based email", "Allow Custom Facebook", with each of these policies having their categories set accordingly.
Each policy is tied to an AD group. If I place a user in two groups, such as "Allow Downloads" and "Allow Web Based Email", they can get to both categories. Is this what you are trying to achieve?
The doco states that the policy list processes like an ACL and "jumps out" at the first match. However, if you find the flow chart for policy matching I think you'll find that it actually matches on "site trying to access" first, rather than "is this user in this policy". This confused me for some time too ...
If this is what you're looking to set up, I can elaborate on how we've done it if you like?
I am curious if this setup really works. I can't seem to get my head around it. If I follow this... there are 2 policies set up, one for Webmail and one for Facebook, both with AD groups. So if user A is in the Webmail AD group, that rule would be satisfied and they would have access to webmail. So far so good... but what if user A is in the AD Webmail AND Facebook group? When user A went to Facebook, wouldn't the first policy be true and deny access?
Don't forget that the first thing the WSA matches on are the Identities. The request is assigned the first Identity that it matches. Then the Access Policies are evaluated, and the first Access Policy that has that Identity and configured user or user group is the policy defined. So the order of your policies matters. If you have multiple policies (either Identities or Access Policies) that apply to a particular user, only the topmost one will ever match.
As for the flow charts, make sure to pay attention to which flow chart you're looking at. For each policy type, there is one for policy membership, and then another for control settings (what we do to the request). Membership is always determined first, and then, once a policy is matched, the appropriate control settings are applied.
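The first-match behaviour described in this thread (membership decided first, only the topmost matching policy's control settings applied, "use global" falling through to the global policy) is easy to get wrong when reading the flow charts, so here is a small simulation of it. This is an added example, not WSA code and not from any participant in the thread; the policy names, AD group names and category names are constructed, and the `member_categories` attribute is an assumed simplification of the "Members Accessing URL Categories" option mentioned by the original poster. It reproduces the problem from the first post (a user in both groups is blocked from news) and then shows that scoping each policy's membership by URL category lets the request fall through to the policy that actually allows it.

```python
"""Simulate first-match web access policy evaluation.

Constructed model of the behaviour described in the thread, not vendor code:
the request is assigned to the first policy whose membership criteria fit,
and only that policy's control settings apply; a category set to
"use_global" inherits the global policy's action.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

USE_GLOBAL = "use_global"


@dataclass
class Policy:
    name: str
    groups: FrozenSet[str]                       # member AD groups (empty = everyone)
    actions: Dict[str, str] = field(default_factory=dict)  # category -> allow/block/use_global
    # Assumed simplification of "Members Accessing URL Categories": when set,
    # the request is a member of this policy only for these categories.
    member_categories: Optional[FrozenSet[str]] = None

    def is_member(self, user_groups: FrozenSet[str], category: str) -> bool:
        if self.groups and not (self.groups & user_groups):
            return False
        if self.member_categories is not None and category not in self.member_categories:
            return False
        return True


def evaluate(policies, global_policy: Policy, user_groups: FrozenSet[str],
             category: str) -> Tuple[str, str]:
    """Return (matched policy name, action). Membership first, first match wins."""
    for p in policies:
        if p.is_member(user_groups, category):
            action = p.actions.get(category, USE_GLOBAL)
            if action == USE_GLOBAL:
                # Control settings say "use global": inherit the global action.
                action = global_policy.actions.get(category, "block")
            return p.name, action
    return global_policy.name, global_policy.actions.get(category, "block")


# Constructed global policy: everything blocked unless a policy above allows it.
GLOBAL = Policy("global", frozenset(), {"banking": "block", "news": "block", "gambling": "block"})

# The original poster's setup: one category allowed, the rest "use global".
NAIVE = [
    Policy("policy1_banking", frozenset({"banking-users"}), {"banking": "allow"}),
    Policy("policy2_news", frozenset({"news-users"}), {"news": "allow"}),
]

# Same policies, with membership additionally restricted to the category each one grants.
SCOPED = [
    Policy("policy1_banking", frozenset({"banking-users"}), {"banking": "allow"},
           member_categories=frozenset({"banking"})),
    Policy("policy2_news", frozenset({"news-users"}), {"news": "allow"},
           member_categories=frozenset({"news"})),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate a user who is in both groups against both policy sets."""
    both = frozenset({"banking-users", "news-users"})
    return {
        "naive_news": evaluate(NAIVE, GLOBAL, both, "news"),          # blocked by policy #1's "use global"
        "scoped_news": evaluate(SCOPED, GLOBAL, both, "news"),        # falls through to policy #2
        "scoped_banking": evaluate(SCOPED, GLOBAL, both, "banking"),  # policy #1 allows
        "scoped_gambling": evaluate(SCOPED, GLOBAL, both, "gambling"),  # no policy member, global blocks
    }


if __name__ == "__main__":
    for case, (policy, action) in demo().items():
        print(f"{case:16s} -> {policy:16s} {action}")
```

The point of the model is the ordering: `evaluate` never looks at a second policy once membership has matched, so any category a higher policy leaves as "use global" is decided by the global policy for every member of that higher policy. Restricting membership by category (or ordering the most specific policies first) is what changes the outcome, not the control settings.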