
Cisco WSA Access Policy and Decryption Policy clarification

Hello,

We have a customer who has an access policy configured to block the "online meetings" category and a decryption policy action configured as "monitor" for the "online meetings" category. I noticed that Zoom is blocked for the customer as expected but Webex is allowed for the customer. When I checked the log, it showed that the Zoom traffic is matching the access policy but the Webex traffic is matching the decryption policy. Could anyone explain the following to me?

 

1. What is the relationship between the access policy and the decryption policy? My understanding is that the decryption policy will decrypt the traffic and the resulting HTTP traffic will be inspected by the access policy. Correct me if I am wrong.

2. In the logs for Webex, why am I only seeing the decryption policy match and not the access policy match?

Thanks

Shabeeb


Konstantinos9
Cisco Employee

Hello Shabeeb,

 

When traffic is going through the WSA, both the decryption and the access policies will be evaluated. Encrypted traffic will always go through the decryption policies first, and based on the action selected for a specific category or URL list, the traffic might:

pass-through (which means allow without decryption),

decrypt (which will decrypt the traffic and later go through the access policies),

monitor (which means continue evaluating based on the rest of the decryption policy settings or the default action, and can be any of pass-through/decrypt/drop), and

drop (which blocks the traffic without any further inspection).

 

So basically, when domains go through both the decryption and the allow policies, it means that at decryption the action selected was "Decrypt" (it might have been explicitly selected or matched the default action). Traffic that is set to pass-through or drop will never go through the access policies. This could be the reason why you see Webex only matching decryption policies while Zoom appears on access policies. Logs will also show you the action taken for a specific request based on the matched decryption or access policy.

Hope this helps.
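
A simplified model of the evaluation order described in the reply above, added here as an example (it is not Cisco code and not part of the original thread). The policy contents, category names and hostnames are constructed, and the custom pass-through list is an assumed scenario showing how one host can stop at the decryption policy while another reaches the access policy.

```python
# Simplified model of the two-stage evaluation described in the reply.
# All policy contents, category names and hostnames are constructed.
FINAL_ACTIONS = {"pass-through", "decrypt", "drop"}

def decryption_stage(categories, policy):
    """Return (action, matched setting). "monitor" is not final:
    evaluation continues and ends at the policy's default action."""
    for cat in categories:
        action = policy["categories"].get(cat, "monitor")
        if action in FINAL_ACTIONS:
            return action, cat
    return policy["default"], "default action"

def access_stage(categories, policy):
    """Return (action, matched setting) for traffic that was decrypted."""
    for cat in categories:
        if policy["categories"].get(cat) == "block":
            return "block", cat
    return policy["default"], "default action"

def evaluate(categories, decryption_policy, access_policy):
    """List every policy stage an HTTPS request reaches, in order."""
    action, matched = decryption_stage(categories, decryption_policy)
    trace = [("decryption", action, matched)]
    if action == "decrypt":  # only decrypted traffic reaches access policies
        trace.append(("access", *access_stage(categories, access_policy)))
    return trace

DECRYPTION_POLICY = {
    "categories": {"online meetings": "monitor",
                   "custom-passthrough-list": "pass-through"},
    "default": "decrypt",
}
ACCESS_POLICY = {"categories": {"online meetings": "block"}, "default": "allow"}

REQUESTS = {  # host -> categories it matches (constructed)
    "meet-a.example": ["online meetings"],
    "meet-b.example": ["custom-passthrough-list", "online meetings"],
}

def run():
    return {h: evaluate(c, DECRYPTION_POLICY, ACCESS_POLICY)
            for h, c in REQUESTS.items()}

if __name__ == "__main__":
    for host, trace in run().items():
        print(host, trace)
```

In this model the first host is monitored, falls to the default "decrypt" action and is then blocked by the access policy, while the second host ends at the decryption stage and never produces an access policy match.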