Cisco WSA - Block all policy
08-02-2021 06:46 AM
Hi,
Is it possible to create a WSA policy / profile to block all the web requests?
The scenario is that I have already created a profile / policy to give access only to specific websites from a specific management server. WSA should block all the other requests from the management server.
But the thing is there is already a policy below which covers the whole customer network without any subnets and the authentication is based on Kerberos. I could add all the subnets and IP addresses into the policy and exempt the management server IP address. But the network is too huge for that and we can easily make mistakes.
Is there another way to create a new policy which blocks all the requests?
Thank you all.
Labels: Web Security
08-02-2021 07:11 AM
1. Under Web Security Manager/Identity Profiles create an identification profile, set it to Insert above your first one, exempt it from identification, and define the members by subnet, by setting the IP as a /32. (ex. 10.10.10.15/32)
2. Under Web Security Manager/Custom and External URL categories, create a category and add the web sites you want this box to have access to.
3. Under Web Security Manager/Access Policy create a new policy, set it to insert above the other policies you may have, and select the Identification Profile you created in step 1.
4. Set the URL Filtering in the new access policy to block all of the categories, including uncategorized ones, except the one you created in step 2. Set that one to monitor.
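
The ordering in steps 1 and 3 and the "block everything, including uncategorized" rule in step 4 can be checked with a small model of top-down, first-match evaluation. This is an added example, not part of the reply above and not Cisco code; the profile and policy names, the 0.0.0.0/0 catch-all and the hostnames are assumptions made for illustration.

```python
import ipaddress

# Simplified model of top-down, first-match evaluation; not Cisco code.
# Names, addresses and hostnames are constructed for illustration.
ALLOWED = "Mgmt-Allowed-Sites"                      # custom category (step 2)
CUSTOM = {ALLOWED: ["updates.example.com"]}
PREDEFINED = {"news.example.net": "News"}           # stand-in for vendor categories

MGMT = {"name": "Mgmt-Server", "subnets": ["10.10.10.15/32"]}     # step 1
EVERYONE = {"name": "All-Users-Kerberos", "subnets": ["0.0.0.0/0"]}
POLICIES = [                                        # evaluated top-down
    {"name": "Mgmt-Restricted", "profile": "Mgmt-Server",         # steps 3-4
     "url_filtering": {ALLOWED: "monitor"}, "default": "block"},
    {"name": "Customer-Access", "profile": "All-Users-Kerberos",
     "url_filtering": {}, "default": "monitor"},
]

def categorize(host):
    """Custom categories first, then predefined, else Uncategorized."""
    for name, sites in CUSTOM.items():
        if any(host == s or host.endswith("." + s) for s in sites):
            return name
    return PREDEFINED.get(host, "Uncategorized")

def match_profile(client_ip, profiles):
    """First identification profile in list order whose subnets contain the client."""
    ip = ipaddress.ip_address(client_ip)
    for profile in profiles:
        if any(ip in ipaddress.ip_network(net) for net in profile["subnets"]):
            return profile["name"]
    return None

def decide(client_ip, host, profiles, policies=POLICIES):
    """Return (policy name, action) for one request."""
    profile = match_profile(client_ip, profiles)
    category = categorize(host)
    for policy in policies:
        if policy["profile"] == profile:
            return policy["name"], policy["url_filtering"].get(category, policy["default"])
    raise LookupError("no access policy matched")

if __name__ == "__main__":
    for order in ([MGMT, EVERYONE], [EVERYONE, MGMT]):   # correct, then misordered
        print([p["name"] for p in order])
        for ip, host in [("10.10.10.15", "updates.example.com"),
                         ("10.10.10.15", "news.example.net"),
                         ("10.10.10.15", "unknown.example.org"),
                         ("10.10.10.16", "news.example.net")]:
            print("  ", ip, host, decide(ip, host, order))
```

In the model, listing the /32 profile below the catch-all sends the management server's requests to the customer policy, and leaving uncategorized sites out of the block list would let unknown hosts through.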
08-02-2021 07:32 AM - edited 08-02-2021 07:32 AM
I have created something similar to what you have proposed. It didn't block any other websites though. Maybe I have made a mistake while configuring this. I will give it a try and let you know. Thank you so far.
