
Cisco WSA Web Access Policy

Mandeep singh5
Level 1

Hello guys,

I have one confusion on which I need your thoughts. Kindly advise me on this.

The scenario is that I have created one identification profile for user 10.0.250.70 for which I'm allowing a few predefined and custom categories.

On the other hand, I've created a different identification profile in which I need to add 3 users including the above one (10.0.250.70) for just a single custom category, i.e. Twitter.

Now, to apply the best practice, on the second identification profile I just added 2 users' IP addresses and didn't add 10.0.250.70, so that while creating the web access policy I can simply add these 2 identification profiles.

Now, while creating this web access policy, when I add these 2 identification profiles, in the action I can see all the predefined and custom categories which I've selected for the 1st & 2nd identification profiles.

So my doubt is whether the users of the 2nd identification profile can only access Twitter, or also all the other websites which are defined for the 1st identification profile (10.0.250.70).

Please help me with this. I know this might be confusing for some of you.

@WSA @amojarra @fw_mon 


Accepted Solutions

amojarra
Cisco Employee

Hi @Mandeep singh5 

Thanks for reaching out,

Please correct me if I am wrong; I will rewrite your scenario:

[1] IdProfile1 has IP 1.1.1.1

[2] IdProfile2 has IPs 2.2.2.2 and 3.3.3.3

[3] CustomCAT1 is the list of allowed URLs for IdProfile1

[4] CustomCAT2 is the list of allowed URLs for IdProfile2, and IdProfile1 should have access as well

[5] In the Global policy, access to CustomCAT1 and 2 is blocked

=============================

Here is my suggestion for the configuration:

[A] Decryption Policy DP1: just add IdProfile1, and add both CustomCAT1 and CustomCAT2

[B] Submit, and under URL filtering set them to Pass Through

[C] Decryption Policy DP2: just add IdProfile2, and add CustomCAT2

[D] Submit, and under URL filtering set CustomCAT2 to Pass Through

========

Result

When User1 wants to access CustomCAT1, the request will hit IdProfile1 and the URL will hit CustomCAT1; then the request will hit DP1 and will be passed through.

When User1 wants to access CustomCAT2, the request will hit IdProfile1 and the URL will hit CustomCAT2; then the request will hit DP1 and will be passed through.

When User2 wants to access CustomCAT2, the request will hit IdProfile2 and the URL will hit CustomCAT2; then the request will hit DP2 and will be passed through.

Please feel free to let me know if there are any questions or concerns.

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++
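
A simplified model of the matching walked through in the answer above, added here as an example; it is not code from the thread and not WSA's own evaluation logic. It contrasts the per-profile policies of steps [A]-[D] with a single policy holding both identification profiles, which is the setup the question asks about. The hostnames, the `DP-merged` policy name and the top-down first-match fall-through to the global policy are assumptions of the model.

```python
import ipaddress

# Constructed sample data mirroring the answer's scenario (not an exported WSA config).
ID_PROFILES = {                      # identification profile -> member client IPs
    "IdProfile1": ["1.1.1.1"],
    "IdProfile2": ["2.2.2.2", "3.3.3.3"],
}
CATEGORIES = {                       # custom URL category -> hostnames (hypothetical)
    "CustomCAT1": ["intranet.example.com"],
    "CustomCAT2": ["twitter.com"],
}
GLOBAL_ACTION = "Block"              # item [5]: the global policy blocks both categories

SPLIT = [                            # steps [A]-[D]: one policy per identification profile
    {"name": "DP1", "profiles": {"IdProfile1"},
     "actions": {"CustomCAT1": "Pass Through", "CustomCAT2": "Pass Through"}},
    {"name": "DP2", "profiles": {"IdProfile2"},
     "actions": {"CustomCAT2": "Pass Through"}},
]
MERGED = [                           # the question's setup: both profiles in one policy
    {"name": "DP-merged", "profiles": {"IdProfile1", "IdProfile2"},
     "actions": {"CustomCAT1": "Pass Through", "CustomCAT2": "Pass Through"}},
]

def identify(client_ip):
    """Return the first identification profile that lists this client IP, or None."""
    ip = ipaddress.ip_address(client_ip)
    for name, members in ID_PROFILES.items():
        if any(ip == ipaddress.ip_address(m) for m in members):
            return name
    return None

def categorize(host):
    """Return the custom category covering this host or one of its parent domains."""
    host = host.lower()
    for name, hosts in CATEGORIES.items():
        if any(host == h or host.endswith("." + h) for h in hosts):
            return name
    return None

def evaluate(policies, client_ip, host):
    """Top-down first match on profile and category; otherwise the global policy."""
    profile, category = identify(client_ip), categorize(host)
    for p in policies:
        if profile in p["profiles"] and category in p["actions"]:
            return p["name"], p["actions"][category]
    return "Global", GLOBAL_ACTION
```

In this model, `evaluate(SPLIT, "3.3.3.3", "intranet.example.com")` falls through to the global block, while the same request against `MERGED` is passed through, because a policy's category actions apply to every identification profile that is a member of it.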

 


Hi @amojarra 

I understood your point and I'll apply this during the configuration.

But apart from it, I would like to know in what scenarios we will add multiple identification profiles in a web access policy.

If you can explain this with an example just like you explained above, then it will be really helpful.

@Mandeep singh5, thanks for reaching out to us.

You use multiple identification profiles when they are targeting the same URL category(s).

And about ... in a web access policy:

We use an Access policy for HTTP traffic or decrypted HTTPS traffic.

Let's say you just want to allow a single video from YouTube:

[1] You decrypt all YouTube traffic (to be able to see the whole URI, in a transparent proxy deployment)

[2] Then you allow that single URI in the access policy (for sure you need to create a custom URL category for that specific URI(s))

Feel free to let me know if there are any questions.

 

Regards,

Amirhossein Mojarrad
