cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1400
Views
10
Helpful
2
Replies

Relationship between Identification Profile, Decryption Policy and Access Policy

guty_1806
Level 1
Level 1

Hello:
I am configuring the policies of access to users in my company and I would like to request your help to better understand what is the relationship between Identification Profile, Decryption Policy and Access Policy in a Cisco WSA 390.

In advance thank you very much for the help.

2 Replies 2

Handy Putra
Cisco Employee
Cisco Employee

Hi,

 

Would recommend to review the WSA user guide on this to get more details understanding on how the correlate to each other.

 

In brief, When traffic comes in to WSA to be processed, the traffic will go to Identity first for WSA to identify from where the traffic from, whether authentication needed for that traffic, etc.

The Identity will work from top to bottom to match its condition (same work with access policy and decryption policy).

When the condition match an Identity, it then identify if the request is HTTP or HTTPS.

If it is HTTP, it will then goes to Access Policy to apply the policy based on the Identity use on the access policy.

If it is HTTPS, it will then goes to Decryption Policy. This is providing if HTTPS proxy is enable from the GUI -> Security Services -> HTTPS Proxy. If HTTPS proxy is not enabled, WSA still can process port 443 traffic however WSA will only CONNECT tunnelling the traffic and this will be processed in Access Policy if port 443 is listed in the Protocols and User Agents -> HTTP CONNECT Ports of that access policy.

 

I have attached some interactive PDF guide that might help you in setting up those policies.

Hope this helps

 

Regards

Handy Putra

 

 

Handy Putra
Cisco Employee
Cisco Employee

Also interactive PDF guide for setting up Identities

 

Regards

Handy Putra

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: