Add a Security Profile for Internet Access

A security profile is a set of security controls and other settings that you can use in access rules. To add a security profile, navigate to Secure > Security Profiles. For more information about each of the features you will configure in a security profile for internet access, see Security Profiles for Internet Access.


Prerequisites

Procedure

  1. Navigate to Secure > Security Profiles.

  2. Click Add Profile > Internet Access.

  3. Choose Decryption settings, including a Do Not Decrypt list.
    Decryption is required for most security features to work properly.
    For more information about decryption, see Manage Traffic Decryption.
    For guidance on which option to choose in this section, see Security Profiles for Internet Access.

    1. Next to the Decryption setting, click Edit to modify the setting.
      (Figure: Decryption options in security profile)
    2. Choose a decryption option.
      1. Enable Decryption – Encrypted traffic is intercepted, decrypted to allow inspection, then re-encrypted before being forwarded to the original destination. By default, enabling this option attempts to decrypt all encrypted traffic. To bypass decryption for some traffic, select a "Do Not Decrypt" list.
      2. Enable Decryption for End-User Notification Only – Decrypt traffic only to display end-user notification. Do not decrypt traffic for inspection.
        Note: A root certificate is required in any situation in which the system must proxy and decrypt traffic intended for a website.
      3. Disable Decryption – Encrypted traffic is not decrypted. Access can be controlled solely based on a destination's domain name.
    3. If you enabled decryption, choose a Do Not Decrypt list. For more information.
  4. Enable or disable SAML Authentication.

    1. Next to the SAML Authentication setting, click Edit to modify the setting.
      For guidance on which option to choose, see Security Profiles for Internet Access.

      (Figure: SAML Authentication setting in Security Profile)

    2. Enable or disable the setting.

    3. If you enable this option, be sure that decryption is enabled in the same security profile and in any rule that uses this profile.

  5. Configure Security and Acceptable Use Controls.
    Multiple kinds of scanning and blocking can be enabled depending on your requirements.
    For links to more details about each, see Security Profiles for Internet Access.
    Available controls are Threat Categories, File inspection, File type blocking, and SafeSearch.

    1. Click Edit beside each setting to choose options.
    2. Choose options:
      1. For Threat Categories:
        Choose from existing lists of threat categories, to block access to known malicious sites and potentially risky sites, based on threat category.
      2. For File inspection:
        Choose the file inspection and analysis tool(s) to use to protect traffic that matches rules that use this security profile.
        Important! If this is the first time you enable Secure Malware Analytics, you will see the option to select a sandbox region. Carefully read the instructions in Enable File Analysis by Cisco Secure Malware Analytics before saving changes.
        (Figure: File inspection - first time, before choosing Sandbox region)
      3. For File type blocking:
        Choose file types to block, even if the original filename extension has been altered.
        You can enable categories of file type (such as executables or video) and individual file type extensions.
      4. For SafeSearch:
        Enable this option to filter out offensive, explicit, unsafe, and harmful search results in Google, YouTube, Yahoo, and Bing.
  6. Configure End-User Notifications
    Block and Warn pages will be displayed in the end-user’s web browser, based on the action configured in each rule in which the security profile is used.
    For details, see Manage Notification Pages.

    1. Next to the Notification Pages setting, click Edit.
      (Figure: Security profile - choose notification pages)
    2. Choose one of the two options.
      Each option includes a Block notification and a Warn notification.
      1. System-provided Notification Pages.
      2. Custom Notification Pages.
    3. If you chose custom pages, choose the pages you want to display.
    4. To preview the pages you have selected, click the Preview links.
    5. Click Save.

Next steps

Configure functionality elsewhere in the product that is needed for your selected features to work. For example:

  • Traffic decryption
    Decryption requires certificates. See Certificates for Internet Decryption.
  • SAML user authentication
    If you will enable this option in a security profile, ensure that SAML authentication is configured for your Secure Access deployment, and enable SAML for the Cisco Secure Client roaming security module.
    See Configure Integrations with SAML Identity Providers.
  • Notification pages
    To display notification pages, you must install a Secure Access root CA certificate on all end-user devices. This may not be the same certificate you use for decrypting internet traffic.
    See Certificates for Internet Decryption.
  • Add the security profile to one or more internet access rules.
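Once the profile is attached to rules, a quick way to confirm that decryption is actually in effect where the profile says it should be (and only there) is to compare the issuer of the certificate a client sees against the decryption CA. The following is an added example, not Cisco's code; the CA common name, the Do Not Decrypt domains and the profile mode are constructed placeholders.

```python
"""Compare observed TLS issuers with the decryption settings of an
internet-access security profile (Enable / End-User Notification Only /
Disable) and its Do Not Decrypt list. Added example, not Cisco's code."""
import socket
import ssl

# Constructed sample profile. Replace with your deployment's values.
DECRYPTION_CA_CN = "Example Corp Secure Access Root CA"   # placeholder CA name
DO_NOT_DECRYPT = {"bank.example", "health.example"}       # constructed list
PROFILE_MODE = "enable"   # "enable" | "eun_only" | "disable"


def in_do_not_decrypt(host, dnd):
    """True if host equals, or is a subdomain of, a listed domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in dnd)


def expected_decrypted(host, mode, dnd):
    """Should the profile intercept this host's TLS for allowed traffic?
    'eun_only' decrypts only to show a notification page, so allowed
    traffic is not decrypted; 'disable' never decrypts."""
    if mode in ("disable", "eun_only"):
        return False
    return not in_do_not_decrypt(host, dnd)


def check(host, issuer_cn, mode=PROFILE_MODE, dnd=DO_NOT_DECRYPT,
          ca_cn=DECRYPTION_CA_CN):
    """'ok' when observation matches policy; 'not-inspected' when the
    profile expects decryption but a public CA issued the cert (threat and
    file controls are not seeing this traffic); 'unexpected-decrypt' when a
    bypassed host was intercepted anyway."""
    exp = expected_decrypted(host, mode, dnd)
    obs = issuer_cn == ca_cn
    if exp == obs:
        return "ok"
    return "not-inspected" if exp else "unexpected-decrypt"


def issuer_cn_of(host, port=443, timeout=5):
    """Live helper (needs network): issuer CN of the leaf cert the client
    sees. The default context uses the OS trust store, so the decryption
    root CA must be installed on the device for validation to succeed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return issuer.get("commonName", "")
```

Run `check(host, issuer_cn_of(host))` from a device that has the profile applied; a `not-inspected` result on a host outside the Do Not Decrypt list means the rule's inspection features are silently bypassed.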
