Add a Web Profile

A Web profile is a set of security controls and other settings that you can use in internet access rules. To add a Web profile, navigate to Secure > Profiles > Web Profiles.


For more information

For detailed information about each of the features you will configure in a web profile, see Manage Web Profiles.

Table of Contents



  1. Navigate to Secure > Profiles > Web Profiles.

  2. Choose Decryption settings, including a Do Not Decrypt list.
    Decryption is required for most web security features to work properly.
    For more information about decryption, see Manage Traffic Decryption.
    For guidance on which option to choose in this section, see Manage Web Profiles.

    1. Next to the Decryption setting, click Edit to modify the setting.
      Decryption options in web profile
    2. Choose a decryption option.
      1. Enable Decryption - Encrypted traffic is intercepted, decrypted to allow inspection, then re-encrypted before being forwarded to the original destination. By default, enabling this option attempts to decrypt all encrypted traffic. To bypass decryption for some traffic, select a "Do Not Decrypt" list.
      2. Enable Decryption for End-User Notification Only - Decrypt traffic only to display end-user notification. Do not decrypt traffic for inspection.
        Note: A root certificate is required in any situation in which the system must proxy and decrypt traffic intended for a website.
      3. Disable Decryption - Encrypted traffic is not decrypted. Access can be controlled solely based on a destination's domain name.
    3. If you enabled decryption, choose a Do Not Decrypt list. For more information.
  3. Enable or disable SAML Authentication.

    1. Next to the SAML Authentication setting, click Edit to modify the setting.
      For guidance on which option to choose, see Manage Web Profiles.

    2. Enable or disable the setting.

    3. If you enable this option, be sure that decryption is enabled in the same web profile.

  4. Configure Security and Acceptable Use Controls.
    Multiple kinds of scanning and blocking can be enabled depending on your requirements.
    For links to more details about each, see Manage Web Profiles.
    Available controls are:

    1. Click Edit beside each setting to choose options.
    2. Choose options:
      1. For Threat Categories:
        Choose from existing lists of threat categories, to block access to known malicious sites and potentially risky sites, based on threat category.
      2. For File inspection:
        Choose the file inspection and analysis tool(s) to use to protect traffic that matches rules that use this web profile.
        Important! If this is the first time you enable Secure Malware Analytics, you will see the option to select a sandbox region. Carefully read the instructions in Enable File Analysis by Cisco Secure Malware Analytics before saving changes.
        File inspection - first time, before choosing Sandbox region
      3. For File type blocking:
        Choose file types to block, even if the original filename extension has been altered.
        You can enable categories of file type (such as executables or video) and individual file type extensions.
      4. For SafeSearch:
        Enable this option to filter out offensive, explicit, unsafe, and harmful search results in Google, YouTube, Yahoo, and Bing.
  1. Configure End-User Notifications
    Block and Warn pages will be displayed in the end-user’s web browser, based on the action configured in each rule in which the web profile is used.
    For details, see Manage Notification Pages.
    1. Next to the Notification Pages setting, click Edit.
      Web profile - choose notification pages
    2. Choose one of the two options.
      Each option includes a Block notification and a Warn notification.
      1. System-provided Notification Pages.
      2. Custom Notification Pages.
    3. If you chose custom pages, choose the pages you want to display.
    4. To preview the pages you have selected, click the Preview links.
    5. Click Save.

Next steps

Configure functionality elsewhere in the product that is needed for your selected features to work. For example:

  • Traffic decryption
    Decryption requires certificates. See Certificates for Internet Decryption.
  • SAML user authentication:
    If you will enable this option in a web profile, ensure that SAML authentication is configured for your Secure Access deployment, and enable SAML for the Cisco Secure Client roaming security module.
    See Configure Integrations with SAML Identity Providers.
  • Notification pages
    To display notification pages, you must install a Secure Access root CA certificate on all end-user devices. This may not be the same certificate you use for decrypting internet traffic.
    See Certificates for Internet Decryption.
  • Add the web profile to one or more internet access rules.

Manage Web Profiles < Add a Web Profile > Enable SafeSearch