Guides
Secure Access Help Center

Add a Security Profile for Internet Access

A Cisco Secure Access Security profile is a set of security controls and other settings that you can use in access rules.

For information about each of the components or controls that you can configure in a Security profile for internet access, see Security Profiles for Internet Access.

Table of Contents

Prerequisites

  • Full Admin user role. For more information, see Manage Accounts.
  • In Secure Access, configure the components that you will select in a security profile for internet access.

Procedure

Note: You can add up to 100 security profiles in Secure Access for the organization.

Configure the settings on a Security profile and add the profile to the organization. After you add the Security profile, configure any related security settings and use the Security profile in an access rule. For more information, see Configure Additional Security Options.

Add a Security Profile

  1. Navigate to Secure > Security Profiles.

  2. Click Add Profile, and then select Internet Access.

  3. Follow the steps in this procedure to configure the settings on the security profile.

Enable or Disable Decryption

  1. Navigate to Decryption, and then click Edit.

  2. Choose a decryption option.
    Note: Decryption is required for most security features to work properly. For more information about decryption, see Manage Traffic Decryption.


a. Click Enable Decryption.
Encrypted traffic is intercepted, decrypted to allow inspection, then re-encrypted before being forwarded to the original destination. By default, enabling this option attempts to decrypt all encrypted traffic. To bypass decryption for some traffic, select a Do Not Decrypt list.

b. Click Enable Decryption for End-User Notification Only.
Decrypt traffic only to display end-user notification. Do not decrypt traffic for inspection.
Note: A root certificate is required in any situation in which the system must proxy and decrypt traffic intended for a website.

c. Click Disable Decryption.
Encrypted traffic is not decrypted. Access can be controlled solely based on a destination's domain name.

  1. Click Save.

Note: If you enabled decryption, choose a Do Not Decrypt list. For more information, see Add a Do Not Decrypt List for Security Profiles.

SSO Authentication

Enable or disable SSO Authentication. For information about the SSO authentication setting on the profile, see Security Profiles for Internet Access.

  1. Navigate to SSO Authentication, navigate to Single Sign-On (SSO), and then click Edit.
  1. Click SSO enabled to toggle the setting on.
    Note: If you enable this option, ensure that decryption is enabled in the same security profile and in any rule in the Access policy that uses this profile.
  1. Click Save.

Note: (Optional) Click SSO disabled to toggle the setting off.

Security and Acceptable Use Controls

Configure security and acceptable use controls in the Security Profile. Depending on your requirements, you can enable multiple kinds of scanning and blocking. For information about these settings, see Security Profiles for Internet Access.

Threat Categories

  1. For Threat Categories, click Edit.

  2. To block access to known malicious sites and potentially risky sites based on threat category, choose from the existing lists of threat categories.

  3. Click Save.

File Inspection

  1. For File inspection, click Edit.
  2. Choose the file inspection and analysis tools to use to protect traffic that matches rules that use this security profile.
    Important: If this is the first time you enable Cisco Secure Malware Analytics, Secure Access displays the option to select a sandbox region. Before you enable Cisco Secure Malware Analytics, we recommend that you review the instructions about this option. For more information, see Enable File Analysis by Cisco Secure Malware Analytics.

a. Click File Inspection is Enabled.

b. (Optional) Click Cisco Secure Malware Analytics is Enabled.

  1. Click Save.

File Type Blocking

  1. For File type blocking, click Edit.

  2. Choose the file types to block, even if the original filename extension has been altered.
    Note: You can enable categories of file type (such as executables or video) and individual file type extensions.

  3. Click Save.

SafeSearch

  1. For SafeSearch, click Edit.

  2. Enable this option to filter out offensive, explicit, unsafe, and harmful search results in Google, YouTube, Yahoo, and Bing.

  3. Click Save.

Configure End-User Notifications

Configure end-user notifications for the organization. Secure Access displays Block and Warn pages in the end-user's web browser. The display of the Block or Warn page is based on the action that you configure in each rule where the security profile is used. For more information, see Manage Notification Pages.

  1. Navigate to End-User Notifications.

  2. Navigate to Notification Pages, and then click Edit.

  3. Choose one of the options.
    Each option includes a Block notification and a Warn notification.

    a. Click System-provided Notification Pages.

    b. Click Custom Notification Pages.
    Note: For custom pages, choose the pages that you want to display.

  4. (Optional) To preview the pages that you have selected, click the Preview links.

  5. Click Save.

View Security Profiles

View the configured security profiles in Secure Access.

  1. Navigate to Secure > Security Profiles.

  2. Navigate to a security profile and expand the profile.
    A configured security profile includes these details:

    • Name of the security profile.
    • Applied To—The number access rules where the security profile is included.
    • Access—The type of the security profile.
    • Decryption—Specifies whether decryption is enabled on the profile.
    • SSO Auth—Specifies whether SSO authentication has been enabled on the profile.
    • Security and Acceptable Use—Lists the number of security controls that are enabled on the profile.
    • End-User Notifications—Lists the type of notifications that are configured on the profile.
    • Last Modified—The date when the security profile was last updated.

Configure Additional Security Options

Configure additional functionality that is required for your selected features. For example, configure:

Add a Security Profile on Internet Access Rules

Add the security profile to one or more internet access rules. For more information, see Add an Internet Access Rule and Default Settings for Internet Access Rules.

Edit a Security Profile

After you add a security profile in Secure Access, you can modify it.

  1. Navigate to Secure > Security Profiles.
  2. Expand a security profile, and then click Edit.
  3. Choose any of the security controls and settings to modify.
    For more information, see:

Delete a Security Profile

After you add a security profile in Secure Access, you can remove it.

  1. Navigate to Secure > Security Profiles.

  2. Expand a security profile, and then click Delete.

  3. Confirm the removal of the security profile.

    a. Click Delete to confirm the removal of the security profile.

    b. If the security profile is in use on an access rule, you can not remove the profile.
    First remove the security profile from the access rules where it is included, and the try to remove the security profile again.

Security Profiles for Internet Access < Add a Security Profile for Internet Access > Enable SafeSearch

Updated 3 days ago