Components for Internet Access Rules
You will create access rules by assembling components that you or others have previously created.
Components described in this topic are reusable; you can use the same component (such as a source) in multiple rules, speeding and simplifying policy creation.
For example, you can define a set of users as a source, then use the same source in an internet access rule and in a private access rule for the same set of users.
Some components are "profiles", or sets of settings bundled together that you choose as a unit when configuring a rule.
Note: Most components for internet access rules are different from components needed for private access rules.
Table of Contents
Sources
You will configure access policies for specific source-destination pairs. Sources are the users, groups of users, or other entities that comprise the "From" end of traffic that an access policy applies to.
The following reusable sources (source objects) can be used in internet access rules:
- Users
- User Groups
- Network Tunnel Groups
You can apply rules to traffic originating from IP addresses in network segments defined by Network Tunnel Groups. - Registered Networks
You can apply rules to traffic originating from IP addresses in network segments defined by Registered Networks. - Internal Networks
You can apply rules to traffic originating from IP addresses in network segments defined by Internal Networks. - Roaming Devices
You can apply rules to traffic originating from managed devices that have the Cisco Secure Client installed, but that may not currently be on the corporate network.
In a rule, you can also specify sources by typing in IP addresses and subnets, but these are NOT reusable source components. If you do this, you can type in port and protocol in the rule's destination.
See also About Configuring Sources in Internet Access Rules.
Destinations
You will configure access policies for specific source-destination pairs. Destinations are the web applications, web sites in particular categories, or other internet destinations that comprise the "To" end of traffic that an internet access policy applies to.
Reusable destinations (destination objects) in internet access rules:
- Destination Lists
List groups of domains, URLs, IP addresses, and CIDR blocks to which you want to apply the same policy.
You can create custom lists of destinations based on any criteria you choose. - Content Category Lists
Create lists of web sites based on the content or type of the site, so you can control access to a variety of sites as a group. For example, you might create a content category list that includes all sites belonging to the Adult, Child abuse, and Pornography categories. - Application Lists
Create lists of web-based applications to which you want to apply the same policy. For example, if you want to apply a single policy to all social media applications, you can create an application list that includes all applications in the Social Networking category.
For some web-based applications, you can allow access to the application, but block uploads, downloads, and posting or sharing information. You will see these options in each rule when you configure applicable destinations in the rule. For details, see Advanced Application Controls.
When configuring rules, you can also:
- Specify web sites by content category, or specify web applications or categories of web application, without creating content category lists or application lists.
- Type destination IP addresses, ports, and protocols directly into the rule.
However, best practice is generally to create reusable destination objects when possible, so that you can apply rules consistently.
See also About Configuring Destinations in Internet Access Rules.
Security Controls
Security controls make use of profiles and other pre-configured sets of settings.
The following types of security controls apply to internet traffic:
Intrusion Prevention (IPS)
Intrusion Prevention protects your network and assets by inspecting traffic for specified threat characteristics.
You will specify a single intrusion prevention profile in each access rule.
- Set Up Certificates for Decrypting Internet Traffic
- Configure Intrusion Prevention (IPS) Profiles
- Configure the Do Not Decrypt List for IPS
Set Up Certificates for Decrypting Internet Traffic
Internet traffic must be decrypted in order to allow it to be inspected by the intrusion prevention and for web security features. In order to decrypt this traffic, certificates are required. You may have already set up these certificates to decrypt traffic for web security features.
See Certificates for Internet Decryption.
Configure Intrusion Prevention (IPS) Profiles
Intrusion Prevention (IPS) detects a large number of known threats. Sets of settings are grouped together in profiles, which you can specify in access rules. Secure Access provides several pre-configured profiles that address common needs, such as Balanced Security and Connectivity or Maximum Security. Or you can create a custom profile using Snort signatures. You can also choose to block or just monitor traffic that matches a profile.
You can choose a different IPS profile for each access rule based on the balance of convenience vs. risk appropriate for the particular traffic.
For details, see Manage IPS Profiles.
Configure the Do Not Decrypt List for IPS
Secure Access must decrypt traffic in order to allow the Intrusion Prevention feature to inspect the traffic for threats.
However, decrypting traffic to certain sites, such as health-related or financial sites, may be restricted by privacy laws in some geographic regions.
Use the default Do Not Decrypt List to specify destinations that should not be decrypted by intrusion prevention processes (IPS.)
The Web Security feature also requires decryption in order to be effective; you can use this list for Web Security decryption, or you can create and use a different list or lists for Web Security.
For details, see Important Information About Do Not Decrypt Lists.
Web Security
You will specify a single Web Security Profile in each internet access rule, but web security profiles include multiple components that you should pre-configure.
- Configure Threat Category Settings
- Configure SAML Authentication
- Set Up Certificates for Decrypting Internet Traffic
- Configure Do Not Decrypt Lists for Web Security
- (Optional) Configure Custom End-User Block and Warn Notifications
- Configure Web Profiles
Configure Threat Category Settings
Choose the types of web-borne threats to block. Blocking some threat categories may affect legitimate traffic.
See Threat Categories.
Configure SAML Authentication
SAML authentication is required for some web security features.
Set Up Certificates for Decrypting Internet Traffic
If you have already set up certificates for this purpose for the intrusion prevention feature, you may not need to do anything more.
Internet traffic must be decrypted in order to allow it to be inspected by the intrusion prevention and web security features, to apply acceptable use controls, for rules in which the rule action is Isolate or Warn, and to display end-user notifications when destinations are blocked.
In order to decrypt this traffic, certificates are required.
See Certificates for Internet Decryption.
Configure Do Not Decrypt Lists for Web Security
Secure Access must decrypt internet traffic in order to allow Web Security features to protect your network effectively.
However, decrypting traffic to certain sites, such as health-related or financial sites, may be restricted by confidentiality law in certain geographic regions.
Use a Do Not Decrypt List to specify destinations that should not be decrypted by web security processes. You can create different Do Not Decrypt Lists for different regions or purposes.
You can use the same Do Not Decrypt List that you use for IPS, or create one or more Do Not Decrypt lists to use only for security features included in the web profile.
For details, see Important Information About Do Not Decrypt Lists.
(Optional) Configure Custom End-User Block and Warn Notifications
If you do not want to use the default Secure Access-branded notifications, configure the notifications that are presented to end users who attempt to access internet destinations that are blocked, and notifications to present when users attempt to access destinations that match a rule configured with the Warn action.
End-user notifications require decryption.
See Manage Notification Pages.
Configure Web Profiles
Sets of web security settings grouped into profiles control the following aspects of security for internet traffic:
- Decryption (including Do Not Decrypt lists)
See information above. - SAML Authentication
See information above. - Threat categories
See information above. - File inspection
File inspection detects threats using Cisco Advanced Malware Protection and Cisco Secure Malware Analytics.
See Manage File Inspection and File Analysis. - File type blocking
Block files based on their type. For example, you can prevent users from downloading executable files from the web.
See Manage File Type Control. - SafeSearch
SafeSearch filters out offensive, explicit, unsafe, and harmful results from searches in Google, YouTube, Yahoo, and Bing.
See SafeSearch - End-user notifications
Web pages shown to users who attempt to access blocked destinations or destinations allowed with a warning.
See information above.
You will enable these options in a web profile that you will choose in a rule. See Manage Web Profiles.
Tenant Controls
If your company uses Microsoft 365, Slack, Google G-Suite, or Dropbox, see Manage Tenant Control Profiles.
Manage Internet Access Rules< Components for Internet Access Rules > Default Settings for Internet Access Rules
Updated 2 months ago