
Web: Example for Configuring Cloud Access Security Awareness

Cloud access security awareness can be configured on an enterprise's security gateway to control enterprise cloud applications in a fine-grained, differentiated manner, for example by allowing one behavior of an application while blocking another for a given user group.

Networking Requirements

As shown in Figure 1, the FW serves as the enterprise egress gateway. Employees are classified into R&D employees and marketing ones. User groups research and marketing are created for R&D and marketing employees, respectively, and the authentication configuration is complete. Cloud access security awareness must be configured on the FW to control the use of enterprise cloud application DingTalk:

  • R&D employees can use DingTalk for instant messaging but cannot transfer files or browse, preventing disclosure of key information.

  • Marketing employees can use DingTalk for instant messaging and browsing but cannot transfer files.

Figure 1 Networking diagram of cloud access security awareness

Data Planning

Item: Cloud access security awareness profile

  Data:
  • Name: profile_casa_research
  • Control item: Allow instant messaging but block file transfer and browsing.

  Description: To control the use of enterprise cloud application DingTalk by R&D employees.

  Data:
  • Name: profile_casa_marketing
  • Control item: Allow instant messaging and browsing but block file transfer.

  Description: To control the use of enterprise cloud application DingTalk by marketing employees.

Item: Security policy

  Data:
  • Name: policy_sec_research
  • Source zone: trust
  • Destination zone: untrust
  • User: research (R&D user group)
  • Action: permit
  • Cloud Access Security Awareness: profile_casa_research

  Description: Allow R&D employees to access the Internet and reference the cloud access security awareness profile profile_casa_research to control the use of enterprise cloud application DingTalk by R&D employees.

  Data:
  • Name: policy_sec_marketing
  • Source zone: trust
  • Destination zone: untrust
  • User: marketing (marketing user group)
  • Action: permit
  • Cloud Access Security Awareness: profile_casa_marketing

  Description: Allow marketing employees to access the Internet and reference the cloud access security awareness profile profile_casa_marketing to control the use of enterprise cloud application DingTalk by marketing employees.

Procedure

  1. Set the IP address and security zone of the interface.
    1. Choose Network > Interface.
    2. Click GE0/0/1 and set the parameters as follows:

      Zone: untrust
      IPv4 > IP address: 1.1.1.1/24

    3. Click OK.
    4. Repeat the previous steps to set the parameters of interface GE0/0/3:

      Zone: trust
      IPv4 > IP address: 10.3.1.1/24

  2. Create cloud access security awareness profiles profile_casa_research for R&D employees and profile_casa_marketing for marketing employees.
    1. Choose Object > Security Profiles > Cloud Access Security Awareness.

    2. Click Add to create profile_casa_research and set the following parameters for enterprise cloud application DingTalk.

      Application Name: DingTalk
      • Behavior IM: Allow
      • Behavior FileTransfer: Block
      • Behavior Browsing: Block

    3. Click OK.
    4. Create profile_casa_marketing by referring to the preceding step and set the following parameters.

      Application Name: DingTalk
      • Behavior IM: Allow
      • Behavior FileTransfer: Block
      • Behavior Browsing: Allow

    5. Click OK.
  3. Configure security policies.
    1. Choose Policy > Security Policy > Security Policy.
    2. Click Add Security Policy, and set the following parameters to create policy_sec_research. Then, reference the cloud access security awareness profile to control the use of DingTalk by R&D employees.

      Name: policy_sec_research
      Source Zone: trust
      Destination Zone: untrust
      User: /default/research
      Action: Permit
      Content Security > Cloud Access Security Awareness: profile_casa_research

    3. Click OK.
    4. Repeat the previous step to create policy_sec_marketing. Reference the cloud access security awareness profile to control the use of DingTalk by marketing employees.

      Name: policy_sec_marketing
      Source Zone: trust
      Destination Zone: untrust
      User: /default/marketing
      Action: Permit
      Content Security > Cloud Access Security Awareness: profile_casa_marketing

    5. Click OK.
  4. Click Save on the upper right of the web interface, and click OK in the dialog box that is displayed.
  5. Click Commit on the upper right of the web page to commit the security profile.

Verification

After the configuration is complete, use DingTalk on an R&D employee's PC and a marketing employee's PC. If the access requests are controlled as configured, the profiles and security policies have taken effect. If not, check the configuration.

Configuration Scripts

The following is the configuration script corresponding to this example.

#
 sysname FW
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 undo shutdown
 ip address 10.3.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
#
profile type casa name profile_casa_research
 application name DingTalk_FileTransfer action block
 application name DingTalk_Browsing action block
#
profile type casa name profile_casa_marketing
 application name DingTalk_FileTransfer action block
#
security-policy
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/research
  profile casa profile_casa_research
  action permit
 rule name policy_sec_marketing
  source-zone trust
  destination-zone untrust
  user user-group /default/marketing
  profile casa profile_casa_marketing
  action permit
#
return
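A configuration script of this kind is easy to get subtly wrong: a rule with the zones inverted still references the right profile and still permits traffic, so nothing looks broken until the intended users are not matched at all. The following audit script is an added example and is not Huawei code or tooling. It parses the plain-text form used under Configuration Scripts (profile type casa blocks and security-policy rule blocks) and compares each rule's zones, user group, profile reference and each profile's blocked behaviors with the Data Planning table. The function names parse_config and audit, the PLAN dictionary and SAMPLE_CONFIG are this example's own; SAMPLE_CONFIG is constructed here and deliberately carries inverted zones in policy_sec_marketing so the audit has something to report.

```python
"""Audit a firewall configuration script against the CASA plan on this page.

Added example, not Huawei code. It parses the plain-text style shown under
Configuration Scripts and checks each rule's zones, user group and profile
reference, plus each profile's blocked behaviours, against the Data Planning
table. SAMPLE_CONFIG is constructed here and deliberately carries the inverted
zones in policy_sec_marketing so the audit has something to report.
"""
import re

SAMPLE_CONFIG = """\
profile type casa name profile_casa_research
 application name DingTalk_FileTransfer action block
 application name DingTalk_Browsing action block
#
profile type casa name profile_casa_marketing
 application name DingTalk_FileTransfer action block
#
security-policy
 rule name policy_sec_research
  source-zone trust
  destination-zone untrust
  user user-group /default/research
  profile casa profile_casa_research
  action permit
 rule name policy_sec_marketing
  source-zone untrust
  destination-zone trust
  user user-group /default/marketing
  profile casa profile_casa_marketing
  action permit
#
return
"""

# Intended state from the Data Planning table: both rules permit trust -> untrust
# traffic for their user group; the profile blocks the listed behaviours.
PLAN = {
    "policy_sec_research": {
        "source-zone": "trust", "destination-zone": "untrust",
        "user": "/default/research", "profile": "profile_casa_research",
        "blocked": {"DingTalk_FileTransfer", "DingTalk_Browsing"}},
    "policy_sec_marketing": {
        "source-zone": "trust", "destination-zone": "untrust",
        "user": "/default/marketing", "profile": "profile_casa_marketing",
        "blocked": {"DingTalk_FileTransfer"}},
}

def parse_config(text):
    """Return (profiles, rules): profile name -> set of blocked application
    behaviours; rule name -> dict of that rule's settings."""
    profiles, rules = {}, {}
    profile = rule = None  # block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):  # a lone '#' ends the current block
            profile = rule = None
        elif m := re.match(r"profile type casa name (\S+)$", line):
            profile, rule = m.group(1), None
            profiles.setdefault(profile, set())
        elif m := re.match(r"rule name (\S+)$", line):
            rule, profile = m.group(1), None
            rules.setdefault(rule, {})
        elif profile and (m := re.match(r"application name (\S+) action (\S+)$", line)):
            if m.group(2) == "block":
                profiles[profile].add(m.group(1))
        elif rule:
            if m := re.match(r"(source-zone|destination-zone|action) (\S+)$", line):
                rules[rule][m.group(1)] = m.group(2)
            elif m := re.match(r"user user-group (\S+)$", line):
                rules[rule]["user"] = m.group(1)
            elif m := re.match(r"profile casa (\S+)$", line):
                rules[rule]["profile"] = m.group(1)
    return profiles, rules

def audit(text, plan=PLAN):
    """Return a list of findings; an empty list means the script matches the plan."""
    profiles, rules = parse_config(text)
    findings = []
    for name, want in plan.items():
        got = rules.get(name)
        if got is None:
            findings.append(f"{name}: rule missing")
            continue
        for key in ("source-zone", "destination-zone", "user", "profile"):
            if got.get(key) != want[key]:
                findings.append(f"{name}: {key} is {got.get(key)!r}, expected {want[key]!r}")
        if got.get("action") != "permit":
            findings.append(f"{name}: action is {got.get('action')!r}, expected 'permit'")
        blocked = profiles.get(want["profile"])
        if blocked is None:
            findings.append(f"{want['profile']}: profile missing")
        elif blocked != want["blocked"]:
            findings.append(f"{want['profile']}: blocks {sorted(blocked)}, expected {sorted(want['blocked'])}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings: script matches the plan"]:
        print(finding)
```

Run as-is, the script reports two findings for policy_sec_marketing (source-zone and destination-zone swapped) and nothing for policy_sec_research; once the zones are corrected it reports none. The same check can be pointed at the output of the device's running configuration during verification, which catches a mis-ordered or mis-typed zone before a user sits down to test DingTalk.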
Copyright © Huawei Technologies Co., Ltd.