Cisco Asdm 7 User Guide
Have a look at the manual Cisco Asdm 7 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
11-27 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection The Select HTTP Map dialog box lets you select or create a new HTTP map. An HTTP map lets you change the configuration values used for HTTP application inspection. The Select HTTP Map table provides a list of previously configured maps that you can select for application inspection. Fields Use the default HTTP inspection map—Specifies to use the default HTTP map. Select an HTTP map for fine control over inspection—Lets you select a defined application inspection map or add a new one. Add—Opens the Add Policy Map dialog box for the inspection. HTTP Class Map The HTTP Class Map dialog box is accessible as follows: Configuration > Global Objects > Class Maps > HTTP The HTTP Class Map pane lets you configure HTTP class maps for HTTP inspection. An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP. Fields Name—Shows the HTTP class map name. Match Conditions—Shows the type, match criterion, and value in the class map. –Match Type—Shows the match type, which can be a positive or negative match. –Criterion—Shows the criterion of the HTTP class map. –Value—Shows the value to match in the HTTP class map. Description—Shows the description of the class map. Add—Adds an HTTP class map. Edit—Edits an HTTP class map. Delete—Deletes an HTTP class map. Add/Edit HTTP Traffic Class Map The Add/Edit HTTP Traffic Class Map dialog box is accessible as follows: Configuration > Global Objects > Class Maps > HTTP > Add/Edit HTTP Traffic Class Map The Add/Edit HTTP Traffic Class Map dialog box lets you define a HTTP class map. Fields Name—Enter the name of the HTTP class map, up to 40 characters in length. Description—Enter the description of the HTTP class map. Add—Adds an HTTP class map.
11-28 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Edit—Edits an HTTP class map. Delete—Deletes an HTTP class map. Add/Edit HTTP Match Criterion The Add/Edit HTTP Match Criterion dialog box is accessible as follows: Configuration > Global Objects > Class Maps > HTTP > Add/Edit HTTP Traffic Class Map > Add/Edit HTTP Match Criterion The Add/Edit HTTP Match Criterion dialog box lets you define the match criterion and value for the HTTP class map. Fields Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map. Criterion—Specifies which criterion of HTTP traffic to match. –Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request. –Request Arguments—Applies the regular expression match to the arguments of the request. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified. Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against. –Request Body—Applies the regular expression match to the body of the request. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields. Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type,
11-29 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Count—Enter the maximum number of header fields. –Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified. Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against. –Request Header Field—Applies the regular expression match to the header of the request. Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers. Greater Than Count—Enter the maximum number of headers. –Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified. Greater Than Length—Enter a header length value in bytes. –Request Header non-ASCII—Matches non-ASCII characters in the header of the request. –Request Method—Applies the regular expression match to the method of the request.
11-30 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe. Regular Expression—Specifies to match on a regular expression. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified. Greater Than Length—Enter a URI length value in bytes. –Request URI—Applies the regular expression match to the URI of the request. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Response Body—Applies the regex match to the body of the response. ActiveX—Specifies to match on ActiveX. Java Applet—Specifies to match on a Java Applet. Regular Expression—Specifies to match on a regular expression. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified. Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against. –Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields. Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
11-31 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Count—Enter the maximum number of header fields. –Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified. Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against. –Response Header Field—Applies the regular expression match to the header of the response. Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers. Greater Than Count—Enter the maximum number of headers. –Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified. Greater Than Length—Enter a header length value in bytes. –Response Header non-ASCII—Matches non-ASCII characters in the header of the response. –Response Status Line—Applies the regular expression match to the status line. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
11-32 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection HTTP Inspect Map The HTTP Inspect Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > HTTP The HTTP pane lets you view previously configured HTTP application inspection maps. An HTTP map lets you change the default configuration values used for HTTP application inspection. HTTP application inspection scans HTTP headers and body, and performs various checks on the data. These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols from traversing the security appliance. HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP requests and responses, preventing malicious content from reaching the web server. Size limiting of various elements in HTTP request and response headers, URL blocking, and HTTP server header type spoofing are also supported. Fields HTTP Inspect Maps—Table that lists the defined HTTP inspect maps. Add—Configures a new HTTP inspect map. To edit an HTTP inspect map, choose the HTTP entry in the HTTP Inspect Maps table and click Customize. Delete—Deletes the inspect map selected in the HTTP Inspect Maps table. Security Level—Select the security level (low, medium, or high). –Low—Default. Protocol violation action: Drop connection Drop connections for unsafe methods: Disabled Drop connections for requests with non-ASCII headers: Disabled URI filtering: Not configured Advanced inspections: Not configured –Medium Protocol violation action: Drop connection Drop connections for unsafe methods: Allow only GET, HEAD, and POST Drop connections for requests with non-ASCII headers: Disabled URI filtering: Not configured Advanced inspections: Not configured –High Protocol violation action: Drop connection and log Drop connections for unsafe methods: Allow only GET and HEAD. Drop connections for requests with non-ASCII headers: Enabled URI filtering: Not configured Advanced inspections: Not configured –URI Filtering—Opens the URI Filtering dialog box to configure URI filters. –Customize—Opens the Edit HTTP Policy Map dialog box for additional settings. –Default Level—Sets the security level back to the default level of Medium.
11-33 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection URI Filtering The URI Filtering dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > HTTP > URI Filtering The URI Filtering dialog box lets you configure the settings for an URI filter. Fields Match Type—Shows the match type, which can be a positive or negative match. Criterion—Shows the criterion of the inspection. Value—Shows the value to match in the inspection. Action—Shows the action if the match condition is met. Log—Shows the log state. Add—Opens the Add URI Filtering dialog box to add a URI filter. Edit—Opens the Edit URI Filtering dialog box to edit a URI filter. Delete—Deletes an URI filter. Move Up—Moves an entry up in the list. Move Down—Moves an entry down in the list. Add/Edit HTTP Policy Map (Security Level) The Add/Edit HTTP Policy Map (Security Level) dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Basic View The Add/Edit HTTP Policy Map pane lets you configure the security level and additional settings for HTTP application inspection maps. Fields Name—When adding an HTTP map, enter the name of the HTTP map. When editing an HTTP map, the name of the previously configured HTTP map is shown. Description—Enter the description of the HTTP map, up to 200 characters in length. Security Level—Select the security level (low, medium, or high). –Low—Default. Protocol violation action: Drop connection Drop connections for unsafe methods: Disabled Drop connections for requests with non-ASCII headers: Disabled URI filtering: Not configured Advanced inspections: Not configured –Medium Protocol violation action: Drop connection Drop connections for unsafe methods: Allow only GET, HEAD, and POST Drop connections for requests with non-ASCII headers: Disabled
11-34 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection URI filtering: Not configured Advanced inspections: Not configured –High Protocol violation action: Drop connection and log Drop connections for unsafe methods: Allow only GET and HEAD. Drop connections for requests with non-ASCII headers: Enabled URI filtering: Not configured Advanced inspections: Not configured –URI Filtering—Opens the URI Filtering dialog box which lets you configure the settings for an URI filter. –Default Level—Sets the security level back to the default. Details—Shows the Parameters and Inspections tabs to configure additional settings. Add/Edit HTTP Policy Map (Details) The Add/Edit HTTP Policy Map (Details) dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Advanced View The Add/Edit HTTP Policy Map pane lets you configure the security level and additional settings for HTTP application inspection maps. Fields Name—When adding an HTTP map, enter the name of the HTTP map. When editing an HTTP map, the name of the previously configured HTTP map is shown. Description—Enter the description of the HTTP map, up to 200 characters in length. Security Level—Shows the security level and URI filtering settings to configure. Parameters—Tab that lets you configure the parameters for the HTTP inspect map. –Check for protocol violations—Checks for HTTP protocol violations. Action—Drop Connection, Reset, Log. Log—Enable or disable. –Spoof server string—Replaces the server HTTP header value with the specified string. Spoof String—Enter a string to substitute for the server header field. Maximum is 82 characters. –Body Match Maximum—The maximum number of characters in the body of an HTTP message that should be searched in a body match. Default is 200 bytes. A large number will have a significant impact on performance. Inspections—Tab that shows you the HTTP inspection configuration and lets you add or edit. –Match Type—Shows the match type, which can be a positive or negative match. –Criterion—Shows the criterion of the HTTP inspection. –Value—Shows the value to match in the HTTP inspection. –Action—Shows the action if the match condition is met. –Log—Shows the log state.
11-35 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection –Add—Opens the Add HTTP Inspect dialog box to add an HTTP inspection. –Edit—Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection. –Delete—Deletes an HTTP inspection. –Move Up—Moves an inspection up in the list. –Move Down—Moves an inspection down in the list. Add/Edit HTTP Map The Add/Edit HTTP Map dialog box is accessible as follows: Configuration > Global Objects > Inspect Maps > HTTP > HTTP Inspect Map > Advanced View > Add/Edit HTTP Inspect The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map. Fields Single Match—Specifies that the HTTP inspect has only one match statement. Match Type—Specifies whether traffic should match or not match the values. For example, if No Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the class map. Criterion—Specifies which criterion of HTTP traffic to match. –Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request. –Request Arguments—Applies the regular expression match to the arguments of the request. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified. Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against. –Request Body—Applies the regular expression match to the body of the request. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields.
11-36 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 11 Configuring Inspection of Basic Internet Protocols HTTP Inspection Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Count—Enter the maximum number of header fields. –Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified. Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against. –Request Header Field—Applies the regular expression match to the header of the request. Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning. Regular Expression—Lists the defined regular expressions to match. Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions. Regular Expression Class—Lists the defined regular expression classes to match. Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps. –Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers. Greater Than Count—Enter the maximum number of headers. –Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified. Greater Than Length—Enter a header length value in bytes. –Request Header non-ASCII—Matches non-ASCII characters in the header of the request. –Request Method—Applies the regular expression match to the method of the request.