    Cisco ASA Series Firewall ASDM Configuration Guide (page 29-5)
    Chapter 29      Configuring Filtering Services
    Filtering URLs and FTP Requests with an External Server
    Buffering the Content Server Response, page 29-5
    Caching Server Addresses, page 29-5
    Filtering HTTP URLs, page 29-6
    Buffering the Content Server Response
    When you issue a request to connect to a content server, the ASA sends the request to the content server 
    and to the filtering server at the same time. If the filtering server does not respond before the content 
    server, the server response is dropped. This behavior delays the web server response for the web client, 
    because the web client must reissue the request. 
    By enabling the HTTP response buffer, replies from web content servers are buffered, and the responses 
    are forwarded to the requesting client if the filtering server allows the connection. This behavior prevents 
    the delay that might otherwise occur.
    To configure buffering for responses to HTTP or FTP requests, perform the following steps:
    Step 1 In the URL Filtering Servers pane, click Advanced to display the Advanced URL Filtering dialog box.
    Step 2 In the URL Buffer Size area, check the Enable buffering check box.
    Step 3 Enter the number of 1550-byte buffers. Valid values range from 1 to 128.
    Step 4 Click OK to close this dialog box.
    Caching Server Addresses
    After you access a website, the filtering server can allow the ASA to cache the server address for a 
    certain period of time, as long as each website hosted at the address is in a category that is permitted at 
    all times. When you access the server again, or if another user accesses the server, the ASA does not 
    need to consult the filtering server again.
    Note: Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, 
    this activity does not appear in any reports. You can accumulate Websense run logs before using the 
    url-cache command.
    To improve throughput, perform the following steps:
    Step 1 In the URL Filtering Servers pane, click Advanced to display the Advanced URL Filtering dialog box.
    Step 2 In the URL Cache Size area, check the Enable caching based on check box to enable caching according 
    to the specified criteria.
    Step 3 Click one of the following radio buttons:
    Destination Address—This option caches entries according to the URL destination address. Choose 
    this setting if all users share the same URL filtering policy on the Websense server.
    Source/Destination Address—This option caches entries according to both the source address that 
    initiates the URL request and the URL destination address. Choose this setting if users do not share 
    the same URL filtering policy on the server.
    Step 4 Enter the cache size within the range from 1 to 128 (KB).
    Step 5 Click OK to close this dialog box.
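The logging gap described in the Note above, modelled as an added example (this is not Cisco code; the policy table, addresses and the cacheable flag are constructed). It compares how many requests still reach the filtering server, and so appear in its logs, when the cache is keyed by destination versus source/destination.

```python
from dataclasses import dataclass, field


@dataclass
class FilterServer:
    """Stand-in for the external filtering server (e.g. Websense).
    policy is a constructed table: dst_ip -> (allowed, permitted_at_all_times).
    log records every lookup the server actually receives."""
    policy: dict
    log: list = field(default_factory=list)

    def lookup(self, src, dst):
        self.log.append((src, dst))
        return self.policy.get(dst, (False, False))


@dataclass
class UrlCache:
    """Models the ASA url-cache: 'dst' keys entries by destination only
    (all users share one policy); 'src-dst' keys by source and destination."""
    server: FilterServer
    mode: str = "dst"
    entries: dict = field(default_factory=dict)

    def _key(self, src, dst):
        return dst if self.mode == "dst" else (src, dst)

    def request(self, src, dst):
        key = self._key(src, dst)
        if key in self.entries:
            return self.entries[key]      # answered from cache: no lookup, no log line
        allowed, always_permitted = self.server.lookup(src, dst)
        if allowed and always_permitted:  # only always-permitted sites are cached
            self.entries[key] = allowed
        return allowed


def run_scenario(mode):
    """Two users fetch the same destination. Returns (verdicts, lookups_logged)
    so the size of the logging gap can be compared between cache modes."""
    server = FilterServer(policy={
        "203.0.113.10": (True, True),   # permitted at all times -> cacheable
        "203.0.113.20": (True, False),  # time-restricted category -> never cached
    })
    cache = UrlCache(server, mode)
    requests = [
        ("10.1.1.5", "203.0.113.10"),
        ("10.1.1.6", "203.0.113.10"),   # second user, same address
        ("10.1.1.5", "203.0.113.20"),
        ("10.1.1.5", "203.0.113.20"),   # repeat visit, still consulted
    ]
    verdicts = [cache.request(s, d) for s, d in requests]
    return verdicts, len(server.log)


if __name__ == "__main__":
    for mode in ("dst", "src-dst"):
        verdicts, logged = run_scenario(mode)
        print(f"{mode}: verdicts={verdicts}, lookups reaching server={logged} of 4")
```

With destination keying the second user's visit never reaches the server, so any per-user report built from the filtering server's logs will be missing it.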
    Filtering HTTP URLs
    This section describes how to configure HTTP filtering with an external filtering server and includes the 
    following topics:
    Enabling Filtering of Long HTTP URLs, page 29-6
    Enabling Filtering of Long HTTP URLs
    By default, the ASA considers an HTTP URL to be a long URL if it is greater than 1159 characters. You 
    can increase the maximum length allowed.
    To configure the maximum size of a single URL, perform the following steps:
    Step 1 In the URL Filtering Servers pane, click Advanced to display the Advanced URL Filtering dialog box.
    Step 2 In the Long URL Support area, check the Use Long URL check box to enable long URLs for filtering 
    servers.
    Step 3 Enter the maximum URL length allowed, up to a maximum of 4 KB.
    Step 4 Enter the memory allocated for long URLs in KB.
    Step 5 Click OK to close this dialog box.
    Configuring Filtering Rules
    Before you can add an HTTP, HTTPS, or FTP filter rule, you must enable a URL filtering server. To 
    enable a URL filtering server, choose Configuration > Firewall > URL Filtering Servers.
    To configure filtering rules, perform the following steps:
    Step 1 From the ASDM main window, choose Configuration > Firewall > Filter Rules.
    Step 2 In the toolbar, click Add to display the types of filter rules that are available to add from the following 
    list:
    Add Filter ActiveX Rule
    Add Filter Java Rule
    Add Filter HTTP Rule
    Add Filter HTTPS Rule
    Add Filter FTP Rule
    Step 3 If you chose Add Filter ActiveX Rule, specify the following settings:
    Click one of the following radio buttons: Filter ActiveX or Do not filter ActiveX.
    Enter the source of the traffic to which the filtering action applies. To enter the source, choose from 
    the following options:
    –Enter any to indicate any source address. 
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Source dialog box. Choose a host or address from the 
    drop-down list.
    Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose 
    from the following options:
    –Enter any to indicate any destination address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Destination dialog box. Choose a host or address from 
    the drop-down list.
    Identify the service of the traffic to which the filtering action applies. To identify the service, enter 
    one of the following:
    –tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following 
    modifiers with the TCP service:
    !=—Not equal to. For example, !=tcp/443.
    <—Less than. For example, <tcp/2000.
    >—Greater than. For example, >tcp/2000.
    - —Range. For example, tcp/2000-3000.
    –Enter a well-known service name, such as HTTP or FTP.
    –Click the ellipses to display the Browse Service dialog box. Choose a service from the 
    drop-down list.
    Click OK to close this dialog box.
    Click Apply to save your changes.
    Step 4 If you chose Add Filter Java Rule, specify the following settings:
    Click one of the following radio buttons: Filter Java or Do not filter Java.
    Enter the source of the traffic to which the filtering action applies. To enter the source, choose from 
    the following options:
    –Enter any to indicate any source address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Source dialog box. Choose a host or address from the 
    drop-down list.
    Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose 
    from the following options:
    –Enter any to indicate any destination address.
    –Enter a hostname. 
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Destination dialog box. Choose a host or address from 
    the drop-down list.
    Identify the service of the traffic to which the filtering action applies. To identify the service, enter 
    one of the following:
    –tcp/port—The port number can be from 1 to 65535. Additionally, you can use the following 
    modifiers with the TCP service:
    !=—Not equal to. For example, !=tcp/443.
    <—Less than. For example, <tcp/2000.
    >—Greater than. For example, >tcp/2000.
    - —Range. For example, tcp/2000-3000.
    –Enter a well-known service name, such as HTTP or FTP.
    –Click the ellipses to display the Browse Service dialog box. Choose a service from the 
    drop-down list.
    Click OK to close this dialog box.
    Click Apply to save your changes.
    Step 5 If you chose Add Filter HTTP Rule, specify the following settings:
    Click one of the following radio buttons: Filter HTTP or Do not filter HTTP.
    Enter the source of the traffic to which the filtering action applies. To enter the source, choose from 
    the following options:
    –Enter any to indicate any source address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Source dialog box. Choose a host or address from the 
    drop-down list.
    Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose 
    from the following options:
    –Enter any to indicate any destination address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Destination dialog box. Choose a host or address from 
    the drop-down list.
    Identify the service of the traffic to which the filtering action applies. To identify the service, enter 
    one of the following:
    –tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following 
    modifiers with the TCP service:
    !=—Not equal to. For example, !=tcp/443.
    <—Less than. For example, <tcp/2000.
    >—Greater than. For example, >tcp/2000.
    - —Range. For example, tcp/2000-3000.
    –Enter a well-known service name, such as HTTP or FTP.
    –Click the ellipses to display the Browse Service dialog box. Choose a service from the 
    drop-down list.
    Choose the action to take when the URL exceeds the specified size from the drop-down list.
    Check the Allow outbound traffic if URL server is not available check box to connect without 
    URL filtering being performed. When this check box is unchecked, you cannot connect to Internet 
    websites if the URL server is unavailable. 
    Check the Block users from connecting to an HTTP proxy server check box to prevent HTTP 
    requests made through a proxy server.
    Check the Truncate CGI parameters from URL sent to URL server check box to have the ASA 
    forward only the CGI script location and the script name, without any parameters, to the filtering 
    server.
    Click OK to close this dialog box.
    Click Apply to save your changes.
    Step 6 If you chose Add Filter HTTPS Rule, specify the following settings:
    Click one of the following radio buttons: Filter HTTPS or Do not filter HTTPS.
    Enter the source of the traffic to which the filtering action applies. To enter the source, choose from 
    the following options:
    –Enter any to indicate any source address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Source dialog box. Choose a host or address from the 
    drop-down list.
    Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose 
    from the following options:
    –Enter any to indicate any destination address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Destination dialog box. Choose a host or address from 
    the drop-down list.
    Identify the service of the traffic to which the filtering action applies. To identify the service, enter 
    one of the following:
    –tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following 
    modifiers with the TCP service:
    !=—Not equal to. For example, !=tcp/443.
    <—Less than. For example, <tcp/2000.
    >—Greater than. For example, >tcp/2000.
    - —Range. For example, tcp/2000-3000.
    –Enter a well-known service name, such as HTTP or FTP.
    –Click the ellipses to display the Browse Service dialog box. Choose a service from the 
    drop-down list.
    Check the Allow outbound traffic if URL server is not available check box to connect without 
    URL filtering being performed. When this check box is unchecked, you cannot connect to Internet 
    websites if the URL server is unavailable. 
    Click OK to close this dialog box.
    Click Apply to save your changes.
    Step 7 If you chose Add Filter FTP Rule, specify the following settings:
    Click one of the following radio buttons: Filter FTP or Do not filter FTP.
    Enter the source of the traffic to which the filtering action applies. To enter the source, choose from 
    the following options:
    –Enter any to indicate any source address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Source dialog box. Choose a host or address from the 
    drop-down list.
    Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose 
    from the following options:
    –Enter any to indicate any destination address.
    –Enter a hostname.
    –Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted 
    decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
    –Click the ellipses to display the Browse Destination dialog box. Choose a host or address from 
    the drop-down list.
    Identify the service of the traffic to which the filtering action applies. To identify the service, enter 
    one of the following:
    –tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following 
    modifiers with the TCP service:
    !=—Not equal to. For example, !=tcp/443.
    <—Less than. For example, <tcp/2000.
    >—Greater than. For example, >tcp/2000.
    - —Range. For example, tcp/2000-3000.
    –Enter a well-known service name, such as HTTP or FTP.
    –Click the ellipses to display the Browse Service dialog box. Choose a service from the 
    drop-down list.
    Check the Allow outbound traffic if URL server is not available check box to connect without 
    URL filtering being performed. When this check box is unchecked, you cannot connect to Internet 
    websites if the URL server is unavailable. 
    Check the Block interactive FTP sessions (block if absolute FTP path is not provided) check box 
    to drop FTP requests if they use a relative path name to the FTP directory. 
    Click OK to close this dialog box.
    Click Apply to save your changes.
    Step 8 To modify a filtering rule, select it and click Edit to display the Edit Filter Rule dialog box for the 
    specified filtering rule.
    Step 9 Make the required changes, then click OK to close this dialog box.
    Step 10 Click Apply to save your changes.
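A matcher for the source, destination and service syntax that Steps 3 through 7 above accept, written here as an added example rather than ASA or ASDM code. It handles any, CIDR and dotted-decimal netmasks, and the !=, <, > and range service modifiers; hostnames and the Browse dialogs are left out, and the rule table at the bottom is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass


def parse_address(spec):
    """'any', a host, 'a.b.c.d/24' or 'a.b.c.d/255.255.255.0' -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # ip_network accepts both a CIDR prefix and a dotted-decimal netmask
    return ipaddress.ip_network(spec, strict=False)


_SERVICE = re.compile(r"^(!=|<|>)?tcp/(\d+)(?:-(\d+))?$")


def parse_service(spec):
    """Return a predicate over a TCP port for one service spec such as
    'tcp/80', '!=tcp/443', '<tcp/2000', '>tcp/2000' or 'tcp/2000-3000'."""
    m = _SERVICE.match(spec)
    if not m:
        raise ValueError(f"unsupported service spec: {spec}")
    op, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    if not 1 <= lo <= 65535:
        raise ValueError(f"port out of range: {lo}")
    if hi is not None:                  # range form tcp/2000-3000
        hi = int(hi)
        return lambda p: lo <= p <= hi
    if op == "!=":
        return lambda p: p != lo
    if op == "<":
        return lambda p: p < lo
    if op == ">":
        return lambda p: p > lo
    return lambda p: p == lo


@dataclass
class FilterRule:
    kind: str        # activex, java, http, https or ftp
    action: str      # "filter" or "no-filter"
    src: str
    dst: str
    service: str

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in parse_address(self.src)
                and ipaddress.ip_address(dst_ip) in parse_address(self.dst)
                and parse_service(self.service)(port))


def first_match(rules, src_ip, dst_ip, port):
    """Rules are evaluated top-down like the ASDM rule table; returns the
    first matching rule's (kind, action), or None when no rule applies."""
    for r in rules:
        if r.matches(src_ip, dst_ip, port):
            return r.kind, r.action
    return None


# Constructed rule table: one subnet is exempt from HTTP filtering, the rest
# is filtered; HTTPS filtering applies to everything that is not port 80.
RULES = [
    FilterRule("http", "no-filter", "10.1.1.0/255.255.255.0", "any", "tcp/80"),
    FilterRule("http", "filter", "any", "any", "tcp/80"),
    FilterRule("https", "filter", "any", "any", "!=tcp/80"),
]
```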
    Filtering the Rule Table
    To find a specific rule if your rule table includes a lot of entries, you can apply a filter to the rule table 
    to show only the rules specified by the filter. To filter the rule table, perform the following steps:
    Step 1 Click Find on the toolbar to display the Filter toolbar.
    Step 2 Choose the type of filter from the Filter drop-down list:
    Source—Displays rules based on the specified source address or hostname.
    Destination—Displays rules based on the specified destination address or hostname.
    Source or Destination—Displays rules based on the specified source or destination address or 
    hostname.
    Service—Displays rules based on the specified service.
    Rule Type—Displays rules based on the specified rule type.
    Query—Displays rules based on a complex query composed of source, destination, service, and rule 
    type information.
    Step 3 For Source, Destination, Source or Destination, and Service filters, perform the following steps:
    a. Enter the string to match using one of the following methods:
    –Type the source, destination, or service name in the adjacent field.
    –Click the ellipses to open a Browse dialog box from which you can choose existing services, IP 
    addresses, or host names.
    b. Choose the match criteria from the drop-down list. Choose is for exact string matches or contains 
    for partial string matches.
    Step 4 For Rule Type filters, choose the rule type from the list.
    Step 5 For Query filters, click Define Query. To define queries, see the “Defining Queries” section on 
    page 29-12.
    Step 6 To apply the filter to the rule table, click Filter.
    Step 7 To remove the filter from the rule table and display all rule entries, click Clear.
    Step 8 To show the packet trace for the selected rule, click Packet Trace.
    Step 9 To show and hide the selected rule diagram, click Diagram.
    Step 10 To remove a filter rule and place it elsewhere, click Cut.
    Step 11 To copy a filter rule, click Copy. Then to move the copied filter rule elsewhere, click Paste.
    Step 12 To delete a selected filter rule, click Delete.
    Defining Queries
    To define queries, perform the following steps:
    Step 1 Enter the IP address or hostname of the source. Choose is for an exact match or choose contains for a 
    partial match. Click the ellipses to display the Browse Source dialog box. You can specify a network 
    mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them 
    with commas.
    Step 2 Enter the IP address or hostname of the destination. Choose is for an exact match or choose contains for 
    a partial match. Click the ellipses to display the Browse Destination dialog box. You can specify a 
    network mask using CIDR notation (address/bit-count). You can specify multiple addresses by 
    separating them with commas.
    Step 3 Enter the IP address or hostname of the source or destination. Choose is for an exact match or choose 
    contains for a partial match. Click the ellipses to display the Browse Source dialog box. You can specify 
    a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by 
    separating them with commas.
    Step 4 Enter the protocol, port, or name of a service. Choose is for an exact match or choose contains for a 
    partial match. Click the ellipses to display the Browse Service dialog box. You can specify a network 
    mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them 
    with commas.
    Step 5 Choose the rule type from the drop-down list.
    Step 6 Click OK to close this dialog box.
    After you click OK, the filter is immediately applied to the rule table. To remove the filter, click Clear.
    Feature History for URL Filtering
    Table 29-2 lists the release history for URL filtering. ASDM is backwards-compatible with multiple 
    platform releases, so the specific ASDM release in which support was added is not listed.
    Table 29-2 Feature History for URL Filtering
    Feature Name     Platform Releases   Feature Information
    URL filtering    7.0(1)              Filters URLs based on an established set of filtering criteria.
    PART 8
    Configuring Modules 