This document guides users through the several steps involved in configuring Cisco IOS Content Filtering using the Cisco Configuration Professional V1.1 (CCP).
Following are the tasks involved in configuring Cisco IOS Content Filtering:
Step 1. Download CCP V1.1 from the URL http://tools.cisco.com/support/downloads/pub/Redirect.x?mdfid=281795035 and install it on the local PC. A valid Cisco account is needed to download CCP. Additional information on how to add a device to CCP can be found at the CCP website http://www.cisco.com/go/ccp
Step 2. Launch CCP from the local PC and choose the community which has the router you want to configure IOS Content Filtering
Step 3. Discover the device where you want to configure IOS Content Filtering by highlighting the router and clicking on the Discover button.
Step 4. To setup Content Filtering Select Configure -> Security -> Advanced Security -> Web Filter Configuration on the left panel of CCP
Step 5. The pre-requisite for enabling Content Filtering is that Zone-based Firewall has to enabled on the interfaces. If Zone-based Firewall is not configured, you will get a warning that the “URLFilter wizard is unavailable. You must configure Firewall”. Click OK
Step 6. You will be redirected to the Firewall Configuration page where Zone-based Firewall has to be configured.
Step 7. Once the Firewall is configured, you will be allowed to configure Content Filtering. Click on Launch the Content Filter to get started with the configuration wizard for setting up Content Filtering
Step 8. The wizard appears with the summary of the tasks that it performs to setup Content Filtering. Click Next.
Step 9. Select the interfaces on which the Content Filtering will be applied. Choose the inside and outside interfaces. Click Next.
Step 10. Local filtering on Cisco® router allows blocking of Websites based on keywords. Only keywords that are not part of the domain are blocked. Specify the keywords in the URL which you want to block.
Step 11. Next we have the black lists. Cisco IOS content filtering supports 100 black lists. This is also part of the local policy in IOS. These are static lists that can be configured in IOS to allow or disallow URLs. Enter the URLs which you want to block.
Step 12. Next we have the white lists. Cisco IOS content filtering supports 100 white lists. White lists are useful when you want users to access only certain websites and not anything else. Enter the URLs which you want to allow. Click Next.
Step 13. In this screen you get to choose if you want to use Subscription based category filtering or use Websense or Secure Computing for third party filtering. To choose Subscription based category filtering, select Category Based Filtering. Cisco has partnered with TrendMicro for Category based Filtering. You will need to have active subscriptions services from TrendMicro to use this option. Click Next.
Step 14. Enter the DNS Server IP address and Click Next.
Step 15. For Secure Communication between router and Content Filter vendor you will need a digital certificate to be downloaded on to the router. Click on Download Certificate.
Step 16. You will get a webpage where you can enter the IP address of the router and download the certificate automatically on the router. Alternatively, this page can be accessed directly from the browser with the URL http://www.cisco.com/en/US/products/ps5854/products_configuration_example09186a0080816c23.shtml. Click Next.
Step 17. To activate the license for Content Filtering click on Swift Registration. You will be redirected to the Product License Registration page https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet where you will have to enter the Product Authorization Key and register the router.
Step 18. Click Next.
Step 19. In this screen you get to choose the Productivity Categories. Productivity categories contain web sites that hinder employee productivity or house objectionable content. For example, the Gambling category contains “Poker.net”. If you don’t want employees visiting gambling websites, you can block the gambling category. Cisco IOS Content Filtering supports more than 70 productivity categories. There are three pre-selected categories for you to block based on common deployment in the retail, education or small office/branch office verticals. Choose Default Category to start with one of these profiles.
Step 20. If you want to choose your own categories select Custom Category. Check all the Categories you want to block on.
Step 21. Click Next.
Step 22. In this screen you get to choose the Security Ratings. Security Ratings consist of categories that prevent malicious traffic from being downloaded into your environment. IOS content filtering supports 10 categories such as Adware, Phishing, Spyware and Hacking. Security ratings are provided from the Trend Micro database that the ISR points to. The ratings of these websites are determined using various algorithms and industry research to avoid false positives. The URL database is regularly maintained and updated to reflect the latest threat information. Select the security categories you want to block on. Cisco recommends turning on all the Security Categories except for UNBLEMISHED category.
Step 23. Click Next.
Step 24. In case the content filtering database is not reachable, you have the following options—allow or disallow all web requests. You can choose to Allow Web Requests to allow all the web traffic. If you want to block all the web traffic then, choose Disallow Web Requests.
Step 25. Click Next.
Step 26. Verify the Content Filter configuration and Click on Finish to deliver the configurations to the router.
Step 27. You will get a preview of the commands to be delivered on the router. Click Deliver.
Step 28. You will get a Command Delivery Status screen displaying that the Configuration is delivered on to the router. Click OK.
Step 29. Congratulations!! You have finished the initial provisioning of Content Filtering using CCP 1.1. Now you can explore the other configuration changes that can be performed on Content Filtering using CCP. To edit any of the existing configurations, Click on Edit Content Filter tab.
Step 30. To add, delete or modify the keywords, Click on Keyword Blocking.
Step 31. To add a new keyword, Click Add. Enter the keyword you want to block. Click OK.
Step 32. You will get a Preview of the commands to be delivered to the router. Click Deliver to deploy the changes onto the router.
Step 33. You will get a Commands Delivery Status screen displaying that the commands are delivered to the router. Click OK.
Step 34. Similarly you can make changes to the Black and White lists by clicking on Black & White Listing.
Step 35. You can modify the productivity category selected by clicking on Productivity Categories. Choose all the categories you want to block and click on Apply Changes to deploy the changes onto the router.
Step 36. Similarly the Security Categories can be modified by clicking on Security Categories.
Step 37. To view and edit the Content Filtering components click on Content Filtering Components. Content Filtering has 3 main components Policy Map, Class Map and Parameter Map.
Step 38. Expand the Content Filtering Components to view the Policy Map, Class Map and Parameter Map. You can make changes to each of these components.
Step 39. To edit the message that is displayed on the blocked page for TrendMicro based categories, expand Parameter Map and select URLF-Trend.
Step 40. Click on Edit and enter the message you want to be displayed on the blocked page. Click OK.
Step 41. Click Deliver to deploy the changes onto the router.
Step 42. You will get the Commands Delivery Status screen. Click OK.
Step 43. Content Filtering is now enabled on the Router. From the web browser of the local PC connected to the router, search for the keyword you had chosen to block.
Step 44. You should get a blocked page illustrating that the website is blocked due to a security policy.
Step 45. From the browser search for one of the websites in your black list. You should get a blocked page.
Step 46. Browse for any of the websites you have chosen to block in the Productivity Category. For example, if you have chosen to block Gambling category. Try to browse for any of the websites which belong to Gambling Category. You should get a blocked page illustrating that the page is blocked as it belongs to the Gambling category. You should also see the blocked message added in the blocked page which we added in Task 39.
Step 47. Browse for any of the Phishing sites and you will see that access is blocked.
● Cisco IOS Content Filtering at Cisco.com
● Cisco IOS Content Filtering Deployment Guide
● Cisco Configuration Professional at Cisco.com