Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 3.1
email through ftp-map
Downloads: This chapterpdf (PDF - 653.0KB) The complete bookPDF (PDF - 39.84MB) | Feedback

email through ftp-map Commands

Table Of Contents

email through ftp-map Commands

email

enable

enable password

endpoint

enforcenextupdate

enrollment retry count

enrollment retry period

enrollment terminal

enrollment url

erase

established

exit

failover

failover active

failover group

failover interface ip

failover interface-policy

failover key

failover lan interface

failover lan unit

failover link

failover polltime

failover reload-standby

failover replication http

failover reset

failover suspend-config-sync

filter activex

filter ftp

filter https

filter java

filter url

firewall transparent

format

fqdn

fragment

fsck

ftp mode passive

ftp-map


email through ftp-map Commands


email

To include the indicated email address in the Subject Alternative Name extension of the certificate during enrollment, use the email command in crypto ca trustpoint configuration mode. To restore the default setting, use the no form of the command.

email address

no email [address]

Syntax Description

address

Specifies the email address. The maximum length of address is 64 characters.


Defaults

The default setting is not set.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the email address jjh@nhf.net in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# email jjh@nhf.net
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.


enable

To enter privileged EXEC mode, use the enable command in user EXEC mode.

enable [level]

Syntax Description

level

(Optional) Enters the privilege level between 0 and 15.


Defaults

Enters privilege level 15 unless you are using command authorization, in which case the default level depends on the level configured for your username.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The default enable password is blank. See the enable password command to set the password.

To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.

Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.

Enter the disable command to exit privileged EXEC mode.

Examples

The following example enters privileged EXEC mode:

hostname> enable
Password: Pa$$w0rd
hostname#

The following example enters privileged EXEC mode for level 10:

hostname> enable 10
Password: Pa$$w0rd10
hostname#

Related Commands

Command
Description

enable password

Sets the enable password.

disable

Exits privileged EXEC mode.

aaa authorization command

Configures command authorization.

privilege

Sets the command privilege levels for local command authorization.

show curpriv

Shows the currently logged in username and the user privilege level.


enable password

To set the enable password for privileged EXEC mode, use the enable password command in global configuration mode. To remove the password for a level other than 15, use the no form of this command. You cannot remove the level 15 password.

enable password password [level level] [encrypted]

no enable password level level

Syntax Description

encrypted

(Optional) Specifies that the password is in encrypted form. The password is saved in the configuration in encrypted form, so you cannot view the original password after you enter it. If for some reason you need to copy the password to another FWSM but do not know the original password, you can enter the enable password command with the encrypted password and this keyword. Normally, you only see this keyword when you enter the show running-config enable command.

level level

(Optional) Sets a password for a privilege level between 0 and 15.

password

Sets the password as a case-sensitive string of up to 16 alphanumeric and special characters. You can use any character in the password except a question mark or a space.


Defaults

The default password is blank. The default level is 15.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The default password for enable level 15 (the default level) is blank. To reset the password to be blank, do not enter any text for the password.

For multiple context mode, you can create an enable password for the system configuration as well as for each context.

To use privilege levels other than the default of 15, configure local command authorization (see the aaa authorization command command and specify the LOCAL keyword), and set the commands to different privilege levels using the privilege command. If you do not configure local command authorization, the enable levels are ignored, and you have access to level 15 regardless of the level you set. See the show curpriv command to view your current privilege level.

Levels 2 and above enter privileged EXEC mode. Levels 0 and 1 enter user EXEC mode.

Examples

The following example sets the enable password to Pa$$w0rd:

hostname(config)# enable password Pa$$w0rd

The following example sets the enable password to Pa$$w0rd10 for level 10:

hostname(config)# enable password Pa$$w0rd10 level 10

The following example sets the enable password to an encrypted password that you copied from another FWSM:

hostname(config)# enable password jMorNbK0514fadBh encrypted

Related Commands

Command
Description

aaa authorization command

Configures command authorization.

enable

Enters privileged EXEC mode.

privilege

Sets the command privilege levels for local command authorization.

show curpriv

Shows the currently logged in username and the user privilege level.

show running-config enable

Shows the enable passwords in encrypted form.


endpoint

To associate endpoints with an HSI group, use the endpoint command in HSI group configuration mode. To remove the endpoint, use the no form of this command.

endpoint ip address interface

no endpoint ip address interface

Syntax Description

ip address

The IP address of the endpoint.

interface

The interface on the FWSM that is connected to the endpoint.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

HSI group configuration


Command History

Release
Modification

FWSM 3.1

This command was introduced.


Usage Guidelines

Use the endpoint command to identify the endpoints associated with an HSI group. An HSI group allows the FWSM to open dynamic, port-specific pinholes for an H.245 connection when an HSI is involved in H.225 call-signalling.

Each HSI group can contain a maximum of ten endpoints. You must configure an HSI within the group before configuring any endpoints. You must remove all endpoints and the HSI before removing the HSI group.

Examples

The following example shows how to define an H.225 map.

hostname(config)# h225-map hmap
hostname(config-h225-map)# hsi-group 1
hostname(config-h225-map-hsi-grp)# hsi 10.10.15.11 
hostname(config-h225-map-hsi-grp)# endpoint 10.3.6.1 inside
hostname(config-h225-map-hsi-grp)# endpoint 10.10.25.5 outside
hostname(config-h225-map-hsi-grp)# exit
hostname(config-h225-map-hsi-grp)# exit

Related Commands

Commands
Description

hsi

Defines the HSI associated with an HSI group.

hsi-group

Defines an HSI group and enables HSI group configuration mode.

h225-map

Defines an H.225 map and enables H.225 map configuration mode.

inspect h323 h225

Applies an H.225 map to H.323 application inspection.


enforcenextupdate

To specify how to handle the NextUpdate CRL field, use the enforcenextupdate command in crl configure configuration mode. If set, this command requires CRLs to have a NextUpdate field that has not yet lapsed. If not used, the FWSM allows a missing or lapsed NextUpdate field in a CRL.

To permit a lapsed or missing NextUpdate field, use the no form of this command.

enforcenextupdate

no enforcenextupdate

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is enforced (on).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

CRL configure configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crl configure configuration mode, and requires CRLs to have a NextUpdate field that has not expired for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# crl configure
hostname(ca-crl)# enforcenextupdate
hostname(ca-crl)# 

Related Commands

Command
Description

cache-time

Specifies a cache refresh time in minutes.

crl configure

Enters ca-crl configuration mode.

crypto ca trustpoint

Enters trustpoint configuration mode.


enrollment retry count

To specify a retry count, use the enrollment retry count command in crypto ca trustpoint configuration mode. To restore the default setting of the retry count, use the no form of the command. After requesting a certificate, the FWSM waits to receive a certificate from the CA. If the FWSM does not receive a certificate within the configured retry period, it sends another certificate request. The FWSM repeats the request until either it receives a response or reaches the end of the configured retry period.

enrollment retry count number

no enrollment retry count

Syntax Description

number

Sets the maximum number of attempts to send an enrollment request. The valid range is 0, 1-100 retries.


Defaults

The default setting for number is 0 (unlimited).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is optional and applies only when automatic enrollment is configured.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry count of 20 retries within trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment retry count 20
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry period

Specifies the number of minutes to wait before resending an enrollment request.


enrollment retry period

To specify a retry period, use the enrollment retry period command in crypto ca trustpoint configuration mode. To restore the default setting of the retry period, use the no form of the command. After requesting a certificate, the FWSM waits to receive a certificate from the CA. If the FWSM does not receive a certificate within the specified retry period, it sends another certificate request.

enrollment retry period minutes

no enrollment retry period

Syntax Description

minutes

Sets the number of minutes between attempts to send an enrollment request. the valid range is 1- 60 minutes.


Defaults

The default setting is 1 minute.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is optional and applies only when automatic enrollment is configured.

Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and configures an enrollment retry period of 10 minutes within trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment retry period 10
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns all enrollment parameters to their system default values.

enrollment retry count

Defines the number of retries to requesting an enrollment.


enrollment terminal

To specify cut and paste enrollment with this trustpoint (also known as manual enrollment), use the enrollment terminal command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.

enrollment terminal

no enrollment terminal

Syntax Description

This command has no arguments or keywords.

Defaults

The default setting is off.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies the cut and paste method of CA enrollment for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment terminal
hostname(ca-trustpoint)#

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry count

Specifies the number of retries to attempt to send an enrollment request.

enrollment retry period

Specifies the number of minutes to wait before resending an enrollment request.

enrollment url

Specifies automatic enrollment (SCEP) with this trustpoint and configures the URL.


enrollment url

To specify automatic enrollment (SCEP) to enroll with this trustpoint and to configure the enrollment URL, use the enrollment url command in crypto ca trustpoint configuration mode. To restore the default setting of the command, use the no form of the command.

enrollment url url

no enrollment url

Syntax Description

url

Specifies the name of the URL for automatic enrollment. The maximum length is 1K characters (effectively unbounded).


Defaults

The default setting is off.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and specifies SCEP enrollment at the URL https://enrollsite for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# enrollment url https://enrollsite
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry count

Specifies the number of retries to attempt to send an enrollment request.

enrollment retry period

Specifies the number of minutes to wait before resending an enrollment request.

enrollment terminal

Specifies cut and paste enrollment with this trustpoint.


erase

To erase and reformat the file system, use the erase command in privileged EXEC mode. This command overwrites all files and erases the file system, including hidden system files, and then reinstalls the file system.

erase [flash:]

Syntax Description

flash:

(Optional) Specifies the internal Flash memory, followed by a colon.


Caution Erasing the Flash memory also removes the licensing information, which is stored in Flash memory. Save the licensing information prior to erasing the Flash memory.

Defaults

This command has no default settings.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

The erase command erases all data on the Flash memory using the OxFF pattern and then rewrites an empty file system allocation table to the device.

To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the erase command.

Examples

The following example erases and reformats the file system:

hostname# erase flash:

Related Commands

Command
Description

delete

Removes all visible files, excluding hidden system files.

format

Erases all files (including hidden system files) and formats the file system.


established

To permit return connections on ports that are based on an established connection, use the established command in global configuration mode. To disable the established feature, use the no form of this command.

established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]

no established est_protocol dest_port [source_port] [permitto protocol port [-port]] [permitfrom protocol port[-port]]

Syntax Description

est_protocol

Specifies the IP protocol (UDP or TCP) to use for the established connection lookup.

dest_port

Specifies the destination port to use for the established connection lookup.

permitfrom

(Optional) Allows the return protocol connection(s) originating from the specified port.

permitto

(Optional) Allows the return protocol connections destined to the specified port.

port [-port]

(Optional) Specifies the (UDP or TCP) destination port(s) of the return connection.

protocol

(Optional) IP protocol (UDP or TCP) used by the return connection.

source_port

(Optional) Specifies the source port to use for the established connection lookup.


Defaults

The defaults are as follows:

dest_port—0 (wildcard)

source_port—0 (wildcard)

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

The keywords to and from were removed from the CLI. Use the keywords permitto and permitfrom instead.


Usage Guidelines

The established command lets you permit return access for outbound connections through the FWSM. This command works with an original connection that is outbound from a network and protected by the FWSM and a return connection that is inbound between the same two devices on an external host. The established command lets you specify the destination port that is used for connection lookups. This addition allows more control over the command and provides support for protocols where the destination port is known, but the source port is unknown. The permitto and permitfrom keywords define the return inbound connection.


Caution We recommend that you always specify the established command with the permitto and permitfrom keywords. Using the established command without these keywords is a security risk because when connections are made to external systems, those system can make unrestricted connections to the internal host involved in the connection. This situation can be exploited for an attack of your internal systems.

Examples

The following set of examples shows potential security violations could occur if you do not use the established command correctly.

This example shows that if an internal system makes a TCP connection to an external host on port 4000, then the external host could come back in on any port using any protocol:

hostname(config)# established tcp 4000 0

You can specify the source and destination ports as 0 if the protocol does not specify which ports are used. Use wildcard ports (0) only when necessary.

hostname(config)# established tcp 0 0 


Note To allow the established command to work properly, the client must listen on the port that is specified with the permitto keyword.


You can use the established command with the nat 0 command (where there are no global commands).


Note You cannot use the established command with PAT.


The FWSM supports XDMCP with assistance from the established command.


Caution Using XWindows system applications through the FWSM may cause security risks.

XDMCP is on by default, but it does not complete the session unless you enter the established command as follows:

hostname(config)# established tcp 6000 0 permitto tcp 6000 permitfrom tcp 1024-65535

Entering the established command enables the internal XDMCP-equipped (UNIX or ReflectionX) hosts to access external XDMCP-equipped XWindows servers. UDP/177-based XDMCP negotiates a TCP-based XWindows session, and subsequent TCP back connections are permitted. Because the source port(s) of the return traffic is unknown, specify the source_port field as 0 (wildcard). The dest_port should be 6000 + n, where n represents the local display number. Use this UNIX command to change this value:

hostname(config)# setenv DISPLAY hostname:displaynumber.screennumber

The established command is needed because many TCP connections are generated (based on user interaction) and the source port for these connections is unknown. Only the destination port is static. The FWSM performs XDMCP fixups transparently. No configuration is required, but you must enter the established command to accommodate the TCP session.

The following example shows a connection between two hosts using protocol A destined for port B from source port C. To permit return connections through the FWSM and protocol D (protocol D can be different from protocol A), the source port(s) must correspond to port F and the destination port(s) must correspond to port E.

hostname(config)# established A B C permitto D E permitfrom D F

The following example shows how a connection is started by an internal host to an external host using TCP destination port 6060 and any source port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and any TCP source port.

hostname(config)# established tcp 6060 0 permitto tcp 6061 permitfrom tcp 0

The following example shows how a connection is started by an internal host to an external host using UDP destination port 6060 and any source port. The FWSM permits return traffic between the hosts through TCP destination port 6061 and TCP source port 1024-65535.

hostname(config)# established udp 6060 0 permitto tcp 6061 permitfrom tcp 1024-65535

The following example shows how a local host starts a TCP connection on port 9999 to a foreign host. The example allows packets from the foreign host on port 4242 back to local host on port 5454.

hostname(config)# established tcp 9999 permitto tcp 5454 permitfrom tcp 4242

Related Commands

Command
Description

clear configure established

Removes all established commands.

show running-config established

Displays the allowed inbound connections that are based on established connections.


exit

To exit the current configuration mode, or to logout from privileged or user EXEC modes, use the exit command.

exit

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

User EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

You can also use the key sequence Ctrl Z to exit global configuration (and higher) modes. This key sequence does not work with privileged or user EXEC modes.

When you enter the exit command in privileged or user EXEC modes, you log out from the FWSM. Use the disable command to return to user EXEC mode from privileged EXEC mode.

Examples

The following example shows how to use the exit command to exit global configuration mode, and then logout from the session:

hostname(config)# exit
hostname# exit

Logoff

The following example shows how to use the exit command to exit global configuration mode, and then use the disable command to exit privileged EXEC mode:

hostname(config)# exit
hostname# disable
hostname>

Related Commands

Command
Description

quit

Exits a configuration mode or logs out from privileged or user EXEC modes.


failover

To enable failover, use the failover command in global configuration mode. To disable failover, use the no form of this command.

failover

no failover

Syntax Description

This command has no arguments or keywords.

Defaults

Failover is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

This command was limited to enable or disable failover in the configuration (see the failover active command).


Usage Guidelines

Use the no form of this command to disable failover.


Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. Any usernames, passwords, and preshared keys configured on the FWSM are transmitted in clear text and could pose a significant security risk. We recommend securing the failover communication with a failover key.

Examples

The following example disables failover:

hostname(config)# no failover
hostname(config)#

Related Commands

Command
Description

clear configure failover

Clears failover commands from the running configuration and restores failover default values.

failover active

Switches the standby unit to active.

show failover

Displays information about the failover status of the unit.

show running-config failover

Displays the failover commands in the running configuration.


failover active

To switch a standby FWSM or failover group to the active state, use the failover active command in privileged EXEC mode. To switch an active FWSM or failover group to standby, use the no form of this command.

failover active [group group_id]

no failover active [group group_id]

Syntax Description

group group_id

(Optional) Specifies the failover group to make active.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Use the failover active command to initiate a failover switch from the standby unit, or use the no failover active command from the active unit to initiate a failover switch. You can use this feature to return a failed unit to service, or to force an active unit offline for maintenance. If you are not using Stateful Failover, all active connections are dropped and must be reestablished by the clients after the failover occurs.

Switching for a failover group is available only for Active/Active failover. If you enter the failover active command on an Active/Active failover unit without specifying a failover group, all groups on the unit become active.

Examples

The following example switches the standby group 1 to active:

hostname# failover active group 1

Related Commands

Command
Description

failover reset

Moves a FWSM from a failed state to standby.


failover group

To configure an Active/Active failover group, use the failover group command in global configuration mode. To remove a failover group, use the no form of this command.

failover group num

no failover group num

Syntax Description

num

Failover group number. Valid values are 1 or 2.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

You can define a maximum of 2 failover groups. The failover group command can only be added to the system context of devices configured for multiple context mode. You can create and remove failover groups only when failover is disabled.

Entering this command puts you in the failover group command mode. The primary, secondary, preempt, replication http, interface-policy, and polltime interface commands are available in the failover group configuration mode. Use the exit command to return to global configuration mode.


Note The failover polltime interface, failover interface-policy, and failover replication http commands have no effect in Active/Active failover configurations. They are overridden by the following failover group configuration mode commands: polltime interface, interface-policy, and replication http.


When removing failover groups, you must remove failover group 1 last. Failover group 1 always contains the admin context. Any context not assigned to a failover group defaults to failover group 1. You cannot remove a failover group that has contexts explicitly assigned to it.

Examples

The following partial example shows a possible configuration for two failover groups:

hostname(config)# failover group 1 
hostname(config-fover-group)# primary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)# failover group 2
hostname(config-fover-group)# secondary
hostname(config-fover-group)# preempt 100
hostname(config-fover-group)# exit
hostname(config)#

Related Commands

Command
Description

asr-group

Specifies an asymmetrical routing interface group ID.

interface-policy

Specifies the failover policy when monitoring detects interface failures.

join-failover-group

Assigns a context to a failover group.

polltime interface

Specifies the amount of time between hello messages sent to monitored interfaces.

preempt

Specifies that a unit with a higher priority becomes the active unit after a reboot.

primary

Gives the primary unit higher priority for a failover group.

replication http

Specifies HTTP session replication for the selected failover group.

secondary

Gives the secondary unit higher priority for a failover group.


failover interface ip

To specify the IP address and mask for the failover interface and the Stateful Failover interface, use the failover interface ip command in global configuration mode. To remove the IP address, use the no form of this command.

failover interface ip if_name ip_address mask standby ip_address

no failover interface ip if_name ip_address mask standby ip_address

Syntax Description

if_name

Interface name for the failover or Stateful Failover interface.

ip_address mask

Specifies the IP address and mask for the failover or Stateful Failover interface on the primary module.

standby ip_address

Specifies the IP address used by the secondary module to communicate with the primary module.


Defaults

Not configured.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.2(1)

This command was introduced.


Usage Guidelines

Failover and Stateful Failover interfaces are functions of Layer 3, even when the FWSM is operating in transparent firewall mode, and are global to the system.

In multiple context mode, you configure failover in the system context (except for the monitor-interface command).

This command must be part of the configuration when bootstrapping a FWSM for LAN failover.

Examples

The following example shows how to specify the IP address and mask for the failover interface:

hostname(config)# failover interface ip lanlink 172.27.48.1 255.255.255.0 standby 
172.27.48.2 

Related Commands

Command
Description

clear configure failover

Clears failover commands from the running configuration and restores failover default values.

failover lan interface

Specifies the interface used for failover communication.

failover link

Specifies the interface used for Stateful Failover.

monitor-interface

Monitors the health of the specified interface.

show running-config failover

Displays the failover commands in the running configuration.


failover interface-policy

To specify the policy for failover when monitoring detects an interface failure, use the failover interface-policy command in global configuration mode. To restore the default, use the no form of this command.

failover interface-policy num[%]

no failover interface-policy num[%]

Syntax Description

num

Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces when used as a number.

%

(Optional) Specifies that the number num is a percentage of the monitored interfaces.


Defaults

The default interface policy is 50%.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.2(1)

This command was introduced.


Usage Guidelines

There is no space between the num argument and the optional % keyword.

If the number of failed interfaces meets the configured policy and the other FWSM is functioning properly, the FWSM will mark itself as failed and a failover may occur (if the active FWSM is the one that fails). Only interfaces that are designated as monitored by the monitor-interface command count towards the policy.


Note This command applies to Active/Standby failover only. In Active/Active failover, you configure the interface policy for each failover group with the interface-policy command in failover group configuration mode.


Examples

The following examples show two ways to specify the failover policy:

hostname(config)# failover interface-policy 20%

hostname(config)# failover interface-policy 5

Related Commands

Command
Description

failover polltime

Specifies the unit and interface poll times.

failover reset

Restores a failed unit to an unfailed state.

monitor-interface

Specifies the interfaces being monitored for failover.

show failover

Displays information about the failover state of the unit.


failover key

To specify the key for encrypted and authenticated communication between units in a failover pair, use the failover key command in global configuration mode. To remove the shared secret, use the no form of this command.

failover key {secret | hex key}

no failover key

Syntax Description

hex key

Specifies a hexadecimal value for the encryption key. The key must be 32 hexadecimal characters (0-9, a-f).

secret

Specifies an alphanumeric shared secret. The secret can be from 1 to 63 characters. Valid character are any combination of numbers, letters, or punctuation. The shared secret is used to generate the encryption key.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

To encrypt and authenticate failover communications between the units, you must configure both units with a shared secret or hexadecimal key. If you do not specify a failover key, failover communication is transmitted in the clear.


Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. Any usernames, passwords, and preshared keys configured on the FWSM are transmitted in clear text and could pose a significant security risk. We recommend securing the failover communication with a failover key.

Examples

The following example shows how to specify a shared secret for securing failover communication between units in a failover pair:

hostname(config)# failover key abcdefg

The following example shows how to specify a hexadecimal key for securing failover communication between two units in a failover pair:

hostname(config)# failover key hex 6a1ed228381cf5c68557cb0c32e614dc

Related Commands

Command
Description

show running-config failover

Displays the failover commands in the running configuration.


failover lan interface

To specify the interface name and VLAN used for failover communication, use the failover lan interface command in global configuration mode. To remove the failover interface, use the no form of this command.

failover lan interface if_name vlan vlan

no failover lan interface if_name vlan vlan

Syntax Description

if_name

Specifies the name of the FWSM interface dedicated to failover.

vlan vlan

Specifies the VLAN number.


Defaults

Not configured.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The active and standby modules constantly communicate over this link to determine the operating status of each module. Communications over the failover link include the the module state (active or standby), hello messages (also sent on all other interfaces), and configuration synchronization between the two modules.

Failover requires a dedicated interface for passing failover traffic, however you can also use the LAN failover interface for the Stateful Failover link. If you use the same interface for both LAN failover and Stateful Failover, the interface needs enough capacity to handle both the failover and Stateful Failover traffic.

Use a dedicated VLAN for the failover link. Sharing the failover link VLAN with any other VLANs can cause intermittent traffic problems and ping and ARP failures.

You can use any unused interface on the module as the failover interface. You cannot specify an interface that is currently configured with a name. The failover interface is not configured as a normal networking interface; it exists only for failover communications. This interface should only be used for the failover link (and optionally for the state link).

On systems running in multiple context mode, the failover link resides in the system context. This interface and the state link, if used, are the only interfaces that you can configure in the system context. All other interfaces are allocated to and configured from within security contexts.


Note The IP address and MAC address for the failover link do not change at failover.


The no form of this command also clears the failover interface IP address configuration.

This command must be part of the configuration when bootstrapping an FWSM for failover.

Examples

The following example configures the failover LAN interface:

hostname(config)# failover lan interface folink vlan 101

Related Commands

Command
Description

failover lan unit

Specifies the LAN-based failover primary or secondary unit.

failover link

Specifies the Stateful Failover interface.


failover lan unit

To configure the FWSM as either the primary or secondary unit in a failover configuration, use the failover lan unit command in global configuration mode. To restore the default setting, use the no form of this command.

failover lan unit {primary | secondary}

no failover lan unit {primary | secondary}

Syntax Description

primary

Specifies the FWSM as a primary unit.

secondary

Specifies the security appliance as a secondary unit.


Defaults

Secondary.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

For Active/Standby failover, the primary and secondary designation for the failover unit refers to which unit becomes active at boot time. The primary unit becomes the active unit at boot time when the following occurs:

The primary and secondary unit both complete their boot sequence within the first failover poll check.

The primary unit boots before the secondary unit.

If the secondary unit is already active when the primary unit boots, the primary unit does not take control; it becomes the standby unit. In this case, you need to issue the no failover active command on the secondary (active) unit to force the primary unit back to active status.

For Active/Active failover, each failover group is assigned a primary or secondary unit preference. This preference determines on which unit in the failover pair the contexts in the failover group become active at startup when both units start simultaneously (within the failover polling period).

This command must be part of the configuration when bootstrapping an FWSM for failover.

Examples

The following example sets the FWSM as the primary unit:

hostname(config)# failover lan unit primary

Related Commands

Command
Description

failover lan interface

Specifies the interface used for failover communication.


failover link

To specify the Stateful Failover interface and VLAN, use the failover link command in global configuration mode. To remove the Stateful Failover interface, use the no form of this command.

failover link if_name [vlan vlan]

no failover link

Syntax Description

if_name

Specifies the name of the FWSM interface dedicated to Stateful Failover.

vlan vlan

(Optional) Sets the VLAN used for stateful update information. If the Stateful Failover interface is sharing the interface assigned for failover communication, then this argument is not required.


Defaults

Not configured.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The physical or logical interface argument is required when not sharing the failover communication interface.

The failover link command enables Stateful Failover. Enter the no failover link command to disable Stateful Failover and also clear the Stateful Failover interface IP address configuration.

To use Stateful Failover, you must configure a state link to pass all state information. You have two options for configuring a state link: you can use a dedicated interface for the state link or you can use the failover link.


Caution Sharing the Stateful Failover link with a regular firewall interface is not supported. This restriction was not enforced in previous versions of the software. If you are upgrading from a previous version of the FWSM software, and have a configuration that shares the state link with a regular firewall interface, then the configuration related to the firewall interface will be lost when you upgrade. To prevent your configuration from being lost, move the state link to a separate physical interface or disable Stateful Failover before upgrading.

The state traffic can be large. If you are using the failover link as the state link and you experience performance problems, consider dedicating a separate link for the state traffic.

In multiple context mode, the state link resides in the system context. This interface and the failover interface are the only interfaces in the system context. All other interfaces are allocated to and configured from within security contexts.


Note The IP address and MAC address for the state link do not change at failover.



Caution All information sent over the failover and Stateful Failover links is sent in clear text unless you secure the communication with a failover key. Any usernames, passwords, and preshared keys configured on the FWSM are transmitted in clear text and could pose a significant security risk. We recommend securing the failover communication with a failover key.

Examples

The following example shows how to specify the Stateful Failover interface:

hostname(config)# failover link stateful_if vlan 101

Related Commands

Command
Description

failover interface ip

Configures the IP address of the failover command and Stateful Failover interface.

failover lan interface

Specifies the interface used for failover communication.

mtu

Specifies the maximum transmission unit for an interface.


failover polltime

To specify the failover unit and interface poll times and unit hold time, use the failover polltime command in global configuration mode. To restore the default poll time, use the no form of this command.

failover polltime [unit] [msec] time [holdtime time]

failover polltime interface time

no failover polltime [unit] [msec] time [holdtime time]

no failover polltime interface time

Syntax Description

holdtime time

(Optional) Sets the time during which a unit must receive a hello message on the failover link, after which the peer unit is declared failed. Valid values range from 3 to 45 seconds.

interface time

Specifies the poll time for interface monitoring. Valid values range from 3 to 15 seconds.

msec

(Optional) Specifies that the time interval between messages is in milliseconds. Valid values are from 500 to 999 milliseconds.

time

Amount of time between hello messages. Valid values range from 1 to 15 seconds, or from 500 to 999 milliseconds if the optional msec keyword is used.

unit

(Optional) Sets how often hello messages are sent on the failover link.


Defaults

The defaults are as follows:

The unit poll time is 1 second.

The holdtime time is 3 times the poll time (with a minimum value of 3 seconds) if you specify a poll time but do not specify a hold time with the holdtime keyword. If you specify a hold time using the holdtime keyword, it must be at least 3 times the poll time. If you enter the clear configure failover command, the hold time is 15 seconds.

The interface poll time is 15 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

2.2(1)

This command was changed from the failover poll command to the failover polltime command and now includes unit, interface, and holdtime keywords.


Usage Guidelines

You cannot enter a holdtime value that is less than 3 times the unit poll time. With a faster poll time, the FWSM can detect failure and trigger failover faster. However, faster detection can cause unnecessary switchovers when the network is temporarily congested.

When the unit or interface keywords are not specified, the poll time configured is for the unit.

You can include both failover polltime unit and failover polltime interface commands in the configuration.


Note The failover polltime interface command applies to Active/Standby failover only. For Active/Active failover, use the polltime interface command in failover group configuration mode instead of the failover polltime interface command.


If a hello packet is not heard on the failover communication interface during the hold time, the standby unit switches to active and the peer is considered failed. Five missed consecutive interface hello packets cause interface testing.


Note When CTIQBE traffic is passed through an FWSM in a failover configuration, you should decrease the failover hold time on the security appliance to below 30 seconds. The CTIQBE keepalive timeout is 30 seconds and may time out before failover occurs in a failover situation. If CTIQBE times out, Cisco IP SoftPhone connections to the Cisco CallManager are dropped, and the IP SoftPhone clients will need to reregister with the CallManager.


Examples

The following example sets the unit poll time frequency to 3 seconds:

hostname(config)# failover polltime 3

Related Commands

Command
Description

polltime interface

Specifies the interface polltime for Active/Active failover configurations.

show failover

Displays failover configuration information.


failover reload-standby

To force the standby unit to reboot, use the failover reload-standby command in privileged EXEC mode.

failover reload-standby

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Use this command when your failover units do not synchronize. The standby unit restarts and resynchronizes to the active unit after it finishes booting.

Examples

The following example shows how to use the failover reload-standby command on the active unit to force the standby unit to reboot:

hostname# failover reload-standby

Related Commands

Command
Description

write standby

Writes the running configuration to the memory on the standby unit.


failover replication http

To enable HTTP (port 80) connection replication, use the failover replication http command in global configuration mode. To disable HTTP connection replication, use the no form of this command.

failover replication http

no failover replication http

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

By default, the FWSM does not replicate HTTP session information when Stateful Failover is enabled. Because HTTP sessions are typically short-lived, and because HTTP clients typically retry failed connection attempts, not replicating HTTP sessions increases system performance without causing serious data or connection loss. The failover replication http command enables the stateful replication of HTTP sessions in a Stateful Failover environment, but could have a negative effect on system performance.

In Active/Active failover configurations, you control HTTP session replication per failover group using the replication http command in failover group configuration mode.

Examples

The following example shows how to enable HTTP connection replication:

hostname(config)# failover replication http

Related Commands

Command
Description

replication http

Enables HTTP session replication for a specific failover group.

show running-config failover

Displays the failover commands in the running configuration.


failover reset

To restore a failed FWSM to an unfailed state, use the failover reset command in privileged EXEC mode.

failover reset [group group_id]

Syntax Description

group

(Optional) Specifies a failover group.

group_id

Failover group number.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

This command was modified to allow the optional failover group ID.


Usage Guidelines

The failover reset command lets you change the failed unit or group to an unfailed state. The failover reset command can be entered on either unit, but we recommend that you always enter the command on the active unit. Entering the failover reset command at the active unit will "unfail" the standby unit.

You can display the failover status of the unit with the show failover or show failover state commands.

There is no no version of this command.

In Active/Active failover, entering failover reset resets the whole unit. Specifying a failover group with the command resets only the specified group.

Examples

The following example shows how to change a failed unit to an unfailed state:

hostname# failover reset

Related Commands

Command
Description

failover interface-policy

Specifies the policy for failover when monitoring detects interface failures.

show failover

Displays information about the failover status of the unit.


failover suspend-config-sync

To suspend failover configuration synchronization, use the failover suspend-config-sync command in global configuration mode. To disable failover, use the no form of this command.

failover suspend-config-sync

no failover suspend-config-sync

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.3(1)

This command was introduced.


Usage Guidelines

This command can be run only on the active unit. Running this command disables interface monitoring and logical updates.

Examples

The following example suspends failover configuration synchronization:

hostname(config)# failover suspend-config-sync
hostname(config)#

Related Commands

Command
Description

clear configure failover

Removes the failover commands from the running configuration.

failover

Enables failover.

show running-config failover

Displays the failover commands in the running configuration.


filter activex

To remove ActiveX objects in HTTP traffic passing through the FWSM, use the filter activex command in global configuration mode. To remove the configuration, use the no form of this command.

filter activex {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]

no filter activex {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask]

Syntax Description

except

Creates an exception to a previous filter condition.

foreign_ip

The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_ip

The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask

Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

port

The TCP port to which filtering is applied. Typically, this is port 21, but other values are accepted. The http or url literal can be used for port 21. The range of values permitted is 0 to 65535. For a listing of the well-known ports and their literal values, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide.

port-port

(Optional) Specifies a port range.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

ActiveX objects may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can disable ActiveX objects with the filter activex command.

ActiveX controls, formerly known as OLE or OCX controls, are components you can insert in a web page or other application. These controls include custom forms, calendars, or any of the extensive third-party forms for gathering or displaying information. As a technology, ActiveX creates many potential problems for network clients including causing workstations to fail, introducing network security problems, or being used to attack servers.

The filter activex command command blocks the HTML <object> commands by commenting them out within the HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET> and </APPLET> and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested tags is supported by converting top-level tags to comments.


Caution The <object> tag is also used for Java applets, image files, and multimedia objects, which will also be blocked by this command.

If the <OBJECT> or </OBJECT> HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the FWSM cannot block the tag.

ActiveX blocking does not occur when users access an IP address referenced by the alias command.

Examples

The following example specifies that Activex objects are blocked on all outbound connections:

hostname(config)# filter activex 80 0 0 0 0

This command specifies that the ActiveX object blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.

Related Commands

Commands
Description

filter url

Directs traffic to a URL filtering server.

filter java

Removes Java applets from HTTP traffic passing through the FWSM.

show running-config filter

Displays filtering configuration.

url-server

Identifies anN2H2 or Websense server for use with the filter command.


filter ftp

To identify the FTP traffic to be filtered by a Websense server, use the filter ftp command in global configuration mode. To remove the configuration, use the no form of this command.


Note Enabling the filter ftp command also enables FTP inspection even if this inspection is not configured in any policy-map. This will cause active FTP connections to succeed. If this is not desired, make sure that the FTP server only accepts passive FTP connections.


filter ftp {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [interact-block]

no filter ftp {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [interact-block]

Syntax Description

port

The TCP port to which filtering is applied. Typically, this is port 21, but other values are accepted. The ftp literal can be used for port 80.

port-port

(Optional) Specifies a port range.

except

Creates an exception to a previous filter condition.

local_ip

The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask

Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_ip

The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

allow

(Optional) When the server is unavailable, let outbound connections pass through the FWSM without filtering. If you omit this option, and if the N2H2 or Websense server goes off line, the FWSM stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back on line.

interact-block

(Optional) Prevents users from connecting to the FTP server through an interactive FTP program.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.2(1)

This command was introduced.


Usage Guidelines

The filter ftp command lets you identify the FTP traffic to be filtered by a Websense server. FTP filtering is not supported on N2H2 servers.

After enabling this feature, when a user issues an FTP GET request to a server, the FWSM sends the request to the FTP server and to the Websense server at the same time. If the Websense server permits the connection, the FWSM allows the successful FTP return code to reach the user unchanged. For example, a successful return code is "250: CWD command successful."

If the Websense server denies the connection, the FWSM alters the FTP return code to show that the connection was denied. For example, the FWSM would change code 250 to "550 Requested file is prohibited by URL filtering policy." Websense only filters FTP GET commands and not PUT commands).

Use the interactive-block option to prevent interactive FTP sessions that do not provide the entire directory path. An interactive FTP client allows the user to change directories without typing the entire path. For example, the user might enter cd ./files instead of cd /public/files. You must identify and enable the URL filtering server before using these commands.

Examples

The following example shows how to enable FTP filtering:

hostname(config)# url-server (perimeter) host 10.0.1.1
hostname(config)# filter ftp 21 0 0 0 0
hostname(config)# filter ftp except 10.0.2.54 255.255.255.255 0 0

Related Commands

Commands
Description

filter https

Identifies the HTTPS traffic to be filtered by a Websense server.

filter java

Removes Java applets from HTTP traffic passing through the FWSM.

filter url

Directs traffic to a URL filtering server.

show running-config filter

Displays filtering configuration.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


filter https

To identify the HTTPS traffic to be filtered by a Websense server, use the filter https command in global configuration mode. To remove the configuration, use the no form of this command.

filter https {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask] [allow]

no filter https {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask] [allow]

Syntax Description

port

The TCP port to which filtering is applied. Typically, this is port 443, but other values are accepted. The https literal can be used for port 443.

port-port

(Optional) Specifies a port range.

except

(Optional) Creates an exception to a previous filter condition.

dest-port

The destination port number.

local_ip

The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask

Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_ip

The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

allow

(Optional) When the server is unavailable, let outbound connections pass through the FWSM without filtering. If you omit this option, and if the N2H2 or Websense server goes off line, the FWSM stops outbound port 443 traffic until the N2H2 or Websense server is back on line.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.2(1)

This command was introduced.


Usage Guidelines

The FWSM supports filtering of HTTPS and FTP sites using an external Websense filtering server.


Note HTTPS is not supported for the N2H2 filtering server.


HTTPS filtering works by preventing the completion of SSL connection negotiation if the site is not allowed. The browser displays an error message such as "The Page or the content cannot be displayed."

Because HTTPS content is encrypted, the FWSM sends the URL lookup without directory and filename information.

Examples

The following example filters all outbound HTTPS connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) host 10.0.1.1
hostname(config)# filter https 443 0 0 0 0
hostname(config)# filter https except 10.0.2.54 255.255.255.255 0 0

Related Commands

Commands
Description

filter activex

Removes ActiveX objects from HTTP traffic passing through the FWSM.

filter java

Removes Java applets from HTTP traffic passing through the FWSM.

filter url

Directs traffic to a URL filtering server.

show running-config filter

Displays filtering configuration.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


filter java

To remove Java applets from HTTP traffic passing through the FWSM, use the filter java command in global configuration mode. To remove the configuration, use the no form of this command.

filter java {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask]

no filter java {[port[-port] | except} local_ip local_mask foreign_ip foreign_mask]

Syntax Description

port 

The TCP port to which filtering is applied. Typically, this is port 80, but other values are accepted. The http or url literal can be used for port 80.

port-port

(Optional) Specifies a port range.

except

(Optional) Creates an exception to a previous filter condition.

local_ip

The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask

Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_ip

The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Java applets may pose security risks because they can contain code intended to attack hosts and servers on a protected network. You can remove Java applets with the filter java command.

The filter java command filters out Java applets that return to the FWSM from an outbound connection. The user still receives the HTML page, but the web page source for the applet is commented out so that the applet cannot execute.

If the applet or /applet HTML tags split across network packets or if the code in the tags is longer than the number of bytes in the MTU, the FWSM cannot block the tag. If Java applets are known to be in <object> tags, use the filter activex command to remove them.

Examples

The following example specifies that Java applets are blocked on all outbound connections:

hostname(config)# filter java 80 0 0 0 0

This command specifies that the Java applet blocking applies to web traffic on port 80 from any local host and for connections to any foreign host.

The following example blocks downloading of Java applets to a host on a protected network:

hostname(config)# filter java http 192.168.3.3 255.255.255.255 0 0

This command prevents host 192.168.3.3 from downloading Java applets.

Related Commands

Commands
Description

filter activex

Removes ActiveX objects from HTTP traffic passing through the FWSM.

filter url

Directs traffic to a URL filtering server.

show running-config filter

Displays filtering configuration.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


filter url

To direct traffic to a URL filtering server, use the filter url command in global configuration mode. To remove the configuration, use the no form of this command.

filter url {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]

no filter url {[port[-port] | except } local_ip local_mask foreign_ip foreign_mask] [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]

Syntax Description

allow

When the server is unavailable, let outbound connections pass through the FWSM without filtering. If you omit this option, and if the N2H2 or Websense server goes off line, the FWSM stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back on line.

cgi_truncate

When a URL has a parameter list starting with a question mark (?), such as a CGI script, truncate the URL sent to the filtering server by removing all characters after and including the question mark.

except

Creates an exception to a previous filter condition.

foreign_ip

The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

http

Specifies port 80. You can enter http or www instead of 80 to specify port 80.)

local_ip

The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask

Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

longurl-deny

Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.

longurl-truncate

Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.

mask

Any mask.

[port[-port]

(Optional) The TCP port to which filtering is applied. Typically, this is port 80, but other values are accepted. The http or url literal can be used for port 80. Adding a second port after a hyphen optionally identifies a range of ports.

proxy-block

Prevents users from connecting to an HTTP proxy server.

url

Filter URLs from data moving through the FWSM.


Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The filter url command lets you prevent outbound users from accessing World Wide Web URLs that you designate using the N2H2 or Websense filtering application.


Note The url-server command must be configured before issuing the filter url command.


The allow option to the filter url command determines how the FWSM behaves if the N2H2 or Websense server goes off line. If you use the allow option with the filter url command and the N2H2 or Websense server goes offline, port 80 traffic passes through the FWSM without filtering. Used without the allow option and with the server off line, the FWSM stops outbound port 80 (Web) traffic until the server is back on line, or if another URL server is available, passes control to the next URL server.


Note With the allow option set, the FWSM now passes control to an alternate server if the N2H2 or Websense server goes off line.


The N2H2 or Websense server works with the FWSM to deny users from access to websites based on the company security policy.

Using the Websense Filtering Server

Websense protocol Version 4 enables group and username authentication between a host and a FWSM. The FWSM performs a username lookup, and then the Websense server handles URL filtering and username logging.

The N2H2 server must be a Windows workstation (2000, NT, or XP), running an IFP Server, with a recommended minimum of 512 MB of RAM. Also, the long URL support for the N2H2 service is capped at 3 KB, less than the cap for Websense.

Websense protocol Version 4 contains the following enhancements:

URL filtering allows the FWSM to check outgoing URL requests against the policy defined on the Websense server.

Username logging tracks username, group, and domain name on the Websense server.

Username lookup enables the FWSM to use the user authentication table to map the host IP address to the username.

Information on Websense is available at the following website:

http://www.websense.com/

Configuration Procedure

To filter URLs, perform the following steps:


Step 1 Designate an N2H2 or Websense server with the appropriate vendor-specific form of the url-server command.

Step 2 Enable filtering with the filter command.

Step 3 If needed, improve throughput with the url-cache command.


Note The url-cache command does not update Websense logs, which may affect Websense accounting reports. Accumulate Websense run logs before using the url-cache command.


Step 4 To view run information, use the show url-cache statistics and the show perfmon commands.


Working with Long URLs

Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.

Use the longurl-truncate and cgi-truncate options to allow handling of URL requests longer than the maximum permitted size.

If a URL is longer than the maximum, and you do not enable the longurl-truncate or longurl-deny options, the FWSM drops the packet.

The longurl-truncate option causes the FWSM to send only the hostname or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.

Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very long, waiting and sending the complete CGI request including the parameter list can use up memory resources and affect FWSM performance.

Buffering HTTP Responses

By default, when a user issues a request to connect to a specific website, the FWSM sends the request to the web server and to the filtering server at the same time. If the filtering server does not respond before the web content server, the response from the web server is dropped. This delays the web server response from the point of view of the web client.

By enabling the HTTP response buffer, replies from web content servers are buffered and the responses will be forwarded to the requesting user if the filtering server allows the connection. This prevents the delay that may otherwise occur.

To enable the HTTP response buffer, enter the following command:

url-block block block-buffer-limit

Replace block-buffer-limit with the maximum number of blocks that will be buffered. The permitted values are from 0 to 128, which specifies the number of 1550-byte blocks that can be buffered at one time.

Examples

The following example filters all outbound HTTP connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) host 10.0.1.1
hostname(config)# filter url 80 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

The following example blocks all outbound HTTP connections destined to a proxy server that listens on port 8080:

hostname(config)# filter url 8080 0 0 0 0 proxy-block

Related Commands

Commands
Description

filter activex

Removes ActiveX objects from HTTP traffic passing through the FWSM.

filter java

Removes Java applets from HTTP traffic passing through the FWSM.

url-block

Manages the URL buffers used for web server responses while waiting for a filtering decision from the filtering server.

url-cache

Enables URL caching while pending responses from an N2H2 or Websense server and sets the size of the cache.

url-server

Identifies an N2H2 or Websense server for use with the filter command.


firewall transparent

To set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. To restore routed mode, use the no form of this command. A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. You can set the mode independently for each security context in multiple context mode.

firewall transparent

no firewall transparent

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

2.2(1)

This command was introduced.

3.1(1)

You can set the mode independently for each security context in multiple context mode. Previously, you entered this command in the system execution space, and set the mode for all contexts.


Usage Guidelines

When you change modes, the FWSM clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration.

If you download a text configuration to the FWSM that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the FWSM changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the FWSM clears all the preceding lines in the configuration.

Examples

The following example changes the firewall mode to transparent:

hostname(config)# firewall transparent

Related Commands

Command
Description

arp-inspection

Enables ARP inspection, which compares ARP packets to static ARP entries.

mac-address-table static

Adds static MAC address entries to the MAC address table.

mac-learn

Disables MAC address learning.

show firewall

Shows the firewall mode.

show mac-address-table

Shows the MAC address table, including dynamic and static entries.


format

To erase all files and format the file system, use the format command in privileged EXEC mode. This command erases all files on the file system, including hidden system files, and reinstalls the file system.

format disk:

Syntax Description

disk:

Device to format.


Defaults

disk: is required.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

The format command erases all data on the specified file system and then rewrites the FAT information to the device.


Caution Use the format command with extreme caution, only when necessary to clean up corrupted Flash memory.

To delete all visible files (excluding hidden system files), enter the delete /recursive command, instead of the format command.

Examples

This example shows how to format the disk system:

fwsm(config)# format disk:
format operation may take a while. Continue? [confirm]

Related Commands

Command
Description

delete

Removes all user-visible files.

erase

Deletes all files and formats the Flash memory.

fsck

Repairs a corrupt file system.


fqdn

To include the indicated FQDN in the Subject Alternative Name extension of the certificate during enrollment, use the fqdn command in crypto ca trustpoint configuration mode. To restore the default setting of the fqdn, use the no form of the command.

fqdn fqdn

no fqdn

Syntax Description

fqdn

Specifies the fully qualified domain name. The maximum length of fqdn is 64 characters.


Defaults

The default setting is not to include the FQDN.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Crypto ca trustpoint configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example enters crypto ca trustpoint configuration mode for trustpoint central, and includes the FQDN engineering in the enrollment request for trustpoint central:

hostname(config)# crypto ca trustpoint central
hostname(ca-trustpoint)# fqdn engineering
hostname(ca-trustpoint)# 

Related Commands

Command
Description

crypto ca trustpoint

Enters trustpoint configuration mode.

default enrollment

Returns enrollment parameters to their defaults.

enrollment retry count

Specifies the number of retries to attempt to send an enrollment request.

enrollment retry period

Specifies the number of minutes to wait before trying to send an enrollment request.

enrollment terminal

Specifies cut and paste enrollment with this trustpoint.


fragment

To provide additional management of packet fragmentation and improve compatibility with NFS, use the fragment command in global configuration mode. To restore the value to the default, use the no form of the command.

fragment {size | chain | timeout limit} [interface]

no fragment {size | chain | timeout limit} [interface]

Syntax Description

chain limit

Specifies the maximum number of packets into which a full IP packet can be fragmented, between 1 and 8200. The default is 24.

interface

(Optional) Specifies the FWSM interface. If an interface is not specified, the command applies to all interfaces.

size limit

Sets the maximum number of packets that can be in the IP reassembly database waiting for reassembly, between 1 and 30000. The default is 200.

timeout limit

Specifies the maximum number of seconds to wait for an entire fragmented packet to arrive, between 1 and 30. The default is 5. The timer starts after the first fragment of a packet arrives. If all fragments of the packet do not arrive by the number of seconds specified, all fragments of the packet that were already received will be discarded.


Defaults

The defaults are as follows:

chain is 24 packets

interface is all interfaces

size is 200

timeout is 5 seconds

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(3)

This command was introduced.

3.1(1)

This command was modified so that you now must choose one of the following arguments: chain, size, or timeout. You can no longer enter the fragment command without entering one of these arguments, as was supported in prior releases of the software.


Usage Guidelines

By default, the FWSM accepts up to 24 fragments to reconstruct a full IP packet. Based on your network security policy, you should consider configuring the FWSM to prevent fragmented packets from traversing the FWSM by entering the fragment chain 1 interface command on each interface. Setting the limit to 1 means that all packets must be whole; that is, unfragmented.

If a large percentage of the network traffic through the FWSM is NFS, additional tuning might be necessary to avoid database overflow.

In an environment where the MTU size is small between the NFS server and client, such as a WAN interface, the chain keyword might require additional tuning. In this case, we recommend using NFS over TCP to improve efficiency.

Examples

The following example shows how to prevent fragmented packets on the outside and inside interfaces:

hostname(config)# fragment chain 1 outside
hostname(config)# fragment chain 1 inside

Continue entering the fragment chain 1 interface command for each additional interface on which you want to prevent fragmented packets.

The following example shows how to configure the fragment database on the outside interface to a maximum size of 2000, a maximum chain length of 45, and a wait time of 10 seconds:

hostname(config)# fragment size 2000 outside
hostname(config)# fragment chain 45 outside
hostname(config)# fragment timeout 10 outside

Related Commands

Command
Description

clear configure fragment

Resets all the IP fragment reassembly configurations to defaults.

clear fragment

Clears the operational data of the IP fragment reassembly module.

show fragment

Displays the operational data of the IP fragment reassembly module.

show running-config fragment

Displays the IP fragment reassembly configuration.


fsck

To perform a file system check and to repair corruptions, use the fsck command in privileged EXEC mode.

fsck [/no confirm]{disk0: | disk1: | flash:}

Syntax Description

/noconfirm

Optional. Do not prompt for confirmation to repair.

disk0:

Specifies the internal Flash memory, followed by a colon.

disk1:

Specifies the external Flash memory card, followed by a colon.

flash:

Specifies the internal Flash memory, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Privileged EXEC


Command History

Release
Modification

7.0

This command was introduced.


Usage Guidelines

The fsck command checks and attempts to repair corrupt file systems. Try using this command before resorting to more permanent procedures.

The /noconfirm keyword automatically repairs corruptions without seeking your confirmation first.

Examples

This example shows how to check the file system of the Flash memory:

hostname# fsck flash:

Related Commands

Command
Description

delete

Removes all user-visible files.

erase

Deletes all files and formats the Flash memory.

format

Erases all files on a file system, including hidden system files, and reinstalls the file system.


ftp mode passive

To set the FTP mode to passive, use the ftp mode passive command in global configuration mode. To reset the FTP client to active mode, use the no form of this command.

ftp mode passive

no ftp mode passive

Defaults

This command is disabled by default.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

Support for this command was introduced.


Usage Guidelines

The ftp mode passive command sets the FTP mode to passive.The FWSM can use FTP to upload or download image files or configuration files to or from an FTP server. The ftp mode passive command controls how the FTP client on the FWSM interacts with the FTP server.

In passive FTP, the client initiates both the control connection and the data connection. Passive mode refers to the server state, in that the server is passively accepting both the control connection and the data connection, which are initiated by the client.

In passive mode, both destination and source ports are ephemeral ports (greater than 1023). The mode is set by the client, as the client issues the passive command to initiate the setup of the passive data connection. The server, which is the recipient of the data connection in passive mode, responds with the port number to which it is listening for the specific connection.

Examples

The following example sets the FTP mode to passive:

hostname(config)# ftp mode passive

Related Commands

copy

Uploads or downloads image files or configuration files to or from an FTP server.

debug ftp client

Displays detailed information about FTP client activity.

show running-config ftp mode

Displays FTP client configuration.


ftp-map

To identify a specific map for defining the parameters for strict FTP inspection, use the ftp-map command in global configuration mode. To remove the map, use the no form of this command.

ftp-map map_name

no ftp-map map_name

Syntax Description

map_name

The name of the FTP map.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

Use the ftp-map command to identify a specific map to use for defining the parameters for strict FTP inspection. When you enter this command, the system enters the FTP map configuration mode, which lets you enter the different commands used for defining the specific map. Use the request-command deny command to prevent the FTP client from sending specific commands to the FTP server.

After defining the FTP map, use the inspect ftp strict command to enable the map. Then use the class-map, policy-map, and service-policy commands to define a class of traffic, to apply the inspect command to the class, and to apply the policy to one or more interfaces.

Examples

The following example shows how to identify FTP traffic, define an FTP map, define a policy, and apply the policy to the outside interface:

hostname(config)# class-map ftp-port 
hostname(config-cmap)# match port tcp eq 21
hostname(config)# ftp-map inbound_ftp
hostname(config-ftp-map)# request-command deny put stou appe
hostname(config-ftp-map)# policy-map inbound_policy 
hostname(config-pmap)# class ftp-port
hostname(config-pmap-c)# inspect ftp strict inbound_ftp 
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy inbound_policy interface outside

Related Commands

Commands
Description

class-map

Defines the traffic class to which to apply security actions.

inspect ftp

Applies a specific FTP map to use for application inspection.

mask-syst-reply

Hides the FTP server response from clients.

policy-map

Associates a class map with specific security actions.

request-command deny

Specifies FTP commands to disallow.