Configuring an HTTP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can then apply the inspection policy map when you enable HTTP inspection.
Note When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the inspection policy map remains enabled.
To create an HTTP inspection policy map, perform the following steps:
Step 1 (Optional) Add one or more regular expressions for use in traffic matching commands according to the general operations configuration guide. See the types of text you can match in the match commands described in Step 3.
Step 2 (Optional) Create one or more regular expression class maps to group regular expressions according to the general operations configuration guide.
Step 3 (Optional) Create an HTTP inspection class map by performing the following steps.
A class map groups multiple traffic matches. With the default match-all keyword, traffic must match all of the match commands to match the class map. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string "example.com", then any traffic that includes "example.com" does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop, drop-connection, reset, mask, set the rate limit, and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
a. Create the class map by entering the following command:
ciscoasa(config)# class-map type inspect http [match-all | match-any] class_map_name
Where class_map_name is the name of the class map. The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map. The match-any keyword specifies that the traffic matches the class map if it matches at least one of the criteria. The CLI enters class-map configuration mode, where you can enter one or more match commands.
b. (Optional) To add a description to the class map, enter the following command:
ciscoasa(config-cmap)# description string
c. (Optional) To match traffic with a content-type field in the HTTP response that does not match the accept field in the corresponding HTTP request message, enter the following command:
ciscoasa(config-cmap)# match [not] req-resp content-type mismatch
d. (Optional) To match text found in the HTTP request message arguments, enter the following command:
ciscoasa(config-cmap)# match [not] request args regex [regex_name | class regex_class_name]
Where regex_name is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2.
e. (Optional) To match text found in the HTTP request message body or to match traffic that exceeds the maximum HTTP request message body length, enter the following command:
ciscoasa(config-cmap)# match [not] request body {regex [regex_name | class regex_class_name] | length gt max_bytes}
Where the regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2. The length gt max_bytes argument is the maximum request message body length in bytes; a body longer than this matches.
f. (Optional) To match text found in the HTTP request message header, or to restrict the count or length of the header, enter the following command:
ciscoasa(config-cmap)# match [not] request header {[field] [regex [regex_name | class regex_class_name]] | [length gt max_length_bytes | count gt max_count]}
Where field is a predefined message header keyword (for example, host or user-agent). The regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2. The length gt max_length_bytes argument is the maximum header length in bytes, and count gt max_count is the maximum number of header fields; a header that exceeds either limit matches.
g. (Optional) To match text found in the HTTP request message method, enter the following command:
ciscoasa(config-cmap)# match [not] request method {[method] | [regex [regex_name | class regex_class_name]]}
Where method is a predefined message method keyword (for example, get, post, or put). The regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2.
h. (Optional) To match text found in the HTTP request message URI, enter the following command:
ciscoasa(config-cmap)# match [not] request uri {regex [regex_name | class regex_class_name] | length gt max_bytes}
Where the regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2. The length gt max_bytes argument is the maximum URI length in bytes; a URI longer than this matches.
i. (Optional) To match text found in the HTTP response message body, or to comment out Java applet and ActiveX object tags in order to filter them, enter the following command:
ciscoasa(config-cmap)# match [not] response body {[active-x] | [java-applet] | [regex [regex_name | class regex_class_name]] | length gt max_bytes}
Where the regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2. The length gt max_bytes argument is the maximum response message body length in bytes; a body longer than this matches.
j. (Optional) To match text found in the HTTP response message header, or to restrict the count or length of the header, enter the following command:
ciscoasa(config-cmap)# match [not] response header {[field] [regex [regex_name | class regex_class_name]] | [length gt max_length_bytes | count gt max_count]}
Where field is a predefined message header keyword (for example, server or content-type). The regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2. The length gt max_length_bytes argument is the maximum header length in bytes, and count gt max_count is the maximum number of header fields; a header that exceeds either limit matches.
k. (Optional) To match text found in the HTTP response message status line, enter the following command:
ciscoasa(config-cmap)# match [not] response status-line {regex [regex_name | class regex_class_name]}
Where the regex regex_name argument is the regular expression you created in Step 1, and class regex_class_name is the regular expression class map you created in Step 2.
Step 4 To create an HTTP inspection policy map, enter the following command:
ciscoasa(config)# policy-map type inspect http policy_map_name
Where policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
Step 5 (Optional) To add a description to the policy map, enter the following command:
ciscoasa(config-pmap)# description string
Step 6 To apply actions to matching traffic, perform the following steps.
a. Specify the traffic on which you want to perform actions using one of the following methods:
- Specify the HTTP class map that you created in Step 3 by entering the following command:
ciscoasa(config-pmap)# class class_map_name
- Specify traffic directly in the policy map using one of the match commands described in Step 3. If you use a match not command, then any traffic that does not match the criterion in the match not command has the action applied.
b. Specify the action you want to perform on the matching traffic by entering the following command:
ciscoasa(config-pmap-c)# {[drop [send-protocol-error] | drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate}
Not all options are available for each match or class command. See the CLI help or the command reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
The reset keyword drops the packet, closes the connection, and sends a TCP reset to the server and/or client.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
The rate-limit message_rate argument limits the rate of messages.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see the "Defining Actions in an Inspection Policy Map" section.
Step 7 To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
ciscoasa(config-pmap)# parameters
b. To check for HTTP protocol violations, enter the following command:
ciscoasa(config-pmap-p)# protocol-violation [action [drop-connection | reset | log]]
Where the drop-connection action closes the connection. The reset action closes the connection and sends a TCP reset to the client. The log action sends a system log message when this policy map matches traffic.
c. To substitute a string for the server header field, enter the following command:
ciscoasa(config-pmap-p)# spoof-server string
Where the string argument is the string to substitute for the Server header field in responses, so that clients do not learn the real server software and version. Note: WebVPN streams are not subject to the spoof-server command.
The following example shows how to define an HTTP inspection policy map that will allow and log any HTTP connection that attempts to access "www\.xyz\.com/.*\.asp" or "www\.xyz[0-9][0-9]\.com" with methods "GET" or "PUT". All other URL/method combinations will be silently allowed. (Note that the dots in the host names are escaped; an unescaped dot in a regex matches any character.)
ciscoasa(config)# regex url1 "www\.xyz\.com/.*\.asp"
ciscoasa(config)# regex url2 "www\.xyz[0-9][0-9]\.com"
ciscoasa(config)# regex get "GET"
ciscoasa(config)# regex put "PUT"
ciscoasa(config)# class-map type regex match-any url_to_log
ciscoasa(config-cmap)# match regex url1
ciscoasa(config-cmap)# match regex url2
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map type regex match-any methods_to_log
ciscoasa(config-cmap)# match regex get
ciscoasa(config-cmap)# match regex put
ciscoasa(config-cmap)# exit
ciscoasa(config)# class-map type inspect http http_url_policy
ciscoasa(config-cmap)# match request uri regex class url_to_log
ciscoasa(config-cmap)# match request method regex class methods_to_log
ciscoasa(config-cmap)# exit
ciscoasa(config)# policy-map type inspect http http_policy
ciscoasa(config-pmap)# class http_url_policy
ciscoasa(config-pmap-c)# log
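The page's example only logs. The following is an added example, not from the original page or from Cisco, that walks through Steps 1 to 7 with enforcement: it uses a match-all class map with match not to catch any request whose method is outside an allowed set, adds direct match commands in the policy map with different actions per match, sets the engine parameters, and binds the result to HTTP inspection. All names (m_get, m_head, m_post, allowed_methods, unexpected_methods, http_hardening), the limits, and the Apache banner string are assumptions; it also assumes the ASA default global policy (global_policy with class inspection_default), which a factory configuration already applies with service-policy global_policy global.

```cisco
! Added example (not from the original page); names and limits are illustrative.
! Steps 1-2: allowed methods as a regex class. ^ and $ anchor the whole method
! token so that, for example, "GETX" does not count as GET.
ciscoasa(config)# regex m_get "^GET$"
ciscoasa(config)# regex m_head "^HEAD$"
ciscoasa(config)# regex m_post "^POST$"
ciscoasa(config)# class-map type regex match-any allowed_methods
ciscoasa(config-cmap)# match regex m_get
ciscoasa(config-cmap)# match regex m_head
ciscoasa(config-cmap)# match regex m_post
ciscoasa(config-cmap)# exit
! Step 3: match-all (the default, shown explicitly) combined with match not, so
! the class matches only requests whose method is NOT in allowed_methods.
ciscoasa(config)# class-map type inspect http match-all unexpected_methods
ciscoasa(config-cmap)# description Requests whose method is not GET, HEAD or POST
ciscoasa(config-cmap)# match not request method regex class allowed_methods
ciscoasa(config-cmap)# exit
! Steps 4-6: the inspection policy map, with a different action per match.
ciscoasa(config)# policy-map type inspect http http_hardening
ciscoasa(config-pmap)# description HTTP inspection for the DMZ web servers
ciscoasa(config-pmap)# class unexpected_methods
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap-c)# exit
! Direct match in the policy map: request bodies over 1 MiB get a TCP reset plus a syslog.
ciscoasa(config-pmap)# match request body length gt 1048576
ciscoasa(config-pmap-c)# reset log
ciscoasa(config-pmap-c)# exit
! Direct match: more than 32 request header fields (typical for header-flooding tools).
ciscoasa(config-pmap)# match request header count gt 32
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap-c)# exit
! Step 7: engine parameters. Strict inspection is on as long as this map is
! enabled; this changes its violation action from the default reset/log.
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# protocol-violation action drop-connection log
ciscoasa(config-pmap-p)# spoof-server Apache
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# exit
! Apply it. Assumes the default global policy, which is already bound with
! "service-policy global_policy global".
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect http http_hardening
```

Two practical points. First, the order matters: an action on a class is taken before actions on direct match commands later in the same policy map, so put the most specific (and most severe) matches first, as the "Defining Actions in an Inspection Policy Map" section describes. Second, test against real client traffic before using drop-connection or reset on method or header limits, because some legitimate applications (WebDAV, large file uploads, heavily cookied sites) will trip them; show service-policy inspect http reports the per-match hit counts, and the syslogs from the log keyword show which match fired.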