Content Filtering Policy Configuration Mode Commands

In the Content Filtering Policy (CFP) Configuration Mode, you configure how content filtering results are analyzed and which action is taken on matching results for a Content Filtering Category Policy Identifier.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
analyze
This command specifies the action to take for the indicated result after content filtering analysis.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
analyze priority priority { all | category category | x-category string } action { allow | content-insert content_string | discard | redirect-url url | terminate-flow | www-reply-code-and-terminate-flow reply_code } [ edr edr_format_name ]
no analyze priority priority
no
Removes the specified analyze priority configuration.
priority priority
Specifies the precedence of a category in the content filtering policy.
priority must be an integer from 1 through 65535, and must be unique in the content filtering policy.
all
Specifies the default action to take if the category returned after rating is not configured in the subscriber’s content filtering policy. This has the lowest priority.
category category
Specifies the category. category must be one of the following.
Important: Content can simultaneously match multiple categories; therefore, a specific priority must be used to set the required evaluation precedence.
x-category string
This keyword can be used to configure runtime categories not present in the CLI.
string specifies the unclassified category to be rated, and must be an alpha and/or numeric string of 1 through 6 characters in length.
A maximum of 10 x-categories can be configured.
action { allow | content-insert content_string | discard | redirect-url url | terminate-flow | www-reply-code-and-terminate-flow reply_code }
Specifies the action to take for the indicated result of content filtering analysis.
allow: In the case of static content filtering this option allows the request for content, and in dynamic content filtering allows the content itself.
content-insert content_string: Specifies the content string to be inserted in place of the message returned from prohibited/restricted site or content server.
In case of static content filtering, content_string is used to create a response to the subscriber’s attempt to get content, and in dynamic content filtering, it is used to replace the content returned by a server.
content_string must be an alpha and/or numeric string of 1 through 1023 characters in length.
discard: In case of static content filtering, this option discards the packet(s) that requested the content, and in dynamic content filtering it discards the packet(s) that contain(s) the content.
redirect-url url: Specifies redirecting the subscriber to the specified URL.
url must be a string of 1 through 1023 characters in length, and in the http://search.com/subtarg=#HTTP.URL# format.
terminate-flow: Specifies terminating the TCP connection gracefully between the subscriber and server by sending a TCP FIN to the subscriber and a TCP RST to the server.
www-reply-code-and-terminate-flow reply_code: Specifies terminating flow with the specified reply code. reply_code must be a reply code, and must be an integer from 100 through 599.
Important: Static-and-Dynamic Content Filtering is only supported in StarOS 9.0 and later.
edr edr_format_name
Specifies that separate EDRs are generated for content filtering, based on action and content category, using the EDR file format named edr_format_name.
edr_format_name is the name of a pre-defined EDR file format in the EDR Format Configuration Mode, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Important: EDRs generated through this keyword are different from charging EDRs generated for subscriber accounting and billing. For more information on generation of charging EDRs, refer to the Rulebase Configuration Mode Commands chapter.
Usage
Use this command to specify the action and priorities for the indicated result of content filtering analysis.
Up to 64 priorities and actions can be entered with this command.
Example
The following command sets priority 10 for category ADULT with action as terminate-flow:
analyze priority 10 category ADULT action terminate-flow
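The limits listed above for analyze (priority range and uniqueness, x-category length and count, reply code range, argument length, number of entries) can be checked on a policy before it is loaded. The following Python check is an added example, not part of the Cisco documentation; lint_policy, the sample lines and the names XCAT01, TOOLONG7 and cfedr1 are constructed, and it assumes "alpha and/or numeric" means ASCII letters and digits only.

```python
import re

NO_ARG = {"allow", "discard", "terminate-flow"}
STRING_ARG = {"content-insert", "redirect-url"}
ALNUM = re.compile(r"[A-Za-z0-9]+")  # assumption: letters and digits only

def lint_policy(lines):
    """Return (line_no, message) findings; line_no 0 means policy-wide."""
    out, priorities, xcats, entries = [], set(), set(), 0
    for no, line in enumerate(lines, 1):
        tok = line.split()
        if tok[:2] != ["analyze", "priority"] or "action" not in tok[3:]:
            continue  # only complete analyze entries are checked
        entries += 1
        a = tok.index("action", 3)
        prio, match, act = tok[2], tok[3:a], tok[a + 1:]
        if not prio.isdecimal() or not 1 <= int(prio) <= 65535:
            out.append((no, "priority must be an integer from 1 through 65535"))
        elif int(prio) in priorities:
            out.append((no, f"priority {int(prio)} is already used in this policy"))
        else:
            priorities.add(int(prio))
        if len(match) == 2 and match[0] == "x-category":
            xcats.add(match[1])
            if not ALNUM.fullmatch(match[1]) or len(match[1]) > 6:
                out.append((no, "x-category must be 1 through 6 alphanumeric characters"))
        elif match != ["all"] and not (len(match) == 2 and match[0] == "category"):
            out.append((no, "expected all, category <name> or x-category <string>"))
        if len(act) >= 3 and act[-2] == "edr":  # optional trailing "edr <name>"
            act = act[:-2]
        if len(act) == 2 and act[0] == "www-reply-code-and-terminate-flow":
            if not act[1].isdecimal() or not 100 <= int(act[1]) <= 599:
                out.append((no, "reply_code must be an integer from 100 through 599"))
        elif len(act) == 2 and act[0] in STRING_ARG:
            if len(act[1]) > 1023:
                out.append((no, f"{act[0]} argument is longer than 1023 characters"))
        elif not (len(act) == 1 and act[0] in NO_ARG):
            out.append((no, "unknown or malformed action"))
    for limit, n, what in ((64, entries, "analyze entries"), (10, len(xcats), "x-categories")):
        if n > limit:
            out.append((0, f"more than {limit} {what}"))
    return out

SAMPLE = [  # constructed input, not taken from a real device
    "analyze priority 10 category ADULT action terminate-flow",
    "analyze priority 10 x-category XCAT01 action discard",
    "analyze priority 20 x-category TOOLONG7 action allow edr cfedr1",
    "analyze priority 70000 all action www-reply-code-and-terminate-flow 99",
]
```

lint_policy(SAMPLE) reports the reused priority on line 2, the over-long x-category on line 3, and both the out-of-range priority and the out-of-range reply code on line 4.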
 
discarded-flow-content-id
This command is used in the configuration to account for packets discarded as a result of content filtering action.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
discarded-flow-content-id content_id
no discarded-flow-content-id
content_id
Specifies the content ID for discarded flows.
content_id must be an integer from 1 through 65535.
Usage
Use this command in the configuration to account for packets discarded as a result of CF action.
A flow end-condition EDR would be generated as a charging EDR for content-filtered packets. No billing EDRs (even with flow-end) would be generated for a discarded packet as the flow will not end. Dual EDRs would exist for customers who want to use “flow end” to get EDRs for charging, plus CF-specific EDRs. The second EDR for charging comes from the flow end-condition content-filtering configuration in the Rulebase Configuration Mode.
The discarded-flow-content-id configuration can be used for accumulating stats for UDR generation in case CF discards the packets. These stats for UDR generation (based on the CF content ID) would also be accumulated in case of ACS error scenarios where the packets are discarded but the flow does not end.
If, in the Rulebase Configuration Mode, the content-filtering flow-any-error configuration is set to deny, then all the denied packets will be accounted for by the discarded-flow-content-id configuration. That is, the content_id will be used to generate UDRs for the denied packets in case of content filtering.
Example
Use the following command to set the accumulation of stats for UDR generation based on the CF content ID 1003:
discarded-flow-content-id 1003
 
failure-action
This command specifies the failure action when the content filtering analysis results are not available to analyze.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
failure-action { allow | content-insert content_string | discard | redirect-url url | terminate-flow | www-reply-code-and-terminate-flow reply_code } [ edr edr_format_name ]
default failure-action [ edr edr_format_name ]
default
Configures the default setting.
Default: discard
allow
In static content filtering, this option allows the request for content, and in dynamic content filtering allows the content itself.
Important: Static-and-Dynamic Content Filtering is only supported in StarOS 9.0 and later.
content-insert content_string
Specifies the content string to be inserted in place of the message returned from the content server due to connection timeout or when no category policy ID is available for the content.
In case of static content filtering, the content_string is used to create a response to the subscriber’s attempt to get content, and in dynamic content filtering it replaces the content returned by a server.
content_string must be an alpha and/or numeric string of 1 through 1023 characters in length.
Important: Static-and-Dynamic Content Filtering is only supported in StarOS 9.0 and later.
discard
In static content filtering, this option discards the packet(s) that requested the content, and in dynamic content filtering it discards the packet(s) that contain the content.
Important: Static-and-Dynamic Content Filtering is only supported in StarOS 9.0 and later.
redirect-url url
Redirects the subscriber to the specified URL.
url must be a string of 1 through 1023 characters in length, and must be in the following format:
http://search.com/subtarg=#HTTP.URL#
terminate-flow
Terminates the TCP connection gracefully between the subscriber and external server and sends a TCP FIN to the subscriber and a TCP RST to the server.
www-reply-code-and-terminate-flow reply_code
Sets action as terminate-flow with specified reply code.
reply_code must be a reply code, and must be an integer from 100 through 599.
edr edr_format_name
Specifies that EDRs are generated on the content filtering action using the EDR file format named edr_format_name.
edr_format_name is the name of a pre-defined EDR file format in the EDR Format Configuration Mode, and must be an alpha and/or numeric string of 1 through 63 characters in length.
Usage
Use this command to set the failure action to take when no content filtering analysis result is available for the analyze priority priority category category_string command to analyze.
Example
The following command sets the failure action as discard:
failure-action discard
 
timeout action
 
This command has been deprecated, and is replaced by the failure-action command.
 

Cisco Systems Inc.