Content Filtering Policy Configuration Mode Commands

Content Filtering Policy Configuration Mode Commands
 
The Content Filtering Policy Configuration Mode allows you to configure analysis and action when Content Filtering (CF) matches a Content Filtering Category Policy Identifier.
note_smallImportant: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
analyze
Specifies the action to take for the indicated result after content filtering analysis.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
In 12.1 and earlier releases:
analyze priority priority { all | category category | x-category string } action { allow | content-insert content_string | discard | redirect-url url | terminate-flow | www-reply-code-and-terminate-flow reply_code } [ edr edr_format_name ]
no analyze priority priority
In 12.2 and later releases:
analyze priority priority { all | category category | x-category string } action { allow | content-insert content_string | discard | redirect-url url | terminate-flow | www-reply-code-and-terminate-flow reply_code } [ reporting-edr reporting_edr_format_name ]
no analyze priority priority
no
Removes the specified analyze priority configuration.
priority priority
Specifies the precedence of a category in the content filtering policy.
priority must be an integer from 1 to 65535 that is unique in the content filtering policy.
all
Specifies the default action to take if the category returned after rating is not configured in the subscriber’s content filtering policy. This has the lowest priority.
category category
Specifies the category.
category must be one of the following.
ABOR
ADULT
ADVERT
ANON
ART
AUTO
BACKUP
BLACK
BLOG
BUSI
CAR
CDN
CHAT
CMC
CRIME
CULT
DRUG
DYNAM
EDU
ENERGY
ENT
FIN
FORUM
GAMB
GAME
GLAM
GOVERN
HACK
HATE
HEALTH
HOBBY
HOSTS
KIDS
LEGAL
LIFES
MAIL
MIL
NEWS
OCCULT
PEER
PERS
PHOTO
PLAG
POLTIC
PORN
PORTAL
PROXY
REF
REL
SCI
SEARCH
SHOP
SPORT
STREAM
SUIC
SXED
TECH
TRAV
VIOL
VOIP
WEAP
WHITE
UNKNOW
note_smallImportant: Content can simultaneously match multiple categories, therefore specific priority must be used for required evaluation precedence.
x-category string
This keyword can be used to configure runtime categories not present in the CLI.
string specifies the unclassified category to be rated, and must be an alphanumeric string of 1 through 6 characters.
A maximum of 10 x-categories can be configured.
action { allow | content-insert content_string | discard | redirect-url url | terminate-flow | www-reply-code-and-terminate-flow reply_code }
Specifies the action to take for the indicated result of content filtering analysis.
allow: With static content filtering, this option allows the request for content. In dynamic content filtering it allows the content itself.
content-insert content_string: Specifies the content string to be inserted in place of the message returned from prohibited/restricted site or content server.
For static content filtering, content_string is used to create a response to the subscriber’s attempt to get content. In dynamic content filtering, it is used to replace the content returned by a server.
content_string must be an alphanumeric string of 1 through 1023 characters.
discard: For static content filtering, this option discards the packet(s) that requested. In dynamic content filtering, it discards the packet(s) that contain(s) the content.
redirect-url url: Redirects the subscriber to the specified URL.
url must be an alphanumeric string of 1 through 1023 characters in the http://search.com/subtarg=#HTTP.URL# format.
terminate-flow: Terminates the TCP connection gracefully between the subscriber and server, and sends a TCP FIN to the subscriber and a TCP RST to the server.
www-reply-code-and-terminate-flow reply_code: Terminates the flow with the specified reply code. reply_code must be a reply code that is an integer from 100 through 599.
note_smallImportant: Static-and-Dynamic Content Filtering is only supported in 9.0 and later releases.
edr edr_format_name
note_smallImportant: This option is applicable only to 12.1 and earlier releases. In 12.2 and later releases, it is deprecated and replaced by the reporting-edr option.
Generates separate EDRs for content filtering based on action and content category using a specified EDR file format name.
edr_format_name is the name of a pre-defined EDR file format name in the EDR Format Configuration Mode, and must be an alphanumeric string of 1 through 63 characters.
note_smallImportant: EDRs generated through this keyword are different from charging EDRs generated for subscriber accounting and billing. For more information on generation of charging EDRs, refer to the ACS Rulebase Configuration Mode Commands chapter.
reporting-edr reporting_edr_format_name
note_smallImportant: This option is available only in 12.2 and later releases.
Generates separate reporting EDRs for Content Filtering based on the action and content category using the specified EDR file format name.
reporting_edr_format_name must be an alphanumeric string of 1 through 63 characters.
Usage
Use this command to specify the action and priorities for the indicated result of content filtering analysis.
Up to 64 priorities and actions can be entered with this command.
Example
The following command sets priority 10 for category ADULT with action as terminate-flow:
analyze priority 10 category ADULT action terminate-flow
discarded-flow-content-id
Accounts for packets discarded as a result of content filtering action.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
discarded-flow-content-id content_id
no discarded-flow-content-id
content_id
Specifies the content ID for discarded flows as an integer from 1 through 65535.
Usage
Use this command in the configuration to account for packets discarded as a result of CF action.
A flow end-condition EDR would be generated as a charging EDR for content-filtered packets. No billing EDRs (even with flow-end) would be generated for a discarded packet as the flow will not end. Dual EDRs would exist for customers who want to use “flow end” to get EDRs for charging, plus CF-specific EDRs. The second EDR for charging comes from the flow end-condition content-filtering configuration in the Rulebase Configuration Mode.
The discarded-flow-content-id configuration can be used for accumulating statistics for UDR generation in case CF discards the packets. These statistics for UDR generation (based on the CF content ID) would also be accumulated in case of ACS error scenarios where the packets are discarded but the flow does not end.
If, in the Rulebase Configuration Mode, the content-filtering flow-any-error configuration is set to deny, then all the denied packets will be accounted for by the discarded-flow-content-id config. That is, the content_id will be used to generate UDRs for the denied packets in case of content filtering.
Example
Use the following command to set the accumulation of statistics for UDR generation based on the CF content ID 1003:
discarded-flow-content-id 1003
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to return to the Exec mode.
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
failure-action
Specifies the failure action when the content filtering analysis results are not available to analyze.
Product
CF
Privilege
Security Administrator, Administrator
Syntax
failure-action { allow | content-insert content_string | discard | redirect-url url | terminate-flow | www-reply-code-and-terminate-flow reply_code } [ edr edr_format_name ]
default failure-action [ edr edr_format_name ]
default
Configures the default setting of discard.
allow
In static content filtering, this option allows the request for content. In dynamic content filtering it allows the content itself.
note_smallImportant: Static-and-Dynamic Content Filtering is only supported in 9.0 and later releases.
content-insertion content_string
Specifies the content string to be inserted in place of the message returned from the content server due to connection timeout or when no category policy ID is available for the content.
For content filtering, the content_string is used to create a response to the subscriber’s attempt to get content. In dynamic content filtering it replaces the content returned by a server.
content_string is an alphanumeric string of 1 through 1023 characters.
note_smallImportant: Static-and-Dynamic Content Filtering is only supported in 9.0 and later releases.
discard
In static content filtering, specifies discarding the packet(s) that requested. In dynamic content filtering it discards the packet(s) that contain the content.
note_smallImportant: Static-and-Dynamic Content Filtering is only supported in 9.0 and later releases.
redirect-url url
Redirects the subscriber to the specified URL.
url must be an alphanumeric string of 1 through 1023 characters, in the following format: http://search.com/subtarg=#HTTP.URL#
terminate-flow
Terminates the TCP connection gracefully between the subscriber and external server and sends a TCP FIN to the subscriber and a TCP RST to the server.
www-reply-code-and-terminate-flow reply_code
Sets action as terminate-flow with a reply code that is a 3-digit integer from 100 through 599.
edr edr_format_name
Specifies the name of a pre-defined EDR format to be generated on the content filtering action as an alphanumeric string of 1 through 63 characters.
Usage
Use this command to set the failure action to take when no content filtering analysis result is available to analyze for analyze priority priority category category_string command.
Example
The following command sets the failure action as discard:
failure-action discard
timeout action
This command has been deprecated, and is replaced by the failure-action command.
 
 
Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883