Command or Action / Purpose

Step 1
Command or Action: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
- Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: appfw policy-name policy-name
Example:
Router(config)# appfw policy-name mypolicy
Purpose: Defines an application firewall policy and puts the router in application firewall policy configuration mode.

Step 4
Command or Action: application protocol
Example:
Router(cfg-appfw-policy)# application http
Purpose: Allows you to configure inspection parameters for a given protocol. Currently, only HTTP traffic can be inspected.
- protocol--Specify the http keyword.
This command puts you in appfw-policy-protocol configuration mode, where "protocol" depends on the specified protocol. Because only HTTP can be specified, the configuration mode is appfw-policy-http.

Step 5
Command or Action: strict-http action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# strict-http action allow alarm
Purpose: (Optional) Allows HTTP messages to pass through the firewall or resets the TCP connection when HTTP noncompliant traffic is detected.

Step 6
Command or Action: content-length {min bytes max bytes | min bytes | max bytes} action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# content-length max 1 action allow alarm
Purpose: (Optional) Permits or denies HTTP traffic through the firewall on the basis of message size.
- min | max bytes--Minimum or maximum content length, in bytes, allowed per message. Number of bytes range: 0 to 65535.

Step 7
Command or Action: content-type-verification [match-req-resp] action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# content-type-verification match-req-resp action allow alarm
Purpose: (Optional) Permits or denies HTTP traffic through the firewall on the basis of the content message type.

Step 8
Command or Action: max-header-length {request bytes response bytes} action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# max-header-length request 1 response 1 action allow alarm
Purpose: (Optional) Permits or denies HTTP traffic on the basis of the message header length.
- bytes--Number of bytes ranging from 0 to 65535.

Step 9
Command or Action: max-uri-length bytes action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# max-uri-length 1 action allow alarm
Purpose: (Optional) Permits or denies HTTP traffic on the basis of the URI length in the request message.

Step 10
Command or Action: request-method {rfc rfc-method | extension extension-method} action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# request-method rfc default action allow alarm
Purpose: (Optional) Permits or denies HTTP traffic according to either the RFC request methods or the extension methods.
- rfc--Specifies that the supported methods of RFC 2616, Hypertext Transfer Protocol--HTTP/1.1, are to be used for traffic inspection.
- rfc-method--Any one of the following RFC 2616 methods can be specified: connect, default, delete, get, head, options, post, put, trace.
- extension--Specifies that the extension methods are to be used for traffic inspection.
- extension-method--Any one of the following extension methods can be specified: copy, default, edit, getattribute, getproperties, index, lock, mkdir, move, revadd, revlabel, revlog, save, setattribute, startrev, stoprev, unedit, unlock.

Step 11
Command or Action: port-misuse {p2p | tunneling | im | default} action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# port-misuse default action allow alarm
Purpose: (Optional) Permits or denies HTTP traffic through the firewall on the basis of the applications identified in the HTTP message.
- p2p--Peer-to-peer protocol applications subject to inspection: Kazaa and Gnutella.
- tunneling--Tunneling applications subject to inspection: HTTPPort/HTTPHost, GNU Httptunnel, GotoMyPC, Firethru, Http-tunnel.com Client.
- im--Instant messaging protocol applications subject to inspection: Yahoo Messenger.
- default--All applications are subject to inspection.

Step 12
Command or Action: transfer-encoding type {chunked | compress | deflate | gzip | identity | default} action {reset | allow} [alarm]
Example:
Router(cfg-appfw-policy-http)# transfer-encoding type default action allow alarm
Purpose: (Optional) Permits or denies HTTP traffic according to the specified transfer encoding of the message.
- chunked--Encoding format (specified in RFC 2616, Hypertext Transfer Protocol--HTTP/1.1) in which the body of the message is transferred in a series of chunks; each chunk contains its own size indicator.
- compress--Encoding format produced by the UNIX "compress" utility.
- deflate--"ZLIB" format defined in RFC 1950, ZLIB Compressed Data Format Specification version 3.3, combined with the "deflate" compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification version 1.3.
- gzip--Encoding format produced by the "gzip" (GNU zip) program.
- identity--Default encoding, which indicates that no encoding has been performed.
- default--All of the transfer encoding types.

Step 13
Command or Action: timeout seconds
Example:
Router(cfg-appfw-policy-http)# timeout 60
Purpose: (Optional) Overrides the global TCP idle timeout value for HTTP traffic.
Note: If this command is not issued, the default value specified via the ip inspect tcp idle-time command is used.

Step 14
Command or Action: audit-trail {on | off}
Example:
Router(cfg-appfw-policy-http)# audit-trail on
Purpose: (Optional) Turns audit trail messages on or off.
Note: If this command is not issued, the default value specified via the ip inspect audit-trail command is used.

Step 15
Command or Action: exit
Example:
Router(cfg-appfw-policy-http)# exit
Purpose: Exits cfg-appfw-policy-http configuration mode.

Step 16
Command or Action: exit
Example:
Router(cfg-appfw-policy)# exit
Purpose: Exits cfg-appfw-policy configuration mode.
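A complete HTTP inspection policy assembled from the steps above, as an added example that is not part of the original table: a monitor-only policy for initial rollout, in which every check allows traffic but raises an alarm, beside the enforcing policy that resets on the same conditions. The policy names, the size limits, and the ip inspect binding and interface at the end are illustrative assumptions.

```cisco
! Added example, not from the original table; names, limits and the
! ip inspect binding at the end are illustrative assumptions.
!
! Phase 1: monitor-only. Every check allows traffic but raises an alarm,
! so the audit trail shows what an enforcing policy would reset.
appfw policy-name http-monitor
 application http
  strict-http action allow alarm
  content-length max 65535 action allow alarm
  content-type-verification match-req-resp action allow alarm
  max-header-length request 4096 response 4096 action allow alarm
  max-uri-length 2048 action allow alarm
  request-method rfc default action allow
  request-method extension default action allow alarm
  port-misuse default action allow alarm
  transfer-encoding type default action allow alarm
  audit-trail on
  timeout 60
  exit
 exit
!
! Phase 2: enforcing. Noncompliant, oversized, non-RFC-method and
! tunnelled HTTP is reset; RFC 2616 methods and transfer encodings pass.
appfw policy-name http-enforce
 application http
  strict-http action reset alarm
  content-length max 65535 action reset alarm
  content-type-verification match-req-resp action reset alarm
  max-header-length request 4096 response 4096 action reset alarm
  max-uri-length 2048 action reset alarm
  request-method rfc default action allow
  request-method extension default action reset alarm
  port-misuse default action reset alarm
  transfer-encoding type default action allow
  audit-trail on
  timeout 60
  exit
 exit
!
! Binding to an inspection rule and interface is not in the table above
! (assumed syntax from the IOS application firewall feature).
ip inspect name fw-http appfw http-enforce
ip inspect name fw-http http
interface FastEthernet0/0
 ip inspect fw-http in
 exit
```

Run the monitor policy first and review the alarms it produces; switch the inspection rule to the enforcing policy only once legitimate traffic no longer trips the size, method or encoding checks.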