Filtering URLs and FTP Requests with an External Server
This section describes how to filter URLs and FTP requests with an external server.
Information About URL Filtering
You can apply filtering to connection requests originating from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify configuration and improve ASA performance by using a separate server running one of the following Internet filtering products:
- Websense Enterprise for filtering HTTP, HTTPS, and FTP.
- McAfee SmartFilter (formerly N2H2) for filtering HTTP, HTTPS, FTP, and long URL filtering.
In long URLs, the URL in the Referer field might contain a “host:” text string, which could cause the HTTP GET header to be incorrectly parsed as containing the HTTP Host parameter. The ASA, however, correctly parses the Referer field even when it contains a “host:” text string and forwards the header to the McAfee SmartFilter server with the correct Referer URL.
Note URL caching will only work if the version of the URL server software from the URL server vendor supports it.
Although ASA performance is less affected when using an external server, you might notice longer access times to websites or FTP servers when the filtering server is remote from the ASA.
When filtering is enabled and a request for content is directed through the ASA, the request is sent to the content server and to the filtering server at the same time. If the filtering server allows the connection, the ASA forwards the response from the content server to the originating client. If the filtering server denies the connection, the ASA drops the response and sends a message or return code indicating that the connection was not successful.
If user authentication is enabled on the ASA, then the ASA also sends the username to the filtering server. The filtering server can use user-specific filtering settings or provide enhanced reporting about usage.
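The Referer point above (a Referer URL that contains the text "host:" must not be mistaken for the HTTP Host header) is easy to get wrong with a substring search over the header block. The following Python is an added example, not code from the Cisco guide or from the ASA: a naive substring parse beside a line-based header parse, plus a helper that assembles the fields a filtering server would be consulted about, including the username the guide says is sent when user authentication is enabled. The request text, hostnames, username and the field names of the lookup are constructed.

```python
from typing import Dict, Optional, Tuple

# Constructed sample request: the Referer carries the text "host:" and is
# placed before the real Host header, the case that defeats a substring search.
SAMPLE_REQUEST = (
    "GET /cgi-bin/search?q=firewall HTTP/1.1\r\n"
    "Referer: http://intranet.example.test/redirect?host:login=1&next=/home\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: constructed-client/1.0\r\n"
    "\r\n"
)


def naive_host(raw: str) -> str:
    """Incorrect parse: the first 'host:' substring anywhere in the header block.
    With SAMPLE_REQUEST it returns a fragment of the Referer, not the Host."""
    idx = raw.lower().find("host:")
    if idx < 0:
        return ""
    return raw[idx + len("host:"):].split("\r\n", 1)[0].strip()


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Correct parse: the request line, then one 'Name: value' header per line.
    Only the text before the first ':' of a line is a header name, so 'host:'
    inside the Referer value can never be taken for a Host header.  Names are
    lower-cased because header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def filter_server_lookup(raw: str, username: Optional[str] = None) -> Dict[str, str]:
    """Assemble what a filtering server would be asked about: the full URL rebuilt
    from Host plus the request target, the intact Referer and, when user
    authentication is on, the username (the field names are assumptions)."""
    request_line, headers = parse_headers(raw)
    method, target, _version = request_line.split(" ", 2)
    lookup = {
        "method": method,
        "url": f"http://{headers.get('host', '')}{target}",
        "referer": headers.get("referer", ""),
    }
    if username is not None:
        lookup["user"] = username
    return lookup
```

Run `filter_server_lookup(SAMPLE_REQUEST, "alice")` to see the correctly rebuilt URL and Referer; `naive_host(SAMPLE_REQUEST)` shows the wrong value a substring search would forward.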
Licensing Requirements for URL Filtering
The following table shows the licensing requirements for URL filtering:
Table 29-3 Licensing Requirements
| Model | License Requirement |
| All models | Base License. |
Guidelines and Limitations for URL Filtering
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
IPv6 Guidelines
Does not support IPv6.
Identifying the Filtering Server
You can identify up to four filtering servers per context. The ASA uses the servers in order until a server responds. In single mode, a maximum of 16 of the same type of filtering servers are allowed. You can only configure a single type of server (Websense or Secure Computing SmartFilter) in your configuration.
Note You must add the filtering server before you can configure filtering for HTTP or HTTPS.
To specify the external filtering server, perform the following steps:
Step 1 In the ASDM main window, choose Configuration > Firewall > URL Filtering Servers.
Step 2 In the URL Filtering Server Type area, click one of the following options:
- Websense
- Secure Computing SmartFilter
Step 3 If you chose the second option, enter the Secure Computing SmartFilter port number if it is different than the default port number, which is 4005.
Step 4 In the URL Filtering Servers area, click Add.
If you chose the Websense option, the Add Parameters for Websense URL Filtering dialog box appears.
- Choose the interface on which the URL filtering server is connected from the drop-down list.
- Enter the IP address of the URL filtering server.
- Enter the number of seconds after which the request to the URL filtering server times out. The default is 30 seconds.
- In the Protocol area, to specify which TCP version to use to communicate with the URL filtering server, click one of the following radio buttons:
– TCP 1
– TCP 4
– UDP 4
- Enter the maximum number of TCP connections allowed for communicating with the URL filtering server, and click OK.
The new Websense URL filtering server properties appear in the URL Filtering Servers pane. To change these properties, click Edit. To add more Websense URL filtering servers after you have added the first Websense URL filtering server, click Add or Insert. To remove a Websense URL filtering server, click Delete.
If you chose the Secure Computing SmartFilter URL Filtering option, the Add Parameters for Secure Computing SmartFilter URL Filtering dialog box appears.
- Choose the interface on which the URL filtering server is connected from the drop-down list.
- Enter the IP address of the URL filtering server.
- Enter the number of seconds after which the request to the URL filtering server times out. The default is 30 seconds.
- In the Protocol area, to specify which protocol type to use to communicate with the URL filtering server, click one of the following radio buttons:
– TCP
– UDP
- Enter the maximum number of TCP connections allowed for communicating with the URL filtering server, and click OK.
The new Secure Computing SmartFilter URL filtering server properties appear in the URL Filtering Servers pane. To change these properties, click Edit. To add more Secure Computing SmartFilter URL filtering servers after you have defined the first Secure Computing SmartFilter URL filtering server, click Add or Insert. To remove a Secure Computing SmartFilter URL filtering server, click Delete.
Configuring Additional URL Filtering Settings
After you have accessed a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times. When you access the server again, or if another user accesses the server, the ASA does not need to consult the filtering server again to obtain the server address.
Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports.
This section describes how to configure additional URL filtering settings.
Buffering the Content Server Response
When you issue a request to connect to a content server, the ASA sends the request to the content server and to the filtering server at the same time. If the filtering server does not respond before the content server, the server response is dropped. This behavior delays the web server response for the web client, because the web client must reissue the request.
By enabling the HTTP response buffer, replies from web content servers are buffered, and the responses are forwarded to the requesting client if the filtering server allows the connection. This behavior prevents the delay that might otherwise occur.
To configure buffering for responses to HTTP or FTP requests, perform the following steps:
Step 1 In the URL Filtering Servers pane, click Advanced to display the Advanced URL Filtering dialog box.
Step 2 In the URL Buffer Size area, check the Enable buffering check box.
Step 3 Enter the number of 1550-byte buffers. Valid values range from 1 to 128.
Step 4 Click OK to close this dialog box.
Caching Server Addresses
After you access a website, the filtering server can allow the ASA to cache the server address for a certain period of time, as long as each website hosted at the address is in a category that is permitted at all times. When you access the server again, or if another user accesses the server, the ASA does not need to consult the filtering server again.
Note Requests for cached IP addresses are not passed to the filtering server and are not logged. As a result, this activity does not appear in any reports. You can accumulate Websense run logs before using the url-cache command.
To improve throughput, perform the following steps:
Step 1 In the URL Filtering Servers pane, click Advanced to display the Advanced URL Filtering dialog box.
Step 2 In the URL Cache Size area, check the Enable caching based on check box to enable caching according to the specified criteria.
Step 3 Click one of the following radio buttons:
- Destination Address—This option caches entries according to the URL destination address. Choose this setting if all users share the same URL filtering policy on the Websense server.
- Source/Destination Address—This option caches entries according to both the source address that initiates the URL request and the URL destination address. Choose this setting if users do not share the same URL filtering policy on the server.
Step 4 Enter the cache size within the range from 1 to 128 (KB).
Step 5 Click OK to close this dialog box.
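The two settings in this section, the response buffer and the address cache, change what a filtering decision costs and what it records. As an added example, not code from the Cisco guide or from the ASA, the following Python models the pipeline described under Buffering the Content Server Response and Caching Server Addresses: a request is checked against the address cache first (a hit is neither sent to the filtering server nor logged), otherwise the content reply is either buffered until the verdict arrives or dropped when it arrives first, and permitted addresses are cached by destination or by source/destination. The filtering server is a stub with a constructed per-user policy; the addresses, hostnames and usernames are constructed, and having the ASA cache only permitted verdicts is a simplification of the server-controlled caching the guide describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed per-user policy of the stub filtering server: hosts denied per user.
FILTER_POLICY: Dict[str, Set[str]] = {
    "alice": set(),                   # alice may reach everything
    "bob": {"games.example.test"},    # bob is denied this host
}


@dataclass
class Request:
    user: str                     # username the ASA sends when authentication is on
    src: str                      # client address
    dst: str                      # content-server address
    host: str                     # hostname being requested
    content_first: bool = False   # content server answers before the filtering server


@dataclass
class Result:
    forwarded: bool          # response delivered to the client
    consulted_filter: bool   # filtering server was asked (False on a cache hit)
    client_reissues: int     # extra requests the client had to make


@dataclass
class ASAFilter:
    buffering: bool = False
    cache_mode: Optional[str] = None   # None, "destination" or "source/destination"
    cache: Dict[Tuple[str, ...], bool] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)   # what a report would contain

    def _cache_key(self, r: Request) -> Optional[Tuple[str, ...]]:
        if self.cache_mode == "destination":
            return (r.dst,)
        if self.cache_mode == "source/destination":
            return (r.src, r.dst)
        return None

    def _ask_filter_server(self, r: Request) -> bool:
        # Stub for Websense/SmartFilter: the username selects the user's policy.
        return r.host not in FILTER_POLICY.get(r.user, set())

    def handle(self, r: Request) -> Result:
        key = self._cache_key(r)
        if key is not None and key in self.cache:
            # Cache hit: the filtering server is not consulted and nothing is
            # logged, so the request will not appear in any report.
            return Result(self.cache[key], False, 0)
        reissues = 0
        if r.content_first and not self.buffering:
            # Without the response buffer a reply that arrives before the
            # verdict is dropped and the client has to reissue the request.
            reissues = 1
        allowed = self._ask_filter_server(r)
        self.log.append(f"{r.user} {r.src} -> {r.host} {'ALLOW' if allowed else 'DENY'}")
        if key is not None and allowed:
            # Simplification: cache only permitted addresses (in the guide the
            # filtering server decides whether an address may be cached).
            self.cache[key] = True
        return Result(allowed, True, reissues)


def demo_destination_cache_leak() -> bool:
    """True when destination-only caching lets bob reach a host his policy
    denies, because alice's permitted verdict for the same address was cached;
    this is why the guide reserves that mode for a shared filtering policy."""
    asa = ASAFilter(cache_mode="destination")
    asa.handle(Request("alice", "10.1.1.10", "203.0.113.5", "games.example.test"))
    bob = asa.handle(Request("bob", "10.1.1.11", "203.0.113.5", "games.example.test"))
    return bob.forwarded and not bob.consulted_filter
```

`demo_destination_cache_leak()` returns True, and the same two requests against `ASAFilter(cache_mode="source/destination")` send bob's request to the filtering server, where it is denied and logged.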
Filtering HTTP URLs
This section describes how to configure HTTP filtering with an external filtering server.
Enabling Filtering of Long HTTP URLs
By default, the ASA considers an HTTP URL to be a long URL if it is greater than 1159 characters. You can increase the maximum length allowed.
To configure the maximum size of a single URL, perform the following steps:
Step 1 In the URL Filtering Servers pane, click Advanced to display the Advanced URL Filtering dialog box.
Step 2 In the Long URL Support area, check the Use Long URL check box to enable long URLs for filtering servers.
Step 3 Enter the maximum URL length allowed, up to a maximum of 4 KB.
Step 4 Enter the memory allocated for long URLs in KB.
Step 5 Click OK to close this dialog box.
Configuring Filtering Rules
Before you can add an HTTP, HTTPS, or FTP filter rule, you must enable a URL filtering server. To enable a URL filtering server, choose Configuration > Firewall > URL Filtering Servers.
To configure filtering rules, perform the following steps:
Step 1 From the ASDM main window, choose Configuration > Firewall > Filter Rules.
Step 2 In the toolbar, click Add to display the types of filter rules that are available to add from the following list:
- Add Filter ActiveX Rule
- Add Filter Java Rule
- Add Filter HTTP Rule
- Add Filter HTTPS Rule
- Add Filter FTP Rule
Step 3 If you chose Add Filter ActiveX Rule, specify the following settings:
- Click one of the following radio buttons: Filter ActiveX or Do not filter ActiveX.
- Enter the source of the traffic to which the filtering action applies. To enter the source, choose from the following options:
– Enter any to indicate any source address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Source dialog box. Choose a host or address from the drop-down list.
- Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose from the following options:
– Enter any to indicate any destination address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Destination dialog box. Choose a host or address from the drop-down list.
- Identify the service of the traffic to which the filtering action applies. To identify the service, enter one of the following:
– tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following modifiers with the TCP service:
!=—Not equal to. For example, !=tcp/443.
<—Less than. For example, <tcp/2000.
>—Greater than. For example, >tcp/2000.
- —Range. For example, tcp/2000-3000.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
- Click OK to close this dialog box.
- Click Apply to save your changes.
Step 4 If you chose Add Filter Java Rule, specify the following settings:
- Click one of the following radio buttons: Filter Java or Do not filter Java.
- Enter the source of the traffic to which the filtering action applies. To enter the source, choose from the following options:
– Enter any to indicate any source address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Source dialog box. Choose a host or address from the drop-down list.
- Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose from the following options:
– Enter any to indicate any destination address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Destination dialog box. Choose a host or address from the drop-down list.
- Identify the service of the traffic to which the filtering action applies. To identify the service, enter one of the following:
– tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following modifiers with the TCP service:
!=—Not equal to. For example, !=tcp/443.
<—Less than. For example, <tcp/2000.
>—Greater than. For example, >tcp/2000.
- —Range. For example, tcp/2000-3000.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
- Click OK to close this dialog box.
- Click Apply to save your changes.
Step 5 If you chose Add Filter HTTP Rule, specify the following settings:
- Click one of the following radio buttons: Filter HTTP or Do not filter HTTP.
- Enter the source of the traffic to which the filtering action applies. To enter the source, choose from the following options:
– Enter any to indicate any source address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Source dialog box. Choose a host or address from the drop-down list.
- Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose from the following options:
– Enter any to indicate any destination address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Destination dialog box. Choose a host or address from the drop-down list.
- Identify the service of the traffic to which the filtering action applies. To identify the service, enter one of the following:
– tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following modifiers with the TCP service:
!=—Not equal to. For example, !=tcp/443.
<—Less than. For example, <tcp/2000.
>—Greater than. For example, >tcp/2000.
- —Range. For example, tcp/2000-3000.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
- Choose the action to take when the URL exceeds the specified size from the drop-down list.
- Check the Allow outbound traffic if URL server is not available check box to connect without URL filtering being performed. When this check box is unchecked, you cannot connect to Internet websites if the URL server is unavailable.
- Check the Block users from connecting to an HTTP proxy server check box to prevent HTTP requests made through a proxy server.
- Check the Truncate CGI parameters from URL sent to URL server check box to have the ASA forward only the CGI script location and the script name, without any parameters, to the filtering server.
- Click OK to close this dialog box.
- Click Apply to save your changes.
Step 6 If you chose Add Filter HTTPS Rule, specify the following settings:
- Click one of the following radio buttons: Filter HTTPS or Do not filter HTTPS.
- Enter the source of the traffic to which the filtering action applies. To enter the source, choose from the following options:
– Enter any to indicate any source address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Source dialog box. Choose a host or address from the drop-down list.
- Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose from the following options:
– Enter any to indicate any destination address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Destination dialog box. Choose a host or address from the drop-down list.
- Identify the service of the traffic to which the filtering action applies. To identify the service, enter one of the following:
– tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following modifiers with the TCP service:
!=—Not equal to. For example, !=tcp/443.
<—Less than. For example, <tcp/2000.
>—Greater than. For example, >tcp/2000.
- —Range. For example, tcp/2000-3000.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
- Check the Allow outbound traffic if URL server is not available check box to connect without URL filtering being performed. When this check box is unchecked, you cannot connect to Internet websites if the URL server is unavailable.
- Click OK to close this dialog box.
- Click Apply to save your changes.
Step 7 If you chose Add Filter FTP Rule, specify the following settings:
- Click one of the following radio buttons: Filter FTP or Do not filter FTP.
- Enter the source of the traffic to which the filtering action applies. To enter the source, choose from the following options:
– Enter any to indicate any source address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Source dialog box. Choose a host or address from the drop-down list.
- Enter the destination of the traffic to which the filtering action applies. To enter the destination, choose from the following options:
– Enter any to indicate any destination address.
– Enter a hostname.
– Enter an IP address and optional network mask. You can express the netmask in CIDR or dotted decimal notation. For example, you can enter 10.1.1.0/24 or 10.1.1.0/255.255.255.0.
– Click the ellipses to display the Browse Destination dialog box. Choose a host or address from the drop-down list.
- Identify the service of the traffic to which the filtering action applies. To identify the service, enter one of the following:
– tcp/port—The port number can range from 1 to 65535. Additionally, you can use the following modifiers with the TCP service:
!=—Not equal to. For example, !=tcp/443.
<—Less than. For example, <tcp/2000.
>—Greater than. For example, >tcp/2000.
- —Range. For example, tcp/2000-3000.
– Enter a well-known service name, such as HTTP or FTP.
– Click the ellipses to display the Browse Service dialog box. Choose a service from the drop-down list.
- Check the Allow outbound traffic if URL server is not available check box to connect without URL filtering being performed. When this check box is unchecked, you cannot connect to Internet websites if the URL server is unavailable.
- Check the Block interactive FTP sessions (block if absolute FTP path is not provided) check box to drop FTP requests if they use a relative path name to the FTP directory.
- Click OK to close this dialog box.
- Click Apply to save your changes.
Step 8 To modify a filtering rule, select it and click Edit to display the Edit Filter Rule dialog box for the specified filtering rule.
Step 9 Make the required changes, then click OK to close this dialog box.
Step 10 Click Apply to save your changes.
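The address and service syntax in the procedure above is shared by the ActiveX, Java, HTTP, HTTPS and FTP rules, and two of the HTTP-rule options decide what happens when the filtering server cannot answer or sees a CGI URL. As an added example, not code from the Cisco guide or from the ASA, the following Python parses the source and destination forms the dialog accepts (any, a hostname, an address with a CIDR or dotted-decimal mask), parses the service forms (tcp/port with the !=, <, > and range modifiers, or a well-known name), finds the first rule matching a connection, and applies the "Allow outbound traffic if URL server is not available" and "Truncate CGI parameters from URL sent to URL server" options. Mapping well-known names to ports, first-match rule order, treating a hostname entry as non-matching without DNS, and truncating at the query string are assumptions; the rules, addresses and URLs are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Union
from urllib.parse import urlsplit, urlunsplit

# Assumed port mapping for the well-known names the dialog accepts.
WELL_KNOWN = {"http": 80, "https": 443, "ftp": 21}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_address(spec: str) -> Union[str, Network]:
    """'any', a hostname, or an address with a CIDR or dotted-decimal mask."""
    spec = spec.strip()
    if spec.lower() == "any":
        return "any"
    try:
        # ip_network accepts both 10.1.1.0/24 and 10.1.1.0/255.255.255.0
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return spec.lower()     # not an address: treat it as a hostname


def parse_service(spec: str) -> Callable[[str, int], bool]:
    """tcp/port, !=tcp/port, <tcp/port, >tcp/port, tcp/lo-hi, or a well-known
    name; returns a predicate over (protocol, port)."""
    s = spec.strip().lower()
    op = "=="
    for prefix in ("!=", "<", ">"):
        if s.startswith(prefix):
            op, s = prefix, s[len(prefix):]
            break
    if s in WELL_KNOWN:
        proto, lo, hi = "tcp", WELL_KNOWN[s], WELL_KNOWN[s]
    else:
        proto, _, ports = s.partition("/")
        if proto not in ("tcp", "udp") or not ports:
            raise ValueError(f"bad service: {spec!r}")
        lo_s, _, hi_s = ports.partition("-")
        lo, hi = int(lo_s), int(hi_s or lo_s)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {spec!r}")

    def matches(protocol: str, port: int) -> bool:
        if protocol != proto:
            return False
        inside = lo <= port <= hi
        return {"==": inside, "!=": not inside, "<": port < lo, ">": port > hi}[op]
    return matches


@dataclass
class FilterRule:
    kind: str                   # "activex", "java", "http", "https" or "ftp"
    filter_on: bool             # True = Filter X, False = Do not filter X
    source: str
    destination: str
    service: str
    allow_if_server_unavailable: bool = False   # HTTP/HTTPS/FTP rule check box
    truncate_cgi: bool = False                  # HTTP rule check box


def address_matches(spec: str, ip: str) -> bool:
    parsed = parse_address(spec)
    if parsed == "any":
        return True
    if isinstance(parsed, str):
        return False   # hostname entry: would need DNS, assumed non-matching here
    return ipaddress.ip_address(ip) in parsed


def first_matching_rule(rules: List[FilterRule], src: str, dst: str,
                        protocol: str, port: int) -> Optional[FilterRule]:
    """First-match evaluation (assumed order; list 'Do not filter' exceptions first)."""
    for rule in rules:
        if (address_matches(rule.source, src) and address_matches(rule.destination, dst)
                and parse_service(rule.service)(protocol, port)):
            return rule
    return None


def url_for_filter_server(url: str, rule: FilterRule) -> str:
    """With 'Truncate CGI parameters' the query string is not sent to the server."""
    if not rule.truncate_cgi:
        return url
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def permit(rule: Optional[FilterRule], server_verdict: Optional[bool]) -> bool:
    """server_verdict is None when the filtering server did not answer; the
    rule's check box then decides between fail-open and fail-closed."""
    if rule is None or not rule.filter_on:
        return True                       # no filtering applies to this traffic
    if server_verdict is None:
        return rule.allow_if_server_unavailable
    return server_verdict
```

`permit(rule, None)` makes the trade-off visible: with the check box cleared the connection is refused while the filtering server is unreachable, and with it set every request passes unfiltered until the server answers again, so the setting deserves a monitoring alert rather than a silent default.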
Filtering the Rule Table
To find a specific rule if your rule table includes a lot of entries, you can apply a filter to the rule table to show only the rules specified by the filter. To filter the rule table, perform the following steps:
Step 1 Click Find on the toolbar to display the Filter toolbar.
Step 2 Choose the type of filter from the Filter drop-down list:
- Source—Displays rules based on the specified source address or hostname.
- Destination—Displays rules based on the specified destination address or hostname.
- Source or Destination—Displays rules based on the specified source or destination address or hostname.
- Service—Displays rules based on the specified service.
- Rule Type—Displays rules based on the specified rule type.
- Query—Displays rules based on a complex query composed of source, destination, service, and rule type information.
Step 3 For Source, Destination, Source or Destination, and Service filters, perform the following steps:
a. Enter the string to match using one of the following methods:
– Type the source, destination, or service name in the adjacent field.
– Click the ellipses to open a Browse dialog box from which you can choose existing services, IP addresses, or host names.
b. Choose the match criteria from the drop-down list. Choose is for exact string matches or contains for partial string matches.
Step 4 For Rule Type filters, choose the rule type from the list.
Step 5 For Query filters, click Define Query. To define queries, see the “Defining Queries” section.
Step 6 To apply the filter to the rule table, click Filter.
Step 7 To remove the filter from the rule table and display all rule entries, click Clear.
Step 8 To show the packet trace for the selected rule, click Packet Trace.
Step 9 To show and hide the selected rule diagram, click Diagram.
Step 10 To remove a filter rule and place it elsewhere, click Cut.
Step 11 To copy a filter rule, click Copy. Then to move the copied filter rule elsewhere, click Paste.
Step 12 To delete a selected filter rule, click Delete.
Defining Queries
To define queries, perform the following steps:
Step 1 Enter the IP address or hostname of the source. Choose is for an exact match or choose contains for a partial match. Click the ellipses to display the Browse Source dialog box. You can specify a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them with commas.
Step 2 Enter the IP address or hostname of the destination. Choose is for an exact match or choose contains for a partial match. Click the ellipses to display the Browse Destination dialog box. You can specify a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them with commas.
Step 3 Enter the IP address or hostname of the source or destination. Choose is for an exact match or choose contains for a partial match. Click the ellipses to display the Browse Source dialog box. You can specify a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them with commas.
Step 4 Enter the protocol, port, or name of a service. Choose is for an exact match or choose contains for a partial match. Click the ellipses to display the Browse Service dialog box. You can specify a network mask using CIDR notation (address/bit-count). You can specify multiple addresses by separating them with commas.
Step 5 Choose the rule type from the drop-down list.
Step 6 Click OK to close this dialog box.
After you click OK, the filter is immediately applied to the rule table. To remove the filter, click Clear.
Feature History for URL Filtering
Table 29-4 lists the release history for URL filtering. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Table 29-4 Feature History for URL Filtering
| Feature Name | Platform Releases | Feature Information |
| URL filtering | 7.0(1) | Filters URLs based on an established set of filtering criteria. |