Url Filtering Overview - Cisco FirePOWER ASA 5500 series Configuration Manual


Filtering URLs and FTP Requests with an External Server

URL Filtering Overview

You can apply filtering to connection requests originating from a more secure network to a less secure
network. Although you can use ACLs to prevent outbound access to specific content servers, managing
usage this way is difficult because of the size and dynamic nature of the Internet. You can simplify
configuration and improve security appliance performance by using a separate server running one of the
following Internet filtering products:

- Websense Enterprise for filtering HTTP, HTTPS, and FTP.
- Secure Computing SmartFilter (formerly N2H2) for filtering HTTP, HTTPS, FTP, and long URL
  filtering.

Although security appliance performance is less affected when using an external server, users may notice
longer access times to websites or FTP servers when the filtering server is remote from the security
appliance.

When filtering is enabled and a request for content is directed through the security appliance, the request
is sent to the content server and to the filtering server at the same time. If the filtering server allows the
connection, the security appliance forwards the response from the content server to the originating client.
If the filtering server denies the connection, the security appliance drops the response and sends a
message or return code indicating that the connection was not successful.

If user authentication is enabled on the security appliance, then the security appliance also sends the user
name to the filtering server. The filtering server can use user-specific filtering settings or provide
enhanced reporting regarding usage.

Identifying the Filtering Server

You can identify up to four filtering servers per context. The security appliance uses the servers in order
until a server responds. You can only configure a single type of server (Websense or Secure Computing
SmartFilter) in your configuration.

Note: You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter
command. If you remove the filtering servers from the configuration, then all filter commands are also
removed.

Identify the address of the filtering server using the url-server command:

For Websense:

hostname(config)# url-server (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns] ]

For Secure Computing SmartFilter (formerly N2H2):

hostname(config)# url-server (if_name) vendor {secure-computing | n2h2} host <local_ip> [port <number>] [timeout <seconds>] [protocol {TCP [connections <number>]} | UDP]
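
The constraints in this section (at most four filtering servers per context, a single server type, and filter commands that depend on a url-server entry) can be checked against a saved configuration before it is deployed. The following Python check is an added example, not part of the Cisco guide; the function name audit_filtering and the sample addresses, interface name and option values are constructed, and it assumes the dependent commands begin with filter url, filter https or filter ftp.

```python
import re

# Both url-server forms from the section above; no "vendor" keyword means Websense.
URL_SERVER = re.compile(
    r"^url-server\s+\((?P<ifc>[^)]+)\)\s+"
    r"(?:vendor\s+(?P<vendor>\S+)\s+)?host\s+(?P<host>\S+)"
)
# Assumption: the filter commands that depend on an external server start like this.
FILTER_CMD = re.compile(r"^filter\s+(url|https|ftp)\b")
MAX_SERVERS = 4  # "up to four filtering servers per context"


def audit_filtering(context_config):
    """Check one context's config text; return (servers in query order, findings)."""
    servers, filters, findings = [], [], []
    for line in (raw.strip() for raw in context_config.splitlines()):
        match = URL_SERVER.match(line)
        if match:
            vendor = (match.group("vendor") or "websense").lower()
            if vendor in ("n2h2", "secure-computing"):
                vendor = "smartfilter"  # n2h2 is the former product name
            servers.append((match.group("host"), vendor))
        elif line.startswith("url-server"):
            findings.append("unparsed url-server line: " + line)
        elif FILTER_CMD.match(line):
            filters.append(line)
    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} filtering servers defined; limit is {MAX_SERVERS}")
    vendors = sorted({vendor for _, vendor in servers})
    if len(vendors) > 1:
        findings.append("mixed server types: " + ", ".join(vendors))
    if filters and not servers:
        findings.append(f"{len(filters)} filter command(s) but no url-server defined")
    return servers, findings


# Constructed sample (addresses, interface name and options are illustrative).
SAMPLE = """\
url-server (perimeter) host 10.0.1.1 timeout 30 protocol TCP version 4
url-server (perimeter) vendor n2h2 host 10.0.1.2 port 4005 timeout 30 protocol TCP
filter url http 0 0 0 0
"""

if __name__ == "__main__":
    order, problems = audit_filtering(SAMPLE)
    print("query order:", [host for host, _ in order])
    for problem in problems:
        print("finding:", problem)
```

The returned server list preserves configuration order, which is the order in which the security appliance tries the servers until one responds.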
Cisco Security Appliance Command Line Configuration Guide, Chapter 20: Applying Filtering Services, OL-10088-01
