Filtering Https Urls - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Filtering URLs and FTP Requests with an External Server
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0
Filtering HTTPS URLs
You must identify and enable the URL filtering server before enabling HTTPS filtering.
Websense and Smartfilter currently support HTTPS; older versions of Secure Computing SmartFilter
Note
(formerly N2H2) did not support HTTPS filtering.
Because HTTPS content is encrypted, the security appliance sends the URL lookup without directory
and filename information. When the filtering server approves an HTTPS connection request, the security
appliance allows the completion of SSL connection negotiation and allows the reply from the web server
to reach the originating client. If the filtering server denies the request, the security appliance prevents
the completion of SSL connection negotiation. The browser displays an error message such as "The Page
or the content cannot be displayed."
The security appliance does not provide an authentication prompt for HTTPS, so a user must
Note
authenticate with the security appliance using HTTP or FTP before accessing HTTPS servers.
To enable HTTPS filtering, enter the following command:
hostname(config)# filter https port[-port] localIP local_mask foreign_IP foreign_mask
[allow]
Replace port[-port] with a range of port numbers if a different port than the default port for HTTPS (443)
is used.
Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making
requests.
Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork
responding to requests.
The allow option causes the security appliance to forward HTTPS traffic without filtering when the
primary filtering server is unavailable.
Filtering FTP Requests
You must identify and enable the URL filtering server before enabling FTP filtering.
Websense and Smartfilter currently support FTP; older versions of Secure Computing SmartFilter
Note
(formerly known as N2H2) did not support FTP filtering.
When the filtering server approves an FTP connection request, the security appliance allows the
successful FTP return code to reach originating client. For example, a successful return code is "250:
CWD command successful." If the filtering server denies the request, alters the FTP return code to show
that the connection was denied. For example, the security appliance changes code 250 to "550 Requested
file is prohibited by URL filtering policy."
Cisco Security Appliance Command Line Configuration Guide
20-8
Chapter 20
Applying Filtering Services
OL-10088-01
Advertisement
Table of Contents
Troubleshooting
