Filtering Http Urls - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services
Chapter 14
Filtering HTTP, HTTPS, or FTP Requests Using an External Server

Filtering HTTP URLs

To filter HTTP web access for specified users, or to exempt some traffic from filtering, enter the following commands:

To identify HTTP traffic to be filtered by a filtering server, enter the following command:

FWSM/contexta(config)# filter url [http | port[-port]] source_ip source_mask dest_ip dest_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]

See the following options:

http | port[-port]—The port to which the HTTP request is sent. http specifies port 80, which is commonly used, but you can specify other ports.

source_ip source_mask—The source address and mask. Specify 0 0 for all addresses. These addresses are the local, untranslated addresses. When you configure the filtering server, use these local addresses and not the translated addresses.

dest_ip dest_mask—The destination server address and mask. Specify 0 0 for all addresses. You typically specify all addresses and allow the filtering server to determine the websites that are allowed.

allow—When the filtering server is unavailable, this option allows connections to pass without filtering. Without this option, the FWSM stops HTTP traffic until the filtering server is back online.

proxy-block—Prevents users from connecting to an HTTP proxy server.

longurl-truncate | longurl-deny—By default, if a URL is longer than the maximum length, the FWSM drops the packet. (The default maximum length is 1159 bytes, but it can be made larger for Websense. See the "Setting the Maximum Length of Long HTTP URLs" section on page 14-4.) If you specify the longurl-truncate option, the FWSM sends only the host name or IP address portion of the URL to the filtering server for evaluation. The longurl-deny option denies the URL and forwards the user to the block page.

cgi-truncate—Truncates CGI URLs to include only the CGI script location and the script name (but not the parameters). Many long HTTP requests are CGI requests. If the parameter list is very long, waiting for and sending the complete CGI request, including the parameter list, can waste memory resources and impact performance.

To exempt traffic from being filtered, enter the following command:

FWSM/contexta(config)# filter url except source_ip source_mask dest_ip dest_mask

For example, to filter all HTTP requests from the 10.1.1.0 network to any web server, but to exempt an administrator user (10.1.1.1) from filtering, enter the following commands:

FWSM/contexta(config)# filter url except 10.1.1.1 255.255.255.255 0 0
FWSM/contexta(config)# filter url http 10.1.1.0 255.255.255.0 0 0 longurl-truncate cgi-truncate

To filter users only on the 10.1.2.0 network, enter the following command:

FWSM/contexta(config)# filter url http 10.1.2.0 255.255.255.0 0 0

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 14-5
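As an added example (not Cisco's code and not the FWSM's actual implementation), the following Python models how the filter url and filter url except entries in this section select traffic, and what happens to an over-length URL, a CGI URL, or a request that arrives while the filtering server is unreachable. The three configuration lines are the ones from the example above; the destination addresses, the rule that an except entry takes precedence over a matching filter url entry, and the choice to apply cgi-truncate before the length check are assumptions made for this example.

```python
"""Model of FWSM 'filter url' / 'filter url except' matching and of the
long-URL, CGI-truncate and server-unavailable behaviour described in the
section above. Added example, not Cisco code; except-wins precedence and the
cgi-truncate-before-length-check order are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union
from urllib.parse import urlsplit

DEFAULT_MAX_URL_LEN = 1159  # default maximum URL length stated in the section


@dataclass
class FilterRule:
    port_lo: int
    port_hi: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    allow: bool = False            # pass traffic when the filtering server is down
    proxy_block: bool = False      # deny connections to HTTP proxy servers
    longurl: Optional[str] = None  # "truncate", "deny", or None (default: drop)
    cgi_truncate: bool = False     # strip CGI parameters before sending


@dataclass
class ExceptRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


Rule = Union[FilterRule, ExceptRule]


def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """'0 0' means all addresses; otherwise address plus dotted mask."""
    if ip == "0" and mask == "0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def parse_filter_line(line: str) -> Rule:
    """Parse one 'filter url ...' line (a pasted CLI prompt is tolerated)."""
    tokens = line.split()
    if tokens and tokens[0].endswith("#"):
        tokens = tokens[1:]
    if tokens[:2] != ["filter", "url"]:
        raise ValueError(f"not a filter url line: {line!r}")
    rest = tokens[2:]
    if rest[0] == "except":
        return ExceptRule(_net(rest[1], rest[2]), _net(rest[3], rest[4]))
    spec = rest[0]
    if spec == "http":            # 'http' is shorthand for port 80
        lo = hi = 80
    elif "-" in spec:             # explicit port range
        lo, hi = (int(p) for p in spec.split("-", 1))
    else:
        lo = hi = int(spec)
    rule = FilterRule(lo, hi, _net(rest[1], rest[2]), _net(rest[3], rest[4]))
    for opt in rest[5:]:
        if opt == "allow":
            rule.allow = True
        elif opt == "proxy-block":
            rule.proxy_block = True
        elif opt == "longurl-truncate":
            rule.longurl = "truncate"
        elif opt == "longurl-deny":
            rule.longurl = "deny"
        elif opt == "cgi-truncate":
            rule.cgi_truncate = True
        else:
            raise ValueError(f"unknown option {opt!r}")
    return rule


def classify(rules: List[Rule], src_ip: str, dst_ip: str,
             dst_port: int) -> Tuple[str, Optional[FilterRule]]:
    """Return ('exempt'|'filtered'|'unfiltered', matching FilterRule or None)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:               # assumption: except entries take precedence
        if isinstance(r, ExceptRule) and s in r.src and d in r.dst:
            return "exempt", None
    for r in rules:
        if (isinstance(r, FilterRule) and r.port_lo <= dst_port <= r.port_hi
                and s in r.src and d in r.dst):
            return "filtered", r
    return "unfiltered", None


def decide(rule: Optional[FilterRule], url: str, server_up: bool = True,
           max_len: int = DEFAULT_MAX_URL_LEN) -> Tuple[str, Optional[str]]:
    """Return (action, url_sent_to_filtering_server_or_None)."""
    if rule is None:
        return "pass", None
    if not server_up:             # 'allow' decides fail-open vs fail-closed
        return ("pass", None) if rule.allow else ("block", None)
    if rule.cgi_truncate and "?" in url:   # keep script location and name only
        url = url.split("?", 1)[0]
    if len(url) > max_len:
        if rule.longurl == "truncate":     # send only scheme://host/
            parts = urlsplit(url)
            url = f"{parts.scheme}://{parts.netloc}/"
        elif rule.longurl == "deny":
            return "deny", None            # user gets the block page
        else:
            return "drop", None            # default: packet dropped
    return "send-to-server", url


# The example configuration from this section (constructed input for the model).
SAMPLE_CONFIG = [
    "FWSM/contexta(config)# filter url except 10.1.1.1 255.255.255.255 0 0",
    "FWSM/contexta(config)# filter url http 10.1.1.0 255.255.255.0 0 0 longurl-truncate cgi-truncate",
    "FWSM/contexta(config)# filter url http 10.1.2.0 255.255.255.0 0 0",
]
RULES = [parse_filter_line(line) for line in SAMPLE_CONFIG]

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.1.5", "10.1.2.7", "10.1.3.9"):
        kind, rule = classify(RULES, src, "203.0.113.10", 80)
        print(src, kind, decide(rule, "http://203.0.113.10/" + "a" * 1200))
```

Running the module prints, for each constructed source address, whether the flow is exempt, filtered or unmatched, and how an over-length URL is handled under that rule: the 10.1.1.0 rule truncates it to the host portion, the 10.1.2.0 rule (no longurl option) drops it, and the administrator address never reaches the filtering server at all.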
