Configuring An Http Inspection Policy Map For Additional Inspection Control - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
HTTP Inspection
Configuring an HTTP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can
then apply the inspection policy map when you enable HTTP inspection according to the
Application Inspection" section on page
When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the
Note
action reset and log is enabled by default. You can change the actions performed in response to
inspection failure, but you cannot disable strict inspection as long as the inspection policy map remains
enabled.
To create an HTTP inspection policy map, perform the following steps:
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
Step 1
"Creating a Regular Expression" section on page
commands described in
(Optional) Create one or more regular expression class maps to group regular expressions according to
Step 2
the
(Optional) Create an HTTP inspection class map by performing the following steps.
Step 3
A class map groups multiple traffic matches. Traffic must match all of the match commands to match
the class map. You can alternatively identify match commands directly in the policy map. The
difference between creating a class map and defining the traffic match directly in the inspection policy
map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string "example.com," then any traffic that includes "example.com"
does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop, drop-connection,
reset, mask, set the rate limit, and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic
directly in the policy map.
a.
b.
c.
d.
Cisco Security Appliance Command Line Configuration Guide
25-44
Step
3.
"Creating a Regular Expression Class Map" section on page
Create the class map by entering the following command:
hostname(config)# class-map type inspect http [match-all] class_map_name
hostname(config-cmap)#
Where class_map_name is the name of the class map. The match-all keyword specifies that traffic
must match all criteria to match the class map. match-all is the default and only option. The CLI
enters class-map configuration mode, where you can enter one or more match commands.
(Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)# description string
(Optional) To match traffic with a content-type field in the HTTP response that does not match the
accept field in the corresponding HTTP request message, enter the following command:
hostname(config-cmap)# match [not] req-resp content-type mismatch
(Optional) To match text found in the HTTP request message arguments, enter the following
command:
Chapter 25
Configuring Application Layer Protocol Inspection
25-5.
21-6. See the types of text you can match in the match
21-8.
"Configuring
OL-10088-01
Advertisement
Table of Contents
Troubleshooting
