Instant Messaging Inspection - Cisco FirePOWER ASA 5500 series Configuration Manual

Cisco Security Appliance Command Line Configuration Guide (OL-10088-01)
Chapter 25
Configuring Application Layer Protocol Inspection

To configure parameters that affect the inspection engine, perform the following steps:
Step 7
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. To check for HTTP protocol violations, enter the following command:
hostname(config-pmap-p)# protocol-violation [action [drop-connection | reset | log]]
Where the drop-connection action closes the connection. The reset action closes the connection and sends a TCP reset to the client. The log action sends a system log message when this policy map matches traffic.
c. To substitute a string for the server header field, enter the following command:
hostname(config-pmap-p)# spoof-server string
Where the string argument is the string to substitute for the server header field.

The following example shows how to define an HTTP inspection policy map that will allow and log any HTTP connection that attempts to access "www\.xyz.com/.*\.asp" or "www\.xyz[0-9][0-9]\.com" with methods "GET" or "PUT." All other URL/Method combinations will be silently allowed. The regular expressions are first defined with the regex command; the names url1, url2, get, and put are chosen for this example.
hostname(config)# regex url1 "www\.xyz.com/.*\.asp"
hostname(config)# regex url2 "www\.xyz[0-9][0-9]\.com"
hostname(config)# regex get "GET"
hostname(config)# regex put "PUT"
hostname(config)# class-map type regex match-any url_to_log
hostname(config-cmap)# match regex url1
hostname(config-cmap)# match regex url2
hostname(config-cmap)# exit
hostname(config)# class-map type regex match-any methods_to_log
hostname(config-cmap)# match regex get
hostname(config-cmap)# match regex put
hostname(config-cmap)# exit
hostname(config)# class-map type inspect http http_url_policy
hostname(config-cmap)# match request uri regex class url_to_log
hostname(config-cmap)# match request method regex class methods_to_log
hostname(config-cmap)# exit
hostname(config)# policy-map type inspect http http_policy
hostname(config-pmap)# class http_url_policy
hostname(config-pmap-c)# log

Instant Messaging Inspection

This section describes the IM inspection engine. This section includes the following topics:
IM Inspection Overview
Configuring an Instant Messaging Inspection Policy Map for Additional Inspection Control
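
The HTTP inspection policy map example earlier on this page combines the url_to_log and methods_to_log regex classes; the following Python model is an added example, not Cisco's code, that replays those regular expressions over constructed requests to show which ones would be logged. It assumes Python's re approximates the appliance's regex engine for these patterns, that matching is unanchored, that the two match lines are ANDed, and that the matched string is host plus path; STRICT_URL_TO_LOG and all function names are hypothetical.

```python
import re

# Patterns copied from the page's example. Assumption: Python's `re` behaves like
# the appliance's regex engine for these simple patterns, and matching is unanchored.
URL_TO_LOG = [r"www\.xyz.com/.*\.asp", r"www\.xyz[0-9][0-9]\.com"]
METHODS_TO_LOG = ["GET", "PUT"]

# Hypothetical tightened variants (not from the page): the dot before "com" is
# escaped and the patterns are anchored.
STRICT_URL_TO_LOG = [r"^www\.xyz\.com/.*\.asp$", r"^www\.xyz[0-9][0-9]\.com"]

# Constructed sample requests: (method, host + path).
SAMPLE = [
    ("GET", "www.xyz.com/login.asp"),
    ("PUT", "www.xyz42.com/upload"),
    ("POST", "www.xyz.com/login.asp"),
    ("GET", "www.xyz.com/index.html"),
    ("GET", "www.xyz-com/a.asp"),
    ("GET", "www.xyz.com/page.aspx"),
]


def match_any(patterns, text):
    """Model a match-any regex class map: true if any pattern occurs in text."""
    return any(re.search(p, text) for p in patterns)


def decide(method, url, url_patterns=URL_TO_LOG):
    """Return "log" if both the URL class and the method class match, else "allow".

    Assumption: the two match lines in http_url_policy are combined with AND.
    """
    if match_any(url_patterns, url) and match_any(METHODS_TO_LOG, method):
        return "log"
    return "allow"


def over_logged(requests):
    """Requests logged under the page's patterns but not under the strict ones."""
    return [
        (m, u) for m, u in requests
        if decide(m, u) == "log" and decide(m, u, STRICT_URL_TO_LOG) == "allow"
    ]


if __name__ == "__main__":
    for m, u in SAMPLE:
        print(f"{decide(m, u):5}  {m:4} {u}")
    print("logged only because of loose patterns:", over_logged(SAMPLE))
```

The two over-logged requests come from the unescaped dot in www\.xyz.com, which matches any character, and from the unanchored \.asp, which also matches .aspx.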
