
Cisco ASA 5506-X Configuration Manual page 161


Chapter 7
Inspection of Basic Internet Protocols
HTTP Inspection Overview
Tip: You can install a service module that performs application and URL filtering, which includes HTTP
inspection, such as ASA CX or ASA FirePOWER. The HTTP inspection running on the ASA is not
compatible with these modules. Note that it is far easier to configure application filtering using a
purpose-built module rather than trying to manually configure it on the ASA using an HTTP inspection
policy map.
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated
with HTTP traffic.
HTTP application inspection scans HTTP headers and body, and performs various checks on the data.
These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols
from traversing the security appliance.
The enhanced HTTP inspection feature, which is also known as an application firewall and is available
when you configure an HTTP inspection policy map, can help prevent attackers from using HTTP
messages for circumventing network security policy.
HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP
requests and responses, preventing malicious content from reaching the web server. Size limiting of
various elements in HTTP request and response headers, URL blocking, and HTTP server header type
spoofing are also supported.
Enhanced HTTP inspection verifies the following for all HTTP messages:
• Conformance to RFC 2616
• Use of RFC-defined methods only.
• Compliance with the additional criteria.
Configure HTTP Inspection
HTTP inspection is not enabled by default. If you are not using a purpose-built module for HTTP
inspection and application filtering, such as ASA CX or ASA FirePOWER, you can manually configure
HTTP inspection on the ASA using the following process.
Tip: Do not configure HTTP inspection in both a service module and on the ASA, as the inspections are not
compatible.
Procedure
Step 1  Configure an HTTP Inspection Policy Map, page 7-16.
Step 2  Configure the HTTP Inspection Service Policy, page 7-19.
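The two steps above carried through as an ASA configuration; this is an added example, not taken from the Cisco guide. The map name HTTP_STRICT, the spoofed Server string and the 2048-byte URI limit are assumed values, and the map is attached to the default global_policy under the inspection_default class.

```cisco
! Added example: names and limits below are assumptions, not values from the guide.
!
! Step 1: HTTP inspection policy map
policy-map type inspect http HTTP_STRICT
 parameters
  ! Drop and log connections whose messages fail the protocol conformance checks
  protocol-violation action drop-connection log
  ! Replace the Server header value so the real server type is not disclosed
  spoof-server "WebServer"
 ! Reset and log requests that carry non-ASCII characters in their headers
 match request header non-ascii
  reset log
 ! Reset and log requests whose URI is longer than 2048 bytes (example limit)
 match request uri length gt 2048
  reset log
!
! Step 2: reference the map from the HTTP inspection in the service policy
policy-map global_policy
 class inspection_default
  inspect http HTTP_STRICT
!
service-policy global_policy global
```

Without the map name, `inspect http` runs only the basic inspection; the enhanced checks apply when the inspection references an HTTP inspection policy map.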
Cisco ASA Series Firewall CLI Configuration Guide
HTTP Inspection
7-15
