Default HTTP inspection map
Hi guys.
When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
Its used here as an example on the documentation;
From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
However I cannot actually see anywhere what these Default settings are.
For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
I cannot find any reference to these.
If anyone can help that would be great.
Thanks.
Mike
I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
(Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat or else use the ASA CSC module of NGFX CX module with AVC and WSE.)
See the following screenshot for what I wan talking about in my first paragraph:
Similar Messages
-
Potential Impact of Disabling Default HTTP Inspection Policy
I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map. The software for this firewall is recent 8.2(x).
Some questions:
1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration. All such traffic is inspected by the appliance. Am I correct in this understanding?
2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting? Would I see any noticeable impact to HTTP traffic by doing this?
Thank you for your responses in advance.
JeffHi,
These are the response to your queries:-
1) Yes ,HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
2) Might be yes , As the HTTP connections are the major amount of traffic on the ASA device , too much traffic have to be inspected by the ASA device and re-assembling will also cause the ASA device to do some extra processing.
3) No , I think you would reduce the processing for the ASA after disabling this inspection.
This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
Also , check this:-
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
Thanks and Regards,
Vibhor Amrodia -
I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
My regex is: regex HACKBLOCK "*/admin/.*\.jsp*"
My class-maps are:
class-map type regex match-any HACKBLOCK_METHOD
match regex GET
class-map XXXXTWBLOCK
match access-list HACKBLOCK_HOSTS
class-map type regex match-any HACKBLOCK_URL
match regex HACKBLOCK
class-map type inspect http match-all HACKBLOCK_FILTER
match request uri regex class HACKBLOCK_URL
class-map inspection_default
match default-inspection-traffic
My policy-maps are:
policy-map type inspect http HACKBLOCK_HTTP
parameters
class HACKBLOCK_FILTER
log
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns
inspect h323 ras
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
policy-map OUTSIDE
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
class class-default
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1200
As you can see, I added the inspection rule to a seperate class name ENPROTWBLOCK. This matches traffic based on destination of our class C. I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
#sh service-pol inspec http
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Class-map: XXXXTWBLOCK
Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
protocol violations
packet 34206
class HACKBLOCK_FILTER
log, packet 0
enp-amer-clt-pix525-a#
I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
Any idea whats going on here and why I am not macthing the HTTP uri's ????
Thanks,
Matthias CCIE# 28445I get hits on the ACL. The issue is that the HTTP inspection does not seem to function. Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20 -
ACE - HTTPS CLASS MAP CONFIGURATION
Hi,
We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
https://abc.com/ABC/* -> serverfarm#1
https://abc.com/* -> serverfarm#2 (Default)
Tecnically this should not be difficult and below is a sample of our configuration. We have similar configuration working on our non-secured web site (HTTP) However for the secure web site, the https request https://abc.com/ABC/xxx is continued being routed to serverfarm#2 instead of serverfarm#1 which is very frustrating.
We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continue to frustrate me...Appreciate if any expert on Cisco ACE can help to advise on our configuration.. Thanks.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
=========================================================Kanwaljeet,
Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminate on the ACE.
Below is an extract of the configuration, I've leave out the remaining configuration which is not required.
=========================================================
serverfarm host serverfarm#1
predictor leastconns
probe https_probe
rserver rs_server#1
inservice
rserver rs_server#2
inservice
serverfarm host serverfarm#2
predictor leastconns
probe https_probe
rserver rs_server#3
inservice
rserver rs_server#4
inservice
sticky http-cookie STICKY_HTTPS_serverfarm#1
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#1
sticky http-cookie STICKY_HTTPS_serverfarm#2
cookie insert browser-expire
timeout 15
replicate sticky
serverfarm serverfarm#2
class-map match-all vs_serverfarm
2 match virtual-address 10.178.50.140 tcp eq https
class-map type http loadbalance match-any class-map-serverfarm#1
2 match http url /ABC/.*
policy-map type loadbalance first-match vs_serverfarm_https
class class-map-serverfarm#1
sticky-serverfarm STICKY_HTTPS_serverfarm#1
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
class class-default
sticky-serverfarm STICKY_HTTPS_serverfarm#2
insert-http x-forward header-value "%is"
ssl-proxy client ssl_serverfarm
policy-map multi-match PRODWEB_POLICY
class vs_serverfarm
loadbalance vip inservice
loadbalance policy vs_serverfarm_https
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
ssl-proxy server ssl_serverfarm
========================================================= -
Toying with https inspection. Do access lists now have to be in decryption policies?
Hello,
I am toying with https inspection. I am wondering now with the WCCP redirect from the firewall for https on two of our test IP's (before rolling it in production), if I need to basically duplicate all of my Access Policies on the Decrypt Policies. Is Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
Lets say you want facebook blocked. In Access Policies it is blocked by default, unless you fall into an upper category like AD group Management for example. Well facebook has both an http and an https (now increasingly more common) site. So could they just circumvent this block by typing in https? They can do that now (since were not inspecting https), but we want to put a stop to that.
I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine. We don't even get redirected to our server hosting the "you are blocked" page.Ok so its fine to have a global decription policy that has everything set to monitor, and just continue to let the access policy do all the work?
At least if you "hit" on an access policy, the WLC forwards us to our customized block page. In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).
When would the "decrypt" option be a good idea? -
Disable http inspection in global_policy FWSM
I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
Looking into the config on the FWSM i see that under the global_policy we are inspecting http
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?
Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
I don't really understand what the inspection engine does?Well,
I removed the http inspection and it broke all inbound and outbound web services!
Then I discover this
url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
This web-sense server is down and no longer used.
But am I correct to assume that the prescense of this config caused a problem as all http was trying to go via the Websense but with the http inspection enabled it is able to go out direct?
I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
Thanks
Roger -
CSM 3.3.0, FWSM 4.0(6), HTTP Inspection
Hi,
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
i have a firewall module (FWSM) ,(version 4.0(6)) which is managed with CSM (3.3.0). There is a problem about regular expression configuration with CSM. HTTP Inspection with regular expression is configured with ASDM successfully but this configuration is not deployed with CSM on FWSM. It seems CSM does not support regular expression for FWSM. The following picture shows that CSM support HTTP advanced inspection configuration only for ASA7,2 and PIX7.2. i need to know does CSM 4.0 has this limitation or is there any solution for this CSM version?Here is the guide for Flex configs http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
There is no predefined flex config for the http inspection. But you can create a new Flex config that has the commands
regex ...class-map type inspect http match header host regex ...
The Flex config in CSM will be deploying the commands as if you were doing it with CLI.
I hope it makes sense.
PK -
Overriding default jsp servlet mapping
I want to override the default jsp servlet mapping under a specific directory. I have the following entries in my application's web.xml file:
<servlet>
<servlet-name>CMS</servlet-name>
<jsp-file>/template/main.jsp</jsp-file>
</servlet>
<servlet-mapping>
<servlet-name>CMS</servlet-name>
<url-pattern>/raw/*.html</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>CMS</servlet-name>
<url-pattern>/raw/*.jsp</url-pattern>
</servlet-mapping>
When I call up the page /raw/test.jsp, it is processed as a normal jsp page instead of by the custom mapping. Calling up the page /raw/test.html works as expected.
I am using the embedded server under JDeveloper 10.1.2.1.0.
Isn't an entry in the application's web.xml file meant to override system wide mappings?
Thanks for any help.
MartinI'm no expert on this but I have a hunch. 1st of all, your using a servlet mapping for a JSP. That's good and well but it seems that the container is complaining that there is no servlet named org.apache.jsp.jsp.info.ContactUs_jsp. In other words it looks like the JSP has not been compiled. At least not yet. Maybe try two things. Visit the JSP once with a browser at it's actual path "http://localhost:8080/<webapp>/jsp/info/ContactUs.jsp" the coerce a page compile. Then try it with your new mapped path. You see, just telling the container that there is a servlet mapped to the new URL doesn't force the container to generate the class. Something or someone must generate the servlet class file.
Honestly, I'm not sure of what your end goal is but maybe you might consider using a JSP pre-compiler? Or even better, register a servlet at the mapped path that fowards all requests into the desired folder.
Cliff -
CSW: Filtered Google Images still appearing with HTTPS Inspect configured
Hi,
I'm currently testing https Inspect to close a hole in the Google Images search.
I was under the impression that https inspect would not display any images that are in the a blocked category.
I have a CSW created certificate installed on the PC I'm testing on which I see as being accepted. If I delete the cert from the PC, then I can't get to google (via https) as the cert is not accepted.
However, with the cert running on the PC, images are not being filtered within a Google search. It's not practical for us to change to a "safesearch on" policy and was under the impression that https inspect would indeed filter the images, but it's not. I've tested on some images that they are blocked as if I click the "visit site" or "view image" links, then I get the blocked page.
Any help is very appreciated.
Thanks
CraigThanks for the answer, but that's crazy, it didn't used to be like that before Google forced https on everyone.
I can't see how safe search can be enforced? I know it can be done on at DNS, but that doesn't help our field users who connect to their own/public wifi. Even when they are VPN'd, we use split tunnelling so that won't work either.
Seems a real limitation of CWS that you cannot simply manipulate URLs or make custom suffix's? Or can you?
Our contract is up later this year and with all the issues we've had lately combined with it not being a very powerful solution, I suspect we'll be looking elsewhere. -
Default class inspection policy
Hi Everyone,
Need to know if default class inspection policy matches the incoming or outging traffic flowing through the ASA?
Example when i ping from PC connecting to the ASA to outside world will then it will match icmp traffic entering the ASA then ICMP reply coming
to outside interface?
Thanks
MAheshHello,
The ASA is stateful in both directions, so the policy matches incoming and outgoing traffic.
What happens is that you also have security levels, so from high to low it is allow but from low to high it will be deny unless you configure an ACL.
Regards,
Felipe. -
Can you reload the default HTTPS certificate for a Border Controller?
The HTTPS page does not work for the Tandberg Border Controller (Q6.3). HTTP is fine. I believe that the customer uploaded their own certificate which has now “broken” the HTTPS page.
So the question is – can you reload the default HTTPS certificate for a Border Controller?
There’s a handy button to do this on the VCS but not on the BC it seems. The only option I can see is for the customer to generate a “working” certificate and upload it, is this the only option?
Thanks,
DavidHi sherylz,
It is also possible to edit the theme, but it may be wise to make a copy of it:
*[https://support.mozilla.org/en-US/questions/940165]
*[https://developer.mozilla.org/en-US/Add-ons/Themes/Background MDN Reference]
*Add on to make own skin: [https://addons.mozilla.org/en-Us/firefox/addon/bt-canvas/] -
HTTPS Inspection and MAC OS X Clients
Hi together,
we want to enable HTTPS Inspection at our TMG Cluster....but the counterpart is, Mac OS X Clients wont be able to connect to SSL Sites after we activate it.
So i am aware of this blogpost
http://blogs.technet.com/b/isablog/archive/2012/04/20/mac-os-clients-fail-to-access-ssl-websites-after-you-enable-https-inspection-in-forefront-tmg-2010.aspx
We had a certificate generated by our own internal CA, generated like described in this blogpost
http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx
After we faced the problems with os x we didnt do more research and renewed the certificate with the options of the second blogpost but as Windows Server 2008 CA Cert.
But still, MAC OS X (Safari) cant reach HTTPS Sites, Firefox on MAC OS X works fine.
I`ve downloaded the certificates to check if it is ASCII or Unicode...here are the results:
Aussteller:
CN=TMG HTTPS CNG Inspection
[0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 40 (40/64 Zeichen)
2.5.4.3 Allgemeiner Name (CN)="TMG HTTPS CNG Inspection"
Antragsteller:
CN=*.facebook.com
O=Facebook, Inc.
L=Menlo Park
S=CA
C=US
[0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/2 Zeichen)
2.5.4.6 Land/Region (C)="US"
55 53 US
55 00 53 00 U.S.
[1,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/128 Zeichen)
2.5.4.8 Bundesland oder Kanton (S)="CA"
43 41 CA
43 00 41 00 C.A.
[2,0]: CERT_RDN_PRINTABLE_STRING, Länge = 10 (10/128 Zeichen)
2.5.4.7 Ort (L)="Menlo Park"
4d 65 6e 6c 6f 20 50 61 72 6b Menlo Park
4d 00 65 00 6e 00 6c 00 6f 00 20 00 50 00 61 00 M.e.n.l.o. .P.a.
72 00 6b 00 r.k.
[3,0]: CERT_RDN_PRINTABLE_STRING, Länge = 14 (14/64 Zeichen)
2.5.4.10 Organisation (O)="Facebook, Inc."
46 61 63 65 62 6f 6f 6b 2c 20 49 6e 63 2e Facebook, Inc.
46 00 61 00 63 00 65 00 62 00 6f 00 6f 00 6b 00 F.a.c.e.b.o.o.k.
2c 00 20 00 49 00 6e 00 63 00 2e 00 ,. .I.n.c...
[4,0]: CERT_RDN_UTF8_STRING, Länge = 14 (14/64 Zeichen)
2.5.4.3 Allgemeiner Name (CN)="*.facebook.com"
So i think the problem is the last one while this is still as utf8 issued...but why? Shouldn`t this also a printable/ASCII one? How can i fix it?
The template which generated the TMG Certificate has the following settings:
General
Validity: 10 Years
Renewal period: 2 Years
Issuance Requirements
Suspended Templates
Extensions
Application Policies: Code Signing (Codesignatur), Private Key Archival (Archivierung des privaten Schlüssels), Server Authentication (Serverauthentifizierung)
Basic Constraints: everything is checked
Certificate Template Information: -
Key Usage: Digital signature, Signature is proof of origina (nonrepudiation), Certificate signing, CRL signing, Make this Extension critical
Have you any ideas why i still get utf8 subjects?
Thanks for your help in advanceHi Vasu,
isn`t this needed to issue a cng certificate (
http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx ) ?
I give it a try and give you a Status update.
Regards
edit
so while it isnt possible to use sha256, i am unable to issue cng certificates after using a 2003 based CA Template. So this cant be a solution.... -
Greetings, community!
We have a trouble with Dropbox application connection to their servers through our TMG servers array.
HTTPS-Inspection is enabled.
So, the error in the logs is:
Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 0x80090325
Rule: Allow Web Access for All Users
Source: Internal (10.0.128.15:53328)
Destination: External (108.160.165.11:443)
Request: client60.dropbox.com:443
Filter information: Req ID: 0ab2df8b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
Additional
information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
I try to:
1. Disable HTTPS-Inspection for *.dropbox.com destination
2. Enable direct access to *.dropbox.com
Same trouble.
Does anyone seen same problem?Hi,
your clients are configured as Webproxy clients (TMG proxy in browser specified)?
Dropbox may not use the proxy settings from your browser.
Please try to set the proxy on the client with NETSH WINHTTP SET PROXY
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570 -
Default FWSM inspection policy
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:
class-map inspection_default
match default-inspection-traffic
Does anyone know what "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
Any insight would be greatly appreciated.
David W.The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:
FWSM/context1(config)# class-map inspection_default
FWSM/context1(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
xdmcp-----udp--177
port Match TCP/UDP port(s) -
This is what I want to achieve USING the ACE as a reverse proxy.
User uses the url https://abc/password - gets to the destination server & the web page
If user tries to use any thing additional then the connection is dropped at the ACE such as
https://abc/password/test or any such variation.
Following is the config I have to achieve this
class-map type http loadbalance match-any L7-CLASS-TEST
match http url /password
match http url /password/
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url .*.*
policy-map type loadbalance first-match LBP-TEST
class L7-CLASS-TEST
serverfarm FARM-TEST
ssl-proxy client TEST
class L7-CLASS-TEST-deny
drop
class class-default
serverfarm FARM-TEST
ssl-proxy client TEST
The problem with this is when the page opens I get broken links on all the images. If I use the following line
match http url /password.*
I get the images to work but the user can use the https://abc/password/test which is not what I want.
Has any one faced this issue ?
Any help will be appreciated.
Thanks in advance
PrasannaPrasanna,
What about if you try it in HTTP and apply the following change?
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url /.*
This should work in HTTP but not with HTTPS
Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
Jorge
Maybe you are looking for
-
FDM Script - Set to run at a specific time of day??
Can you set an FDM script to run at a certain time of day (based on server time)? I've currently got a Custom/General script I'd like to run once a day at a set time. Thanks!
-
Frame layout changes when button is pressed again...
Okay so basically I have a button on my frame and when it's pressed it opens up another frame. This is fine, but when the button is pressed again it opens up the frame again but the layout is all over the place. Here is the code: if (ev.getSource() =
-
Multi Monitor - Windows Key + Left/Right not working?
Hi everyone, Just checking whether it's just me or other people having this issue (I can't find a similar thread for the Windows 10 Technical Preview). Windows Key + Left/Right does not seem to snap to another monitor. On my setup it continually cycl
-
E1EDKT1 Data Record of an IDoc.
We are working on an Outbound Inovice IDOC of Basic Type INOVICE02 and Mesg type INVOIC. In data record E1EDKT1 which has got E1EDKT2 Segment is mapped some unknown field whre email ID was coming. We need to change the value of this emil ID. We dont
-
I want to be able to change my security questions and answers