Default HTTP inspection map

Hi guys.
When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
It's used here as an example in the documentation:
From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
However I cannot actually see anywhere what these Default settings are.
For example, it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
I cannot find any reference to these.
If anyone can help that would be great.
Thanks.
Mike

I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
(Very, very few people actually use the built-in HTTP inspection; instead they use either a 3rd-party solution like WebSense URL filtering or a proxy server like WSA or BlueCoat, or else the ASA CSC module or NGFX CX module with AVC and WSE.)
See the following screenshot for what I was talking about in my first paragraph:

Similar Messages

  • Potential Impact of Disabling Default HTTP Inspection Policy

    I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map.  The software for this firewall is recent 8.2(x).
    Some questions:
    1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration.  All such traffic is inspected by the appliance.  Am I correct in this understanding?
    2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
    3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting?  Would I see any noticeable impact to HTTP traffic by doing this?
    Thank you for your responses in advance.
    Jeff

    Hi,
    These are the responses to your queries:
    1) Yes, HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
    2) Might be, yes. As the HTTP connections are the major amount of traffic on the ASA device, too much traffic has to be inspected by the ASA device, and re-assembling will also cause the ASA device to do some extra processing.
    3) No, I think you would reduce the processing for the ASA after disabling this inspection.
    This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
    Also, check this:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
    Thanks and Regards,
    Vibhor Amrodia

  • HTTP Inspection Cisco PIX 525

    I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
    My regex is:    regex HACKBLOCK "*/admin/.*\.jsp*"
    My class-maps are: 
    class-map type regex match-any HACKBLOCK_METHOD
    match regex GET
    class-map XXXXTWBLOCK
    match access-list HACKBLOCK_HOSTS
    class-map type regex match-any HACKBLOCK_URL
    match regex HACKBLOCK
    class-map type inspect http match-all HACKBLOCK_FILTER
    match request uri regex class HACKBLOCK_URL
    class-map inspection_default
    match default-inspection-traffic
    My policy-maps are:
    policy-map type inspect http HACKBLOCK_HTTP
    parameters
    class HACKBLOCK_FILTER
      log
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect dns
      inspect h323 ras
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    policy-map OUTSIDE
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    class class-default
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 1200
    As you can see, I added the inspection rule to a separate class name ENPROTWBLOCK.  This matches traffic based on destination of our class C.  I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
    #sh service-pol inspec http
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
        Class-map: XXXXTWBLOCK
          Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
            protocol violations
              packet 34206
            class HACKBLOCK_FILTER
              log, packet 0
    enp-amer-clt-pix525-a#
    I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
    Any idea what's going on here and why I am not matching the HTTP URIs?
    Thanks,
    Matthias  CCIE# 28445

    I get hits on the ACL.  The issue is that the HTTP inspection does not seem to function.  Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20

  • ACE - HTTPS CLASS MAP CONFIGURATION

    Hi,
    We have a secured web site (HTTPS) currently fronted by Cisco ACE 4170, running version A5(1.2). We are trying to use the http class map to manipulate the traffic flow in the following manner:
    https://abc.com/ABC/* -> serverfarm#1
    https://abc.com/* -> serverfarm#2           (Default)
    Technically this should not be difficult and below is a sample of our configuration. We have a similar configuration working on our non-secured web site (HTTP). However, for the secure web site, the https request https://abc.com/ABC/xxx continues to be routed to serverfarm#2 instead of serverfarm#1, which is very frustrating.
    We can easily get this working on my F5 LTM within 5 minutes but this Cisco ACE continues to frustrate me... I'd appreciate it if any expert on Cisco ACE can help to advise on our configuration. Thanks.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    =========================================================

    Kanwaljeet,
    Yes, we are using ACE for SSL termination i.e. front end is https and back-end is also https.
    We are doing end-to-end encryption as our IT security and audit wanted end-to-end encryption between the client and servers. ACE should be able to look at the HTTP header at the front end since the client SSL session is terminated on the ACE.
    Below is an extract of the configuration; I've left out the remaining configuration which is not required.
    =========================================================
    serverfarm host serverfarm#1
    predictor leastconns
    probe https_probe
    rserver rs_server#1
      inservice
    rserver rs_server#2
      inservice
    serverfarm host serverfarm#2
    predictor leastconns
    probe https_probe
    rserver rs_server#3
      inservice
    rserver rs_server#4
      inservice
    sticky http-cookie STICKY_HTTPS_serverfarm#1
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#1
    sticky http-cookie STICKY_HTTPS_serverfarm#2
    cookie insert browser-expire
    timeout 15
    replicate sticky
    serverfarm serverfarm#2
    class-map match-all vs_serverfarm
      2 match virtual-address 10.178.50.140 tcp eq https
    class-map type http loadbalance match-any class-map-serverfarm#1
    2 match http url /ABC/.*
    policy-map type loadbalance first-match vs_serverfarm_https
    class class-map-serverfarm#1
      sticky-serverfarm STICKY_HTTPS_serverfarm#1
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    class class-default
      sticky-serverfarm STICKY_HTTPS_serverfarm#2
      insert-http x-forward header-value "%is"
      ssl-proxy client ssl_serverfarm
    policy-map multi-match PRODWEB_POLICY
      class vs_serverfarm
        loadbalance vip inservice
        loadbalance policy vs_serverfarm_https
        loadbalance vip icmp-reply active
        nat dynamic 100 vlan 100
        ssl-proxy server ssl_serverfarm
    =========================================================

  • Toying with https inspection. Do access lists now have to be in decryption policies?

    Hello,
    I am toying with https inspection.  I am wondering now, with the WCCP redirect from the firewall for https on two of our test IPs (before rolling it into production), if I need to basically duplicate all of my Access Policies on the Decrypt Policies.  Are Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
    Let's say you want facebook blocked.  In Access Policies it is blocked by default, unless you fall into an upper category like AD group Management for example.  Well, facebook has both an http and an https (now increasingly more common) site.  So could they just circumvent this block by typing in https?  They can do that now (since we're not inspecting https), but we want to put a stop to that.
    I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine.  We don't even get redirected to our server hosting the "you are blocked" page.

    Ok, so it's fine to have a global decryption policy that has everything set to monitor, and just continue to let the access policy do all the work?
    At least if you "hit" on an access policy, the WLC forwards us to our customized block page.  In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).
    When would the "decrypt" option be a good idea?

  • Disable http inspection in global_policy FWSM

    I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
    Looking into the config on the FWSM I see that under the global_policy we are inspecting http:
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?
    Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
    I don't really understand what the inspection engine does?

    Well,
    I removed the http inspection and it broke all inbound and outbound web services!
    Then I discovered this:
    url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
    filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
    This web-sense server is down and no longer used.
    But am I correct to assume that the presence of this config caused a problem, as all http was trying to go via the Websense, but with the http inspection enabled it is able to go out direct?
    I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
    Thanks
    Roger

  • CSM 3.3.0, FWSM 4.0(6), HTTP Inspection

    Hi,
    I have a firewall module (FWSM), version 4.0(6), which is managed with CSM (3.3.0). There is a problem with regular expression configuration in CSM. HTTP inspection with a regular expression is configured with ASDM successfully, but this configuration is not deployed with CSM on the FWSM. It seems CSM does not support regular expressions for FWSM. The following picture shows that CSM supports HTTP advanced inspection configuration only for ASA 7.2 and PIX 7.2. I need to know whether CSM 4.0 has this limitation or whether there is any solution for this CSM version.

    Here is the guide for Flex configs http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
    There is no predefined flex config for the http inspection. But you can create a new Flex config that has the commands
    regex ...
    class-map type inspect http
      match header host regex ...
    The Flex config in CSM will be deploying the commands as if you were doing it with CLI.
    I hope it makes sense.
    PK

  • Overriding default jsp servlet mapping

    I want to override the default jsp servlet mapping under a specific directory. I have the following entries in my application's web.xml file:
    <servlet>
    <servlet-name>CMS</servlet-name>
    <jsp-file>/template/main.jsp</jsp-file>
    </servlet>
    <servlet-mapping>
    <servlet-name>CMS</servlet-name>
    <url-pattern>/raw/*.html</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
    <servlet-name>CMS</servlet-name>
    <url-pattern>/raw/*.jsp</url-pattern>
    </servlet-mapping>
    When I call up the page /raw/test.jsp, it is processed as a normal jsp page instead of by the custom mapping. Calling up the page /raw/test.html works as expected.
    I am using the embedded server under JDeveloper 10.1.2.1.0.
    Isn't an entry in the application's web.xml file meant to override system wide mappings?
    Thanks for any help.
    Martin

    I'm no expert on this but I have a hunch. First of all, you're using a servlet mapping for a JSP. That's good and well but it seems that the container is complaining that there is no servlet named org.apache.jsp.jsp.info.ContactUs_jsp. In other words it looks like the JSP has not been compiled. At least not yet. Maybe try two things. Visit the JSP once with a browser at its actual path "http://localhost:8080/<webapp>/jsp/info/ContactUs.jsp" to coerce a page compile. Then try it with your new mapped path. You see, just telling the container that there is a servlet mapped to the new URL doesn't force the container to generate the class. Something or someone must generate the servlet class file.
    Honestly, I'm not sure what your end goal is, but maybe you might consider using a JSP pre-compiler? Or even better, register a servlet at the mapped path that forwards all requests into the desired folder.
    Cliff

  • CSW: Filtered Google Images still appearing with HTTPS Inspect configured

    Hi,
    I'm currently testing https Inspect to close a hole in the Google Images search.
    I was under the impression that https inspect would not display any images that are in a blocked category.
    I have a CSW created certificate installed on the PC I'm testing on which I see as being accepted.  If I delete the cert from the PC, then I can't get to google (via https) as the cert is not accepted.
    However, with the cert running on the PC, images are not being filtered within a Google search.  It's not practical for us to change to a "safesearch on" policy and was under the impression that https inspect would indeed filter the images, but it's not.  I've tested on some images that they are blocked as if I click the "visit site" or "view image" links, then I get the blocked page.
    Any help is very appreciated.
    Thanks
    Craig

    Thanks for the answer, but that's crazy, it didn't used to be like that before Google forced https on everyone.
    I can't see how safe search can be enforced?  I know it can be done at DNS, but that doesn't help our field users who connect to their own/public wifi.  Even when they are VPN'd, we use split tunnelling so that won't work either.
    Seems a real limitation of CWS that you cannot simply manipulate URLs or make custom suffixes?  Or can you?
    Our contract is up later this year and with all the issues we've had lately combined with it not being a very powerful solution, I suspect we'll be looking elsewhere.

  • Default class inspection policy

    Hi Everyone,
    I need to know whether the default class inspection policy matches the incoming or the outgoing traffic flowing through the ASA.
    For example, when I ping from a PC connected to the ASA to the outside world, will it match the ICMP traffic entering the ASA and then the ICMP reply coming to the outside interface?
    Thanks
    MAhesh

    Hello,
    The ASA is stateful in both directions, so the policy matches incoming and outgoing traffic.
    What happens is that you also have security levels, so from high to low it is allow but from low to high it will be deny unless you configure an ACL.
    Regards,
    Felipe.

  • Can you reload the default HTTPS certificate for a Border Controller?

    The HTTPS page does not work for the Tandberg Border Controller (Q6.3). HTTP is fine. I believe that the customer uploaded their own certificate which has now “broken” the HTTPS page.
    So the question is – can you reload the default HTTPS certificate for a Border Controller?
    There’s a handy button to do this on the VCS but not on the BC it seems. The only option I can see is for the customer to generate a “working” certificate and upload it, is this the only option?
    Thanks,
    David

    Hi sherylz,
    It is also possible to edit the theme, but it may be wise to make a copy of it:
    *[https://support.mozilla.org/en-US/questions/940165]
    *[https://developer.mozilla.org/en-US/Add-ons/Themes/Background MDN Reference]
    *Add on to make own skin: [https://addons.mozilla.org/en-Us/firefox/addon/bt-canvas/]

  • HTTPS Inspection and MAC OS X Clients

    Hi together,
    we want to enable HTTPS Inspection at our TMG Cluster... but the downside is, Mac OS X clients won't be able to connect to SSL sites after we activate it.
    So I am aware of this blogpost
    http://blogs.technet.com/b/isablog/archive/2012/04/20/mac-os-clients-fail-to-access-ssl-websites-after-you-enable-https-inspection-in-forefront-tmg-2010.aspx
    We had a certificate generated by our own internal CA, generated like described in this blogpost
    http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx
    After we faced the problems with OS X we didn't do more research and renewed the certificate with the options of the second blogpost, but as a Windows Server 2008 CA cert.
    But still, Mac OS X (Safari) can't reach HTTPS sites; Firefox on Mac OS X works fine.
    I've downloaded the certificates to check if it is ASCII or Unicode... here are the results:
    Aussteller:
    CN=TMG HTTPS CNG Inspection
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 40 (40/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="TMG HTTPS CNG Inspection"
    Antragsteller:
    CN=*.facebook.com
    O=Facebook, Inc.
    L=Menlo Park
    S=CA
    C=US
    [0,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/2 Zeichen)
    2.5.4.6 Land/Region (C)="US"
    55 53 US
    55 00 53 00 U.S.
    [1,0]: CERT_RDN_PRINTABLE_STRING, Länge = 2 (2/128 Zeichen)
    2.5.4.8 Bundesland oder Kanton (S)="CA"
    43 41 CA
    43 00 41 00 C.A.
    [2,0]: CERT_RDN_PRINTABLE_STRING, Länge = 10 (10/128 Zeichen)
    2.5.4.7 Ort (L)="Menlo Park"
    4d 65 6e 6c 6f 20 50 61 72 6b Menlo Park
    4d 00 65 00 6e 00 6c 00 6f 00 20 00 50 00 61 00 M.e.n.l.o. .P.a.
    72 00 6b 00 r.k.
    [3,0]: CERT_RDN_PRINTABLE_STRING, Länge = 14 (14/64 Zeichen)
    2.5.4.10 Organisation (O)="Facebook, Inc."
    46 61 63 65 62 6f 6f 6b 2c 20 49 6e 63 2e Facebook, Inc.
    46 00 61 00 63 00 65 00 62 00 6f 00 6f 00 6b 00 F.a.c.e.b.o.o.k.
    2c 00 20 00 49 00 6e 00 63 00 2e 00 ,. .I.n.c...
    [4,0]: CERT_RDN_UTF8_STRING, Länge = 14 (14/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="*.facebook.com"
    So I think the problem is the last one, as this is still issued as UTF-8... but why? Shouldn't this also be a printable/ASCII one? How can I fix it?
    The template which generated the TMG Certificate has the following settings:
    General
    Validity: 10 Years
    Renewal period: 2 Years
    Issuance Requirements
    Suspended Templates
    Extensions
    Application Policies: Code Signing (Codesignatur), Private Key Archival (Archivierung des privaten Schlüssels), Server Authentication (Serverauthentifizierung)
    Basic Constraints: everything is checked
    Certificate Template Information: -
    Key Usage: Digital signature, Signature is proof of origin (nonrepudiation), Certificate signing, CRL signing, Make this Extension critical
    Do you have any ideas why I still get UTF-8 subjects?
    Thanks for your help in advance

    Hi Vasu,
    isn't this needed to issue a CNG certificate?
    http://blogs.technet.com/b/isablog/archive/2014/08/29/how-to-create-a-cng-httpsi-cert-using-a-2008r2-ca.aspx
    I'll give it a try and give you a status update.
    Regards
    edit
    So while it isn't possible to use SHA-256, I am unable to issue CNG certificates after using a 2003-based CA template. So this can't be a solution....

  • Dropbox and HTTPS inspection

    Greetings, community!
    We have trouble with the Dropbox application connecting to their servers through our TMG server array.
    HTTPS-Inspection is enabled.
    So, the error in the logs is:
    Failed Connection Attempt
    Log type: Web Proxy (Forward)
    Status: 0x80090325
    Rule: Allow Web Access for All Users
    Source: Internal (10.0.128.15:53328)
    Destination: External (108.160.165.11:443)
    Request: client60.dropbox.com:443
    Filter information: Req ID: 0ab2df8b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: https-inspect
    User: anonymous
    Additional
    information
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x0
    Processing time: 0 MIME type:
    I tried to:
    1. Disable HTTPS-Inspection for *.dropbox.com destination
    2. Enable direct access to *.dropbox.com
    Same trouble.
    Has anyone seen the same problem?

    Hi,
    Are your clients configured as web proxy clients (TMG proxy specified in the browser)?
    Dropbox may not use the proxy settings from your browser.
    Please try to set the proxy on the client with NETSH WINHTTP SET PROXY
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570

  • Default FWSM inspection policy

    On FWSM (running version 4.1 in my case) the default global policy uses the following class map:
    class-map inspection_default
    match default-inspection-traffic
    Does anyone know what "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
    Any insight would be greatly appreciated.
    David W.

    The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:
    FWSM/context1(config)# class-map inspection_default
    FWSM/context1(config-cmap)# match ?
    mpf-class-map mode commands/options:
      access-list                 Match an Access List
      any                         Match any packet
      default-inspection-traffic  Match default inspection traffic:
                                  ctiqbe----tcp--2748      dns-------udp--53      
                                  ftp-------tcp--21        gtp-------udp--2123,3386
                                  h323-h225-tcp--1720      h323-ras--udp--1718-1719
                                  http------tcp--80        icmp------icmp         
                                  ils-------tcp--389       mgcp------udp--2427,2727
                                  netbios---udp--137-138   rpc-------udp--111     
                                  rsh-------tcp--514       rtsp------tcp--554     
                                  sip-------tcp--5060      sip-------udp--5060    
                                  skinny----tcp--2000      smtp------tcp--25      
                                  sqlnet----tcp--1521      tftp------udp--69      
                                  xdmcp-----udp--177     
      port                        Match TCP/UDP port(s)
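Added example, not code from the thread: the CLI table above as data, with a lookup that answers David's question (only the listed protocol/port pairs are in the class, not all traffic) and a cross-check of a flow against the inspect lines of the FWSM global_policy quoted in the earlier "Disable http inspection in global_policy FWSM" thread. The destination-port matching rule and the mapping from match names to inspect keywords are my reading of the help text, i.e. assumptions.

```python
"""Which flows does 'match default-inspection-traffic' select on the FWSM?

Added example; not code from the thread. The table is transcribed from the
'match ?' CLI help quoted in the reply above. The matching rule (IP protocol
plus destination port, with port lists and ranges) and the mapping from
match names to 'inspect' keywords are my reading of that help text, i.e.
assumptions, not FWSM source.
"""
from typing import FrozenSet, Optional, Set

# (match name, ip protocol, port spec) exactly as printed by 'match ?'
DEFAULT_INSPECTION_TRAFFIC = [
    ("ctiqbe", "tcp", "2748"),      ("dns", "udp", "53"),
    ("ftp", "tcp", "21"),           ("gtp", "udp", "2123,3386"),
    ("h323-h225", "tcp", "1720"),   ("h323-ras", "udp", "1718-1719"),
    ("http", "tcp", "80"),          ("icmp", "icmp", ""),
    ("ils", "tcp", "389"),          ("mgcp", "udp", "2427,2727"),
    ("netbios", "udp", "137-138"),  ("rpc", "udp", "111"),
    ("rsh", "tcp", "514"),          ("rtsp", "tcp", "554"),
    ("sip", "tcp", "5060"),         ("sip", "udp", "5060"),
    ("skinny", "tcp", "2000"),      ("smtp", "tcp", "25"),
    ("sqlnet", "tcp", "1521"),      ("tftp", "udp", "69"),
    ("xdmcp", "udp", "177"),
]

# match name -> keyword used on the 'inspect' line (assumed; only the
# three that differ are listed, all others use the same name).
INSPECT_KEYWORD = {"h323-h225": "h323 h225", "h323-ras": "h323 ras", "rpc": "sunrpc"}

# The 'inspect' lines of the FWSM global_policy quoted in the
# 'Disable http inspection in global_policy FWSM' thread above.
FWSM_GLOBAL_POLICY = frozenset({
    "ftp", "h323 h225", "h323 ras", "netbios", "rsh", "skinny", "sqlnet",
    "sunrpc", "tftp", "sip", "xdmcp", "icmp", "http",
})


def expand_ports(spec: str) -> Set[int]:
    """'2123,3386' -> {2123, 3386}; '1718-1719' -> {1718, 1719}; '' -> set()."""
    ports: Set[int] = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def default_inspection_match(proto: str, dst_port: Optional[int]) -> Optional[str]:
    """Name of the default-inspection-traffic entry the flow hits, or None.

    Only the listed protocol/port pairs are in the class; everything else
    (e.g. tcp/443) never reaches an inspection engine through this class-map.
    """
    for name, p, spec in DEFAULT_INSPECTION_TRAFFIC:
        if p == proto and (p == "icmp" or dst_port in expand_ports(spec)):
            return name
    return None


def engine_applied(proto: str, dst_port: Optional[int], policy: FrozenSet[str]) -> Optional[str]:
    """Inspection engine that acts on the flow, or None.

    Two conditions must hold: the flow is in the class-map, and the
    policy-map carries an 'inspect' line for that protocol.
    """
    name = default_inspection_match(proto, dst_port)
    if name is None:
        return None
    keyword = INSPECT_KEYWORD.get(name, name)
    return keyword if keyword in policy else None


if __name__ == "__main__":
    for proto, port in (("tcp", 80), ("tcp", 443), ("udp", 53), ("udp", 111), ("icmp", None)):
        print(proto, port, "->", default_inspection_match(proto, port),
              "/ engine:", engine_applied(proto, port, FWSM_GLOBAL_POLICY))
```

Note that udp/53 is in the class but that FWSM policy has no "inspect dns" line, so the flow is classified yet no engine runs on it.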

  • Issue with ACE HTTP class map

    This is what I want to achieve USING the ACE as a reverse proxy.
    User uses the url https://abc/password - gets to the destination server & the web page
    If the user tries to use anything additional then the connection is dropped at the ACE, such as
    https://abc/password/test or any such variation.
    Following is the config I have to achieve this
    class-map type http loadbalance match-any L7-CLASS-TEST
      match http url /password
      match http url /password/
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url .*.*
    policy-map type loadbalance first-match LBP-TEST
      class L7-CLASS-TEST
        serverfarm FARM-TEST
        ssl-proxy client TEST
      class L7-CLASS-TEST-deny
        drop
      class class-default
        serverfarm FARM-TEST
        ssl-proxy client TEST
    The problem with this is when the page opens I get broken links on all the images. If I use the following line
    match http url /password.*
    I get the images to work but the user can use the https://abc/password/test which is not what I want.
    Has anyone faced this issue?
    Any help will be appreciated.
    Thanks in advance
    Prasanna

    Prasanna,
    What about if you try it in HTTP and apply the following change?
    class-map type http loadbalance match-any L7-CLASS-TEST-deny
      2 match http url /.*
    This should work in HTTP but not with HTTPS
    Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
    Jorge
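Added example serving this thread and the earlier "HTTP Inspection Cisco PIX 525" thread; it is not code from either post. It runs the posted URI regexes against constructed sample URIs so the pattern logic can be checked offline before it goes on a device. Python's re module stands in for the PIX/ASA and ACE regex engines, the unanchored-vs-whole-URL distinction is an assumption drawn from the behaviour the posters describe, and the "tight" and "allowlist" patterns are mine.

```python
"""Offline sanity check for URI regexes used in Cisco class-maps.

Added example; not code from either thread. Python's ``re`` module stands
in for the device regex engines, so treat the output as a check of the
pattern logic, not as a guarantee of device behaviour.
"""
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample request URIs modelled on the two threads.
SAMPLE_URIS = [
    "/admin/test.jsp",          # PIX thread: the poster's test traffic
    "/XXX/admin/XXX.jsp",       # PIX thread: the real target path
    "/admin/test.js",           # not a JSP; should not be matched
    "/password",                # ACE thread: allowed page
    "/password/",               # ACE thread: allowed page
    "/password/test",           # ACE thread: must be dropped
    "/password/img/logo.png",   # ACE thread: where the broken images come from
]


def matching_uris(pattern: str, uris: Sequence[str], anchored: bool) -> Optional[List[str]]:
    """URIs selected by ``pattern``, or None if the engine rejects the pattern.

    anchored=False models PIX/ASA 'match request uri regex' as a substring
    search; anchored=True models ACE 'match http url' as a whole-URL match,
    which is the behaviour the ACE poster reports (/password does not
    select /password/test).  Both are assumptions about the device engines.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return None
    check = rx.fullmatch if anchored else rx.search
    return [u for u in uris if check(u)]


def first_match_class(classes: Sequence[Tuple[str, Sequence[str]]], uri: str) -> str:
    """ACE 'policy-map type loadbalance first-match': the first class with a
    pattern that fully matches the URL wins; otherwise class-default."""
    for name, patterns in classes:
        if any(re.fullmatch(p, uri) for p in patterns):
            return name
    return "class-default"


# --- PIX thread: regex HACKBLOCK "*/admin/.*\.jsp*" ---
PIX_POSTED = r"*/admin/.*\.jsp*"           # leading '*' has nothing to repeat
PIX_LOOSE = r".*/admin/.*\.jsp*"           # compiles, but 'p*' also accepts '.js'
PIX_TIGHT = r"/admin/[^?]*\.jsp(\?|$)"     # my tightened form (assumption)

# --- ACE thread: the posted classes, evaluated first-match ---
ACE_POSTED = [
    ("L7-CLASS-TEST", [r"/password", r"/password/"]),
    ("L7-CLASS-TEST-deny", [r".*.*"]),
]
ACE_WILDCARD = [                            # the '/password.*' variant the poster tried
    ("L7-CLASS-TEST", [r"/password.*"]),
    ("L7-CLASS-TEST-deny", [r".*.*"]),
]
ACE_ALLOWLIST = [                           # constructed: the page plus its static assets only
    ("L7-CLASS-TEST", [r"/password/?", r"/password/img/.*"]),
    ("L7-CLASS-TEST-deny", [r".*.*"]),
]


def ace_decisions(classes, uris=SAMPLE_URIS[3:]) -> dict:
    """Map each ACE-thread URI to the class it lands in."""
    return {u: first_match_class(classes, u) for u in uris}


if __name__ == "__main__":
    for label, pat in (("posted", PIX_POSTED), ("loose", PIX_LOOSE), ("tight", PIX_TIGHT)):
        print(f"PIX {label:6s} {pat!r}: {matching_uris(pat, SAMPLE_URIS, anchored=False)}")
    for label, classes in (("posted", ACE_POSTED), ("wildcard", ACE_WILDCARD), ("allowlist", ACE_ALLOWLIST)):
        print(f"ACE {label:9s}: {ace_decisions(classes)}")
```

The ACE run reproduces both symptoms the poster reports: the posted classes send /password/img/logo.png to the deny class, while /password.* lets /password/test through.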
