Disable http inspection in global_policy FWSM
I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
Looking into the config on the FWSM I see that under the global_policy we are inspecting http:
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
I would like to remove inspect http as a test to see if this is causing our problems, but I am unsure of the impact of doing this.
Also, it is strange, as this option has been there for a long time and our download issues have only recently started to happen; it does seem to be only for http links though.
I don't really understand what the inspection engine does.
Well,
I removed the http inspection and it broke all inbound and outbound web services!
Then I discovered this:
url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
This web-sense server is down and no longer used.
But am I correct to assume that the presence of this config caused a problem, as all http was trying to go via the Websense, but with the http inspection enabled it is able to go out direct?
I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
Thanks
Roger
Similar Messages
-
Greetings, community!
We have a trouble with Dropbox application connection to their servers through our TMG servers array.
HTTPS-Inspection is enabled.
So, the error in the logs is:
Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 0x80090325
Rule: Allow Web Access for All Users
Source: Internal (10.0.128.15:53328)
Destination: External (108.160.165.11:443)
Request: client60.dropbox.com:443
Filter information: Req ID: 0ab2df8b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: https-inspect
User: anonymous
Additional information
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 MIME type:
I try to:
1. Disable HTTPS-Inspection for *.dropbox.com destination
2. Enable direct access to *.dropbox.com
Same trouble.
Has anyone seen the same problem?
Hi,
your clients are configured as Webproxy clients (TMG proxy in browser specified)?
Dropbox may not use the proxy settings from your browser.
Please try to set the proxy on the client with NETSH WINHTTP SET PROXY
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570 -
CSM 3.3.0, FWSM 4.0(6), HTTP Inspection
Hi,
I have a firewall module (FWSM, version 4.0(6)) which is managed with CSM (3.3.0). There is a problem with regular expression configuration in CSM. HTTP inspection with a regular expression is configured successfully with ASDM, but this configuration is not deployed to the FWSM with CSM. It seems CSM does not support regular expressions for FWSM. The following picture shows that CSM supports HTTP advanced inspection configuration only for ASA 7.2 and PIX 7.2. I need to know whether CSM 4.0 has this limitation, or whether there is any solution for this CSM version?
Here is the guide for Flex configs: http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
There is no predefined flex config for the http inspection. But you can create a new Flex config that has the commands:
regex ...
class-map type inspect http
match header host regex ...
The Flex config in CSM will be deploying the commands as if you were doing it with CLI.
I hope it makes sense.
PK -
Potential Impact of Disabling Default HTTP Inspection Policy
I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map. The software for this firewall is recent 8.2(x).
Some questions:
1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration. All such traffic is inspected by the appliance. Am I correct in this understanding?
2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting? Would I see any noticeable impact to HTTP traffic by doing this?
Thank you for your responses in advance.
Jeff
Hi,
These are the responses to your queries:
1) Yes, HTTP inspection will check all connections destined to port 80 through the ASA device against the RFC standards.
2) Possibly yes. As HTTP connections make up the major share of traffic on the ASA device, a lot of traffic has to be inspected, and re-assembly will also cause the ASA device to do some extra processing.
3) No, I think you would reduce the processing load on the ASA after disabling this inspection.
This would not cause any disruption to traffic, as the change is not applied to existing connections but only to new connections made through the ASA device after the policy is modified.
Also , check this:-
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
Thanks and Regards,
Vibhor Amrodia -
I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
My regex is: regex HACKBLOCK "*/admin/.*\.jsp*"
My class-maps are:
class-map type regex match-any HACKBLOCK_METHOD
match regex GET
class-map XXXXTWBLOCK
match access-list HACKBLOCK_HOSTS
class-map type regex match-any HACKBLOCK_URL
match regex HACKBLOCK
class-map type inspect http match-all HACKBLOCK_FILTER
match request uri regex class HACKBLOCK_URL
class-map inspection_default
match default-inspection-traffic
My policy-maps are:
policy-map type inspect http HACKBLOCK_HTTP
parameters
class HACKBLOCK_FILTER
log
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns
inspect h323 ras
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
policy-map OUTSIDE
class XXXXTWBLOCK
inspect http HACKBLOCK_HTTP
class class-default
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 1200
As you can see, I added the inspection rule to a separate class named ENPROTWBLOCK. This matches traffic based on the destination of our class C. I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
#sh service-pol inspec http
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Class-map: XXXXTWBLOCK
Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
protocol violations
packet 34206
class HACKBLOCK_FILTER
log, packet 0
enp-amer-clt-pix525-a#
I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
Any idea what's going on here and why I am not matching the HTTP URIs?
Thanks,
Matthias CCIE# 28445
I get hits on the ACL. The issue is that the HTTP inspection does not seem to function. Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface, right?
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
access-list HACKBLOCK_HOSTS; 1 elements
access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20
-
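A quick offline check of the URI regex from the thread above, as an added example (mine, not the poster's configuration). Python's re module stands in for the firewall's regex engine; that is an assumption, since the two are not the same engine, so the final word belongs to the device itself (the ASA's "test regex" command runs a pattern against a string on the box). The sample URIs are constructed. The point it makes: the leading "*" in the original pattern has nothing to repeat, and the trailing "p*" makes the final letter of ".jsp" optional, so a pattern that compiles and pins down the "/admin/" path and the ".jsp" suffix is shown beside it, plus a character-class form for case-insensitive matching that does not rely on engine-specific flags.

```python
"""Sanity-check a URI regex on sample requests before putting it in an inspect http class.

Added example; not the poster's config. Python's re module is used as a stand-in for
the firewall's regex engine (assumption: both search for the pattern anywhere in the
request URI). Confirm on the device before relying on it.
"""
import re
from typing import Dict, List, Optional

# Pattern as posted: the leading '*' repeats nothing, and 'jsp*' means 'js' followed by
# zero or more 'p', so '/admin/x.js' would satisfy the tail as well.
ORIGINAL = r"*/admin/.*\.jsp*"
# Same intent, well-formed: an '/admin/' path segment followed later by a literal '.jsp'.
FIXED = r"/admin/.*\.jsp"
# Case-insensitive variant using character classes, which every common engine supports.
FIXED_CASE_INSENSITIVE = r"/[Aa][Dd][Mm][Ii][Nn]/.*\.[Jj][Ss][Pp]"

# Constructed request URIs, as 'match request uri regex' would see them.
SAMPLE_URIS = [
    "/admin/test.jsp",
    "/XXX/admin/XXX.jsp",
    "/admin/test.jsp?x=1",
    "/Admin/test.jsp",
    "/images/logo.png",
    "/admin/notes.txt",
]


def compile_error(pattern: str) -> Optional[str]:
    """None if the pattern compiles, otherwise the engine's complaint."""
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def matching_uris(pattern: str, uris: List[str]) -> List[str]:
    """URIs the pattern matches anywhere (unanchored search), in input order."""
    rx = re.compile(pattern)
    return [u for u in uris if rx.search(u)]


def report(patterns: List[str], uris: List[str]) -> Dict[str, dict]:
    """For each candidate pattern: compile error (if any) and the URIs it would hit."""
    out = {}
    for p in patterns:
        err = compile_error(p)
        out[p] = {"error": err, "matches": [] if err else matching_uris(p, uris)}
    return out


if __name__ == "__main__":
    for pattern, result in report([ORIGINAL, FIXED, FIXED_CASE_INSENSITIVE], SAMPLE_URIS).items():
        print(repr(pattern), "->", result)
```

Run it as a script and the original pattern reports a compile error while the fixed patterns list exactly the admin JSP requests; the same sample set is worth keeping around for re-testing whenever the class-map changes.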
Advantage/disadvantage of disabling "no inspect sqlnet"
What is the advantage of enabling sqlnet inspection, and what is the downside of disabling sqlnet inspection with "no inspect sqlnet"?
I know very well the pros and cons of enabling or disabling ftp inspection, but for the past five years I have not seen anyone who has been able to explain the pros and cons of enabling/disabling sqlnet inspection.
I asked this question five years ago and someone replied, but I don't think he knew what it is. He just copied from the Cisco documentation: https://supportforums.cisco.com/discussion/10838696/what-advantage-enabling-sqlnet-inspection-asa-appliance
From my production experience, enabling/disabling sqlnet inspection makes no difference, and in my previous life I was an Oracle DBA.
I've seen my security vulnerabilities and when Oracle does not work across the ASA firewalls, Cisco TAC's response is always "disable sqlnet inspection".
If that is the case, why have it enabled by default in the first place?
Hi,
The advantage of having any protocol inspection enabled on the ASA device is to make the ASA device aware of two things mainly:
1) Any embedded IP address at the application layer for the specific protocol
2) Allowing a secondary channel by opening pinholes through the ASA device without explicitly allowing it with ACL rules.
Some other inspections are also used to implement/enforce the RFC for the protocol as well (for example SMTP, DNS etc.)
Just picking the example from inspect sqlnet:
Note: Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP port 1521. The ASA acts as a proxy when SQL*Net inspection is enabled and reduces the client window size from 65000 to about 16000, causing data transfer issues.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i2.html#pgfId-1762719
These inspections are enabled by default but can be modified or disabled depending on the application that you are using through the ASA device.
Hope that clarifies your query. Let me know if you have any other questions.
Thanks and Regards,
Vibhor Amrodia -
Disable esmtp Inspection for Specific Host
Hello. Is it possible to disable esmtp inspection for a specific INSIDE host with use of a policy-map? If so, could you provide an example configuration.
Yes it is possible. You could do something like the following:
access-list ESMTP deny ip host 1.1.1.10 any
access-list ESMTP permit ip 1.1.1.0 255.255.255.0 any
class-map CMAP
match access-list ESMTP
policy-map PMAP
class CMAP
inspect esmtp
service-policy PMAP interface inside
Please remember to select a correct answer and rate helpful posts
-
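An added example (my code, not configuration or code from either thread) that serves two passages on this page: the first question, where "inspect http" in global_policy sits next to a url-server/filter url setup and the two interact in a way the poster could not untangle, and the esmtp exclusion just above, where a "deny" entry in the class-map's access-list is what keeps one host out of inspection. It parses config text as pasted in forum posts (indentation lost, so nesting is inferred from keywords), evaluates which inspect engines a policy-map applies to a given source/destination flow, and lists every configured item that acts on HTTP so that they can be changed one at a time. Assumptions: ACL evaluation is first-match with an implicit deny, so "deny" means "not in the class", not "blocked"; a class with no access-list (such as inspection_default, whose "match default-inspection-traffic" really matches by port) is treated as covering every flow; addresses are constructed and the url-server host is a placeholder.

```python
"""Which inspections does a policy apply to a flow? Parsed from FWSM/ASA config text.

Added example; not configuration or code from the threads above. Assumptions:
- text may have lost its indentation (as forum posts do), so nesting is keyword-based;
- a class bound to an access-list covers a flow only if the ACL's first matching entry
  is 'permit' (implicit deny at the end): 'deny' means 'not inspected', not 'blocked';
- any class without an access-list is treated as covering every flow (a simplification
  of 'match default-inspection-traffic', which really matches by port).
Addresses are constructed; the url-server host is a placeholder.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed from the first thread's global_policy (placeholder url-server host).
FWSM_CONFIG = """\
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http
url-server (WEB-Sense) vendor websense host 10.0.0.1 timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
"""

# The esmtp exclusion from the answer above, with its example addresses.
ESMTP_CONFIG = """\
access-list ESMTP deny ip host 1.1.1.10 any
access-list ESMTP permit ip 1.1.1.0 255.255.255.0 any
class-map CMAP
match access-list ESMTP
policy-map PMAP
class CMAP
inspect esmtp
service-policy PMAP interface inside
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+\S+\s+(.+)$")
URL_SERVER_RE = re.compile(r"^url-server\s+\((\S+)\)\s+vendor\s+(\S+)\s+host\s+(\S+)")


def _addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ACL address spec ('any', 'host A' or 'A MASK'); return it and the rest."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(config: str) -> dict:
    """policies: pmap -> class -> [inspect args]; class_acl: class-map -> ACL name;
    acls: name -> [(action, src_net, dst_net)]; url_servers: [(interface, vendor, host)]."""
    out = {"policies": {}, "class_acl": {}, "acls": {}, "url_servers": []}
    pmap = cls = cmap = None
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "policy-map":  # name is the last token, also for 'policy-map type inspect http NAME'
            pmap, cls, cmap = out["policies"].setdefault(tok[-1], {}), None, None
        elif tok[0] == "class-map":
            cmap, pmap, cls = tok[-1], None, None
        elif tok[0] == "class" and pmap is not None:
            cls = pmap.setdefault(tok[1], [])
        elif tok[0] == "inspect" and cls is not None:
            cls.append(" ".join(tok[1:]))
        elif tok[:2] == ["match", "access-list"] and cmap:
            out["class_acl"][cmap] = tok[2]
        elif (m := ACE_RE.match(line)):
            src, rest = _addr(m.group(3).split())
            dst, _ = _addr(rest)
            out["acls"].setdefault(m.group(1), []).append((m.group(2), src, dst))
        elif (m := URL_SERVER_RE.match(line)):
            out["url_servers"].append((m.group(1), m.group(2), m.group(3)))
    return out


def acl_selects(aces, src_ip: str, dst_ip: str) -> bool:
    """First matching entry decides; no match at all is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in aces:
        if s in src and d in dst:
            return action == "permit"
    return False


def inspections_for_flow(config: str, policy: str, src_ip: str, dst_ip: str) -> List[str]:
    """Inspect engines the named policy-map applies to a src -> dst flow."""
    cfg = parse_config(config)
    applied = []
    for cls, inspects in cfg["policies"].get(policy, {}).items():
        acl = cfg["class_acl"].get(cls)
        if acl is None or acl_selects(cfg["acls"].get(acl, []), src_ip, dst_ip):
            applied.extend(inspects)
    return applied


def http_dependencies(config: str) -> List[str]:
    """Everything in the config that acts on HTTP: inspect http engines and any url-server
    that a 'filter url' rule relies on. Change one of these at a time when troubleshooting."""
    cfg = parse_config(config)
    deps = [f"inspect {i}" for classes in cfg["policies"].values()
            for inspects in classes.values() for i in inspects if i.split()[0] == "http"]
    deps += [f"url-server {vendor} at {host} on {iface}" for iface, vendor, host in cfg["url_servers"]]
    return deps
```

Calling inspections_for_flow(ESMTP_CONFIG, "PMAP", "1.1.1.10", "203.0.113.25") returns an empty list (the host is excluded by the deny entry) while 1.1.1.20 gets ["esmtp"]; http_dependencies(FWSM_CONFIG) returns both the inspect http engine and the websense url-server, which is the pair the first poster changed together and therefore could not attribute the breakage to either one.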
Hi guys.
When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
It's used here as an example in the documentation:
From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
However I cannot actually see anywhere what these Default settings are.
For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
I cannot find any reference to these.
If anyone can help that would be great.
Thanks.
Mike
I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
(Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat or else use the ASA CSC module of NGFX CX module with AVC and WSE.)
See the following screenshot for what I was talking about in my first paragraph: -
CSW: Filtered Google Images still appearing with HTTPS Inspect configured
Hi,
I'm currently testing https Inspect to close a hole in the Google Images search.
I was under the impression that https inspect would not display any images that are in a blocked category.
I have a CSW created certificate installed on the PC I'm testing on which I see as being accepted. If I delete the cert from the PC, then I can't get to google (via https) as the cert is not accepted.
However, with the cert running on the PC, images are not being filtered within a Google search. It's not practical for us to change to a "safesearch on" policy and was under the impression that https inspect would indeed filter the images, but it's not. I've tested on some images that they are blocked as if I click the "visit site" or "view image" links, then I get the blocked page.
Any help is very appreciated.
Thanks
Craig
Thanks for the answer, but that's crazy; it didn't used to be like that before Google forced https on everyone.
I can't see how safe search can be enforced? I know it can be done at DNS, but that doesn't help our field users who connect to their own/public wifi. Even when they are VPN'd, we use split tunnelling so that won't work either.
Seems a real limitation of CWS that you cannot simply manipulate URLs or make custom suffixes? Or can you?
Our contract is up later this year and with all the issues we've had lately combined with it not being a very powerful solution, I suspect we'll be looking elsewhere. -
Would like to disable HTTP and use only HTTPS yet I get side effects
Hello,
I have established a secure connection between the AS ABAP and AS Java.
I would like to assure that all communication between the servers is using https, and for that, as a test, I have deactivated the http service using the SMICM transaction.
The only side effect I could recognize so far is that the Web Dynpro for ABAP stuff doesn't work through transaction SE80, the working area simply doesn't come up. If I activate HTTP again it is working.
Am I doing the right thing by disabling HTTP completely and if yes, what else do I need to do in order to prevent this side effect from happening?
Roy
humuhumunukunukuapuaa wrote:
If I get some nice approvals on my app spree in 10 days, I would like to close Talbots and Abercrombie and Fitch store cards. Total CL for the 2 is $2,700 ($1,350 each) but I can make up for that closure and utilization loss by getting quite a bit more than those amounts on majors during my app spree. Talbots has only been open 4 months, A&F one year. I have other cards that are the same age or older so should not majorly affect AaoA. Thoughts? I know some will say don't close cards, but they're store cards and I don't need to be responsible for store cards I don't use.
If you have no use for them and don't foresee using them in the future then you should probably close them out. They won't affect your AAoA as the cards will stay in your reports for 10 years. No sense in keeping cards that you don't want just to take up room in your sock drawer. -
How do I disable http at the AP level with 5508 running 7.4.100.0
I have a 5508 with 7.4.100.0, with 76 3602I APs connected. Each AP responds to an HTTP request, asking for username and password at the AP. How do you disable this, and not disable https:// at the WLC?
This is the IP of the AP, not the controller. I only want to allow SSH to the APs, for diagnostic support when necessary.
I have other 5508's running 7.0.98.0, 7.0.240.0, and 7.3.116.0, and they do not do this.
This issue is:
CSCuf66202 HTTP port 80 open on Access Points when controller is 7.4.100.0
To be fixed in the 7.4 MR1 release, due out this summer.
In general, lightweight APs are not supposed to have TCP port 80 open, unless they are operating in OEAP mode.
As far as manually configuring "no ip http server" on the AP - this does not survive a reboot. TAC has asked for a general purpose way to configure lightweight APs:
CSCsy17873 support general purpose method of configuring APs
This has not been committed ... if people in the field think this would be useful, please communicate that to your friendly neighborhood Cisco sales team.
Cheers,
Aaron -
How do I disable http proxy settings on iPad mini?
How do I disable http proxy settings on iPad mini?
You can save the zip file to GoodReader and unzip it with GoodReader.
-
Prime 2.0: Disable HTTPS (GUI)
Hi,
How to disable HTTPS by default in Cisco Prime 2.0?
I cannot see that it's stated in the documentation. This function could be set in LMS 4.2 & PI 1.3.
Best Regards,
/ W
Hi again,
I went through this question with Cisco TAC.
The answer I received was: "It is not supported to disable HTTPS, as it may cause other issues." -
Toying with https inspection. Do access lists now have to be in decryption policies?
Hello,
I am toying with https inspection. I am wondering now, with the WCCP redirect from the firewall for https on two of our test IPs (before rolling it into production), if I need to basically duplicate all of my Access Policies in the Decrypt Policies. Are Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
Let's say you want facebook blocked. In Access Policies it is blocked by default, unless you fall into an upper category like AD group Management for example. Well, facebook has both an http and an https (now increasingly more common) site. So could they just circumvent this block by typing in https? They can do that now (since we're not inspecting https), but we want to put a stop to that.
I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine. We don't even get redirected to our server hosting the "you are blocked" page.
OK so it's fine to have a global decryption policy that has everything set to monitor, and just continue to let the access policy do all the work?
At least if you "hit" on an access policy, the WLC forwards us to our customized block page. In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).
When would the "decrypt" option be a good idea? -
Re: Disable HTTP access to Weblogic 6.0
Appears to be: http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
On 20 Jul 2001 08:35:38 -0800, "Florian Kirchhoff" <[email protected]> wrote:
>
Is this possible in Weblogic 6.0?
"Don Dwoske" <[email protected]> wrote:
It looks like you've got a couple of different things going on here.
If you want to disable http, do this in the WL properties file:
weblogic.httpd.enable=false
Your getInitialContext should figure out what port your naming service is on unless you've hardcoded it to be localhost:80, true?
I switch between ports 80 and 7001 all the time without problems.
-Don
"Gagan Bhalla" <[email protected]> wrote:
Hi,
Can someone tell me how I disable the HTTP access to Weblogic.
The environment I am running on my dev machine would be Win2000 + Weblogic 5.1 + SP6. I am redirecting any HTTP request to the secure port and that part is working. But I want to be able to completely disable any HTTP requests all together. Is there a way to do this?
In the weblogic.properties file, if I change the weblogic.system.listenPort property to point to anything other than port 80, it gives me errors on the WLInitialContext. What else do I need to change in this so that I can listen on a port other than 80?
Thanks for your help,
Gagan
javax.naming.CommunicationException. Root exception is java.net.ConnectException: No server found at T3://localhost:80
at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java, Compiled Code)
at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java, Compiled Code)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java, Compiled Code)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:148)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:123)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:671)
I need to keep the HTTP session alive.
But I need to block the TRACE method, or say the GET method.
Any clue how we can do that?
Thanks