Disable http inspection in global_policy FWSM

I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
Looking into the config on the FWSM, I see that under the global_policy we are inspecting http:
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
I would like to remove inspect http as a test to see if this is causing our problems, but I am unsure of the impact of doing this.
Also, it is strange, as this option has been there for a long time and our download issues have only recently started to happen; it does seem to be only for http links, though.
I don't really understand what the inspection engine does.

Well,
I removed the http inspection and it broke all inbound and outbound web services!
Then I discovered this:
url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
This web-sense server is down and no longer used.
But am I correct to assume that the presence of this config caused a problem, as all http was trying to go via the Websense, but with http inspection enabled it is able to go out direct?
I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
Thanks
Roger

Similar Messages

  • Dropbox and HTTPS inspection

    Greetings, community!
    We have a problem with the Dropbox application connecting to its servers through our TMG server array.
    HTTPS-Inspection is enabled.
    So, the error in the logs is:
    Failed Connection Attempt
    Log type: Web Proxy (Forward)
    Status: 0x80090325
    Rule: Allow Web Access for All Users
    Source: Internal (10.0.128.15:53328)
    Destination: External (108.160.165.11:443)
    Request: client60.dropbox.com:443
    Filter information: Req ID: 0ab2df8b; Compression: client=No, server=No, compress rate=0% decompress rate=0%
    Protocol: https-inspect
    User: anonymous
    Additional information
    Object source: Internet (Source is the Internet. Object was added to the cache.)
    Cache info: 0x0
    Processing time: 0 MIME type:
    I tried to:
    1. Disable HTTPS-Inspection for *.dropbox.com destination
    2. Enable direct access to *.dropbox.com
    Same trouble.
    Has anyone seen the same problem?

    Hi,
    Are your clients configured as Webproxy clients (TMG proxy specified in the browser)?
    Dropbox may not use the proxy settings from your browser.
    Please try to set the proxy on the client with NETSH WINHTTP SET PROXY
    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.galileocomputing.de/3570

  • CSM 3.3.0, FWSM 4.0(6), HTTP Inspection

    Hi,
    I have a firewall module (FWSM), version 4.0(6), which is managed with CSM (3.3.0). There is a problem with regular expression configuration through CSM. HTTP inspection with a regular expression is configured successfully with ASDM, but this configuration is not deployed to the FWSM by CSM. It seems CSM does not support regular expressions for the FWSM. The following picture shows that CSM supports HTTP advanced inspection configuration only for ASA 7.2 and PIX 7.2. I need to know whether CSM 4.0 has this limitation too, or whether there is any solution for this CSM version.

    Here is the guide for Flex configs http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.3/user/guide/tmplchap.html
    There is no predefined flex config for the http inspection. But you can create a new Flex config that has the commands:
    regex ...
    class-map type inspect http ...
      match header host regex ...
    The Flex config in CSM will be deploying the commands as if you were doing it with CLI.
    I hope it makes sense.
    PK

  • Potential Impact of Disabling Default HTTP Inspection Policy

    I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map.  The software for this firewall is recent 8.2(x).
    Some questions:
    1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration.  All such traffic is inspected by the appliance.  Am I correct in this understanding?
    2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
    3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting?  Would I see any noticeable impact to HTTP traffic by doing this?
    Thank you for your responses in advance.
    Jeff

    Hi,
    These are the responses to your queries:
    1) Yes, HTTP inspection will check all connections destined to port 80 through the ASA device as per the RFC standards.
    2) Possibly yes. As HTTP connections make up the major share of traffic on the ASA device, a lot of traffic has to be inspected by the ASA, and re-assembly will also cause the ASA device to do some extra processing.
    3) No, I think you would reduce the processing load on the ASA after disabling this inspection.
    This would not cause any disruption to traffic, as the change is not applied to existing connections but only to new connections made through the ASA device after the policy is modified.
    Also, check this:
    http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
    Thanks and Regards,
    Vibhor Amrodia

  • HTTP Inspection Cisco PIX 525

    I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
    My regex is:    regex HACKBLOCK "*/admin/.*\.jsp*"
    My class-maps are: 
    class-map type regex match-any HACKBLOCK_METHOD
    match regex GET
    class-map XXXXTWBLOCK
    match access-list HACKBLOCK_HOSTS
    class-map type regex match-any HACKBLOCK_URL
    match regex HACKBLOCK
    class-map type inspect http match-all HACKBLOCK_FILTER
    match request uri regex class HACKBLOCK_URL
    class-map inspection_default
    match default-inspection-traffic
    My policy-maps are:
    policy-map type inspect http HACKBLOCK_HTTP
    parameters
    class HACKBLOCK_FILTER
      log
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect dns
      inspect h323 ras
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    policy-map OUTSIDE
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    class class-default
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 1200
    As you can see, I added the inspection rule to a separate class named ENPROTWBLOCK.  This matches traffic based on the destination of our class C.  I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
    #sh service-pol inspec http
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
        Class-map: XXXXTWBLOCK
          Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
            protocol violations
              packet 34206
            class HACKBLOCK_FILTER
              log, packet 0
    enp-amer-clt-pix525-a#
    I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
    Any idea what's going on here and why I am not matching the HTTP URIs?
    Thanks,
    Matthias  CCIE# 28445

    I get hits on the ACL.  The issue is that the HTTP inspection does not seem to function.  Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20
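The HACKBLOCK regex can be sanity-checked off-box before touching the PIX again. The following is an added example (Python, not from the post or from Cisco) that uses Python's `re` as a stand-in for the PIX regex engine; it assumes the metacharacters `*`, `.` and `\.` carry the same meaning in both and that, like the PIX, the match is an unanchored search. The sample URI paths and the TIGHTENED pattern are my own constructions.

```python
import re

# Pattern exactly as posted ("regex HACKBLOCK ..."), plus two variants for
# comparison.  NO_LEADING_STAR only drops the leading "*"; TIGHTENED is an
# assumed replacement that also pins the extension to ".jsp" followed by
# either a query string or the end of the path.
POSTED_PATTERN = r"*/admin/.*\.jsp*"
NO_LEADING_STAR = r"/admin/.*\.jsp*"
TIGHTENED = r"/admin/[^?]*\.jsp(\?|$)"

# Constructed sample URI paths (not from the thread).  The first one is the
# path of the poster's test URL http://www.<ourdomain>.com/admin/test.jsp.
SAMPLE_URIS = [
    "/admin/test.jsp",
    "/XXX/admin/XXX.jsp?id=1",
    "/admin/app.js",
    "/admin/test.jspx",
    "/public/index.jsp",
]


def check(pattern, uri):
    """Classify a pattern against one URI path.

    'invalid'  - the pattern does not compile here (a leading "*" has
                 nothing to repeat); a construct one engine rejects is the
                 first thing to rework before blaming the policy-map;
    'match'    - an unanchored search finds the pattern in the path;
    'no-match' - otherwise.
    """
    try:
        rx = re.compile(pattern)
    except re.error:
        return "invalid"
    return "match" if rx.search(uri) else "no-match"


def evaluate(pattern):
    """Map each sample URI to its classification for the given pattern."""
    return {uri: check(pattern, uri) for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for name, pattern in [("posted", POSTED_PATTERN),
                          ("no leading *", NO_LEADING_STAR),
                          ("tightened", TIGHTENED)]:
        print(f"{name}: {pattern}")
        for uri, result in evaluate(pattern).items():
            # Note that NO_LEADING_STAR still matches /admin/app.js, because
            # the trailing "p*" makes the "p" of ".jsp" optional.
            print(f"  {result:9} {uri}")
```

Whichever pattern you settle on, test it on the firewall itself as well before relying on it, since the PIX regex engine is not Python's.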

  • Advantage/disadvantage of disabling "no inspect sqlnet"

    What is the advantage of enabling sqlnet inspection, and what is the downside of disabling sqlnet inspection ("no inspect sqlnet")?
    I know very well the pros and cons of enabling or disabling ftp inspection, but for the past five years I have not seen anyone able to explain the pros and cons of enabling/disabling sqlnet inspection.
    I asked this question five years ago and someone replied, but I don't think he knew what it is.  He just copied from the Cisco documentation:  https://supportforums.cisco.com/discussion/10838696/what-advantage-enabling-sqlnet-inspection-asa-appliance
    From my production experience, enabling/disabling sqlnet inspection makes no difference, and in my previous life I was an Oracle DBA.
    I've seen my security vulnerabilities and when Oracle does not work across the ASA firewalls, Cisco TAC response is always "disable sqlnet inspection".
    If that is the case, why have it enable by default in the first place?

    Hi,
    The advantage of having any protocol inspection enabled on the ASA device is to make the ASA device aware of two things mainly:
    1) Any embedded IP address at the application layer for the specific protocol
    2) Allowing secondary channels by opening pinholes through the ASA device without explicitly allowing them with ACL rules.
    Some other inspections are also used to implement/enforce the RFC for the protocols (for example SMTP, DNS, etc.)
    Just picking the example from inspect sqlnet:
    Note: Disable SQL*Net inspection when SQL data transfer occurs on the same port as the SQL control TCP port 1521. The ASA acts as a proxy when SQL*Net inspection is enabled and reduces the client window size from 65000 to about 16000, causing data transfer issues.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/i2.html#pgfId-1762719
    These inspections are enabled by default but can be modified or disabled depending on the application that you are using through the ASA device.
    Hope that clarifies your query. Let me know if you have any other questions.
    Thanks and Regards,
    Vibhor Amrodia

  • Disable esmtp Inspection for Specific Host

    Hello.  Is it possible to disable esmtp inspection for a specific INSIDE host with use of a policy-map?  If so, could you provide an example configuration.

    Yes it is possible.  You could do something like the following:
    access-list ESMTP deny ip host 1.1.1.10 any
    access-list ESMTP permit ip 1.1.1.0 255.255.255.0 any
    class-map CMAP
    match access-list ESMTP
    policy-map PMAP
    class CMAP
    inspect esmtp
    service-policy PMAP interface inside
    Please remember to select a correct answer and rate helpful posts
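To make the deny-then-permit trick above concrete, here is an added example (Python, not from the answer or from Cisco) that models how the firewall evaluates the ESMTP access-list for class-map CMAP: the first matching entry wins, an unmatched packet hits the implicit deny, and a deny hit only keeps the flow out of the class rather than dropping it. The sample flows and the 203.0.113.25 destination are constructed.

```python
import ipaddress

# ACL from the answer above as (action, source, destination) entries.  The
# firewall evaluates ACEs top-down, stops at the first hit, and treats a
# packet that matches nothing as denied (implicit deny).
ESMTP_ACL = [
    ("deny",   "1.1.1.10/32", "0.0.0.0/0"),
    ("permit", "1.1.1.0/24",  "0.0.0.0/0"),
]


def acl_lookup(acl, src_ip, dst_ip):
    """Return the action of the first ACE matching (src, dst), or 'deny'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return "deny"  # implicit deny at the end of every ACL


def in_class_cmap(src_ip, dst_ip):
    """Class-map CMAP membership ("match access-list ESMTP").

    Only a 'permit' hit puts a flow in the class.  A 'deny' hit (explicit or
    implicit) does not drop anything; it just keeps the flow out of CMAP.
    """
    return acl_lookup(ESMTP_ACL, src_ip, dst_ip) == "permit"


def inspection_for(src_ip, dst_ip):
    """Inspection actions policy-map PMAP (on the inside interface) applies."""
    return ["inspect esmtp"] if in_class_cmap(src_ip, dst_ip) else []


# Constructed sample flows (not from the thread).
SAMPLE_FLOWS = [
    ("1.1.1.10", "203.0.113.25"),  # the excluded host: explicit deny
    ("1.1.1.20", "203.0.113.25"),  # another host in 1.1.1.0/24: permit
    ("1.1.2.5",  "203.0.113.25"),  # outside the subnet: implicit deny
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src} -> {dst}: in CMAP={in_class_cmap(src, dst)}, "
              f"actions={inspection_for(src, dst)}")
```

Exclusion from CMAP only removes the inside interface policy's inspection; if a global policy also applies inspect esmtp, traffic that does not match CMAP still falls through to that global inspection.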

  • Default HTTP inspection map

    Hi guys.
    When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
    It's used here as an example in the documentation:
    From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
    However I cannot actually see anywhere what these Default settings are.
    For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
    I cannot find any reference to these.
    If anyone can help that would be great.
    Thanks.
    Mike

    I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
    (Very, very few people actually use the built-in http inspection; instead they use either a 3rd-party solution like WebSense URL filtering, a proxy server like WSA or BlueCoat, or else the ASA CSC module or NGFW CX module with AVC and WSE.)
    See the following screenshot for what I was talking about in my first paragraph:

  • CSW: Filtered Google Images still appearing with HTTPS Inspect configured

    Hi,
    I'm currently testing https Inspect to close a hole in the Google Images search.
    I was under the impression that https inspect would not display any images that are in a blocked category.
    I have a CSW-created certificate installed on the PC I'm testing on, which I see as being accepted.  If I delete the cert from the PC, then I can't get to google (via https) as the cert is not accepted.
    However, with the cert running on the PC, images are not being filtered within a Google search.  It's not practical for us to change to a "safesearch on" policy, and I was under the impression that https inspect would indeed filter the images, but it's not.  I've tested on some images that they are blocked, as if I click the "visit site" or "view image" links, then I get the blocked page.
    Any help is very appreciated.
    Thanks
    Craig

    Thanks for the answer, but that's crazy; it didn't use to be like that before Google forced https on everyone.
    I can't see how safe search can be enforced.  I know it can be done at DNS, but that doesn't help our field users who connect to their own/public wifi.  Even when they are VPN'd, we use split tunnelling, so that won't work either.
    Seems a real limitation of CWS that you cannot simply manipulate URLs or make custom suffixes?  Or can you?
    Our contract is up later this year and with all the issues we've had lately combined with it not being a very powerful solution, I suspect we'll be looking elsewhere.

  • Would like to disable HTTP and use only HTTPS yet I get side effects

    Hello,
    I have established a secure connection between the AS ABAP and AS Java.
    I would like to assure that all communication between the servers is using https and for that, as a test, I have deactivated the http service using the SMICM transaction.
    The only side effect I could recognize so far is that the Web Dynpro for ABAP stuff doesn't work through transaction SE80, the working area simply doesn't come up. If I activate HTTP again it is working.
    Am I doing the right thing by disabling HTTP completely and if yes, what else do I need to do in order to prevent this side effect from happening?
    Roy


  • How do I disable http at the AP level with 5508 running 7.4.100.0

    I have a 5508 with 7.4.100.0, with 76 3602I APs connected. Each AP responds to an HTTP request, asking for username and password at the AP. How do you disable this, and not disable https:// at the WLC?
    This is the IP of the AP, not the controller. I only want to allow SSH to the APs, for diagnostic support when necessary.
    I have other 5508's running 7.0.98.0, 7.0.240.0, and 7.3.116.0, and they do not do this.

    This issue is:
    CSCuf66202    HTTP port 80 open on Access Points when controller is 7.4.100.0
    To be fixed in the 7.4 MR1 release, due out this summer.
    In general, lightweight APs are not supposed to have TCP port 80 open, unless they are operating in OEAP mode.
    As far as manually configuring "no ip http server" on the AP - this does not survive a reboot.  TAC has asked for a general purpose way to configure lightweight APs:
    CSCsy17873    support general purpose method of configuring APs
    This has not been committed ... if people in the field think this would be useful, please communicate that to your friendly neighborhood Cisco sales team.
    Cheers,
    Aaron

  • How do I disable http proxy settings on iPad mini?

    How do I disable http proxy settings on iPad mini?

    You can save the zip file to GoodReader and unzip it with GoodReader.

  • Prime 2.0: Disable HTTPS (GUi)

    Hi,
    How do I disable HTTPS by default in Cisco Prime 2.0?
    I cannot see that it's stated in the documentation. This function could be set in LMS 4.2 & PI 1.3.
    Best Regards,
    / W

    Hi Again,
    I went this question through Cisco TAC.
    The answer I received was: "It is not supported to disable HTTPS, as it may cause other issues."

  • Toying with https inspection. Do access lists now have to be in decryption policies?

    Hello,
    I am toying with https inspection.  I am wondering now, with the WCCP redirect from the firewall for https on two of our test IPs (before rolling it into production), whether I need to basically duplicate all of my Access Policies in the Decrypt Policies.  Are Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
    Let's say you want facebook blocked.  In Access Policies it is blocked by default, unless you fall into an upper category like the AD group Management, for example.  Well, facebook has both an http and an https (now increasingly more common) site.  So could they just circumvent this block by typing in https?  They can do that now (since we're not inspecting https), but we want to put a stop to that.
    I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine.  We don't even get redirected to our server hosting the "you are blocked" page.

    OK, so it's fine to have a global decryption policy that has everything set to monitor, and just continue to let the access policy do all the work?
    At least if you "hit" on an access policy, the WLC forwards us to our customized block page.  In the decryption policy, if you hit drop, quite understandably you just get a page cannot be displayed (since it is dropped, of course).
    When would the "decrypt" option be a good idea?

  • Re: Disable HTTP access to Weblogic 6.0

    Appears to be: http://e-docs.bea.com/wls/docs60///////config_xml/properties.html
    On 20 Jul 2001 08:35:38 -0800, "Florian Kirchhoff" <[email protected]> wrote:
    > Is this possible in Weblogic 6.0?
    "Don Dwoske" <[email protected]> wrote:
    It looks like you've got a couple of different things going on here.
    If you want to disable http, do this in the WL properties file:
    weblogic.httpd.enable=false
    Your getInitialContext should figure out what port your naming service is on unless you've hardcoded it to be localhost:80, true?
    I switch between ports 80 and 7001 all the time without problems.
    -Don
    "Gagan Bhalla" <[email protected]> wrote:
    Hi,
    Can someone tell me how I disable the HTTP access to Weblogic?
    The environment I am running on my dev machine would be Win2000 + Weblogic 5.1 + SP6. I am redirecting any HTTP request to the secure port and that part is working. But I want to be able to completely disable any HTTP requests altogether. Is there a way to do this?
    In the weblogic.properties file, if I change the weblogic.system.listenPort property to point to anything other than port 80, it gives me errors on the WLInitialContext. What else do I need to change in this so that I can listen on a port other than 80?
    Thanks for your help,
    Gagan
    javax.naming.CommunicationException. Root exception is
    java.net.ConnectException: No server found at T3://localhost:80
    at weblogic.rjvm.RJVMFinder.findOrCreate(RJVMFinder.java, Compiled Code)
    at weblogic.rjvm.ServerURL.findOrCreateRJVM(ServerURL.java, Compiled Code)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java, Compiled Code)
    at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:148)
    at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:123)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:671)

    I need to keep the HTTP session alive.
    But I need to block the TRACE method, or say the GET method.
    Any clue how we can do that?
    thanks
