IOS URL Filtering (FW Feature Set - Websense)
We are considering enabling this feature at our remote sites, with Websense server at corporate location. Has anyone enabled this feature at their remotes? If so, what was the user experience considering the additional latency of WAN? Any feedback would be appreciated.
I've seen WebSense on a LAN only, but I've used SurfControl with local databases and integrated into non-Cisco products. Integrated filtering uses an Internet server for URL filter, so it similar to using a WAN or VPN.
Websense on the LAN didn't slow things down any more than just using 'http inspect' of 'appfw'. Integrated filtering noticeably slows down browsing for non-cached results. Extreme cases like cnn.com or msn.com could take up to 10-12 seconds longer for the first page load. Local caching evens performance out a bit, so it's not that bad.
It really kind of depends on the WAN connection that you are using, the number of users and the response time of the Websense filter server. If latency to the central site is under 100ms and there are less than 20 or so users remotely, your scenario should be fine. Your suggestion is still likely to offer better performance than routing all internet traffic through the central site in a typical setup.
Similar Messages
-
Hi All,
whenever I setup URL filtering in 1841 router with policy-map type http and zone-pair command, I experience 100% CPU spike. is there any workaround?
thanks for any suggestion
AlexDeep packet inspection for URL filtering is pretty much CPU intensive, I am afraid that without HW upgrade, there is nothing you can do about that.
Do you monitor CPU utilization with correlation to traffic load on device?
Best Regards
Please rate all helpful posts and close solved questions -
IOS Content Filtering - Is No More ?
Cisco very quickly End of Lifed the IOS Content Filtering offering last year
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6643/eol_c51-698205.html
For something with a minimum of a yearly lic involved, the EOL timing is shocking - you could have ordered product with a 1 year lic and come back now to find the offering is now dead (as in our case) so much for ROI !
Cisco are pushing Scansafe as their current offering, which has probably led toa falling out with Trend who provided the underlying service for
IOS Content Filtering. Scansafe does not economically cover the low end application, for which IOS Content Filtering was ideal i.e SMB space with 8xx or low end ISR routers. The Cisco answer is basically "perhaps you want to go and investigate solutions form other suppliers"
So we are left with a router platform which is fine and content filtering which was fine but are now unable to re-licence the URL filtering service and will stop working in about 30 days and there is apparently nothing we can do about it
Does anyone know if Trend still operate the URL filtering subscription service and whether theire is a way of geting a subscription renewal direct ?
(i'm not holding my breath on that - I am guessing the IOS content filtering hooks for the service being certificate based + Cisco license process will make that hard for anyone but Cisco)
Or of any alternative simple and cost effective solution we can configure the router to use
(please tell me we're not back to SurfControl/Websense solutions again..)
thanks
SezApproached the Cisco AM - frankly there was little or no interest in fixing such a low value problem. The spin was the Trend relationship ending was beyond Cisco control and Cisco hands tied - i.e. its not our fault (but strangely the problem is the customers)
Yes we could get some TMP discount - against the original hardware purchase but the hardware for lowend installs is negligible, it is the services time/cost in getting solution (and any replacement) into deployment which is the costly part and TMP makes no allowance for that.
Also scansafe solution is much more expensive, compared to IOS URL Filtering, so even taking off the minor TMP discount the answer form Cisco is basically - yep spend more money with us and we'll fix the problem we created for you. And why is there so little normal info on Cisoc.com for scansafe - i.e. covering SKU/ordering models etc... It always just ays 'ask your Cisco AM for details' - that may have worked when Scansafe was a separate company but a Cisco AM is unlikely to even answer the phone to talk about a $3K order
If Cisco really wanted to protect customer investment, why couldn't it provide through Scansafe a replacement service for IOS URL Filtering service, at similar cost and pricing model to that provided by the Trend integration? i.e. same kit, same config but pointed at scansafe cloud rather than Trend cloud. Then there would be no issue and a clean migration path provided for Ciscos valued customers
Probably answering my own question but scansafe appears to return to a cost related to the user count, whereas IOS URL Filtering service was a simple one off cost per router. This was ideal for low end application (the ISR800 series size of deployment) and comparable scansafe is way more expensive.
I have found we are not alone in this, most customers are only finding out about this mess when existing IOS URL Filtering licence's expire and go for renewal only to find the 3 month EOL process has stealthily boatanchored their implementation.
Sez -
IOS Content Filtering Using TrendMicro: Can I customize the block-page redirect-url?
I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription.
Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page http://global.sitesafety.trendmicro.com/result.php or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
I know I can use the 'parameter-map type urlfpolicy trend ' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but I wonder if anyone has any ideas on how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
Thanks!
Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?Hmm... no thoughts over the weekend. Anyone?
-
Websense URL Filtering is not working in transparent proxy mode
The "sh ip wccp web-cach detail" show that the redirection to CE cluster (5 of them)is working but the url filtering doesnt work at all. The Websense server is on the same VLAN as all the 5 CE. This thing happened when we reconfigured the wccp router list in all the 5 CE point to the msfc vlan ip from the loopback ip address of the msfc. But the strange thing is the filtering work well when we manually configured the proxy server in the internet explorer point to the CE. Any advise?
Thanks.
WilliamProblem is due to absense of Host header field . Most of the browsers will send host header field. But in HTTP/1.0 Host header is not a must , though most of the browsers send it.
-
Hi!
Im planning to upgrade the IOs of our Cisco 7206 router. Just would like to clarify if what feature set does C7200-IS-M is? Actual output from "sh ver: (C7200-IS-M) 12.0(6)W5(14).
Thanks in advance!
udimpasHello,
Thanks for the reply. One more clarification, I have checked with the software advisor but IP Plus has a code of IS-MZ for newer versions. Or maybe because early versions(12.0) of IP Plus has a different code?
Thanks again.
Regards,
udimpas -
Deploying IOS firewall feature set
Hi All,
We are trying to deploy firewall feature in the 2811 router by suing the SDM 2.5. We choosed option for basic firewall setup. It required us to choose trusted and non-trusted interfaces and we did the same. It added access-list inbound on the trusted interface and ip inspect command on the un-trusetd interface.
Also,Intially we want to allow all traffic from untrusted-interface to the trusted interface,so we manually allowed permit ip any to inside network block ?---Is that right ?
We have another question,we would be having a another interface on that router to connect to a different network and preferrably doesn't want to configure that interface as trusted or non-trusted,in this scenario,if any traffic originated from non-defined interface will be able to access the trusted interface or also non-trusted interface ?
Any help would be really appreciated
Thanks
Regards
Anantha Subramanian NatarajanHello Anantha,
"Also,Intially we want to allow all traffic from untrusted-interface " That would entirely break the idea of deploying the IOS Firewall. Nature of statefull firewall that comes with IOS firewall feature set is, to block all traffic from an untrusted interface by default, then only allow the return traffic of connections, originated from a trusted interface (inspection). And you also can permit some traffic that you trust manually.
"We have another question,we would be having a another interface on that router to connect to a different network and preferrably doesn't want to configure that interface as trusted or non-trusted,in this scenario,if any traffic originated from non-defined interface will be able to access the trusted interface or also non-trusted interface ?"
If the inspection rule is applied to oubound direction of untrusted interface, feel free to unset other interfaces as trusted.
Regards -
Filtering packets w/ IDS feature set based on TTL?
Is it possible to filter and block packets based on TTL using the IDS feature set on a 2611 router? I'm a small ISP, and I'm looking for a way to prevent people from using ICS or routers to share their connections.
Mike
CCNAThe Cisco IOS Firewall Intrusion Detection System (IDS) acts as an in-line intrusion detection sensor, watching packets and sessions as they flow through the router, scanning each to match any of the IDS signatures. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog. The network administrator can configure the IDS system to choose the appropriate response to various threats. When packets in a session match a signature, the IDS system can be configured to:
Send an alarm to a syslog server or a Cisco NetRanger Director (centralized management interface)
Drop the packet
Reset the TCP connection -
Do I need IOS firewall feature set on Catalyst 6500 for FW blade?
Hi all,
If I install a FW blade in Cat6500, should I need to have the IOS firewall feature set on Cat6500 itself?
Thanks and Regards,
makNope.
The FWSM uses it's own OS based on PIX OS. While it uses SVIs configured in the MSFC, it otherwise runs autonomously from the Sup and MSFC, even in Native mode.
Let me know if this helps by rating the post.
Michael -
Guys I'm sure this is a goofy question but I can't seem to find the answer.
I am wanting to know where a can find the difference between the different feature sets?
Example: Entrprise plus, ip, ip plus, remote access server, etc etc
Is there a feature break down of sorts that I can look to know whether I want the ip or ip plus feature set etc etc
Thanks
JimmyHi
there are various types of packages which are defined for specific functions for eg. IP routing, Advanced routing, VPN encryption , voice etc.
Cisco has made different types of packages for different reqirements.For Eg. If a customer is a simple SMB, the he can go for a simple IP feature IOS set.If its an corporate, he needs advanced functionalities such as BGP etc.So he can have IP/PLUS IOS feature set. and so on.....
Please view the IOS packaging guide at the following link
http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html
The following is the link for router's IOS
http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html
And the following is the link for Switchs
http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin0900aecd80281b17.html
Hope that will help.
Pls rate helpful posts.
Regards
JD -
Hi, all:
I'm trying to configure TrendMicro IOS content filtering. I have this working on a separate box, running 15.1.
On this particular testbed, I have a 2900 running:
System image file is "flash0:c2900-universalk9-mz.SPA.152-3.T1.bin"
And the following licensing:
Technology Package License Information for Module:'c2900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Permanent securityk9
uc uck9 Permanent uck9
data datak9 Permanent datak9
Configuration register is 0x2102
CUBE_GOLD_MEX#show ip trm subscription status
Package Name: Security & Productivity (Trial)
Status: Active
Status Update Time: 18:02:51 CST Mon Jul 23 2012
Expiration-Date: Mon Aug 20 02:00:00 2012
Last Req Status: Processed response successfully
Last Req Sent Time: 18:02:51 CST Mon Jul 23 2012
CUBE_GOLD_MEX#
Also, I have the following config lines on it:
ip host trps.trendmicro.com 216.104.8.100
ip name-server 4.2.2.2
ip cef
multilink bundle-name authenticated
parameter-map type urlfpolicy trend tm-pmap
allow-mode on
[snip]
parameter-map type trend-global trend-glob-map
class-map type inspect match-all http-imap
match protocol http
class-map type urlfilter trend match-any drop-category
match url category Abortion
match url category Activist-Groups
match url category Adult-Mature-Content
match url reputation ADWARE
match url reputation DIALER
match url reputation DISEASE-VECTOR
match url reputation HACKING
match url reputation PASSWORD-CRACKING-APPLICATIONS
match url reputation PHISHING
match url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match url reputation SPYWARE
match url reputation VIRUS-ACCOMPLICE
policy-map type inspect urlfilter trend-policy
class type urlfilter trend drop-category
I have not been able to get to the good part of configuring the ZBF.
I've looked over several configuration examples and can't figure out what I'm doing wrong, since I'm not able to see the command 'parameter-map' under the 'policy-map urlfiltering'
XXXXXX(config)#policy-map type inspect urlfilter trend-policy
XXXXXX(config-pmap)#?
Policy-map configuration commands:
class policy criteria
description Policy-Map description
exit Exit from policy-map configuration mode
no Negate or set default values of a command
XXXXXX(config-pmap)#
I thought it might be an issue with version 15.2.3, but according to configuration guides, commands are the same.
Can anyone provide some assistance?
TIA.
c.Hi Carlos,
I am having the same problem. I have seen a few diffenent configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the the IOS documentation for 15.2. Maybe they forgot it :-)
I guess I will open a TAC case as I do not want to downgrade...
I will keep you posted if I find the answer.
Regards,
Troy -
How can I achieve IOS content filtering using a Cisco router
Good day Everybody.
I would like to set up content filtering using IOS on my Cisco router. I already know how to do URL filtering but I want to restrict access to sites based on categories.
Is this possible without having to introduce an external device?Natively in IOS this is not possible. However you can configure CWS (Cisco Web Security). The router will forward web requests to a cloud based web security service.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps10142/ps11720/data_sheet_c78-729637.html -
Time pattern to allow user breakthrough URLFilter over IOS content filtering
hi
i have a client did request me to create such thing for them over IOS content filtering + Trend Micro based subscrition (till this level i'm pretty not sure it is feasible or what)
scenario would be:
like group 1 of users are the martketing subnet, then setting the time from 0800 hour to 1700 hour are prohibited to access any of the block blackilist site (either from local and/or trend micro reputation / category blacklist URL)
is there any way round i can enable the router to recognize the time then let user to gain access after 1700 hour?
Can TCL do this? any other way round for this
thank you
NoelHi Carlos,
I am having the same problem. I have seen a few diffenent configuration examples and they all show adding the "parameter type urlfpolicy trend parm-map-name" command but it doesn't exist, at least in 15.2(3)T1 and I see it listed in the the IOS documentation for 15.2. Maybe they forgot it :-)
I guess I will open a TAC case as I do not want to downgrade...
I will keep you posted if I find the answer.
Regards,
Troy -
IOS content filtering on trend micro subscription
hi
i just finish setup the IOS content filtering on C1841. basically it's combo of local filtering and Trend micro subscrition based. all the parameter-map, class-map, policy-map and zone firewall setting is up and ready to go.
Some question to ask
1. how do i examine trend micro content filtering on it REPUTATION and CATEGORIES is really working?
as usual, after setup these command :
paramater-map type trend-global MY-GLOBAL-PARAM
server trps.trendmicro.com
pamater-map type urlfpolicy trend MY-PARAM
allow-mode on
block-pass message "bla-bla-bla"
class-map type urlfilter trend match-any trend-block-categories
match url catergory Adult-Mature-Content
class-map type urlfilter trend match-any trend-block-reputation
match url reputation ADWARE
policy-map type inspect urlfilter MY-ACTION
parameter type urlfpolicy trend MY-PARAM
class type urlfilter trend trend-block-categories
reset
class type urlfilter trendtrend-block-reputation
reset
so for my zone firewall policy:
policy-map type inspect out->in
class type inspect trafic
inspect
service-policy urlfilter MY-ACTION
then i do apply zone-pair to the outside and inside interface,everything set to go.
so far what i can block is only using URL-blacklist to block the whole domain. anyway how can totally left to trend micro subscription license to do with it all?
noelHmm... no thoughts over the weekend. Anyone?
-
Hi,
I need to buy a firewall with some basic URL filtering. I only need to deny access to some URL and not using a service like Websense or something like that.
I would like to do this with an ISR, like 2800 family, because I don't need anti-x features but only basic firewalling, VPN, and Voice features.
The other option is to use ASA 5520, but I would like to make the simple URL filtering without the need to use CSC module.
Is there any way to to this?
Mario.There is no need to go for an ASA. A 2800 isr will do.
Refer the following url's for more details,
http://cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin09186a00801af451.html
http://cisco.com/en/US/products/ps6643/products_white_paper0900aecd804abb11.shtml
Maybe you are looking for
-
PLEASE HELP Hi,I am trying to do factory recovery of my HP DV6 laptop using original HP recovery disc.My laptop has Windows 7 (64Bit) OS. I am doing below steps By pressing F10,entering BIOS mode, changed the BOO
-
Procedure to know No of delta records
Hi All, There were some changes done in CRMPRD for the DS:Business datasource. So we want to compare the changes is DELTA records in CRM loaded to BI server. Now, Is there any way to know the no. of delta records in the R/3 production(here CRM) for p
-
Hi, I called SPROXY transaction in R/3 4.7 system to define proxy to sen data over PI system. It writes "No Connection to Integration Builder" at the top of proxy area. What must i do? Thanks.
-
Substrating a value from its previous value
suppose i have the data in a column like col 200 230 250 290 300 then the output should show col output 200 Null 230 30 250 20 290 40 300 10 can anybody help?
-
Hai all, i need a help from u ppl, i know how to capture delivery date of sales order header,but i want to know from where we can capture item level delivery dates. i want to find delivery date of each item from a single sales order. Thanks in advanc