Potential Impact of Disabling Default HTTP Inspection Policy

I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map. The software for this firewall is a recent 8.2(x).
Some questions:
1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration.  All such traffic is inspected by the appliance.  Am I correct in this understanding?
2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting?  Would I see any noticeable impact to HTTP traffic by doing this?
Thank you for your responses in advance.
Jeff

Hi,
These are the responses to your queries:
1) Yes, HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
2) Possibly, yes. As HTTP connections make up the major share of traffic on the ASA device, a large amount of traffic has to be inspected by the ASA, and re-assembly will also cause the ASA to do some extra processing.
3) No. I think you would reduce the processing load on the ASA by disabling this inspection.
This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
Also, check this:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
Thanks and Regards,
Vibhor Amrodia

Similar Messages

  • Default HTTP inspection map

    Hi guys.
    When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
    It's used here as an example in the documentation:
    From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
    However I cannot actually see anywhere what these Default settings are.
    For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
    I cannot find any reference to these.
    If anyone can help that would be great.
    Thanks.
    Mike

    I'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
    (Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat, or else use the ASA CSC module or NGFW CX module with AVC and WSE.)
    See the following screenshot for what I was talking about in my first paragraph:

  • Default class inspection policy

    Hi Everyone,
    Need to know if the default class inspection policy matches the incoming or outgoing traffic flowing through the ASA?
    For example, when I ping from a PC connected to the ASA to the outside world, will it match the ICMP traffic entering the ASA and then the ICMP reply coming to the outside interface?
    Thanks
    Mahesh

    Hello,
    The ASA is stateful in both directions, so the policy matches incoming and outgoing traffic.
    What happens is that you also have security levels, so from high to low it is allow but from low to high it will be deny unless you configure an ACL.
    Regards,
    Felipe.

  • Default FWSM inspection policy

    On FWSM (running version 4.1 in my case) the default global policy uses the following class map:
    class-map inspection_default
    match default-inspection-traffic
    Does anyone know what "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
    Any insight would be greatly appreciated.
    David W.

    The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:
    FWSM/context1(config)# class-map inspection_default
    FWSM/context1(config-cmap)# match ?
    mpf-class-map mode commands/options:
      access-list                 Match an Access List
      any                         Match any packet
      default-inspection-traffic  Match default inspection traffic:
                                  ctiqbe----tcp--2748      dns-------udp--53      
                                  ftp-------tcp--21        gtp-------udp--2123,3386
                                  h323-h225-tcp--1720      h323-ras--udp--1718-1719
                                  http------tcp--80        icmp------icmp         
                                  ils-------tcp--389       mgcp------udp--2427,2727
                                  netbios---udp--137-138   rpc-------udp--111     
                                  rsh-------tcp--514       rtsp------tcp--554     
                                  sip-------tcp--5060      sip-------udp--5060    
                                  skinny----tcp--2000      smtp------tcp--25      
                                  sqlnet----tcp--1521      tftp------udp--69      
                                  xdmcp-----udp--177     
      port                        Match TCP/UDP port(s)

  • Disable http inspection in global_policy FWSM

    I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.
    Looking into the config on the FWSM I see that under the global_policy we are inspecting http:
    policy-map global_policy
     class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
      inspect icmp
      inspect http
    I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?
    Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?
    I don't really understand what the inspection engine does?

    Well,
    I removed the http inspection and it broke all inbound and outbound web services!
    Then I discovered this:
    url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
    filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
    This web-sense server is down and no longer used.
    But am I correct to assume that the presence of this config caused a problem, as all HTTP was trying to go via the Websense, but with HTTP inspection enabled it is able to go out direct?
    I am unclear as to exactly how the inspection and the url-server / filter url commands interact.
    Thanks
    Roger

  • HTTP Inspection Cisco PIX 525

    I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.
    My regex is:    regex HACKBLOCK "*/admin/.*\.jsp*"
    My class-maps are: 
    class-map type regex match-any HACKBLOCK_METHOD
    match regex GET
    class-map XXXXTWBLOCK
    match access-list HACKBLOCK_HOSTS
    class-map type regex match-any HACKBLOCK_URL
    match regex HACKBLOCK
    class-map type inspect http match-all HACKBLOCK_FILTER
    match request uri regex class HACKBLOCK_URL
    class-map inspection_default
    match default-inspection-traffic
    My policy-maps are:
    policy-map type inspect http HACKBLOCK_HTTP
    parameters
    class HACKBLOCK_FILTER
      log
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect sip
      inspect skinny
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect xdmcp
      inspect dns
      inspect h323 ras
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    policy-map OUTSIDE
    class XXXXTWBLOCK
      inspect http HACKBLOCK_HTTP
    class class-default
    policy-map type inspect dns migrated_dns_map_1
    parameters
      message-length maximum 1200
    As you can see, I added the inspection rule to a separate class named ENPROTWBLOCK. This matches traffic based on the destination of our class C. I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:
    #sh service-pol inspec http
    Global policy:
      Service-policy: global_policy
        Class-map: inspection_default
        Class-map: XXXXTWBLOCK
          Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0
            protocol violations
              packet 34206
            class HACKBLOCK_FILTER
              log, packet 0
    enp-amer-clt-pix525-a#
    I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp
    Any idea what's going on here and why I am not matching the HTTP URIs?
    Thanks,
    Matthias  CCIE# 28445

    I get hits on the ACL.  The issue is that the HTTP inspection does not seem to function.  Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20
    enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS
    access-list HACKBLOCK_HOSTS; 1 elements
    access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20

  • Toying with https inspection. Do access lists now have to be in decryption policies?

    Hello,
    I am toying with https inspection. I am wondering now, with the WCCP redirect from the firewall for https on two of our test IPs (before rolling it into production), if I need to basically duplicate all of my Access Policies in the Decrypt Policies. Are Access Policies just for http websites and Decrypt Policies just for https websites, or am I wrong?
    Let's say you want facebook blocked. In Access Policies it is blocked by default, unless you fall into an upper category like the AD group Management, for example. Well, facebook has both an http and an https (now increasingly more common) site. So could they just circumvent this block by typing in https? They can do that now (since we're not inspecting https), but we want to put a stop to that.
    I tested and put drop for social networking but we just get a page cannot be displayed then on our test machine.  We don't even get redirected to our server hosting the "you are blocked" page.

    OK, so it's fine to have a global decryption policy that has everything set to monitor, and just continue to let the access policy do all the work?
    At least if you "hit" on an access policy, the WLC forwards us to our customized block page.  In decryption policy if you hit drop, quite understandably so you just get a page cannot be displayed (since it is dropped of course).
    When would the "decrypt" option be a good idea?

  • CSW: Filtered Google Images still appearing with HTTPS Inspect configured

    Hi,
    I'm currently testing https Inspect to close a hole in the Google Images search.
    I was under the impression that https inspect would not display any images that are in a blocked category.
    I have a CSW created certificate installed on the PC I'm testing on which I see as being accepted.  If I delete the cert from the PC, then I can't get to google (via https) as the cert is not accepted.
    However, with the cert running on the PC, images are not being filtered within a Google search.  It's not practical for us to change to a "safesearch on" policy and was under the impression that https inspect would indeed filter the images, but it's not.  I've tested on some images that they are blocked as if I click the "visit site" or "view image" links, then I get the blocked page.
    Any help is very appreciated.
    Thanks
    Craig

    Thanks for the answer, but that's crazy, it didn't used to be like that before Google forced https on everyone.
    I can't see how safe search can be enforced? I know it can be done at DNS, but that doesn't help our field users who connect to their own/public wifi. Even when they are VPN'd, we use split tunnelling so that won't work either.
    Seems a real limitation of CWS that you cannot simply manipulate URLs or make custom suffixes? Or can you?
    Our contract is up later this year and with all the issues we've had lately combined with it not being a very powerful solution, I suspect we'll be looking elsewhere.

  • Windows 2012 R2 default domain controllers policy set to enforced

    Hi Guys,
    So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DCs but have cleared this up now. However, I'm now trying to get to grips with using group policy. When I migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so I have a student container which applies a lock-down policy. All these GPOs were previously set up by someone else.
    I set up a test network at home before I did the said migration and am now comparing some group policy settings, namely the default ones, and I have noticed that the default domain controllers policy has been set to enforced on my newly migrated domain. At home on my test server I see it is not enforced by default and am wondering why this is? I have been reading up but I can't find anything that tells me it should be enforced, but am wary to disable this setting. The students return on Monday so I don't want to mess it up at this stage.
    One thing that I did find odd is when I first opened up the GPOs, I was prompted with a message which stated that the policies in the sysvol folder were not consistent with the ones in AD, so I followed its recommendation to update.
    Any advice you guys have on this would be greatly appreciated.
    David

    > So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
    > and so far everything is running ok.
    This does NOT touch any GPOs, so your GPOs are not "migrated" or
    something like that - they are still what they were before.
    > enforced on my newly migrated domain. At home on my test server i see it
    > is not enforced by default and am wondering why this is?
    "A severe misunderstanding of how group policy inheritance and link order
    works" is the closest reason I see for this. The DDCP is linked to
    "Domain Controllers", and as long as you do not create subordinate OUs
    there (which I've never seen) and block inheritance on them, there's no
    reason to enforce.
    To add my experience from the field: When I see enforced GPOs, in most
    cases this enforcement is not required. People simply use it because
    they do not understand "link order".
    > One thing that i did find odd is when i first opened up the GPO's, i was
    > prompted with a message which stated that the policies in the sysvol
    > folder where not consistent with the ones in AD so i followed its
    > recommendation to update.
    That's fairly ok and nothing to hassle about.
    Martin

  • Restore Default Domain Controllers Policy in its original state

    Hello,
    Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.
    Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.
    I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.
    What would be the best course of action to restore DDCP in its place? I was planning to match all settings between the custom GPO and the currently unlinked DDCP and then disable the custom GPO and enable DDCP. But sincerely I'm not sure what would be the best way to go.

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support

  • Default Domain Controller Policy

    Hello All,
    We will be starting promotion of Windows Server 2012 R2 Domain Controllers in our organisation. For that we are trying to implement the Default Domain Controller Policy for 2012 R2.
    We already have Account Policies, Password Policy, Audit Policy and Security Option Firewall Settings.
    But would like your advice about any new features which we can apply in our Default Domain Controller policy.
    Thanks.
    Thanks HA

    Hi,
    >>But would like your advice about any new features which we can apply in our Default Domain Controller policy.
    Regarding this point, the following articles can be referred to as reference.
    Chapter 4: Strengthening Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773205(v=ws.10).aspx
    Applying Selected Domain and Domain Controller Policy Settings
    https://technet.microsoft.com/en-us/library/cc773164(v=ws.10).aspx
    Best regards,
    Frank Shen

  • Problem with HTTP inspection.

    Hi,
    I would like to find a way to give access to one website (let's say cisco.com), give access to whatever website has the word "test" in the URL, and block access to all the other websites, for only one server (let's say the_server).
    Here is the config I have now:
    regex cisco.com "\.cisco\.com"
    regex test "test"
    regex all ".*"
    access-list acl_test extended permit tcp object GLOUBIER any eq www
    class-map inside-test
    match access-list acl_test
    class-map type inspect http match-all http_url_filtering_test
    match request header host regex cisco.com
    class-map type inspect http match-all http_url_filtering_test2
    match request uri regex test
    class-map type inspect http match-all http_url_filtering_test3
    match request header host regex all
    policy-map type inspect http http_url_inspection_test
    parameters
    class http_url_filtering_test
      log
    class http_url_filtering_test2
      log
    class http_url_filtering_test3
    drop-connection
    policy-map inside-policy
    class inside-test
      inspect http http_url_inspection_test
    Those rules aren't working (everything is blocked), but if I try each class-map individually, it works fine.
    Is there a way to make the 3 rules ( allow cisco.com, allow word test in URL, block the rest ) work together ?
    Thanks for the answers and help.

    Hello,
    I would suggest flipping your logic around to drop everything that doesn't match your allowed requests like this:
    regex cisco.com "cisco\.com"
    regex test "test"
    !
    access-list acl_test extended permit tcp object GLOUBIER any eq www
    !
    class-map inside-test
     match access-list acl_test
    !
    class-map type inspect http match-all filter-class
     match not request header host regex cisco.com
     match not request uri regex test
    !
    policy-map type inspect http filter-policy
     parameters
     class filter-class
      drop-connection
    policy-map inside-policy
     class inside-test
      inspect http filter-policy
    That makes the config a bit more manageable and should do what you are looking for.
    -Mike
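    To see why the three separate classes blocked everything while the single match-all class with two "match not" criteria behaves as intended, here is an added Python model of both policies (not ASA code and not from the thread). Python's re.search stands in for the ASA regex engine, and the three requests are constructed samples.

```python
import re

# Regexes from the thread; re.search stands in for the ASA regex engine.
RE_CISCO = re.compile(r"cisco\.com")   # allowed Host header
RE_TEST = re.compile(r"test")          # allowed URI keyword
RE_ALL = re.compile(r".*")             # the poster's catch-all class

# Constructed sample requests: (Host header, request URI).
REQUESTS = [
    ("www.cisco.com", "/c/en/us/index.html"),      # should be allowed by host
    ("example.org", "/downloads/test-build.zip"),  # should be allowed by URI keyword
    ("example.org", "/index.html"),                # should be dropped
]


def original_policy(host: str, uri: str) -> str:
    """The poster's three independent classes.

    Each class is evaluated on its own and contributes its action. The
    catch-all class matches every request and carries drop-connection,
    so the two 'log' classes can never rescue a request: everything drops.
    """
    actions = set()
    if RE_CISCO.search(host):      # class http_url_filtering_test
        actions.add("log")
    if RE_TEST.search(uri):        # class http_url_filtering_test2
        actions.add("log")
    if RE_ALL.search(host):        # class http_url_filtering_test3
        actions.add("drop-connection")
    return "drop" if "drop-connection" in actions else "allow"


def flipped_policy(host: str, uri: str) -> str:
    """Mike's single match-all class with two 'match not' criteria.

    match-all means every criterion must hold, so a request is dropped
    only when the host does NOT match cisco.com AND the URI does NOT
    contain 'test'. A request satisfying either allow rule falls through.
    """
    not_cisco = RE_CISCO.search(host) is None
    not_test = RE_TEST.search(uri) is None
    return "drop" if (not_cisco and not_test) else "allow"


def evaluate(policy) -> list:
    """Apply a policy function to every sample request, in order."""
    return [policy(host, uri) for host, uri in REQUESTS]


if __name__ == "__main__":
    for name, policy in (("original", original_policy), ("flipped", flipped_policy)):
        print(f"{name} policy:")
        for (host, uri), verdict in zip(REQUESTS, evaluate(policy)):
            print(f"  {host:<15} {uri:<28} -> {verdict}")
```

    Note that the unanchored pattern cisco\.com also matches any host name that merely contains that string, so anchoring the regex to the end of the host name tightens the allow rule.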

  • Disable friendly http error

    I want to disable friendly http errors in Firefox. I have followed the steps in this link: http://firefoxmobile.co.uk/firefox-tips-tricks/54/how-to-turn-off-friendly-http-error-messages-in-firefox/. It works for earlier versions of Firefox, however it doesn't work for the current version I am using, 3.6.6. Does anyone know how to do this?

    I do not believe that the setting has anything to do with your code not executing properly. That particular browser setting should not impact whether a URL is accessible or not.
    That having been said, you would need to write to the user's registry. You could only accomplish this if the user either browsed to a page with an applet or downloaded a standalone Java application to change the settings. As the latter option is not a good one, you are stuck with an applet. You would need to override the Sandbox security restrictions by signing your applet's CAB.
    - Saish

  • What would be the impact for disabling admin$, IPC$, Admin Share$

    Can anyone update me on
    what the impact would be of disabling admin$ and IPC$ on member servers?
    We have Windows Server 2008 R2.
    We only need to disable them on member servers, not on domain controllers.
    D.K Konar. NMS

    Hi,
    Disable the administrative shares permanently (IPC$, ADMIN$, C$, D$, E$).
    Batch script code:
    REM Stop the Server service from re-creating the default admin shares at startup (workstation and server variants)
    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /f /v AutoShareWks /t REG_DWORD /d 0
    REG ADD "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /f /v AutoShareServer /t REG_DWORD /d 0
    REM Restrict anonymous (null-session) enumeration of accounts and shares
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /f /v restrictanonymous /t REG_DWORD /d 1
    @echo.
    REM Remove the shares that currently exist
    net share admin$ /delete
    net share C$ /delete
    net share D$ /delete
    net share E$ /delete
    REM Stop the Server service and keep it from starting again.
    REM Note: this stops all SMB file sharing from the host, not only the admin shares.
    net stop LanmanServer
    sc config LanmanServer start= disabled
    Auto Share Disable Script Download: http://siberblog.org/wp-content/uploads/2013/10/AutoShareAllDisabled.rar
    Auto Share Enable Script Download: http://siberblog.org/wp-content/uploads/2013/10/AutoShareAllEnabled.rar
    Site Link: http://siberblog.org/index.php/windows-yonetimsel-gizli-paylasimlari-devre-disi-birakma/
    www.siberblog.org

  • Can't find the option to disable "Default Gateway" of a VPN.

    Whenever I try to go to the "Networking" tab of a VPN connection, I get the following error: "Unable to allow the editing of networking components at this time because they are currently being modified elsewhere". This prevents me from disabling the default gateway of a VPN. Any help is greatly appreciated!

    Whenever I try to go to the "Networking" tab of a VPN connection, I get the following error: "Unable to allow the editing of networking components at this time because they are currently being modified elsewhere". This prevents me from disabling the default gateway of a VPN. Any help is greatly appreciated!
    I have got the same issue using Windows 10 Insider Preview build 10074; could somebody please show us an alternative method to disable the use of the remote default gateway through a VPN? Thanks.
    Edit - From that post: https://social.technet.microsoft.com/Forums/en-US/709f9e02-d903-41a8-b5f8-d0f46d4685bf/how-to-disable-default-gateway-remote-in-vpm-with-windows-10-tp-10049?forum=WinPreview2014General
    it seems to be possible to use a PowerShell command to modify this option, by setting "RouteIPv4TrafficOverRAS" to "False" instead of "True" (which is the Windows default), but I do not know how to do that. Could somebody explain
