14-2
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 14 Filtering HTTP, HTTPS, or FTP Requests Using an External Server
Configuring General Filtering Parameters
If the filtering server denies the connection, then the following action occurs for each request type:
• For HTTP, the FWSM redirects the user to a block page, indicating that access was denied.
• For HTTPS, the FWSM prevents the completion of SSL connection negotiation. The browser
displays an error message such as “The Page or the content cannot be displayed.”
• For FTP, the FWSM alters the FTP return code to show that the connection was denied. For example,
the FWSM changes code 250 to “code 550: Directory not found.”
For N2H2, if you enabled user authentication on the FWSM for HTTP, HTTPS, or FTP, then the FWSM
also sends the username to the filtering server. The filtering server can then use user-specific filtering
settings or provide enhanced reporting per user. See the “Configuring Authentication for Network
Access” section on page 12-20 to configure user authentication. Websense supports filtering by
IP address only.
Filtering applies only for outbound connections (from a higher security interface to a lower security
interface) or between same security interfaces.
Configuring General Filtering Parameters
This section describes how to configure the FWSM to communicate with the filtering server and how to
handle requests when the filtering server is down, how to handle long URLs, and whether to cache server
addresses. This section includes the following topics:
• Identifying the Filtering Server, page 14-2
• Buffering Replies, page 14-3
• Setting the Maximum Length of Long HTTP URLs, page 14-4
• Caching URL Servers, page 14-4
Identifying the Filtering Server
You can identify up to four filtering servers per context. The FWSM uses the servers in order until a
server responds. You can only configure one type of server (Websense or N2H2) in your configuration.
Note You must add the filtering server before you can configure filtering for HTTP or HTTPS with the filter
command. If you remove the filtering servers from the configuration, then all filter commands are also
removed.
To identify the filtering server(s), enter one of the following commands for each server you want to
identify. Only one type of server is allowed in your configuration.
• To identify a Websense Enterprise server, enter the following command:
FWSM/contexta(config)# url-server (
if_name
) vendor websense host
ip_address
[timeout
seconds
] [protocol tcp [version {1 | 4}] | udp]
See the following options:
–
(if_name)—The interface through which the FWSM communicates with the server.
–
ip_address—The Websense server IP address.
To Next Page
Loading...
Need help?
General