I take my words back ... HTTP is not enabled by default in MPF... FTP, ESMTP and DNS are.... I guess morning coffee didn't work so far.
But I am certain that we need to enable http in MPF for url filtering to work properly.

FNK

On Thu, Nov 10, 2011 at 6:16 AM, FNK <[email protected]> wrote:

> Yes. HTTP needs to be enabled. Same goes for DNS doctoring, where we put
> the 'dns' keyword at the end of the traffic. We need to enable DNS MPF as well.
>
> HTTP, ESMTP and DNS are enabled by default.
>
> FNK
> Sent from an iPhone
>
> On Nov 10, 2011, at 1:11 AM, Kingsley Charles <[email protected]>
> wrote:
>
> Hi all
>
> As per the following snippet, http inspection is required for filtering.
>
> Snippet from
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1335632
>
> Use the HTTP inspection engine to protect against specific attacks and
> other threats that may be associated with HTTP traffic. HTTP inspection
> performs several functions:
>
> • Enhanced HTTP inspection
>
> • URL screening through N2H2 or Websense
>
> • Java and ActiveX filtering
>
> The latter two features are configured in conjunction with the
> *filter* command.
>
> I configured a dummy nonexistent url-server and configured the following
> rule. Hence any http request will be dropped as there is no "allow"
> configured along with the following rule. My http request
> gets denied across the ASA but I didn't enable http inspection.
>
> filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
>
> By default, http inspection is not configured under policy-map
> global_policy.
>
> If there is a task asked to configure for filtering, should we enable http
> inspection or not?
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
