I think I did url filtering without putting inspect http in that MPF.
Date: Thu, 10 Nov 2011 17:39:36 +0530
From: [email protected]
To: [email protected]
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] Is http inspection required for filter

But I have never come across any samples or Cisco docs claiming that it is required.

With regards
Kings

On Thu, Nov 10, 2011 at 5:30 PM, Fawad Khan <[email protected]> wrote:

I take my words back ... HTTP is not enabled by default in MPF... FTP, ESMTP and DNS are.... I guess morning coffee didn't work so far. But I am certain that we need to enable http in MPF for url filtering to work properly.

FNK

On Thu, Nov 10, 2011 at 6:16 AM, FNK <[email protected]> wrote:

Yes. Http needs to be enabled. Same goes for DNS doctoring where we put 'dns' keyword at the end of the traffic. We need to enable DNS MPF as well.

Http, esmtp and DNS are enabled by default.

FNK
Sent from an iPhone

On Nov 10, 2011, at 1:11 AM, Kingsley Charles <[email protected]> wrote:

Hi all

As per the following snippet, http inspection is required for filtering.

Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/inspect.html#wp1335632

Use the HTTP inspection engine to protect against specific attacks and other threats that may be associated with HTTP traffic. HTTP inspection performs several functions:

• Enhanced HTTP inspection
• URL screening through N2H2 or Websense
• Java and ActiveX filtering

The latter two features are configured in conjunction with the filter command.

I configured a dummy non-existent url-server and configured the following rule. Hence any http request will be dropped as there is no "allow" configured along with the following rule. My http request gets denied across the ASA but I didn't enable http inspection.

    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

By default, http inspection is not configured under policy-map global_policy. If there is a task asked to configure for filtering, should we enable http inspection or not?

With regards
Kings

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
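The configuration under discussion in this thread, written out as an added example that is not from any of the posters or from Cisco's documentation. The `inside` interface name and the 192.0.2.10 server address are constructed placeholders, and the example does not settle whether `inspect http` is required; it shows the filter rule beside the inspection setting so that both can be checked on the device.

```cisco
! Added example (ASA 8.0-style syntax). Interface name "inside" and the
! url-server address 192.0.2.10 are constructed placeholders.

! Filtering server that the filter rule consults.
url-server (inside) vendor websense host 192.0.2.10

! The rule from the thread: no "allow" keyword, so HTTP requests are
! dropped whenever the url-server cannot be reached (fail closed).
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

! Variant with "allow": HTTP is permitted when the url-server is
! unreachable (fail open). Use one rule or the other, not both.
! filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

! HTTP inspection is absent from the default global_policy, as the
! thread notes; this adds it to the default inspection class.
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global

! Checks to run after a test HTTP request crosses the ASA:
!   show running-config filter
!   show url-server statistics
!   show service-policy inspect http
```

Comparing the `show url-server statistics` counters with and without `inspect http` in the policy shows on the device itself whether the filter lookup depends on the inspection engine.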
