39-13
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 39 Configuring Filtering Services
Filtering URLs and FTP Requests with an External Server
Truncating Long HTTP URLs

By default, if a URL exceeds the maximum permitted size, it is dropped. To avoid this, truncate a long URL by entering the following command:

Command:
    filter url [longurl-truncate | longurl-deny | cgi-truncate]

Example:
    hostname# filter url longurl-truncate

Purpose:
    The longurl-truncate option causes the ASA to send only the hostname or IP address portion of the URL to the filtering server for evaluation when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.

    Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name, without any parameters. Many long HTTP requests are CGI requests. If the parameter list is very long, waiting for and sending the complete CGI request, including the parameter list, can use up memory resources and affect ASA performance.

Exempting Traffic from Filtering

To exempt traffic from filtering, enter the following command:

Command:
    filter url except source_ip source_mask dest_ip dest_mask

Example:
    hostname(config)# filter url http 0 0 0 0
    hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Purpose:
    Exempts specific traffic from filtering.

    The example shows how to cause all HTTP requests to be forwarded to the filtering server, except for those from 10.0.2.54.

Filtering HTTPS URLs

You must identify and enable the URL filtering server before enabling HTTPS filtering.

Note
    Websense and Secure Computing SmartFilter currently support HTTPS; older versions of the Secure Computing SmartFilter (formerly N2H2) do not support HTTPS filtering.

Because HTTPS content is encrypted, the ASA sends the URL lookup without directory and filename information. When the filtering server approves an HTTPS connection request, the ASA allows the completion of SSL connection negotiation and allows the reply from the web server to reach the originating client. If the filtering server denies the request, the ASA prevents the completion of SSL connection negotiation. The browser displays an error message, such as "The Page or the content cannot be displayed."

Note
    The ASA does not provide an authentication prompt for HTTPS, so you must authenticate with the ASA using HTTP or FTP before accessing HTTPS servers.
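The following Python model, added here as an illustration and not taken from the ASA or from Cisco's documentation, ties the three sections above together: it shows what string reaches the filtering server under the default drop behaviour, under longurl-truncate, longurl-deny and cgi-truncate, why an HTTPS lookup carries only the host, and how a filter url except entry (in the ASA's "ip mask" form, with 0 as shorthand for 0.0.0.0) bypasses the lookup. MAX_URL_LEN is an assumed small value chosen so the samples trigger truncation; the real limit is platform-specific and not stated on this page. Applying cgi-truncate whenever a query string is present is also a modelling assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed small limit so the sample URLs below exceed it; the real ASA
# limit is platform-specific and not given on this page.
MAX_URL_LEN = 40


def network_from_mask(ip: str, mask: str):
    """Turn the ASA's 'ip mask' pair (with '0' shorthand) into a network."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ip_network(f"{ip}/{mask}", strict=False)


@dataclass
class UrlFilterPolicy:
    long_url: str = "drop"          # default; or "truncate" / "deny"
    cgi_truncate: bool = False
    exceptions: list = field(default_factory=list)   # [(src_net, dst_net)]

    def add_exception(self, src_ip, src_mask, dst_ip, dst_mask):
        """Model of 'filter url except src_ip src_mask dest_ip dest_mask'."""
        self.exceptions.append((network_from_mask(src_ip, src_mask),
                                network_from_mask(dst_ip, dst_mask)))

    def is_exempt(self, src: str, dst: str) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return any(s in sn and d in dn for sn, dn in self.exceptions)


def lookup_request(policy: UrlFilterPolicy, url: str, https: bool = False):
    """Return ('lookup', key) for the string sent to the filtering server,
    or ('drop' | 'deny', reason) when the ASA sends nothing."""
    parts = urlsplit(url)
    if https:
        # Encrypted payload: only the host part is available for lookup.
        return ("lookup", parts.hostname)
    if policy.cgi_truncate and parts.query:
        # Keep the script location and name, discard the parameter list.
        url = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if len(url) > MAX_URL_LEN:
        if policy.long_url == "truncate":
            return ("lookup", parts.hostname)   # host or IP portion only
        if policy.long_url == "deny":
            return ("deny", "URL longer than maximum permitted")
        return ("drop", "URL longer than maximum permitted")
    return ("lookup", url)


def decide(policy: UrlFilterPolicy, src: str, dst: str, url: str,
           https: bool = False):
    """Exempt traffic never reaches the server; everything else is shaped."""
    if policy.is_exempt(src, dst):
        return ("allow", "exempt from filtering")
    return lookup_request(policy, url, https)


if __name__ == "__main__":
    # Constructed sample: the exception from the manual's example.
    policy = UrlFilterPolicy(long_url="truncate", cgi_truncate=True)
    policy.add_exception("10.0.2.54", "255.255.255.255", "0", "0")
    for src, url, https in [
        ("10.0.2.54", "http://example.com/a", False),
        ("10.0.2.55", "http://example.com/" + "a" * 30, False),
        ("10.0.2.55", "http://example.com/cgi-bin/search.cgi?q=" + "x" * 50, False),
        ("10.0.2.55", "https://example.com/secret/report.html", True),
    ]:
        print(src, "->", decide(policy, src, "198.51.100.7", url, https))
```

The model makes the operational point of the section visible: with the default policy an over-length URL is silently dropped, while longurl-truncate trades filtering precision (host-only lookup) for availability, and longurl-deny does the opposite. The HTTPS branch shows why category decisions for encrypted sites can only be as granular as the hostname.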