Filtering URLs and FTP Requests with an External Server
Replace memory_pool_size with a value from 2 to 10240 for a URL buffer memory pool size of 2 KB to 10,240 KB.
Truncating Long HTTP URLs
By default, if a URL exceeds the maximum permitted size, the FWSM drops it. To avoid this, you can configure the FWSM to truncate (or explicitly deny) a long URL by entering the following command:
hostname(config)# filter url [longurl-truncate | longurl-deny | cgi-truncate]
The longurl-truncate option causes the FWSM to send only the hostname or IP address portion of the URL to the filtering server for evaluation when the URL is longer than the maximum length permitted. Because the path is not sent, the filtering server cannot apply path-based policy to such URLs; it sees only the host.

Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted. This is the conservative choice when you want long URLs to fail closed rather than be evaluated on the hostname alone.

Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name, without any parameters. Many long HTTP requests are CGI requests. If the parameter list is very long, waiting for and sending the complete CGI request including the parameter list can use up memory resources and affect firewall performance.
Exempting Traffic from Filtering
To exempt specific traffic from filtering, enter the following command:
hostname(config)# filter url except source_ip source_mask dest_ip dest_mask
For example, the following commands cause all HTTP requests to be forwarded to the filtering server except for those from 10.0.2.54:
hostname(config)# filter url http 0 0 0 0
hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0
Note
If you have the filter java except command configured and the filter activex command configured for the same source/destination pair, then no filtering will occur on port 80 for this source/destination pair.
Filtering HTTPS URLs
You must identify and enable the URL filtering server before enabling HTTPS filtering.
Because HTTPS content is encrypted, the FWSM sends the URL lookup without directory and filename information; the filtering server evaluates only the hostname or IP address of the destination. When the filtering server approves an HTTPS connection request, the FWSM allows the SSL connection negotiation to complete and allows the reply from the web server to reach the originating client. If the filtering server denies the request, the FWSM prevents the completion of SSL connection negotiation. The browser displays an error message such as "The Page or the content cannot be displayed."
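The following Python model is an added example, not FWSM code or part of this guide. It shows what the FWSM hands the filtering server for HTTP URLs under each filter url long-URL option described above, and for HTTPS lookups, which carry only the host. The maximum URL length (max_len, 1159 bytes), the treatment of a too-long non-CGI URL under cgi-truncate (default drop), and the toy path-based policy standing in for the filtering server are all assumptions made for the example; the sample URLs are constructed.

```python
"""Model of the URL lookup an FWSM forwards to its URL filtering server.

Added example: not FWSM code. It models the documented behaviour of
`filter url [longurl-truncate | longurl-deny | cgi-truncate]` and of
`filter https` lookups, so you can see what the filtering server actually
gets to evaluate.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Assumption for the example: the longest URL the FWSM forwards intact.
# The real limit depends on the FWSM version and the filtering server.
DEFAULT_MAX_URL_LEN = 1159

LOOKUP = "lookup"  # URL (possibly shortened) is sent to the filtering server
DROP = "drop"      # default: over-length URL is dropped, nothing is sent
DENY = "deny"      # longurl-deny: outbound request denied, nothing is sent


def host_only(url: str) -> str:
    """Hostname or IP portion of the URL, as sent under longurl-truncate."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}/"


def strip_cgi_parameters(url: str) -> str:
    """CGI script location and script name without parameters (cgi-truncate)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}{parts.path}"


def http_lookup(url: str, option: Optional[str] = None,
                max_len: int = DEFAULT_MAX_URL_LEN) -> Tuple[str, Optional[str]]:
    """Return (action, lookup_url) for an HTTP URL under `filter url [option]`.

    option is None (default behaviour), "longurl-truncate", "longurl-deny"
    or "cgi-truncate".
    """
    if len(url) <= max_len:
        return LOOKUP, url                      # short enough: sent as-is
    if option == "longurl-deny":
        return DENY, None                       # fail closed
    if option == "longurl-truncate":
        return LOOKUP, host_only(url)           # path is never evaluated
    if option == "cgi-truncate":
        stripped = strip_cgi_parameters(url)
        # Assumption: a long URL with no parameters, or one whose script
        # path is still over the limit, gets the default (drop) treatment.
        if stripped != url and len(stripped) <= max_len:
            return LOOKUP, stripped
    return DROP, None


def https_lookup(url: str) -> str:
    """HTTPS lookups carry no directory or filename: the content is encrypted."""
    return host_only(url)


def filtering_server_decision(lookup_url: str,
                              blocked_prefixes: Tuple[str, ...] = ("/forbidden",)) -> str:
    """Toy path-based policy standing in for the filtering server (constructed)."""
    path = urlsplit(lookup_url).path
    return "block" if any(path.startswith(p) for p in blocked_prefixes) else "allow"


# Constructed sample URLs: both exceed DEFAULT_MAX_URL_LEN.
LONG_CGI = "http://www.example.com/cgi-bin/search.cgi?q=" + "a" * 1300
LONG_FORBIDDEN = "http://www.example.com/forbidden/" + "x" * 1200 + ".html"
SHORT_FORBIDDEN = "http://www.example.com/forbidden/a.html"


if __name__ == "__main__":
    for opt in (None, "longurl-truncate", "longurl-deny", "cgi-truncate"):
        print(f"{str(opt):17} -> {http_lookup(LONG_CGI, opt)}")
    # The caveat: under longurl-truncate a blocked path slips past a
    # path-based rule because only the host reaches the filtering server.
    action, sent = http_lookup(LONG_FORBIDDEN, "longurl-truncate")
    print("longurl-truncate sends", sent, "->", filtering_server_decision(sent))
    print("short URL sends", SHORT_FORBIDDEN, "->",
          filtering_server_decision(SHORT_FORBIDDEN))
    print("https lookup ->", https_lookup("https://www.example.com/private/report.pdf"))
```

The last two print lines are the point of the model: a short URL under /forbidden is blocked by the path rule, while the same path in an over-length URL is reduced to the host under longurl-truncate and is allowed. If path-based policy matters for long URLs, longurl-deny is the option that fails closed; cgi-truncate keeps the script path but drops parameters, so parameter-based policy is likewise not enforced.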
Note
The FWSM does not provide an authentication prompt for HTTPS, so a user must authenticate with the FWSM using HTTP or FTP before accessing HTTPS servers.
To enable HTTPS filtering, enter the following command:
hostname(config)# filter https port localIP local_mask foreign_IP foreign_mask [allow]
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
18-8
Chapter 18
Applying Filtering Services
OL-20748-01