Chapter 18
Applying Filtering Services
Replace port with the port number if a different port than the default port for HTTPS (443) is used. The
filter exception rule works only when you use the default port.
Note: Because both HTTPS and HTTP traffic have the same GET request, the HTTPS protocol inspector will
also filter HTTP traffic on the port number that you specify.
Replace local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making
requests. Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or
subnetwork responding to requests.
The allow option causes the FWSM to forward HTTPS traffic without filtering when the primary
filtering server is unavailable (the rule fails open). Without it, the FWSM stops forwarding the matching
traffic until the filtering server is reachable again (the rule fails closed).
Filtering FTP Requests
You must identify and enable the URL filtering server before enabling FTP filtering.
Note: Secure Computing SmartFilter (formerly known as N2H2) does not support FTP filtering.
When the filtering server approves an FTP connection request, the FWSM allows the successful FTP
return code to reach the originating client. For example, a successful return code is "250: CWD command
successful." If the filtering server denies the request, the FWSM alters the FTP return code to show that the
connection was denied. For example, the FWSM changes code 250 to "550 Requested file is prohibited
by URL filtering policy."
To enable FTP filtering, enter the following command:

    hostname(config)# filter ftp {port[-port] | except} local_ip local_mask foreign_ip foreign_mask [allow] [interact-block]
Replace port with the port number if a different port than the default port for FTP (21) is used. Replace
local_ip and local_mask with the IP address and subnet mask of a user or subnetwork making requests.
Replace foreign_ip and foreign_mask with the IP address and subnet mask of a server or subnetwork
responding to requests.
To create an exception to a previous filter condition, specify the keyword except.
Note: The filter exception rule works only when you use the default port.
The allow option causes the FWSM to forward FTP traffic without filtering when the primary filtering
server is unavailable (the rule fails open). Without it, FTP traffic matching the rule is not forwarded until
the filtering server is reachable again (the rule fails closed).
Use the interact-block option to prevent interactive FTP sessions that do not provide the entire directory
path. An interactive FTP client allows the user to change directories without typing the entire path. For
example, the user might enter cd ./files instead of cd /public/files. Without the full path, the filtering
server cannot reliably evaluate the request against its policy.
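The following is an added example, not FWSM code or Cisco's own. It models the three behaviours described in this section for a single `filter ftp` rule: the 250-to-550 rewrite of the server reply when the filtering server denies a request, the fail-open effect of `allow` when the filtering server is unavailable, and the relative-path gap that `interact-block` closes. The external filtering server is replaced by a constructed deny list (`denied_dirs`), and the assumption that the filter matches a relative path as typed, and that a blocked interactive `cd` gets the same 550 reply, are choices of this model, not statements from the guide. The two reply strings are the ones quoted above.

```python
import posixpath
from dataclasses import dataclass

# Reply strings quoted in the section above.
SUCCESS_REPLY = "250 CWD command successful."
DENIED_REPLY = "550 Requested file is prohibited by URL filtering policy."


@dataclass
class FtpFilterRule:
    """Options of one `filter ftp` rule plus a stand-in for the filtering server."""
    allow: bool = False            # forward unfiltered if the filtering server is down
    interact_block: bool = False   # refuse CWD targets that are not full paths
    # Constructed policy standing in for the external URL filtering server:
    # any target at or under one of these directories is denied (assumption).
    denied_dirs: tuple = ("/private",)
    server_available: bool = True


def policy_decision(rule: FtpFilterRule, path: str) -> bool:
    """What the simulated filtering server answers: True means approve."""
    for d in rule.denied_dirs:
        if path == d or path.startswith(d.rstrip("/") + "/"):
            return False
    return True


def filter_cwd(rule: FtpFilterRule, target: str) -> tuple[str, bool]:
    """Decide what the client sees for `CWD target`.

    Returns (reply line, forwarded): forwarded is True when the FWSM lets the
    real server's 250 through, False when it substitutes the 550 denial.
    """
    is_full_path = target.startswith("/")

    # interact-block: a relative target is refused before any policy lookup.
    # (Using the 550 string for this case is an assumption of this model.)
    if rule.interact_block and not is_full_path:
        return DENIED_REPLY, False

    # Filtering server unreachable: `allow` forwards unfiltered (fail open),
    # otherwise the request is not forwarded (fail closed).
    if not rule.server_available:
        return (SUCCESS_REPLY, True) if rule.allow else (DENIED_REPLY, False)

    # Model assumption: the filter sees the path as typed. A full path is
    # normalised (so "/public/../private" still hits the deny list), but a
    # relative path cannot be resolved and is matched literally. That literal
    # match is the gap interact-block exists to close.
    lookup = posixpath.normpath(target) if is_full_path else target
    if policy_decision(rule, lookup):
        return SUCCESS_REPLY, True      # server's own 250 passes through
    return DENIED_REPLY, False          # 250 rewritten to 550


if __name__ == "__main__":
    default = FtpFilterRule()
    strict = FtpFilterRule(interact_block=True)
    print(filter_cwd(default, "/public/files"))            # approved
    print(filter_cwd(default, "/private/files"))           # denied, 550
    print(filter_cwd(default, "/public/../private/files")) # denied after normalisation
    print(filter_cwd(default, "./private/files"))          # passes: relative-path gap
    print(filter_cwd(strict, "./private/files"))           # refused by interact-block
    print(filter_cwd(FtpFilterRule(server_available=False), "/public/files"))             # fail closed
    print(filter_cwd(FtpFilterRule(allow=True, server_available=False), "/private/files")) # fail open
```

The last two calls are the ones to think about when choosing `allow`: with it set, an outage of the filtering server silently lifts the policy for every matching session, so it trades availability against enforcement.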
Viewing Filtering Statistics and Configuration
This section describes how to monitor filtering statistics. This section includes the following topics:
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01