FYI: IOS APPFW / Zone-based Policy FW - results of testing

Jul 11th, 2007

If Deep Packet Inspection for HTTP is enabled as follows:

R2811#sh class-map type inspect http
Class Map type inspect http match-any HTTP-DPI (id 16)
  Match req-resp protocol-violation
  Match request port-misuse any
  Match response body java-applet
  Match req-resp header content-type mismatch
  Match req-resp header content-type unknown
  Match req-resp header content-type violation

R2811#sh policy-map type inspect http
Policy Map type inspect http HTTP-DPI
  Class class-default

the following results are observed:

1. never opens (note that the policy doesn't deny anything; the action is "allow" and "log"). The diagnostic message is %APPFW-4-HTTP_PROTOCOL_VIOLATION.

2. opens with the diag: %APPFW-4-HTTP_DEOBFUSCATION

3. (this site) opens with the diag: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN, %APPFW-4-HTTP_DEOBFUSCATION, %APPFW-4-HTTP_CONT_TYPE_VIOLATION, %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session.

The last one is the most interesting. Extra sessions are reset. The performance is... It seems there is no way to increase the number of concurrent HTTP sessions in appfw / zone-based firewall. Does anybody know?

IOS 12.4(15)T
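To see how often the appfw inspection is actually resetting sessions (rather than only logging), it helps to pull the %APPFW messages out of the router's syslog and count them per mnemonic and per destination server. The following is an added example, not from the original post or from Cisco: the message codes are the ones reported above, but the sample log lines are constructed, and the trailing text of the -4- messages is an assumption (only the HTTP_MAX_REQ_EXCEEDED text is quoted from the post).

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines (assumption: IOS-style timestamp prefix and a
# trailing "src:port => dst:port" pair; only the HTTP_MAX_REQ_EXCEEDED wording
# is quoted from the post, the other message texts are placeholders).
SAMPLE_LOG = """\
Jul 11 10:02:11.100: %APPFW-4-HTTP_PROTOCOL_VIOLATION: HTTP protocol violation detected 192.0.2.10:51001 => 198.51.100.5:80
Jul 11 10:02:12.410: %APPFW-4-HTTP_DEOBFUSCATION: Deobfuscation signature detected 192.0.2.10:51002 => 198.51.100.7:80
Jul 11 10:02:12.980: %APPFW-4-HTTP_CONT_TYPE_UNKNOWN: Unknown content type 192.0.2.11:51003 => 198.51.100.9:80
Jul 11 10:02:13.020: %APPFW-4-HTTP_CONT_TYPE_VIOLATION: Content type violation 192.0.2.11:51003 => 198.51.100.9:80
Jul 11 10:02:13.550: %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session 192.0.2.11:51004 => 198.51.100.9:80
Jul 11 10:02:14.000: %APPFW-3-HTTP_MAX_REQ_EXCEEDED: Number of unanswered HTTP requests exceeded the limit 10 - resetting session 192.0.2.11:51005 => 198.51.100.9:80
"""

# %FACILITY-SEVERITY-MNEMONIC: text [src:port => dst:port]
APPFW_RE = re.compile(
    r"%APPFW-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*?)"
    r"(?:\s(?P<src>\d+\.\d+\.\d+\.\d+:\d+) => (?P<dst>\d+\.\d+\.\d+\.\d+:\d+))?$"
)
LIMIT_RE = re.compile(r"exceeded the limit (\d+)")


def parse_appfw(log_text):
    """Return one dict per %APPFW line; lines from other facilities are skipped."""
    events = []
    for line in log_text.splitlines():
        m = APPFW_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["sev"] = int(ev["sev"])
            events.append(ev)
    return events


def summarize(events):
    """Count messages per mnemonic and count session resets per destination host."""
    counts = Counter(ev["mnemonic"] for ev in events)
    resets = defaultdict(int)
    for ev in events:
        if ev["mnemonic"] == "HTTP_MAX_REQ_EXCEEDED" and ev["dst"]:
            resets[ev["dst"].split(":")[0]] += 1
    return counts, dict(resets)


def reset_limits(events):
    """Extract the unanswered-request limit the router reports when it resets a session."""
    return {int(m.group(1)) for ev in events for m in [LIMIT_RE.search(ev["text"])] if m}
```

Run against a real syslog export, a destination that shows up repeatedly under HTTP_MAX_REQ_EXCEEDED is a server whose pipelined or concurrent requests exceed the inspection limit, which is where the "performance" symptom above comes from.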
