URL Filtering

Unanswered Question
Aug 1st, 2008

I am a little lost and have burned a lot of time on URL filtering.

Setup 1812 router, IOS 12.4(15) T3, SDM 2.4

In Additional Tasks I have the URL list setup. The Allow Mode is on.

For my zone pair (in-zone to out-zone) I have this URL filter being applied.

The problem is I do not have external websense servers; I want to use URL lists.

Now it seems that you have to check

Enable URL Filtering on Application Security Tab, but that tab is not visible on my Configure-->Firewall and ACL screen.

It seems to me that this tab comes up when you set up firewall initially using Basic Firewall Wizard.

Rest of my configuration is working fine and so I do not want to muck around with it because if I run wizard again it will wipe out the current setup.

Can someone please tell me how to enable the URL filtering for Application Security using the command line interface, or instead suggest how to make the Application Security tab visible without rerunning the Firewall setup.

If I am missing something else, please let me know. I hope Cisco fixes this section of the documentation because it does not mention why the Application Security tab is not coming up.

ciscopotion Tue, 08/12/2008 - 12:24

I am the original poster and I have not yet received a response even though I have tried other channels. I am still stuck and have not found anything with many hours of googling.

Will really appreciate a response, and it seems that I am not alone facing this issue.

I actually think there is a workaround to not having a server:

Can you look at the sample config from the first link I sent, specifically the sample config from this section:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftwebsen.html#wp1027265

I think if you simply want to permit/deny specific domains you can do so with these commands:

ip urlfilter exclusive-domain permit .weapons.com

ip urlfilter exclusive-domain deny .nbc.com

ip urlfilter exclusive-domain permit www.cisco.com

Could you lab this up and post back to the group?

thanks,

Joe

Thanks for the barrage of replies (Can only help).

For my part, I have looked at the docs for doing this from within SDM v2.5 and from CLI. The SDM docs do specify that there should be an 'Application Security' tab, but this does not seem to exist in v 2.5 with the Zone-based firewall policy configuration that I am using.

So, I looked at the configuration that needs to be made from IOS and have applied that to my config (still no joy).

I also turned on debugs and tried to visit both URLs that should have been filtered and URLs which should not have been filtered. The debugs showed nothing and no filtering was done.

My config has the following sections:

...

parameter-map type urlfilter BL_ProjectOffice
 audit-trail on
 allow-mode on
 exclusive-domain deny .danger.com

...

class-map type inspect match-all sdm-protocol-http
 match protocol http

...

policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  inspect
  service-policy p2p sdm-action-app-p2p
 class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
 class type inspect sdm-insp-traffic
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
  urlfilter BL_ProjectOffice
 class class-default
  pass

...

This configuration follows the guidelines laid out in the Zone-based Firewall Design guide at (http://www.cisco.com/application/pdf/paws/98628/zone-design-guide.pdf) on pages 38 & 39.

So, I am stumped.

Any ideas?
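One check worth running against a policy like the one above, added here as an example and not part of the thread: a policy-map type inspect evaluates its classes top-down and the first class that matches a flow wins, so a class carrying urlfilter only ever sees HTTP traffic if no earlier class in the same policy also matches http. The script below parses a constructed IOS-style config and reports any shadowed urlfilter class. The class-map sdm-insp-traffic is elided in the post; the sample assumes it contains match protocol http, which is how SDM's default match-any inspect class is normally generated. The script also applies exclusive-domain entries (the form Joe suggests) the way the IOS documentation describes them: an entry with a leading dot covers every host under that domain, while a bare hostname entry has to match exactly, so exclusive-domain permit www.cisco.com does not cover cisco.com. First-match order between overlapping entries is an assumption of this example.

```python
"""Lint an IOS zone-based-firewall policy for a shadowed `urlfilter` class and
apply `exclusive-domain` entries to hostnames. Added example; the config
below is constructed, not the poster's (whose class-maps are elided)."""

# Constructed sample. ASSUMPTION: sdm-insp-traffic also matches http, as SDM's
# default match-any inspect class normally does. That is the shadowing case.
SAMPLE_CONFIG = """\
parameter-map type urlfilter BL_ProjectOffice
 audit-trail on
 allow-mode on
 exclusive-domain deny .danger.com
 exclusive-domain permit www.cisco.com
!
class-map type inspect match-any sdm-insp-traffic
 match protocol http
 match protocol https
 match protocol dns
!
class-map type inspect match-all sdm-protocol-http
 match protocol http
!
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
  urlfilter BL_ProjectOffice
 class class-default
  pass
"""


def parse_config(text):
    """Return (class_maps, policy_maps, urlfilter_maps):
    class_maps[name]     -> set of protocols the class matches
    policy_maps[name]    -> ordered list of (class_name, [action lines])
    urlfilter_maps[name] -> ordered list of (verb, domain) exclusive-domain entries
    Indentation is read the way IOS prints it: one space for sub-commands,
    two spaces for actions under a class inside a policy-map."""
    class_maps, policy_maps, urlfilter_maps = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        indent = len(line) - len(line.lstrip())
        words = line.split()
        if indent == 0:
            head, name = words[:3], words[-1]
            if head == ["class-map", "type", "inspect"]:
                section, class_maps[name] = ("class", name), set()
            elif head == ["policy-map", "type", "inspect"]:
                section, policy_maps[name] = ("policy", name), []
            elif head == ["parameter-map", "type", "urlfilter"]:
                section, urlfilter_maps[name] = ("urlfilter", name), []
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class" and words[:2] == ["match", "protocol"]:
            class_maps[name].add(words[2])
        elif kind == "policy" and indent == 1 and words[0] == "class":
            policy_maps[name].append((words[-1], []))
        elif kind == "policy" and indent >= 2 and policy_maps[name]:
            policy_maps[name][-1][1].append(" ".join(words))
        elif kind == "urlfilter" and words[0] == "exclusive-domain":
            urlfilter_maps[name].append((words[1], words[2].lower()))
    return class_maps, policy_maps, urlfilter_maps


def shadowed_urlfilter_classes(class_maps, policy_maps):
    """Every (policy, urlfilter_class, earlier_class) where an earlier class in
    the same policy already matches http, so the urlfilter class is never hit."""
    findings = []
    for pname, classes in policy_maps.items():
        for i, (cname, actions) in enumerate(classes):
            if not any(a.startswith("urlfilter ") for a in actions):
                continue
            for earlier, _ in classes[:i]:
                if "http" in class_maps.get(earlier, set()):
                    findings.append((pname, cname, earlier))
    return findings


def exclusive_domain_verdict(host, entries):
    """'permit' / 'deny' from the first matching exclusive-domain entry
    (first-match order is an assumption), or None when nothing matches and
    the router would fall through to its URL filter server / allow-mode.
    A leading dot means every host under the domain; a bare name is exact."""
    host = host.lower().rstrip(".")
    for verb, domain in entries:
        if domain.startswith("."):
            if host.endswith(domain):
                return verb
        elif host == domain:
            return verb
    return None


if __name__ == "__main__":
    cmaps, pmaps, umaps = parse_config(SAMPLE_CONFIG)
    for pol, cls, earlier in shadowed_urlfilter_classes(cmaps, pmaps):
        print(f"{pol}: '{cls}' carries urlfilter but '{earlier}' matches http first")
    for h in ("www.danger.com", "www.cisco.com", "cisco.com"):
        print(h, "->", exclusive_domain_verdict(h, umaps["BL_ProjectOffice"]))
```

Run it against a real show running-config and the shadowing report tells you whether HTTP flows can reach the class that carries urlfilter at all; if they cannot, no amount of debug ip urlfilter output will appear, which is consistent with the silent debugs described above.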

Marwan ALshawi Tue, 08/12/2008 - 21:31

First, if you want to block specific web sites (domain name, URL), you need to make a regular expression, known as a regex.

In the link you have posted, just read how to implement and match against a regex according to Cisco ASA regex.

If you want to match websites, do the following:

regex domainlist1 "\.yahoo\.com"

regex domainlist2 "\.myspace\.com"

regex domainlist3 "\.youtube\.com"

Just find out if it is the same with the IOS firewall, but the idea is 100% the same.

So the following link, although for the ASA firewall, carries the same idea, so I will include it for you here to get the idea:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

And just be careful with your matching:

1. right regex

2. right class-map matching

3. right inspection header, request or response

And if you want any more assistance, just post here.

Good luck.

Please rate if helpful.

Marwan ALshawi Tue, 08/12/2008 - 21:43

Your config should be something like:

parameter-map type regex url1
 pattern \.yahoo\.com

class-map type inspect http urlclass1
 match req-resp header regex url1

policy-map type inspect http policy1
 class type inspect http urlclass1
  reset

! attach the Layer 7 HTTP policy to the HTTP class of the Layer 4 inspect policy
policy-map type inspect sdm-inspect
 class type inspect sdm-protocol-http
  inspect
  service-policy http policy1

Then apply the policy.

The above is only an example.

You have more flexibility, and I am not 100% sure of the regex pattern above, but it should be like that to some extent.

Good luck.
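A quick way to check a domain regex before putting it in a parameter-map, added here as an example and not part of the thread: Python's re module stands in for the IOS/ASA regex engine, since \., [...], ^ and $ have the same meaning in both for patterns like these, but confirm on the router. The constructed hostnames below show three things a practitioner wants to see: a pattern written as a character class such as [\.yahoo\.com] matches any single character from that set and so fires on nearly every hostname; the unanchored \.yahoo\.com matches hosts under yahoo.com but also an attacker-controlled superstring like www.yahoo.com.evil.example and misses the apex yahoo.com; anchoring with (^|\.)yahoo\.com$ fixes both. One further caveat on the class-map above: match req-resp header regex applies the pattern to every request and response header, not only Host, so a Referer header pointing at yahoo.com would also trigger the reset.

```python
"""Try Cisco-style regex patterns against Host header values. Added example,
not from the thread; Python's `re` stands in for the IOS/ASA regex engine,
whose `\\.`, `[...]`, `^` and `$` behave the same for these patterns."""
import re

# Constructed Host header values, including an attacker-controlled superstring.
HOSTS = [
    "www.yahoo.com",
    "mail.yahoo.com",
    "yahoo.com",
    "www.yahoo.com.evil.example",
    "www.example.org",
    "a",
]

# A character class: matches any one of the characters . y a h o c m, so it
# fires on almost every hostname. Not a domain match.
CHARCLASS = r"[\.yahoo\.com]"
# Unanchored suffix: matches hosts under yahoo.com, but also anything that
# merely contains ".yahoo.com", and misses the apex "yahoo.com".
SUFFIX = r"\.yahoo\.com"
# Anchored: the apex or any subdomain, with nothing allowed after it.
ANCHORED = r"(^|\.)yahoo\.com$"


def matches(pattern, host):
    """Unanchored search, which is how an inspection engine applies a regex
    to a header field unless the pattern itself carries ^ or $."""
    return re.search(pattern, host) is not None


def classify(pattern, hosts=HOSTS):
    """Return the hosts the pattern would fire on, in input order."""
    return [h for h in hosts if matches(pattern, h)]


if __name__ == "__main__":
    for name, pat in (("CHARCLASS", CHARCLASS), ("SUFFIX", SUFFIX), ("ANCHORED", ANCHORED)):
        print(f"{name:9} {pat!r:24} -> {classify(pat)}")
```

Because the ANCHORED form only makes sense against a field that holds nothing but the hostname, it belongs on the Host header rather than on a match over all headers; if the platform lets you restrict the match to that header, do so.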

ciscopotion Wed, 08/13/2008 - 04:48

Thank you all for the replies and your patience.

I can use the SDM but do not have much proficiency with the command line policy setups. I tried the command line options and feel that it is beyond my capabilities. If there is no solution through the SDM then I would probably have to reconfigure the entire thing from scratch. The SDM is what made this router an easy choice for us. We are a small business and are using this router as an alternative to the common home office router in which URL blocking is fairly easy to do.

I think that the Application Security tab, if enabled in the SDM, will make all this functional. I wonder if there is someone from Cisco's product support team who can suggest whether the App Sec tab can be enabled inside the SDM interface once the firewall has already been configured.

I would suggest that someone (if someone at Cisco is browsing this) make a note of this issue, because the fact that the Application Security tab only shows up through the wizard configuration process is something that is not mentioned anywhere and completely throws you off (as in my case, where I was trying to mimic the previous router's settings in this zone policy environment and hence did not go through the wizard).
