11-12-2008 02:33 PM - edited 02-21-2020 03:05 AM
I have two pairs of firewalls that are both running 7.2(4). One platform is a pair of PIX 515E and the other is a pair of ASA 5520s.
We are using Web Sense to filter a subset of addresses.
The 5520s generate a log message (ASA-5-304001) whenever a host identified by the "filter url" command accesses a web page. It only generates this message for filtered hosts.
Now, my PIX 515E with 7.2(4) is generating the same message (PIX-5-304001), but there are no Filter commands implemented on this firewall. We used to filter traffic through it via Web Sense, but stopped maybe 9-10 months ago. The firewalls have been restarted since then.
I verified that there are no filter statements in the config and even removed the url-server definition. Still, the firewall generates a message whenever anyone accesses a web page. Any ideas why?
Relevant ASA config:
filter url http 10.220.34.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url http 10.20.25.92 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.49.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.50.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.51.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.52.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.53.109 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.54.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.58.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.59.102 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.60.10 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.63.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
url-server (inside) vendor websense host 10.1.1.35 timeout 10 protocol UDP version 4
logging enable
logging timestamp
logging buffered alerts
logging trap notifications
logging history notifications
logging asdm errors
logging facility 18
logging host inside 10.1.1.55
logging host inside 10.1.1.74
Relevant PIX Config:
host# sh run filter
host# sh run url-server
host# sh run logging
logging enable
logging timestamp
logging buffered alerts
logging trap notifications
logging history notifications
logging asdm errors
logging facility 19
logging host inside 10.1.1.55
logging host inside 10.1.1.74
no logging message 106007
no logging message 210005
logging message 111008 level warnings
I have a reboot scheduled of the PIXs tonight to see if it clears it up. Does anyone have any other insight as to why the PIX is creating all of these extra log messages? Thanks!
11-18-2008 07:26 AM
Enable or disable outbound URL filtering for use with WebSENSE servers. (Configuration mode.)
filter url http|except local_ip local_mask foreign_ip foreign_mask [allow]
no filter url http|except [local_ip local_mask foreign_ip foreign_mask]
show filter
Syntax Description
url Filter URLs (Universal Resource Locators) from data moving through the PIX Firewall.
http Filter HTTP (World Wide Web) URLs.
except Create an exception to a previous filter condition.
local_ip The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.
local_mask Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
foreign_ip The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
foreign_mask Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.
allow When the server is unavailable, let outbound connections pass through PIX Firewall without filtering. If you omit this option, and if the WebSENSE server goes offline, PIX Firewall stops outbound port 80 (Web) traffic until the WebSENSE server is back online.
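An added example, not from either poster or from Cisco: a Python check that reads the `filter url` statements from a saved config and counts the 304001 messages whose source and destination no statement covers, which is the condition described in the question. The message layout in `LOG_RE`, the sample log lines and the destination addresses are constructed assumptions; adjust the pattern to match your own syslog output.

```python
import ipaddress
import re

# Page syntax: filter url http|except local_ip local_mask foreign_ip foreign_mask [allow]
FILTER_RE = re.compile(r"^filter url (http|except) (\S+) (\S+) (\S+) (\S+)")
# Assumed 304001 layout: "%PIX-5-304001: <src_ip> Accessed URL <dst_ip>:<url>"
LOG_RE = re.compile(r"%(?:PIX|ASA)-5-304001: (\d+(?:\.\d+){3}) Accessed URL (\d+(?:\.\d+){3}):")

def _net(ip, mask):
    # The command accepts "0" as shorthand for 0.0.0.0 in both fields.
    ip, mask = ("0.0.0.0" if v == "0" else v for v in (ip, mask))
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_filters(config_text):
    """Return (kind, local_net, foreign_net) for each filter url line."""
    rules = []
    for line in config_text.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:
            kind, lip, lmask, fip, fmask = m.groups()
            rules.append((kind, _net(lip, lmask), _net(fip, fmask)))
    return rules

def is_filtered(src, dst, rules):
    """True if an http rule covers src/dst and no except rule removes it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = {kind for kind, local, foreign in rules if s in local and d in foreign}
    return "http" in hits and "except" not in hits

def unexplained_sources(config_text, log_lines):
    """Count 304001 messages per source that no filter statement accounts for."""
    rules = parse_filters(config_text)
    counts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and not is_filtered(m.group(1), m.group(2), rules):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

# Two filter lines taken from the ASA config above; log lines are constructed.
SAMPLE_CONFIG = """filter url http 10.220.34.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url http 10.20.25.92 255.255.255.255 0.0.0.0 0.0.0.0 allow"""
SAMPLE_LOGS = [
    "Nov 12 2008 14:20:01: %ASA-5-304001: 10.220.34.17 Accessed URL 192.0.2.10:/index.html",
    "Nov 12 2008 14:20:03: %ASA-5-304001: 10.20.25.92 Accessed URL 198.51.100.7:/a.gif",
    "Nov 12 2008 14:20:05: %ASA-5-304001: 10.20.25.93 Accessed URL 192.0.2.10:/index.html",
]

if __name__ == "__main__":
    print(unexplained_sources(SAMPLE_CONFIG, SAMPLE_LOGS))
```

Run against a config with no `filter` lines, as on the PIX in the question, every source in the log is reported.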