How to filter http, smtp in PIX-515E firewall?

sfanayei · ‎01-15-2010

Hi

I am using PIX-515E vers. 6.5 0firewall in my network. However I want to dynamically filter some URL such as malicious sites and redirect those Url to the syslogserver or another server. Is it possible? Many tanks in advance?

Bedst regards

Sfanayei

Kureli Sankar · ‎01-15-2010

This is not possible.

If you have a websense server and you configure that as a url-server then, you can run reporting off of that.

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/tz.html#wp1026449

or

If you enable fixup http then, it will automatically send a syslog to the syslog server when people access a website but, this is not possible for smtp.

Jan 15 2010 08:13:12: %ASA-5-304001: 192.168.2.2 Accessed URL 64.233.169.113:/generate_204

http://www.cisco.com/en/US/docs/security/pix/pix63/system/message/pixemsgs.html#wp1054385

-KS

vilaxmi · ‎01-17-2010

Hello,

Thats too much to ask form a PIX 515E (6.x).

What you can use is a websense 3rd party filtering device (smartfilter, websense etc..) or AIP/CSC SSM modules to do these advanced URL filtering and logging. ABout blocking SMTP , you can use ACLs on the inside ifc (inbound direction) to allow PORT 25 traffic only to/from your MAIL SERVER and block all other port 25 traffic. By using the keywork log at the end of the 2nd and 3rd ACEs, you are making sure that whenever any host OTHER THAN THE SMTP SERVER tries to send/receive emails , a log will be generated in your SYSLOG SERVER (assuming you have one setup).

Access-list SMTP_BLOCK extended permit tcp host x.x.x.x any eq 25

Access-list SMTP_BLOCK extended deny tcp any eq 25 any log

Access-list SMTP_BLOCK extended deny tcp eq 25 any any log

Access-list SMTP_BLOCK extended permit ip any any

access-group SMTP_BLOCK in interface inside

HTH

Vijaya