SR520-Integrate Business Hours with Trend Micro

Answered Question
Jul 15th, 2010

I have an SR520 that is using Trend Micro Content Filtering and I got an unusual request from a client.  Is it possible to have Trend Micro only filter websites during business hours.  I have looked through a lot of documentation regarding the SR520 and Trend Micro but I haven't seen anything about this.

Any help is much appreciated.

I have this problem too.
0 votes
Correct Answer by Panos Kampanakis about 6 years 4 months ago

Hmmm, you can use time based ACLs to match traffic that will be filtered. The rest of the time the ACL will not be matched and thus the traffic will not be hitting the Trend policy.


For example look at https://supportforums.cisco.com/docs/DOC-8028#_Filtered_Hosts_ClassMap_

class-map type inspect match-all filtered-hosts

 match protocol http
match access-group 123

access-list 123 is the one that matches the hosts to be filtered according to the Trend policy. If that ACL matches based on time (time based ACL) then you can filter these hosts only during the time the ACL says.

I haven't tested it but it should work.

Please let us know if it solved the issue for future reference.

I hope it helps.

PK

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Panos Kampanakis Thu, 07/15/2010 - 15:04

Hmmm, you can use time based ACLs to match traffic that will be filtered. The rest of the time the ACL will not be matched and thus the traffic will not be hitting the Trend policy.


For example look at https://supportforums.cisco.com/docs/DOC-8028#_Filtered_Hosts_ClassMap_

class-map type inspect match-all filtered-hosts

 match protocol http
match access-group 123

access-list 123 is the one that matches the hosts to be filtered according to the Trend policy. If that ACL matches based on time (time based ACL) then you can filter these hosts only during the time the ACL says.

I haven't tested it but it should work.

Please let us know if it solved the issue for future reference.

I hope it helps.

PK

markher182 Mon, 07/19/2010 - 17:55

I have tried the configuration you suggested with success.  I tried to post it on the forum but I don't see it anymore.  Was this removed?

Panos Kampanakis Tue, 07/20/2010 - 06:59

I am not sure if it was removed..

Please mark the question as answered if you want  so that others can benefit in the future.

Also you might want to avoid posting your address and phone number in forums, for your privacy.

PK

markher182 Tue, 07/20/2010 - 12:03

My apologies.  I was looking for something else.   Your recommendation did work. Essentially just implemented a time based access list like you suggested.   Here is a sample config that I used to make it work.  Thanks again!

class-map type inspect match-all HTTP

match protocol http

match access-group 160

Extended IP access list 160
    10 permit ip any any time-range business-hours (active) (2643 matches)
time-range entry: business-hours (active)
   periodic weekdays 7:00 to 17:00
   used in: IP ACL entry

Actions

This Discussion

Related Content