Disable http inspection in global_policy FWSM

Apr 30th, 2014

I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.

Looking into the config on the FWSM, I see that under the global_policy we are inspecting http:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http

I would like to remove inspect http as a test to see if this is causing our problems, but I am unsure of the impact of doing this.


Also, it is strange, as this option has been there for a long time and our download issues have only recently started to happen. It does seem to be only for http links, though.

I don't really understand what the inspection engine does?

Karsten Iwen Wed, 04/30/2014 - 03:35

If you don't have any config that needs the enabled http-inspection, then it's very likely that your HTTP-inspection basically doesn't do anything. And based on your description I would assume that the problem should be somewhere outside the FWSM.

Do you see anything in the log regarding the problems?

If you really don't need the inspection (any "filter"-command on the FWSM?) then I would just remove the inspection:

policy-map global_policy
  class inspection_default
    no inspect http

Marvin Rhoads Thu, 05/01/2014 - 10:14

I agree with Karsten.

Also verify that you don't have any http proxy or url-filter service configured. 

roger perkin Thu, 05/01/2014 - 08:33

Well,

I removed the http inspection and it broke all inbound and outbound web services!

Then I discovered this:

url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5

filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow

This web-sense server is down and no longer used.

But am I correct to assume that the presence of this config caused a problem, as all http was trying to go via the Websense, but with the http inspection enabled it is able to go out direct?

I am unclear as to exactly how the inspection and the url-server / filter url commands interact.


Thanks

Roger
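Karsten's advice to look for any "filter" command before pulling `inspect http`, and Roger's later discovery of the `url-server` / `filter url` lines, amount to a pre-change dependency check. The script below is an added example (not from the thread or from Cisco) that parses the indented policy-map / class / inspect hierarchy of an FWSM-style config, lists `filter` and `url-server` lines, and only reports the removal as safe when HTTP inspection is present and nothing else references URL filtering. The sample config is constructed for the example, with a placeholder host address.

```python
"""Pre-change check: what in an FWSM-style config depends on 'inspect http'?"""
import re

# Constructed sample config modelled on the lines quoted in the thread.
# 10.0.0.10 is a placeholder for the masked Websense host address.
SAMPLE_CONFIG = """\
url-server (WEB-Sense) vendor websense host 10.0.0.10 timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect http
service-policy global_policy global
"""


def parse_policy_maps(config):
    """Return {policy_map: {class_name: [inspection ...]}} using indentation
    to track which policy-map / class each 'inspect' line belongs to."""
    maps, pm, cls = {}, None, None
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:                      # new top-level command
            pm = cls = None
            m = re.match(r"policy-map (\S+)$", line)
            if m:
                pm = m.group(1)
                maps[pm] = {}
        elif pm and line.startswith("class "):
            cls = line.split(None, 1)[1]
            maps[pm][cls] = []
        elif pm and cls and line.startswith("inspect "):
            maps[pm][cls].append(line.split(None, 1)[1])
    return maps


def url_filter_lines(config):
    """Config lines that rely on HTTP inspection: 'filter ...' and 'url-server ...'."""
    return [l.strip() for l in config.splitlines()
            if re.match(r"(filter |url-server)", l.strip())]


def check_remove_inspect_http(config, policy="global_policy"):
    """Summarise whether 'inspect http' can be removed from `policy` without
    breaking URL filtering; 'http' must be the first token of the inspect line."""
    classes = parse_policy_maps(config).get(policy, {})
    enabled = any(ins.split()[0] == "http" for lst in classes.values() for ins in lst)
    deps = url_filter_lines(config)
    return {"http_inspect_enabled": enabled, "dependencies": deps,
            "safe_to_remove": enabled and not deps}
```

Run on the sample, the report lists both Websense lines and marks the removal as unsafe, which matches what Roger saw when he removed the inspection with that config still in place.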
