Disable http inspection in global_policy FWSM

roger perkin
Level 2

I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.

Looking into the config on the FWSM I see that under the global_policy we are inspecting http:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http

I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?

Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?

I don't really understand what the inspection engine does?

3 Replies

If you don't have any config that needs the enabled http-inspection, then it's very likely that your HTTP-inspection basically doesn't do anything. And based on your description I would assume that the problem should be somewhere outside the FWSM.

Do you see anything in the log regarding the problems?

If you really don't need the inspection (any "filter"-command on the FWSM?) then I would just remove the inspection:

policy-map global_policy
  class inspection_default
    no inspect http

I agree with Karsten.

Also verify that you don't have any http proxy or url-filter service configured. 

Well,

I removed the http inspection and it broke all inbound and outbound web services!

Then I discovered this:

url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5

filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
This web-sense server is down and no longer used.

But am I correct to assume that the presence of this config caused a problem as all http was trying to go via the Websense but with the http inspection enabled it is able to go out direct?

I am unclear as to exactly how the inspection and the url-server / filter url commands interact.

Thanks

Roger
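
The replies above ask whether any "filter" or url-server commands exist before removing inspect http, and in this thread those commands turned up only after the change. The following pre-change check is an added example, not code posted by anyone in the thread; the function names are hypothetical and the sample config is constructed from the lines quoted above.

```python
import re

# Constructed sample: a running-config excerpt assembled from lines quoted in the thread.
SAMPLE_CONFIG = """\
url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect http
"""

def inspections(config, policy="global_policy"):
    """Return {class_name: [protocols]} for the inspect lines under one policy-map."""
    result, in_policy, current = {}, False, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # a top-level command starts or ends the block
            in_policy = line.split() == ["policy-map", policy]
            current = None
            continue
        if not in_policy:
            continue
        words = line.split()
        if words[0] == "class" and len(words) > 1:
            current = words[1]
            result.setdefault(current, [])
        elif words[0] == "inspect" and current:
            result[current].append(" ".join(words[1:]))
    return result

def url_filter_lines(config):
    """Top-level url-server / filter commands, the ones the replies say to look for."""
    return [l.strip() for l in config.splitlines()
            if re.match(r"(url-server|filter)\s", l)]

def precheck_remove_http(config):
    """Return (http_inspected, lines_to_review) before issuing 'no inspect http'."""
    http = any("http" in protos for protos in inspections(config).values())
    return http, url_filter_lines(config)

if __name__ == "__main__":
    http, blockers = precheck_remove_http(SAMPLE_CONFIG)
    print("inspect http present:", http)
    for b in blockers:
        print("review before change:", b)
```

A non-empty second value means the config still carries url-server or filter commands that should be reviewed, and removed if the filtering server is retired, before the inspection change is made.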