11-09-2011 12:37 PM - edited 03-11-2019 02:48 PM
Hi to all. I have an ASA which is situated between the LAN clients and Squid. I have to inspect all http traffic looking for
malicious http-tunneling. I solved this by dropping all traffic with the CONNECT request method. I must inspect all traffic except https traffic with gmail.com, and this is
regex gmail ".gmail\.com"

class-map type inspect http match-all Tunneling
 description -= Disable http-tunneling =-
 match request method connect
 match not request args regex gmail

policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
 match request args regex class DomainBlockList
  drop-connection
 class Tunneling
  drop-connection log
Any suggestions on how I can exclude a certain domain (for example gmail) from the main inspection?
11-10-2011 03:14 AM
Nobody uses http-inspection!?!?
11-10-2011 07:34 AM
Hi Igor,
The ASA's HTTP inspection will not inspect HTTPS traffic since the payload is encrypted. That being said, if you want to exclude a domain from inspection for HTTP traffic, you should use 'match not request header host regex gmail' instead of 'match not request args regex gmail'. The domain name will appear in the host field, rather than the args of the URL.
Hope that helps.
-Mike
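An added illustration, not from the thread and not Cisco's code, of why the posted class-map dropped every CONNECT and what changes with Mike's fix. It models the two match conditions in Python: `args` is taken as the URI query string (an assumption about what `match request args` inspects), `host` as the Host header value, and the posted regex is applied with `re.search`, which is unanchored substring matching like an unanchored ASA regex (Python's engine stands in for the ASA's). The sample requests are constructed, not captured. It also shows a caveat in the posted pattern `.gmail\.com`: the leading `.` must consume one character before `gmail`, so a bare `Host: gmail.com` is not excluded while a look-alike such as `evilgmail.com` is. A tightened, anchored pattern is included as an assumption; check it against the ASA regex syntax before putting it in a `regex` command.

```python
import re

# Regex as posted in the thread (regex gmail ".gmail\.com"), applied with
# re.search, i.e. unanchored substring matching, as an unanchored ASA regex
# behaves. Python's engine stands in for the ASA's here.
GMAIL_REGEX = re.compile(r".gmail\.com")

# Tightened pattern (an assumption, not from the thread): anchored to the whole
# Host value, allows subdomains and an optional :port, rejects look-alikes.
GMAIL_REGEX_TIGHT = re.compile(r"^([a-z0-9-]+\.)*gmail\.com(:[0-9]+)?$")

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "gmail_connect":      "CONNECT mail.gmail.com:443 HTTP/1.1\r\nHost: mail.gmail.com:443\r\n\r\n",
    "bare_gmail_connect": "CONNECT gmail.com:443 HTTP/1.1\r\nHost: gmail.com:443\r\n\r\n",
    "other_connect":      "CONNECT ssh.example.net:22 HTTP/1.1\r\nHost: ssh.example.net:22\r\n\r\n",
    "lookalike_connect":  "CONNECT evilgmail.com:443 HTTP/1.1\r\nHost: evilgmail.com:443\r\n\r\n",
    "plain_get":          "GET /search?q=gmail.com HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def parse_request(raw: str) -> dict:
    """Split a minimal HTTP/1.1 request into the fields the class-map looks at.

    'args' models 'match request args' as the URI query string (assumption);
    'host' models 'match request header host' as the Host header value.
    """
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:  # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method.upper(),
        "args": target.partition("?")[2],  # empty for CONNECT host:port targets
        "host": headers.get("host", ""),
    }


def tunneling_class(req: dict, field: str, regex: re.Pattern) -> bool:
    """class-map type inspect http match-all Tunneling:
         match request method connect
         match not request <field> regex gmail
    True when both conditions hold, i.e. the policy-map drops the connection.
    """
    return req["method"] == "CONNECT" and regex.search(req[field]) is None


def evaluate(field: str, regex: re.Pattern) -> dict:
    """Run every sample request through the class and report the resulting action."""
    return {
        name: "drop-connection" if tunneling_class(parse_request(raw), field, regex) else "pass"
        for name, raw in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    for label, field, regex in [
        ("original: match not request args regex gmail", "args", GMAIL_REGEX),
        ("fixed: match not request header host regex gmail", "host", GMAIL_REGEX),
        ("fixed, with the tightened regex", "host", GMAIL_REGEX_TIGHT),
    ]:
        print(label)
        for name, verdict in evaluate(field, regex).items():
            print(f"  {name:20} {verdict}")
```

With the original `args` match, every CONNECT has an empty query string, so `match not ... regex gmail` is always true and all CONNECTs are dropped, gmail included. With the Host header match, `mail.gmail.com` passes, but `gmail.com` itself is still dropped and `evilgmail.com` passes; the anchored pattern corrects both.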
11-11-2011 12:15 AM
Hi Mike,
Thanks for your help. Such a solution really works!!
Thanks again!!!