ASA http inspection, how exclude a certain domain

Igor Mordiuk
Level 1

Hi to all. I have an ASA which is situated between the LAN clients and Squid. I have to inspect all HTTP traffic, looking for malicious HTTP tunneling. I solved this by dropping all traffic with the CONNECT request method. I must inspect all traffic except HTTPS traffic with gmail.com and this is

policy-map type inspect http http_inspection_policy
 parameters
  protocol-violation action drop-connection log
 match request args regex class DomainBlockList
  drop-connection
 class Tunneling
  drop-connection log

class-map type inspect http match-all Tunneling
 description -= Disabel http-tunneling =-
 match request method connect
 match not request args regex gmail

regex gmail ".gmail\.com"

Any suggestions how I can exclude a certain domain (for example gmail) from main inspection?


Igor Mordiuk
Level 1

Nobody uses http-inspection!?!?

Hi Igor,

The ASA's HTTP inspection will not inspect HTTPS traffic since the payload is encrypted. That being said, if you want to exclude a domain from inspection for HTTP traffic, you should use 'match not request header host regex gmail' instead of 'match not request args regex gmail'. The domain name will appear in the host field, rather than the args of the URL.

Hope that helps.

-Mike
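
An added illustration of the answer above (not part of the original thread and not Cisco code): a small Python model of the Tunneling class-map, evaluated against constructed CONNECT requests with the posted regex applied first to the args and then to the Host header. Treating "args" as the query string after "?" and using Python's regex engine in place of the ASA's are assumptions of this model.

```python
import re

# The regex object from the question; "." and "\." mean the same in Python.
GMAIL = re.compile(r".gmail\.com")

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request head into the fields the class-map tests."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Assumption: "args" is modelled as the query string after "?".
    _, _, args = target.partition("?")
    return {"method": method.upper(), "args": args,
            "host": headers.get("host", "")}

def tunneling_class_matches(raw: bytes, field: str) -> bool:
    """match-all: method is CONNECT AND the chosen field does NOT match."""
    req = parse_request(raw)
    return req["method"] == "CONNECT" and not GMAIL.search(req[field])

# Constructed sample requests, as a client would send them to the proxy.
GMAIL_CONNECT = (b"CONNECT www.gmail.com:443 HTTP/1.1\r\n"
                 b"Host: www.gmail.com:443\r\n\r\n")
OTHER_CONNECT = (b"CONNECT tunnel.example.net:443 HTTP/1.1\r\n"
                 b"Host: tunnel.example.net:443\r\n\r\n")
BARE_CONNECT = (b"CONNECT gmail.com:443 HTTP/1.1\r\n"
                b"Host: gmail.com:443\r\n\r\n")

if __name__ == "__main__":
    samples = [("www.gmail.com", GMAIL_CONNECT),
               ("tunnel.example.net", OTHER_CONNECT),
               ("gmail.com", BARE_CONNECT)]
    for label, raw in samples:
        for field in ("args", "host"):
            hit = tunneling_class_matches(raw, field)
            verdict = "drop" if hit else "pass"
            print(f"{label:20} match not ... {field:4} -> {verdict}")
```

In this model the third sample is still dropped with the Host match, because the leading "." in the regex requires one character before "gmail"; a Host of exactly gmail.com is not exempted.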

Hi Mike,

Thanks for your help. Such a solution really works!!

Thanks again!!!
