Community Member

Disable http inspection in global_policy FWSM

I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.

Looking into the config on the FWSM, I see that under the global_policy we are inspecting http:

policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http

I would like to remove inspect http as a test to see if this is causing our problems, but I am unsure of the impact of doing this.


Also, it is strange, as this option has been there for a long time and our download issues have only recently started to happen. It does seem to be only for http links, though.

I don't really understand what the inspection engine does.


3 REPLIES
VIP Purple

If you don't have any config that needs the enabled http-inspection, then it's very likely that your HTTP-inspection basically doesn't do anything. And based on your description I would assume that the problem should be somewhere outside the FWSM.

Do you see anything in the log regarding the problems?

If you really don't need the inspection (any "filter"-command on the FWSM?) then I would just remove the inspection:

policy-map global_policy
  class inspection_default
    no inspect http

Hall of Fame Super Silver

I agree with Karsten.

Also verify that you don't have any http proxy or url-filter service configured. 

Community Member

Well,

I removed the http inspection and it broke all inbound and outbound web services!

Then I discovered this:

url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5

filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow

This web-sense server is down and no longer used.

But am I correct to assume that the presence of this config caused a problem, as all http was trying to go via the Websense, but with the http inspection enabled it is able to go out direct?

I am unclear as to exactly how the inspection and the url-server / filter url commands interact.


Thanks

Roger
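The thread's lesson is that the url-server and filter url commands should have been reviewed before inspect http was removed. The following is an added example, not part of the thread, that audits a saved show running-config text for exactly that combination before a change is made; the sample config is constructed from the thread and the url-server address in it is a placeholder.

```python
import re

# Constructed sample modelled on the thread's config; the url-server address is a placeholder.
SAMPLE_CONFIG = """\
url-server (WEB-Sense) vendor websense host 10.0.0.5 timeout 30 protocol TCP version 1 connections 5
filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect http
"""

def parse_inspections(config, policy="global_policy", cls="inspection_default"):
    """Return the protocols inspected by class `cls` inside `policy-map policy`."""
    inspections = set()
    in_policy = in_class = False
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        if not raw[0].isspace():                     # top-level command ends any policy-map block
            in_policy = text == f"policy-map {policy}"
            in_class = False
        elif in_policy and text.startswith("class "):
            in_class = text == f"class {cls}"
        elif in_policy and in_class and text.startswith("inspect "):
            inspections.add(text.split()[1])
    return inspections

def url_filter_dependencies(config):
    """Collect url-server definitions and filter commands (the config the thread overlooked)."""
    servers = re.findall(r"^url-server\s+\(([^)]+)\)\s+vendor\s+(\S+)\s+host\s+(\S+)", config, re.M)
    filters = [line.strip() for line in config.splitlines() if line.startswith("filter ")]
    return servers, filters

def audit(config):
    """Report what to review before taking 'inspect http' out of the global policy."""
    findings = []
    inspections = parse_inspections(config)
    servers, filters = url_filter_dependencies(config)
    if "http" in inspections and (servers or filters):
        findings.append("inspect http is enabled and URL filtering is configured: "
                        "review the filter/url-server commands before removing the inspection")
    for iface, vendor, host in servers:
        findings.append(f"url-server {vendor} {host} on {iface}: confirm it is reachable "
                        f"or remove it together with its filter commands")
    return findings
```

Running audit(SAMPLE_CONFIG) yields two findings: the inspect http plus URL-filter combination, and the url-server that needs to be confirmed reachable or removed along with its filter commands.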
