11-20-2013 07:52 AM - edited 03-11-2019 08:07 PM
Hi Everyone,
Our ASA has the below config:
filter url http 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0
filter url http 172.16.0.0 255.240.0.0 0.0.0.0 0.0.0.0 longurl-truncate
filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate
We have Websense configured with a connection to the ASA to block some http and https traffic.
I need to understand: what does the above config do on the ASA?
Regards
Mahesh
11-20-2013 10:28 AM
filter url http 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0
This command will send all http traffic to websense for evaluation.
filter url http 172.16.0.0 255.240.0.0 0.0.0.0 0.0.0.0 longurl-truncate
filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate
These commands also send http traffic to websense for evaluation, but when dealing with a longer than permitted URL it will only send the IP address portion of the URL or the hostname for evaluation.
11-20-2013 07:49 PM
Hi Marius,
The ASA has these config lines:
filter url except 172.31.128.0 255.255.192.0 0.0.0.0 0.0.0.0
filter https except 172.31.128.0 255.255.192.0 0.0.0.0 0.0.0.0
Does the above config mean to bypass Websense and go directly to the internet if the source is from 172.31.128.x?
And does this include http and https traffic?
If we have the below config in the following order:
filter url except 172.31.128.0 255.255.192.0 0.0.0.0 0.0.0.0 rule 1
filter https except 172.31.128.0 255.255.192.0 0.0.0.0 0.0.0.0
filter url http 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0
filter url http 172.16.0.0 255.240.0.0 0.0.0.0 0.0.0.0 longurl-truncate
filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate
Does this mean that if rule 1 is matched first, just like an ACL, it will allow the http traffic from 172.31.128?
Another thing to ask: if the browser has no proxy config, will traffic come to the firewall first and, depending on the config there, be forwarded first to Websense or to the internet?
Regards
Mahesh
11-20-2013 11:59 PM
Does the above config mean to bypass Websense and go directly to the internet if the source is from 172.31.128.x?
You are correct, a filter with the except keyword will exempt all traffic that is defined in that filter from being sent to the filter server.
Does this mean that if rule 1 is matched first, just like an ACL, it will allow the http traffic from 172.31.128?
Yes, the match is based on a first match logic as with ACLs.
Another thing to ask: if the browser has no proxy config, will traffic come to the firewall first and, depending on the config there, be forwarded first to Websense or to the internet?
Again correct.
--
Please rate all helpful posts
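Added example (not part of the thread and not Cisco code): a Python sketch that evaluates the filter lines quoted above using the first-match logic the reply describes. It parses only the three line forms shown in the thread; the function names and the destination address are assumptions made for illustration.

```python
import ipaddress

# Filter lines quoted in the thread, in the order the poster listed them
# (the poster's trailing "rule 1" note is left off).
CONFIG = """\
filter url except 172.31.128.0 255.255.192.0 0.0.0.0 0.0.0.0
filter https except 172.31.128.0 255.255.192.0 0.0.0.0 0.0.0.0
filter url http 192.168.0.0 255.255.0.0 0.0.0.0 0.0.0.0
filter url http 172.16.0.0 255.240.0.0 0.0.0.0 0.0.0.0 longurl-truncate
filter url http 10.0.0.0 255.0.0.0 0.0.0.0 0.0.0.0 longurl-truncate
"""

def net(addr, mask):
    """Build a network object from an address and a dotted netmask."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}")

def parse(config):
    """Parse only the three line forms that appear in the thread."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "filter":
            continue
        service = "https" if tok[1] == "https" else "http"  # "url" lines cover HTTP
        action = "exempt" if tok[2] == "except" else "filter"
        rules.append((service, action, net(tok[3], tok[4]), net(tok[5], tok[6]), tok[7:]))
    return rules

def decide(rules, service, src_ip, dst_ip):
    """Return (action, matched source network, options) for the first matching line."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule_service, action, src_net, dst_net, options in rules:
        if rule_service == service and src in src_net and dst in dst_net:
            return action, str(src_net), options
    return "no-match", None, []  # none of the quoted lines applies

RULES = parse(CONFIG)
DST = "203.0.113.10"  # constructed destination (documentation address range)

if __name__ == "__main__":
    for svc, src in [("http", "172.31.128.10"), ("http", "172.31.191.200"),
                     ("http", "172.31.192.1"), ("https", "172.31.128.10"),
                     ("http", "192.168.1.5")]:
        print(svc, src, decide(RULES, svc, src, DST))
```

The 255.255.192.0 mask on the except lines covers 172.31.128.0 through 172.31.191.255, so the exemption is wider than 172.31.128.x alone; a source such as 172.31.192.1 falls outside it and matches the 172.16.0.0 255.240.0.0 line instead.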
11-21-2013 08:07 AM
Many thanks Marius.
Best regards
Mahesh
Message was edited by: mahesh parmar