SR520-Integrate Business Hours with Trend Micro

markher182
Level 1

I have an SR520 that is using Trend Micro Content Filtering and I got an unusual request from a client. Is it possible to have Trend Micro only filter websites during business hours? I have looked through a lot of documentation regarding the SR520 and Trend Micro but I haven't seen anything about this.

Any help is much appreciated.

Accepted Solutions

Panos Kampanakis
Cisco Employee

Hmmm, you can use time-based ACLs to match traffic that will be filtered. The rest of the time the ACL will not be matched and thus the traffic will not be hitting the Trend policy.

For example, look at https://supportforums.cisco.com/docs/DOC-8028#_Filtered_Hosts_ClassMap_

class-map type inspect match-all filtered-hosts
 match protocol http
 match access-group 123

access-list 123 is the one that matches the hosts to be filtered according to the Trend policy. If that ACL matches based on time (time-based ACL) then you can filter these hosts only during the time the ACL says.

I haven't tested it but it should work.

Please let us know if it solved the issue for future reference.

I hope it helps.

PK

I have tried the configuration you suggested with success. I tried to post it on the forum but I don't see it anymore. Was this removed?

Panos Kampanakis
Cisco Employee

I am not sure if it was removed.

Please mark the question as answered if you want, so that others can benefit in the future.

Also you might want to avoid posting your address and phone number in forums, for your privacy.

PK

My apologies. I was looking for something else. Your recommendation did work. Essentially just implemented a time based access list like you suggested. Here is a sample config that I used to make it work. Thanks again!

class-map type inspect match-all HTTP
 match protocol http
 match access-group 160

Extended IP access list 160
    10 permit ip any any time-range business-hours (active) (2643 matches)
time-range entry: business-hours (active)
   periodic weekdays 7:00 to 17:00
   used in: IP ACL entry
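
The sample above mixes configuration with show output, so here are the same pieces written as the commands that would be entered (an added example, not part of the original posts). The names business-hours, HTTP and ACL number 160 come from the post; the policy-map that attaches the Trend Micro filter to this class is not shown on the page and is left out.

```cisco
! Define when filtering applies. The range is evaluated against the
! router's own clock, so check "show clock" before relying on it.
time-range business-hours
 periodic weekdays 7:00 to 17:00
!
! The ACL entry only matches while the time-range is active.
access-list 160 permit ip any any time-range business-hours
!
! Traffic must be HTTP and match ACL 160 to fall into this class.
! Outside the time-range the ACL does not match, so the class
! (and the content-filter policy attached to it) is not hit.
class-map type inspect match-all HTTP
 match protocol http
 match access-group 160
!
! Verification from exec mode: the output shows (active) or (inactive)
! for the time-range and the match counter on the ACL entry.
! show time-range
! show access-lists 160
```

Traffic that does not match this class outside the time-range is handled by the remaining classes in the policy-map, so confirm those give the intended result after hours.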