Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ZBF and Url-Filtering ( Web-sense )

I have Zone Based Firewall running on a 2821 router and would like to configure Url Filtering with Websence . IOS running on that device is

c2800nm-adverterprisek9-mz.150-1.M7.bin . Once you have ZBF config you cant configure url-filtering using classic way ( ip inspect ) and this has to be done using class , policy maps .

For this to to happen it is required to have match protocol http command under the class map , it wont work using the match access-group command . Following is what I configured

ip access-list extended NAT

permit ip 172.20.0.0 0.0.255.255 any

class-map type inspect match-all Inside_to_Restrict

match access-group name NAT

match protocol http

Once I put match protocol http command browsing becomes dead slow , also without using match protocol command I cant continue to configure Url Filtering . Is this a problem related to IOS where match protocol command isnt working fine . I have checked CPU utlization of Router and it was roughly near 7 percent .

Everyone's tags (2)
3 REPLIES

ZBF and Url-Filtering ( Web-sense )

Hello,

Please use the followin link, if you still have problems then let us know

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml#url-filter

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Re: ZBF and Url-Filtering ( Web-sense )

Following was the configuration done

ip access-list extended NAT

permit ip 172.20.0.0 0.0.255.255 any

!

!

parameter-map type urlfpolicy websense websense-param-map

server 172.20.1.6 timeout 30

truncate script-parameters

cache-size maximum-entries 100

cache-entry-lifetime 1

!

!

class-map type inspect match-all Inside_to_Restrict

match access-group name NAT

match protocol http

!

policy-map type inspect Inside_to_Restrict

class type inspect Inside_to_Restrict

  inspect

  service-policy urlfilter websense-policy

class class-default

  drop

policy-map type inspect urlfilter websense-policy

parameter type urlfpolicy websense websense-param-map

class type urlfilter websense websense-class

  server-specified-action

  log

!

!

zone-pair security Inside_to_Restrict source Inside destination Restrict

service-policy type inspect Inside_to_Restrict

I could see debug messages on which means URL filtering was working but from user end it HTTP was almost dead and website was not opening up .

After doing a lot of troubleshooting I found out that it was a problem related to match protocol http command , when ever I put this command under the class-map HTTP sessions become dead slow . We had communication with someone working with web sense devices and got to know that one more customer had to scrap ZBF for web sense to work .

I cannot apply classic url filtering ( web sense ) which requires ip inspect as router's interfaces are already configured for Zones .

New Member

Hi, We have the same problem:

Hi,

 

We have the same problem: for some websites HTTP response is very slow when using ZBF and Websense urlfilter (6-7 minutes for JPG of ~38Kbytes). If we remove the urlfilter config then the same website loads correctly at good speed.

When using the ip inspect firewall config and urlfilter we had the same problem until we added

access-list 1 permit any

ip inspect name test http java-list 1

 

With that piece of config on ip inspect the inspect http and URL filter works just fine but there does not seem to be an equivalent for ZBF.

 

Did you find a solution to use ZBF and not have that issue without rolling back to the IP inspect config ?

 

Thanks.

1019
Views
0
Helpful
3
Replies