Cisco Support Community
How to configure URL filtering in the PIX Firewall

What is URL filtering?

Suppose you type the name of your favorite social networking site into your web browser and, instead of the site, you see a message like “The policy of this organization doesn’t allow you to browse that website”. A URL filter put in place by your IT department is blocking the site from the office. A URL filter categorizes websites on the Internet and either allows or blocks access to them for the organization's web users, either by consulting an already categorized central database (maintained by URL filtering vendors) or by classifying websites in real time. If required, URL filtering can also be applied only during certain times of the day or days of the week.

Why is URL Filtering required?

URL filtering is required to stop the users of an organization from accessing, during working hours, websites that:

  • Drain their productivity
  • Let them view objectionable content from the workplace
  • Are bandwidth intensive and hence create a strain on resources


Core issue

Apply filtering to connection requests that originate from a more secure network to a less secure network. Although you can use ACLs to prevent outbound access to specific content servers, managing usage this way is difficult because of the size and dynamic nature of the Internet. Using a separate filtering server simplifies configuration and improves security appliance performance.

You can use any one of these Internet filtering products as a URL Filtering Server:

  • Websense Enterprise for filtering HTTP, HTTPS, and FTP

  • Sentian by N2H2 for filtering HTTP only. Although some versions of Sentian support HTTPS, the security appliance only supports filtering HTTP with Sentian.

Resolution

Complete these steps in order to filter URLs:

  1. Designate the URL filtering application server with the appropriate form of the vendor-specific url-server command.

  2. Enable URL filtering with the filter command.

  3. (Optional) Use the url-cache command in order to enable URL caching to improve perceived response time.

  4. (Optional) Use the url-block commands in order to enable long URL and HTTP buffering support.

  5. Use these commands in order to verify configurations:

    1. show url-server

    2. show url-server stats

    3. show url-block block stat

    4. show url-cache stats

    5. show filter

Refer to the following example, which filters all outbound HTTPS connections except those from the 10.0.2.54 host:

hostname(config)# url-server (perimeter) host 10.0.1.1
hostname(config)# filter https 443 0 0 0 0
hostname(config)# filter https except 10.0.2.54 255.255.255.255 0 0

The following example shows how to enable FTP filtering:

hostname(config)# url-server (perimeter) host 10.0.1.1
hostname(config)# filter ftp 21 0 0 0 0
hostname(config)# filter ftp except 10.0.2.54 255.255.255.255 0 0
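As an added example (not code from the article or from Cisco), the following Python parses url-server and filter lines of the form shown above into structured rules and runs an assumed sanity check: since the article filters HTTPS with filter https 443, a filter url rule on port 443 is flagged. The sample configuration is constructed from the article's lines.

```python
import re
from dataclasses import dataclass
# Constructed sample: the article's HTTPS example plus two "filter url"
# lines of the form posted in the comment below the article.
SAMPLE_CONFIG = """
hostname(config)# url-server (perimeter) host 10.0.1.1
hostname(config)# filter https 443 0 0 0 0
hostname(config)# filter https except 10.0.2.54 255.255.255.255 0 0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate
"""
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")  # strips "hostname(config)# "
URL_SERVER_RE = re.compile(r"^url-server\s+\((?P<iface>[^)]+)\)"
                           r"(?:\s+vendor\s+(?P<vendor>\S+))?\s+host\s+(?P<host>\S+)")
FILTER_RE = re.compile(r"^filter\s+(?P<kind>url|https|ftp)\s+(?P<port>\S+)\s+(?P<lip>\S+)"
                       r"\s+(?P<lmask>\S+)\s+(?P<fip>\S+)\s+(?P<fmask>\S+)\s*(?P<opts>.*)$")
PORT_NAMES = {"http": 80, "https": 443, "ftp": 21}  # keywords allowed in the port slot

@dataclass
class FilterRule:
    kind: str            # "url" filters HTTP, "https" filters HTTPS, "ftp" filters FTP
    port: "int | None"   # None for an "except" rule, which exempts hosts and has no port
    local: str           # local_ip/local_mask, shorthand "0" expanded to 0.0.0.0
    foreign: str         # foreign_ip/foreign_mask
    options: tuple = ()  # trailing options such as allow, longurl-truncate
_ip = lambda s: "0.0.0.0" if s == "0" else s  # PIX accepts "0" for 0.0.0.0

def parse(text):
    """Return (url_servers, filter_rules) from PIX config lines; prompts are allowed."""
    servers, rules = [], []
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if m := URL_SERVER_RE.match(line):
            servers.append(m.groupdict())
        elif m := FILTER_RE.match(line):
            p = m["port"]
            port = None if p == "except" else PORT_NAMES.get(p) or int(p)
            rules.append(FilterRule(m["kind"], port, f"{_ip(m['lip'])}/{_ip(m['lmask'])}",
                                    f"{_ip(m['fip'])}/{_ip(m['fmask'])}", tuple(m["opts"].split())))
    return servers, rules

def lint(servers, rules):
    """Assumed sanity checks drawn from the article's examples, not a Cisco tool."""
    findings = []
    if rules and not servers:
        findings.append("filter rules present but no url-server defined")
    for r in rules:  # the article filters HTTPS with "filter https 443", not "filter url 443"
        if r.kind == "url" and r.port == 443:
            findings.append("port 443 is in a 'filter url' (HTTP) rule; use 'filter https 443'")
    return findings
```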

Refer to these documents for more information:

Note: Refer to Applying Filtering Services for more information on PIX Firewall version 7.x and later.

Last update: 06-22-2009 03:42 PM
Comments

Hello,

I have recently come across the need to troubleshoot why https (port 443) traffic going to facebook.com is not being redirected to the Websense server as http (port 80) traffic is. I have found this forum post and have configured a command similarly to filter https traffic, but our testing reveals that https traffic doesn't seem to be redirected by the PIX firewall. Below are the commands which I have configured. Can someone take a look and let me know what else is needed or why it is still not working?

url-server (Inside) vendor websense host 172.16.1.10 timeout 30 protocol TCP version 4 connections 5

filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate

filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate

Thanks in advance,

Adil Nasser