13-16
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
HTTP Inspection
Configure an HTTP Inspection Policy Map
To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can
then apply the inspection policy map when you enable HTTP inspection.
Before You Begin
Some traffic matching options use regular expressions for matching purposes. If you intend to use one
of those techniques, first create the regular expression or regular expression class map.
Procedure
Step 1
(Optional) Create an HTTP inspection class map by performing the following steps.
A class map groups multiple traffic matches.You can alternatively identify
match
commands directly in
the policy map. The difference between creating a class map and defining the traffic match directly in
the inspection policy map is that the class map lets you create more complex match criteria, and you can
reuse class maps.
To specify traffic that should not match the class map, use the
match not
command. For example, if the
match not
command specifies the string “example.com,” then any traffic that includes “example.com”
does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the
inspection policy map.
If you want to perform different actions for each
match
command, you should identify the traffic directly
in the policy map.
a.
Create the class map by entering the following command:
hostname(config)#
class-map type
inspect http
[
match-all
|
match-any
]
class_map_name
hostname(config-cmap)#
Where the
class_map_name
is the name of the class map. The
match-all
keyword is the default, and
specifies that traffic must match all criteria to match the class map. The match-any keyword
specifies that the traffic matches the class map if it matches at least one
match
statement. The CLI
enters class-map configuration mode, where you can enter one or more
match
commands.
b.
(Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)#
description
string
Where
string
is the description of the class map (up to 200 characters).
c.
Specify the traffic on which you want to perform actions using one of the following
match
commands. If you use a
match not
command, then any traffic that does not match the criterion in
the
match not
command has the action applied.
•
match
[
not
]
req-resp content-type mismatch
—Matches traffic with a content-type field in the
HTTP response that does not match the accept field in the corresponding HTTP request
message.
•
match
[
not
]
request args regex
{
regex_name
|
class
class_name
}—Matches text found in the
HTTP request message arguments against the specified regular expression or regular expression
class.
•
match
[
not
]
request body
{
regex
{
regex_name
|
class
class_name
} |
length gt
bytes
}—Matches text found in the HTTP request message body against the specified regular
expression or regular expression class, or messages where the request body is greater than the
specified length.
Summary of Contents for ASA 5508-X
Page 11: ...P A R T 1 Access Control ...
Page 12: ......
Page 157: ...P A R T 2 Network Address Translation ...
Page 158: ......
Page 233: ...P A R T 3 Service Policies and Application Inspection ...
Page 234: ......
Page 379: ...P A R T 4 Connection Management and Threat Detection ...
Page 380: ......