7-14
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Inspection of Basic Internet Protocols
HTTP Inspection
•
ftp_policy_map
is the optional FTP inspection policy map. You need a map only if you want
non-default inspection processing. For information on creating the FTP inspection policy map, see
Configure an FTP Inspection Policy Map, page 7-10
.
Example:
hostname(config-class)# no inspect ftp
hostname(config-class)# inspect ftp strict ftp-map
Note
If you are editing the default global policy (or any in-use policy) to use a different FTP
inspection policy map, you must remove the FTP inspection with the
no inspect ftp
command,
and then re-add it with the new FTP inspection policy map name.
Step 5
If you are editing an existing service policy (such as the default global policy called global_policy), you
are done. Otherwise, activate the policy map on one or more interfaces.
service-policy
policymap_name
{
global
|
interface
interface_name
}
Example:
hostname(config)# service-policy global_policy global
The
global
keyword applies the policy map to all interfaces, and
interface
applies the policy to one
interface. Only one global policy is allowed. You can override the global policy on an interface by
applying a service policy to that interface. You can only apply one policy map to each interface.
Verifying and Monitoring FTP Inspection
FTP application inspection generates the following log messages:
•
An Audit record 303002 is generated for each file that is retrieved or uploaded.
•
The FTP command is checked to see if it is RETR or STOR and the retrieve and store commands
are logged.
•
The username is obtained by looking up a table providing the IP address.
•
The username, source IP address, destination IP address, NAT address, and the file operation are
logged.
•
Audit record 201005 is generated if the secondary dynamic channel preparation failed due to
memory shortage.
In conjunction with NAT, the FTP application inspection translates the IP address within the application
payload. This is described in detail in RFC 959.
HTTP Inspection
The following sections describe the HTTP inspection engine.
•
HTTP Inspection Overview, page 7-15
•
Summary of Contents for ASA 5512-X
Page 5: ...P A R T 1 Service Policies and Access Control ...
Page 6: ......
Page 51: ...P A R T 2 Network Address Translation ...
Page 52: ......
Page 127: ...P A R T 3 Application Inspection ...
Page 128: ......
Page 255: ...P A R T 4 Connection Settings and Quality of Service ...
Page 256: ......
Page 303: ...P A R T 5 Advanced Network Protection ...
Page 304: ......
Page 339: ...P A R T 6 ASA Modules ...
Page 340: ......