13-16
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
HTTP Inspection
Configure an HTTP Inspection Policy Map
To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can
then apply the inspection policy map when you enable HTTP inspection.
Before You Begin
Some traffic matching options use regular expressions for matching purposes. If you intend to use one
of those techniques, first create the regular expression or regular expression class map.
Procedure
Step 1
(Optional) Create an HTTP inspection class map by performing the following steps.
A class map groups multiple traffic matches.You can alternatively identify
match
commands directly in
the policy map. The difference between creating a class map and defining the traffic match directly in
the inspection policy map is that the class map lets you create more complex match criteria, and you can
reuse class maps.
To specify traffic that should not match the class map, use the
match not
command. For example, if the
match not
command specifies the string “example.com,” then any traffic that includes “example.com”
does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the
inspection policy map.
If you want to perform different actions for each
match
command, you should identify the traffic directly
in the policy map.
a.
Create the class map by entering the following command:
hostname(config)#
class-map type
inspect http
[
match-all
|
match-any
]
class_map_name
hostname(config-cmap)#
Where the
class_map_name
is the name of the class map. The
match-all
keyword is the default, and
specifies that traffic must match all criteria to match the class map. The match-any keyword
specifies that the traffic matches the class map if it matches at least one
match
statement. The CLI
enters class-map configuration mode, where you can enter one or more
match
commands.
b.
(Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)#
description
string
Where
string
is the description of the class map (up to 200 characters).
c.
Specify the traffic on which you want to perform actions using one of the following
match
commands. If you use a
match not
command, then any traffic that does not match the criterion in
the
match not
command has the action applied.
•
match
[
not
]
req-resp content-type mismatch
—Matches traffic with a content-type field in the
HTTP response that does not match the accept field in the corresponding HTTP request
message.
•
match
[
not
]
request args regex
{
regex_name
|
class
class_name
}—Matches text found in the
HTTP request message arguments against the specified regular expression or regular expression
class.
•
match
[
not
]
request body
{
regex
{
regex_name
|
class
class_name
} |
length gt
bytes
}—Matches text found in the HTTP request message body against the specified regular
expression or regular expression class, or messages where the request body is greater than the
specified length.
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...