Cisco IOS startup configuration

Before you begin

Applies to:
  • Forcepoint URL Filtering, v8.5.x

Before Filtering Service can apply policies to Internet requests, the Cisco IOS router must be configured to use Filtering Service as a URL filter.

Steps

  1. Access the router’s software from a console, or from a remote terminal using telnet.
  2. Enter your password.
  3. Enter enable and the enable password to put the router into enabled mode.
  4. Enter configure terminal to activate configure mode.
  5. Enter the following command to identify the Filtering Service machine that will filter HTTP requests:

    ip urlfilter server vendor forcepoint <ip-address> [port <port-number>] [timeout <seconds>] [retransmit <number>]

    Variable        Description
    <ip-address>    The IP address of the machine running Filtering Service.
    <port-number>   The Filtering Service port (also referred to as the integration communication port), default 15868.
    <seconds>       The amount of time the Cisco IOS router waits for a response from Filtering Service. The default timeout is 5 seconds.
    <number>        How many times the Cisco IOS router retransmits an HTTP request when there is no response from Filtering Service. The default is 2.

    An example of this command is:

    ip urlfilter server vendor forcepoint 12.203.9.116 timeout 8 retransmit 6

    To define an additional Filtering Service instance as a backup, repeat the command using the IP address of the second Filtering Service machine.

    The configuration settings you create in the following steps are always applied to the primary server.

    Only one Filtering Service instance (the primary server) is used at a time. If the primary server becomes unavailable, the system goes to the list of configured Filtering Service instances and attempts to activate the first one. If the first server is not available, the system attempts to activate the next one. This continues until an available server is found or the end of the list of configured servers is reached. If all servers are down, the router goes into allow mode.

  6. Enable the logging of system messages to Filtering Service by entering the following command:

    ip urlfilter urlf-server-log

    This setting is disabled by default. When logging is enabled, the Cisco IOS router sends a log request immediately after the URL lookup request.

    (Recent changes to Cisco software at version v15 have removed support for this command. This is under research.)

  7. Tell the Cisco IOS router how to filter URL requests by entering the following commands, in sequence:

    ip inspect name <inspection-name> http urlfilter

    interface <type> <slot/port>

    ip inspect <inspection-name> {in|out}

    Examples of these commands are:

    ip inspect name fw_url http urlfilter

    interface FastEthernet 0/0

    ip inspect fw_url in

    For this sequence to function properly, you must create an inspection rule called fw_url and apply that rule to the inbound interface of the router.

    See Cisco documentation for information about creating and applying inspection rules.

    To improve performance, Cisco suggests disabling the Java applet scanner. Java applet scanning increases CPU processing load. To disable the Java applet scanner, use the following commands, in sequence:

    access-list <num> permit any

    ip inspect name <inspection-name> http java-list <num> urlfilter

    See Cisco documentation for more information about these commands.

  8. To save your changes:
    1. Enter the exit command twice to leave the configure mode.
    2. Enter write memory.
    These commands store the configuration settings in the Cisco IOS router’s startup configuration so they are not lost if the router is shut down or loses power.
  9. Use the following commands to view various aspects of your installations:
    Command                                  Action
    show ip inspect name <inspection-name>   Displays a specific inspection rule.
    show ip inspect all                      Displays all available inspection information.
    show ip urlfilter config                 Displays all URL filtering information.
    <command-name> ?                         Displays help on individual commands.

    For example, ip inspect ? displays the complete syntax for the inspect command, and explains each argument.

  10. To stop sending requests to a Filtering Service instance, use the following command:

    no ip urlfilter server vendor forcepoint <ip-address>
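
An added example (not from the Forcepoint or Cisco documentation): a Python check that reads a saved configuration and reports whether the settings from steps 5 and 7 are present, including the single-server case in which the router falls into allow mode when that server is unavailable. The helper name `audit_urlfilter`, the sample configuration, and the assumption that the saved configuration echoes the commands as entered are constructed for illustration.

```python
import re

# Constructed sample of a saved configuration built from the commands in the steps above.
SAMPLE_CONFIG = """\
ip inspect name fw_url http urlfilter
ip urlfilter server vendor forcepoint 12.203.9.116 timeout 8 retransmit 6
!
interface FastEthernet0/0
 ip inspect fw_url in
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
"""

SERVER_RE = re.compile(r"^ip urlfilter server vendor forcepoint (\S+)(.*)$")
RULE_RE = re.compile(r"^ip inspect name (\S+) http\b.*\burlfilter\b")
APPLY_RE = re.compile(r"^ip inspect (\S+) (in|out)$")
DEFAULTS = {"port": 15868, "timeout": 5, "retransmit": 2}  # defaults stated on this page

def audit_urlfilter(config_text):
    """Hypothetical helper: return (servers, bindings, findings) for a config dump."""
    servers, rules, applied, findings = [], set(), [], []
    interface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line ends any interface block
            interface = line.split(None, 1)[1] if line.startswith("interface ") else None
        if (m := SERVER_RE.match(line)):
            opts = {k: int(v) for k, v in re.findall(r"(port|timeout|retransmit) (\d+)", m.group(2))}
            servers.append({"ip": m.group(1), **DEFAULTS, **opts})
        elif (m := RULE_RE.match(line)):
            rules.add(m.group(1))
        elif (m := APPLY_RE.match(line)) and interface:
            applied.append((interface, m.group(1), m.group(2)))
    # Keep only interface bindings whose inspection rule actually includes urlfilter.
    bindings = [b for b in applied if b[1] in rules]
    if not servers:
        findings.append("no Filtering Service server configured")
    elif len(servers) == 1:
        findings.append("no backup server: allow mode if %s is unavailable" % servers[0]["ip"])
    if not rules:
        findings.append("no inspection rule includes http urlfilter")
    elif not bindings:
        findings.append("urlfilter inspection rule is not applied to any interface")
    return servers, bindings, findings

if __name__ == "__main__":
    for item in audit_urlfilter(SAMPLE_CONFIG):
        print(item)
```

The first server in the returned list is the primary; any further entries are the backups tried in order.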