Cisco IOS configuration commands
Applies to: |
---|
|
These commands are used to configure the Cisco IOS router to send HTTP requests through Filtering Service for policy enforcement.
- ip inspect name <inspection-name> http urlfilter [java-list <access-list>] [alert {on|off}] [timeout <seconds>] [audit- trail {on|off}]
This global command turns on HTTP filtering. The urlfilter value associates URL filtering with HTTP inspection rules. You may configure two or more inspections in a router, but the URL filtering feature only works with those inspections in which the urlfilter field is enabled. This setup command is required.
- ip port-map http port <num>
Use this command to filter proxy traffic on port <num> through Filtering Service.
- ip urlfilter server vendor forcepoint <IP-address> [port <num>] [timeout <secs>] [retrans <num>]
This setup command is required to identify Filtering Service to the Cisco IOS router and configure additional values. When using this command, the Cisco IOS router checks for a primary Filtering Service—one that is active and being sent URL lookup requests. If a primary server is configured, the router marks the server being added as a secondary server.
Parameter Description port <num> The Filtering Service port (referred to as the integration communication port) you entered during product installation.
The default port number is 15868.
timeout <secs> The amount of time the Cisco IOS router waits for a response from Filtering Service.
The default timeout is 5 seconds.
retrans <secs> How many times the router retransmits an HTTP request when there is no response from Filtering Service.
The default value is 2.
- ip urlfilter alert
This optional setting controls system alerts. By default, system alerts are enabled. The following messages can be displayed when alerts are enabled:
- %URLF-3-SERVER_DOWN: Connection to the URL filter server <IP address> is down.
This level three LOG_ERR type message appears when a configured Filtering Service goes down. The router marks the offline server as a secondary server. It then attempts to use a defined secondary server as the primary server. If the router cannot find another Filtering Service, the URLF-3-ALLOW_MODE message is displayed.
- %URLF-3-ALLOW_MODE: Connection to all URL filter servers is down and ALLOW MODE is OFF.
This message appears when the router cannot find a defined Filtering Service. When the allowmode flag is set to off, all HTTP requests are blocked.
- %URLF-5-SERVER_UP: Connection to a URL filter server <IP address> is made. The system is returning from ALLOW MODE.
This LOG_NOTICE type message is displayed when a Filtering Service is detected as being up and the system returns from the ALLOW MODE.
- %URLF-4-URL_TO_LONG: URL too long (more than 3072 bytes), possibly a fake packet.
This LOG_WARNING message is displayed when the URL in a GET request is too long.
- %URLF-4-MAX_REQ: The number of pending requests has exceeded the maximum limit <num>.
This LOG_NOTICE message is displayed when the number of pending requests in the system exceeds the maximum limit defined. Subsequent requests are dropped.
- %URLF-3-SERVER_DOWN: Connection to the URL filter server <IP address> is down.
- ip urlfilter audit-trail
This command controls the logging of messages into the syslog server and is disabled by default. The messages logged are:
- %URLF-6-URL_ALLOWED: Access allowed for URL <site’s URL>; client <IP address:port> server <IP address:port>
This message is logged for each URL requested that is allowed by web protection policies. The message includes the allowed URL, the source IP address/port number, and the destination IP address/port number. Long URLs are truncated to 300 bytes and then logged.
- %URLF-6-URL_BLOCKED: Access denied URL <site’s URL>; client <IP address:port> server <IP address:port>
This message is logged for each URL requested that is blocked by web protection policies. The message includes the blocked URL, the source IP address/port number, and the destination IP address/port number. Long URLs are truncated to 300 bytes and then logged.
- %URLF-4-SITE-BLOCKED: Access denied for the site <site’s URL>; client <IP address:port> server <IP address:port>
This message is logged when a request finds a match against one of the blocked domains in the exclusive-domain list.
- %URLF-6-URL_ALLOWED: Access allowed for URL <site’s URL>; client <IP address:port> server <IP address:port>
- ip urlfilter urlf-server-log
This command is used to control the logging of system messages to Filtering Service and is disabled by default. To allow logging (and consequently reporting) of Internet activity on your system, you must enable this feature.
When logging is enabled, the Cisco IOS router sends a log request immediately after the URL lookup request. The log message contains information such as the URL, host name, source IP address, and destination IP address.
(Recent changes to Cisco software at version v15 have removed support for this command. This is under research.)
- ip urlfilter exclusive-domain {permit|deny} <domain-name>
This optional command is used to add a domain to, or remove a domain from, the exclusive domain list. Cisco IOS router URL filtering allows you to specify a list of domain names for which the router does not send lookup requests to Filtering Service.
The permit flag permits all traffic to <domain-name>. The deny flag blocks all traffic to <domain-name>.
For example, if www.yahoo.com is added to the exclusive domain list, all the HTTP traffic whose URLs are part of this domain (such as www.yahoo.com/ mail/index.html, www.yahoo.com/news, and www.yahoo.com/sports) are permitted without sending a lookup request to Filtering Service.
You may also specify a partial domain name. For example, you can enter .cisco.com instead of the complete domain name. All URLs with a domain name ending with this partial name (such as www.cisco.com/products, www.cisco.com/eng, people-india.cisco.com/index.html, and directory.cisco.com) are permitted or denied without having to send a lookup request to Filtering Service. When using partial domain names, always start the name with a dot (i.e., period).
For example:
ip urlfilter exclusive-domain permit .sdsu.edu
Use the no form of this command to undo permitting or blocking of a domain name. The permitting or blocking of a domain name stays in effect until the domain name is removed from the exclusive list. Using the no form of this command removes the specified domain name from the exclusive list. For example, to stop the automatic permitting of traffic (and send lookup requests to Filtering Service) to www.example.com:
no ip urlfilter exclusive-domain permit www.example.com
As another example, to stop the automatic blocking of traffic to the same domain name:
no ip urlfilter exclusive-domain deny www.example.com
ip urlfilter allowmode {on|off}
This command controls the default filtering policy if Filtering Service is down. If the allowmode flag is set to on, and the Cisco IOS router cannot find a Filtering Service, all HTTP requests are permitted.
If allowmode is set to off, all HTTP requests are blocked when Filtering Service becomes unavailable. The default for allowmode is off.
- ip urlfilter max-resp-pak <number>
Use this optional command to configure the maximum number of HTTP responses that the Cisco IOS router can store in its packet buffer.
The default value is 200 (this is also the maximum you can specify).
- ip urlfilter max-request <number>
Use this optional command to set the maximum number of outstanding requests that can exist at a given time. When this number is exceeded, subsequent requests are dropped. The allowmode flag is not considered in this case because it is only used when Filtering Service is down.
The default value is 1000.