Cisco integration configuration procedure

Applies to:
  • Forcepoint URL Filtering, v8.5.x

Configuration procedure

To configure your security appliance to send Internet requests to Filtering Service for policy enforcement:

  1. Access the security appliance from a console or from a remote terminal using telnet for access
  2. Enter your password.
  3. Enter enable, followed by the enable password to put the security appliance into privileged EXEC mode.
  4. Enter configure terminal to activate configure mode.
    Note: For help with individual commands, enter help followed by the command. For example, help filter shows the complete syntax for the filter command and explains each option.
  5. Use the url-server command to enable URL management by your web protection software.

    url-server (<if_name>) vendor websense host <ip_address> [timeout <seconds>] [protocol {TCP | UDP} version {1 | 4} [connections <num_conns>]]

    The url-server command takes the following parameters:

    Parameter Definition
    (<if_name>)

    (required) The network interface to use for Filtering Service communication.

    You must type the parentheses ( ) when you enter a value for this parameter.
    vendor websense Indicates the URL management vendor.
    <ip_address> IP address of the machine running Filtering Service.
    timeout <seconds>

    The amount of time, in seconds, that the security appliance waits for a response before switching to the next Filtering Service that you defined as a url-server, or, if specified, going into allow mode and permitting all requests.

    If a timeout interval is not specified, this parameter defaults to 30 seconds.

    Range: 10 - 120; Default: 30
    protocol {TCP | UDP} version {1 | 4}

    Defines whether the Cisco security appliance should use TCP or UDP protocol to communicate with Filtering Service, and which version of the protocol to use.

    TCP is the recommended and default setting. The recommended protocol version is 4. The default is 1.

    Note:To send authenticated user information to Filtering Service, TCP version 4 must be selected.)

    connections

    <num_conns>

    Limits the maximum number of TCP connections permitted between the Cisco security appliance and Filtering Service.

    If this parameter is not specified, it defaults to 5, which is the recommended setting.

    If you select the UDP protocol, this option is not available.

    Range: 1 - 100; Default: 5.

    Example:

    url-server (inside) vendor websense host 10.255.40.164 timeout 30 protocol TCP version 4 connections 5

    The url-server command communicates the location of Filtering Service to the Cisco security appliance. More than one url-server command can be entered. Multiple commands allow redirection to another Filtering Service after the specified timeout period, if the first server becomes unavailable.

  6. Configure the security appliance to filter HTTP requests with the filter url command.
    • To review the current URL server rules, enter show running-config url- server.
    • To review all the filter rules, enter show running-config filter.

    To configure HTTP request management, use the following command:

    filter url http <port>[-<port>] <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]

    For an explanation of the filter url parameters, see Parameters for the filter commands.

    Examples:

    Command example Action
    filter url http 0 0 0 0

    Manages every HTTP request to all destinations.

    Applied to traffic on port 80.
    filter url http 10.5.0.0 255.255.0.0 0 0

    Manages the 10.5.x.x network going to any destination.

    Applied to traffic on port 80.
    filter url http 10.5.0.69

    255.255.255.255

    132.239.29.189

    255.255.255.255

    		 Manages the 10.5.0.69 host going to the 132.239.29.189 destination.

    Applied to traffic on port 80.

    Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows the specified local IP address to request all websites, governed by web protection policies.

    You can enter multiple filter url commands to set up different portions of the network for policy enforcement. Set up the smaller groups first, followed by the larger groups, to assure that all groups receive the correct policies. Use a general filter url command for all computers to be managed, and then use the Forcepoint Security Manager to apply policies to individual clients (by IP address, user name, group, or OU).

    See the Administrator Help for information about creating and applying policies.

  7. Configure the security appliance to filter HTTPS requests with the filter https command.
    • To review the current URL server rules, enter show run url-server.
    • To review all the filter rules, enter show run filter.
    • Enter exit to go up a level to run the show command.

    To configure HTTPS request management, use the following command:

    filter https <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow]

    For an explanation of the filter https parameters, see Parameters for the filter commands.

    Examples:

    Command example Action
    filter https 443 0 0 0 0 Manages all HTTPS requests to all destinations.

    Applied to traffic on port 443.
    filter https 443 10.5.0.0 255.255.0.0 0 0

    Manages the 10.5.x.x network going to any destination.

    Applied to traffic on port 443.
    filter https 443 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255 Manages the 10.5.0.69 host going to the 132.239.29.189 destination.

    Applied to traffic on port 443.

    Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows the specified local IP address to request all websites, governed by web protection policies.

    You can enter multiple filter https commands to set up different portions of the network for policy enforcement. Organize the commands as described above for filter url.

  8. Configure the Cisco security appliance to filter FTP requests with the filter ftp command.
    • To review the current URL server rules, enter show run url-server.
    • To review all the filter rules, enter show run filter.
    • Enter exit to go up a level to run the show command.

    To configure FTP request management, use the following command:

    filter ftp <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow] [interact-block]

    For an explanation of the filter ftp parameters, see Parameters for the filter commands.

    Examples:

    Command example Action
    filter ftp 21 0 0 0 0 Manages every FTP request to all destinations.

    Applied to traffic on port 21.

    filter ftp 21 10.5.0.0 255.255.0.0 0 0

    		 Manages the 10.5.x.x network going to any destination.

    Applied to traffic on port 21.
    filter ftp 21 10.5.0.69

    255.255.255.255 132.239.29.189

    255.255.255.255

    		 Manages the 10.5.0.69 host going to the 132.239.29.189 destination.

    Applied to traffic on port 21.

    Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access via web protection software from the specified local IP address to all websites.

    You can enter multiple filter ftp commands to set up different portions of the network for filtering. Organize the commands as described above for filter url.

  9. After entering commands to define filtering for HTTP, HTTPS, and FTP requests, you can define any required exceptions to these filtering rules by adding the except parameter to the filter command:

    filter {url | https | ftp} except <local_ip> <local_mask> <foreign_ip> <foreign_mask>

    This command allows you to bypass web protection software for traffic coming from, or going to a specified IP address or addresses.

    For example, suppose that the following filter command was entered to cause all HTTP requests to be forwarded to Filtering Service:

    filter url http 0 0 0 0

    You could then enter:

    filter url except 10.1.1.1 255.255.255.255 0 0

    This would allow any outbound HTTP traffic from the IP address 10.1.1.1 to go unfiltered.

  10. Configure the security appliance to handle long URLs using the url-block url- mempool and url-block url-size commands:
    1. Increase the size of the security appliance’s internal buffer to handle long URL strings. If the URL buffer size is set too low, some web pages may not display.

      To specify the amount of memory assigned to the URL buffer, enter:

      url-block url-mempool <memory_pool_size>

      Here, <memory_pool_size> is the size of the buffer in KB. You can enter a value from 2 to 10240. The recommended value is 1500.

    2. Increase the maximum permitted size of a single URL by adding the following line to the configuration:

      url-block url-size <long_url_size>

      Here, <long_url_size> is the maximum URL size in KB. You can enter a value from 2 to 4. The recommended value is 4.

  11. Configure the URL response block buffer using the url-block block command to prevent replies from the web server from being dropped in high-traffic situations.

    On busy networks, the lookup response from Filtering Service may not reach the security appliance before the response arrives from the web server.

    The HTTP response buffer in the security appliance must be large enough to store web server responses while waiting for Filtering Service.

    To configure the block buffer limit, use the following command:

    url-block block <block_buffer_limit>

    Here, <block_buffer_limit> is the number of 1550-byte blocks to be buffered. You can enter a value from 1 to 128.

    • To view the current configuration for all 3 url-block commands, enter show running-config url-block.
    • Enter show url-block block statistics to see how the current buffer configuration is functioning. The statistics include the number of pending packets held and the number dropped. The clear url-block block statistics command clears the statistics.
  12. If you need to discontinue filtering, enter the exact parameters in the original filter command, preceded by the word no.

    For example, if you entered the following to enable filtering:

    filter url http 10.0.0.0 255.0.0.0 0 0

    Enter the following to disable filtering:

    no filter url http 10.0.0.0 255.0.0.0 0 0

    Repeat for each filter command issued, as appropriate.

  13. Save your changes in one of the following ways:
    • Either enter the command:

      copy run start

    • Or enter the commands:

      exit

      write memory

    Filtering Service is ready to manage Internet requests after the Master Database is downloaded and the software is activated within the Cisco security appliance. See the Administrator Help for information about configuring your web protection software and downloading the Master Database.

Parameters for the filter commands

The parameters used by the filter http, filter https, and filter ftp commands include the following. Note that some of the parameters listed do not apply to all 3 commands.

Parameter Applies to Definition
http <port>[-<port>] filter http Defines which port number, or range of port numbers, the security appliance watches for HTTP requests. If you do not specify a port number, port 80 is used by default.
<port> filter https filter ftp

Defines the port number the security appliance watches for https or ftp requests.

The standard HTTPS port is 443. The standard FTP port is 21.
<local_ip> filter http filter https filter ftp

IP address requesting access.

You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all internal clients. This address is the source for all connections to be filtered.
<local_mask> filter http filter https filter ftp

Network mask of the local_ip address (the IP address requesting access).

You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts within the local network.
<foreign_ip> filter http filter https filter ftp

IP address to which access is requested.

You can use 0.0.0.0 (or in shortened form, 0) to specify all external destinations.
<foreign_mask> filter http filter https filter ftp

Network mask of the foreign_ip address (the IP address to which access is requested).

Always specify a mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts within the external network.
[allow] filter http filter https filter ftp

Lets outbound connections pass through the security appliance without filtering when Filtering Service is unavailable.

If you omit this option, and Filtering Service becomes unavailable, the security appliance stops all outbound HTTP, HTTPS, or FTP traffic until Filtering Service is available again.
[cgi-truncate] filter http Sends CGI scripts to Filtering Service as regular URLs. When a URL has a parameter list starting with a question mark (?), such as a CGI script, the URL is truncated. All characters after, and including the question mark, are removed before sending the URL to Filtering Service.
[interact-block] filter ftp

Prevents users from connecting to the FTP server through an interactive FTP client.

An interactive FTP client allows users to change directories without entering the complete directory path, so Filtering Service cannot tell if the user is requesting something that should be blocked.
[longurl- truncate | longurl-deny] filter http

Specify how to handle URLs that are longer than the URL buffer size limit.

  • Enter longurl-truncate to send only the host name or IP address to Filtering Service.
  • Enter longurl-deny to deny the request without sending it to Filtering Service.
[proxy-block] filter http Enter this parameter to prevent users from connecting to an HTTP proxy server.