Filtering https urls – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 39 Configuring Filtering Services

Filtering URLs and FTP Requests with an External Server

Truncating Long HTTP URLs

By default, if a URL exceeds the maximum permitted size, it is dropped. To avoid this, truncate a long URL by entering the following command:

Command:
  filter url [longurl-truncate | longurl-deny | cgi-truncate]

  Example:
  hostname# filter url longurl-truncate

Purpose:
  The longurl-truncate option causes the ASA to send only the hostname or IP address portion of the URL for evaluation to the filtering server when the URL is longer than the maximum length permitted. Use the longurl-deny option to deny outbound URL traffic if the URL is longer than the maximum permitted.

  Use the cgi-truncate option to truncate CGI URLs to include only the CGI script location and the script name without any parameters. Many long HTTP requests are CGI requests. If the parameters list is very long, waiting and sending the complete CGI request, including the parameter list, can use up memory resources and affect ASA performance.

Exempting Traffic from Filtering

To exempt traffic from filtering, enter the following command:

Command:
  filter url except source_ip source_mask dest_ip dest_mask

  Example:
  hostname(config)# filter url http 0 0 0 0
  hostname(config)# filter url except 10.0.2.54 255.255.255.255 0 0

Purpose:
  Exempts specific traffic from filtering.

  The example shows how to cause all HTTP requests to be forwarded to the filtering server, except for those from 10.0.2.54.

Filtering HTTPS URLs

You must identify and enable the URL filtering server before enabling HTTPS filtering.

Note

Websense and Secure Computing SmartFilter currently support HTTPS; older versions of the Secure Computing SmartFilter (formerly N2H2) do not support HTTPS filtering.

Because HTTPS content is encrypted, the ASA sends the URL lookup without directory and filename information. When the filtering server approves an HTTPS connection request, the ASA allows the completion of SSL connection negotiation and allows the reply from the web server to reach the originating client. If the filtering server denies the request, the ASA prevents the completion of SSL connection negotiation. The browser displays an error message, such as “The Page or the content cannot be displayed.”

Note

The ASA does not provide an authentication prompt for HTTPS, so you must authenticate with the ASA using HTTP or FTP before accessing HTTPS servers.
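The following Python sketch is an added example, not Cisco code or output from an ASA. It models what the filtering server is asked to evaluate under the long-URL options and for HTTPS, as described in "Truncating Long HTTP URLs" and "Filtering HTTPS URLs". Assumptions: the function name lookup_sent, the 64-character limit (the page does not state the real maximum), and treating any URL with a query string as a CGI request.

```python
from urllib.parse import urlsplit

MAX_URL_LEN = 64  # assumed limit for this demo; the page does not state the real value


def lookup_sent(url, option=None, max_len=MAX_URL_LEN):
    """Model of the lookup sent to the filtering server.

    option is None (default) or one of the page's keywords: "longurl-truncate",
    "longurl-deny", "cgi-truncate". Returns the lookup string, or None when
    the request is dropped or denied without a usable lookup.
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        # HTTPS lookups carry no directory or filename information.
        return parts.hostname
    candidate = url
    if option == "cgi-truncate" and parts.query:
        # Assumption: a URL with a query string is treated as a CGI request.
        # Keep the script location and name, discard the parameter list.
        candidate = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if len(candidate) <= max_len:
        return candidate
    if option == "longurl-truncate":
        # Only the hostname or IP address portion is evaluated.
        return parts.hostname
    # Default behaviour drops the over-long URL; longurl-deny denies it.
    return None


# Constructed sample URLs (not from the page).
SHORT = "http://intranet.example.com/reports/q3/summary.html"
LONG = "http://files.example.net/" + "a" * 200
CGI = "http://shop.example.org/cgi-bin/search.cgi?q=" + "x" * 300
HTTPS_A = "https://mail.example.com/inbox/message?id=7"
HTTPS_B = "https://mail.example.com/admin/export"

if __name__ == "__main__":
    for label, url, opt in [
        ("short", SHORT, None), ("long/default", LONG, None),
        ("long/truncate", LONG, "longurl-truncate"),
        ("long/deny", LONG, "longurl-deny"),
        ("cgi/truncate", CGI, "cgi-truncate"),
        ("https", HTTPS_A, None),
    ]:
        print(f"{label:14} -> {lookup_sent(url, opt)}")
```

Because the HTTPS and longurl-truncate lookups reduce to the hostname, two different paths on the same host produce the same lookup, so the filtering decision for those requests is per host rather than per page.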
