1-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1
URL Filtering
To implement application filtering, install the ASA FirePOWER module on the ASA and use application
filtering criteria in your ASA FirePOWER access rules. These policies apply to any traffic that you
redirect to the module.
Related Topics
• ASA FirePOWER Module, page 7-1
URL Filtering
URL filtering denies or allows traffic based on the URL of the destination site.
The purpose of URL filtering is primarily to completely block or allow access to a web site. Although
you can target individual pages, you typically specify a host name (such as www.example.com) or a URL
category, which defines a list of host names that provide a particular type of service (such as Gambling).
When trying to decide whether to use URL filtering or application filtering for HTTP/HTTPS traffic,
consider whether your intention is to create a policy that applies to all traffic directed at a web site. If
your intention is to treat all such traffic the same way (denying it or allowing it), use URL filtering. If
your intention is to selectively block or allow traffic to the site, use application filtering.
To implement URL filtering, do one of the following:
• Subscribe to the Cloud Web Security service, where you configure your filtering policies in
ScanCenter, and then configure the ASA to send traffic to your Cloud Web Security account.
• Install the ASA FirePOWER module on the ASA and use URL filtering criteria in your ASA
FirePOWER access rules. These policies apply to any traffic that you redirect to the module.
Related Topics
• ASA and Cisco Cloud Web Security, page 8-1
• ASA FirePOWER Module, page 7-1
Threat Protection
You can implement a number of measures to protect against scanning, denial of service (DoS), and other
attacks. A number of ASA features help protect against attacks by applying connection limits and
dropping abnormal TCP packets. Some features are automatic, others are configurable but have defaults
appropriate in most cases, while others are completely optional and you must configure them if you want
them.
Following are the threat protection services available with the ASA.
• IP packet fragmentation protection—The ASA performs full reassembly of all ICMP error messages
and virtual reassembly of the remaining IP fragments that are routed through the ASA, and drops
fragments that fail the security check. No configuration is necessary.
• Connection limits, TCP normalization, and other connection-related features—Configure
connection-related services such as TCP and UDP connection limits and timeouts, TCP sequence
number randomization, TCP normalization, and TCP state bypass. TCP normalization is designed
to drop packets that do not appear normal.
To Next Page
Loading...
Need help?
General
