13-15
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
HTTP Inspection
HTTP Inspection Overview
Tip You can install a service module that performs application and URL filtering, which includes HTTP
inspection, such as ASA CX or ASA FirePOWER. The HTTP inspection running on the ASA is not
compatible with these modules. Note that it is far easier to configure application filtering using a
purpose-built module rather than trying to manually configure it on the ASA using an HTTP inspection
policy map.
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated
with HTTP traffic.
HTTP application inspection scans HTTP headers and body, and performs various checks on the data.
These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols
from traversing the security appliance.
The enhanced HTTP inspection feature, which is also known as an application firewall and is available
when you configure an HTTP inspection policy map, can help prevent attackers from using HTTP
messages for circumventing network security policy.
HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP
requests and responses, preventing malicious content from reaching the web server. Size limiting of
various elements in HTTP request and response headers, URL blocking, and HTTP server header type
spoofing are also supported.
Enhanced HTTP inspection verifies the following for all HTTP messages:
• Conformance to RFC 2616
• Use of RFC-defined methods only.
• Compliance with the additional criteria.
Configure HTTP Inspection
HTTP inspection is not enabled by default. If you are not using a purpose-built module for HTTP
inspection and application filtering, such as ASA CX or ASA FirePOWER, you can manually configure
HTTP inspection on the ASA using the following process.
Tip Do not configure HTTP inspection in both a service module and on the ASA, as the inspections are not
compatible.
Procedure
Step 1 Configure an HTTP Inspection Policy Map, page 13-16.
Step 2 Configure the HTTP Inspection Service Policy, page 13-19.
To Next Page
Loading...
Need help?
General
