topic Disable http inspection in global_policy FWSM in Network Security

Disable http inspection in global_policy FWSM

roger perkin — Tue, 12 Mar 2019 04:08:33 GMT

I am running 4.0(7) and we are experiencing some issues with downloads - specifically http downloads. Anything with an https link works fine.

Looking into the config on the FWSM i see that under the global_policy we are inspecting http

policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect http

I would like to remove inspect http as a test to see if this is causing our problems, but am unsure of the impact of doing this?

Also it is strange as this option has been there for a long time and our download issues have only recently started to happen, it does seem to be only for http links though?

I don't really understand what the inspection engine does?

If you don't have any config

Karsten Iwen — Wed, 30 Apr 2014 10:35:04 GMT

If you don't have any config that needs the enabled http-inspection, then it's very likely that your HTTP-inspection basically doesn't do anything. And based on your description I would assume that the problem should be somewhere outside the FWSM.

Do you see anything in the log regarding the problems?

If you really don't need the inspection (any "filter"-command on the FWSM?) then I would just remove the inspection:

policy-map global_policy class inspection_default no inspect http

I agree with Karsten.Also

Marvin Rhoads — Thu, 01 May 2014 15:33:37 GMT

I agree with Karsten.

Also verify that you don't have any http proxy or url-filter service configured.

Well,I removed the http

roger perkin — Thu, 01 May 2014 15:33:38 GMT

Well,

I removed the http inspection and it broke all inbound and outbound web services!

Then I discover this

url-server (WEB-Sense) vendor websense host 10.*.*.* timeout 30 protocol TCP version 1 connections 5

filter url except 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 allow

This web-sense server is down and no longer used.

But am I correct to assume that the prescense of this config caused a problem as all http was trying to go via the Websense but with the http inspection enabled it is able to go out direct?

I am unclear as to exactly how the inspection and the url-server / filter url commands interact.

Thanks

Roger