topic Re: ASA Default HTTP inspection in Network Security

ASA Default HTTP inspection

jmprats — Mon, 11 Mar 2019 19:14:28 GMT

I have enabled default http inspection in a ASA Firewall

inspect http

Is it doing anything? or does it need an inspection map?

It inspects packets but doesn't drop anything

Result of the command: "sh service-poli global inspect http"

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: http, packet 729530, drop 0, reset-drop 0

I have tested with very large URL and strange caracters or telnet to port 80 ... But the drop count is 0

Any help to see one drop?

Thanks

Federico Coto Fajardo — Thu, 25 Nov 2010 14:29:05 GMT

Hi,

The default HTTP inspection protects against specific attacks or threats against HTTP traffic.

If you would like to customize the inspection for additional control you would have to create a Layer 7 Policy Map for HTTP.

Federico.

jmprats — Fri, 26 Nov 2010 08:59:29 GMT

OK, but how can I test it is working?

I can't see any drop yet, with sh service-policy inspect http

It seems to do nothing

jmprats — Fri, 03 Dec 2010 09:01:39 GMT

OK, I have to enable an Inspect-map, then there are packet drops. Like this:

policy-map type inspect http HTTP_Secure
parameters
protocol-violation action drop-connection

policy-map global_policy
class inspection_default

inspect http HTTP_Secure

....

service-policy global_policy global

But, now I have packets drops in websites that I need to allow. How can I allow some websites that they don't pass the protocol-violation test?

Any help?

Federico Coto Fajardo — Fri, 03 Dec 2010 13:09:48 GMT

You can use regex to block traffic for only some URLs (or not block some URLs).

Please take a look:

Federico.