topic URL-Filtering Smartfilter and HTTPS in Network Security https://community.cisco.com/t5/network-security/url-filtering-smartfilter-and-https/m-p/1386235#M776997 <P>Ok....hopefully someone out there can assist me. </P><P></P><P>I have an dual failover two ASA 5520 scenario that we are using for firewall purposes.&nbsp; I have the URL filtering setup on these ASA's which are currently filtering http traffic without any problems.&nbsp; However, when it comes to HTTPS....that's a whole other story.&nbsp;&nbsp; For some reason I can't get the ASA to send HTTPS traffic to the smartfilter server.&nbsp; </P><P></P><P>ASA version = 8.2(1)</P><P>Smartfilter version = 4.1.1</P><P></P><P>Initially before starting this endeavor, we were on a cisco pix failover scenario using version 7.1.&nbsp;&nbsp; I had contacted TAC and they explained that we had to upgrade in order to resolve this problem.&nbsp;&nbsp; Therefore, I removed the pix's completely and put in the ASA's with 8.2(1) on them thinking this would fix the problem.&nbsp;&nbsp; Nope!</P><P></P><P>I also contacted Mcafee, new owner of Secure Computing which owns Smartfilter, and they advised that version 4.1.1 supports https filtering and it has to be something with the firewall. </P><P></P><P>Upon further investigation I did a 'show url-server stat' and noticed that i'm not sending any https requests to the filter</P><P></P><P>*******************************************************************************</P><P>Global Statistics:<BR />--------------------<BR />URLs total/allowed/denied&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 968201/904693/63508<BR />URLs allowed by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/904693<BR />URLs denied by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/63508<BR />HTTPSs total/allowed/denied&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0/0<BR />HTTPSs allowed by cache/server&nbsp;&nbsp;&nbsp; 0/0<BR />HTTPSs denied by cache/server&nbsp;&nbsp;&nbsp;&nbsp; 0/0<BR />FTPs total/allowed/denied&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0/0<BR />FTPs allowed by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0<BR />FTPs denied by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0<BR />Requests dropped&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Server timeouts/retries&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/37<BR />Processed rate average 60s/300s&nbsp;&nbsp; 36/31 requests/second<BR />Denied rate average 60s/300s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2/2 requests/second</P><P>**********************************************************************************</P><P></P><P>Here are the commands i have in my config that relate to the URL filtering setup.</P><P></P><P><STRONG>url-server (inside) vendor smartfilter host xx.xxx.xxx.xxx port 4005 timeout 30 protocol UDP</STRONG></P><P></P><P><STRONG>filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow<BR />filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow</STRONG></P><P></P><P>It just doesnt seem as if my https traffic is making it to my smartfiliter.&nbsp;&nbsp; If anyone has any ideas, your help will be very VERY much appreciated.&nbsp; </P><P></P><P>Thanks in advance.</P> Mon, 11 Mar 2019 16:48:31 GMT jonesl1 2019-03-11T16:48:31Z URL-Filtering Smartfilter and HTTPS https://community.cisco.com/t5/network-security/url-filtering-smartfilter-and-https/m-p/1386235#M776997 <P>Ok....hopefully someone out there can assist me. </P><P></P><P>I have an dual failover two ASA 5520 scenario that we are using for firewall purposes.&nbsp; I have the URL filtering setup on these ASA's which are currently filtering http traffic without any problems.&nbsp; However, when it comes to HTTPS....that's a whole other story.&nbsp;&nbsp; For some reason I can't get the ASA to send HTTPS traffic to the smartfilter server.&nbsp; </P><P></P><P>ASA version = 8.2(1)</P><P>Smartfilter version = 4.1.1</P><P></P><P>Initially before starting this endeavor, we were on a cisco pix failover scenario using version 7.1.&nbsp;&nbsp; I had contacted TAC and they explained that we had to upgrade in order to resolve this problem.&nbsp;&nbsp; Therefore, I removed the pix's completely and put in the ASA's with 8.2(1) on them thinking this would fix the problem.&nbsp;&nbsp; Nope!</P><P></P><P>I also contacted Mcafee, new owner of Secure Computing which owns Smartfilter, and they advised that version 4.1.1 supports https filtering and it has to be something with the firewall. </P><P></P><P>Upon further investigation I did a 'show url-server stat' and noticed that i'm not sending any https requests to the filter</P><P></P><P>*******************************************************************************</P><P>Global Statistics:<BR />--------------------<BR />URLs total/allowed/denied&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 968201/904693/63508<BR />URLs allowed by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/904693<BR />URLs denied by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/63508<BR />HTTPSs total/allowed/denied&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0/0<BR />HTTPSs allowed by cache/server&nbsp;&nbsp;&nbsp; 0/0<BR />HTTPSs denied by cache/server&nbsp;&nbsp;&nbsp;&nbsp; 0/0<BR />FTPs total/allowed/denied&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0/0<BR />FTPs allowed by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0<BR />FTPs denied by cache/server&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/0<BR />Requests dropped&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Server timeouts/retries&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0/37<BR />Processed rate average 60s/300s&nbsp;&nbsp; 36/31 requests/second<BR />Denied rate average 60s/300s&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2/2 requests/second</P><P>**********************************************************************************</P><P></P><P>Here are the commands i have in my config that relate to the URL filtering setup.</P><P></P><P><STRONG>url-server (inside) vendor smartfilter host xx.xxx.xxx.xxx port 4005 timeout 30 protocol UDP</STRONG></P><P></P><P><STRONG>filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow<BR />filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow</STRONG></P><P></P><P>It just doesnt seem as if my https traffic is making it to my smartfiliter.&nbsp;&nbsp; If anyone has any ideas, your help will be very VERY much appreciated.&nbsp; </P><P></P><P>Thanks in advance.</P> Mon, 11 Mar 2019 16:48:31 GMT https://community.cisco.com/t5/network-security/url-filtering-smartfilter-and-https/m-p/1386235#M776997 jonesl1 2019-03-11T16:48:31Z Re: URL-Filtering Smartfilter and HTTPS https://community.cisco.com/t5/network-security/url-filtering-smartfilter-and-https/m-p/1386236#M776998 <HTML><HEAD></HEAD><BODY><P>Pls. follow this link:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1970383">http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1970383</A></P><P></P><P>Try this command below instead of what you have.</P><P></P><P><STRONG>filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow</STRONG></P><P></P><P>-KS</P></BODY></HTML> Mon, 14 Dec 2009 18:43:24 GMT https://community.cisco.com/t5/network-security/url-filtering-smartfilter-and-https/m-p/1386236#M776998 Kureli Sankar 2009-12-14T18:43:24Z