Potential Impact of Disabling Default HTTP Inspection Policy

Jeffrey Pouzar
Level 1

I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map. The software for this firewall is recent 8.2(x).

Some questions:

1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration. All such traffic is inspected by the appliance. Am I correct in this understanding?

2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?

3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting? Would I see any noticeable impact to HTTP traffic by doing this?

Thank you for your responses in advance.

Jeff

1 Reply

Vibhor Amrodia
Cisco Employee

Hi,

These are the responses to your queries:

1) Yes, HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.

2) Might be yes. As HTTP connections are the major amount of traffic on the ASA device, too much traffic has to be inspected by the ASA device, and re-assembling will also cause the ASA device to do some extra processing.

3) No, I think you would reduce the processing for the ASA after disabling this inspection.

This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.

Also, check this:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html

Thanks and Regards,

Vibhor Amrodia
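
The change discussed in this thread, as an added example that is not part of the original posts: it records the HTTP inspection counters before removal so you can see whether the engine is actually dropping anything, removes the inspection, and shows the rollback. The names `global_policy` and `inspection_default` are assumed to be the ASA defaults; substitute your own if they were renamed.

```cisco
! Added example, not from the original thread.
! Assumes the default names global_policy / inspection_default.

! 1. Confirm where "inspect http" is applied.
show running-config policy-map
show running-config service-policy

! 2. Record the current packet and drop counters for HTTP inspection.
!    Non-zero drops mean the inspection is enforcing something today,
!    and that protection goes away once it is removed.
show service-policy inspect http

! 3. Remove HTTP inspection from the global policy.
configure terminal
 policy-map global_policy
  class inspection_default
   no inspect http
 end

! 4. Verify the inspection no longer appears in the policy.
show running-config policy-map
show service-policy inspect http

! Rollback: re-enter the class and restore the inspection.
configure terminal
 policy-map global_policy
  class inspection_default
   inspect http
 end
```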
