04-08-2015 10:27 AM - edited 03-11-2019 10:44 PM
How to allow some fixed extensions to go in from outside to inside but not allow them to go from inside to outside?
For example, allow JPEG, MOV, AVI data to flow from outside to inside,
but not allow JPEG, MOV, AVI files to be accessed, uploaded or fetched by the outside; in other words, not from inside to outside.
How to configure this?
04-08-2015 11:00 AM
Hi,
Is it an ASA or any other device? Here is a link that can be helpful:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100535-asa-8x-regex-config.html
04-08-2015 11:17 AM
ASA
and
Also, I would like to know whether a general router has this function and how to do it?
Actually I mean not only web sites. For example, in Windows there are shared drives and net drives; in Linux you can get files with FTP, or get software, or by other kinds of methods.
I am just afraid hackers can get Word files, movie files, or photos if they succeed in passing the firewall.
04-08-2015 11:20 AM
You can use the zone based firewall feature of URI inspection.
Please see the details at the link below:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html
04-08-2015 11:51 AM
Zone based web inspection does not have a file extension to choose; how does it know the extension of the file, or the type of file?
Can a hacker bypass the file name extension filter of the firewall?
I see that the ASA has policies; does the ASA have zone based too?
04-08-2015 02:26 PM
Hi,
The ZBF link sent earlier shows how we can inspect the URI in an HTTP request:
parameter-map type regex uri_regex_cm
 pattern ".*cmd.exe"
class-map type inspect http uri_check_cm
 match request uri regex uri_regex_cm
ZBF is the feature on Cisco routers, and the ASA, though the concepts are a little similar, works differently. However, it is important to note that you can be more granular with protocol (layer 7) inspection only. For example, on the ASA, if you try to restrict .exe files from a P2P application that won't be possible, but on a router you have some P2P applications in NBAR and you can use them for file filtering. Please check the configuration examples for both devices.
Thanks
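As an added worked example (not taken from any post in this thread), here is the URI-regex snippet above extended into a complete IOS zone-based firewall policy; the zone names, class/policy names, the regex name and the zone-pair direction are assumptions. It is applied to the zone pair carrying HTTP requests from outside to an inside web server, so requests whose URI names a JPEG/MOV/AVI file are reset and logged while other HTTP is inspected normally.

```cisco
! Added example, not from the thread. Names and zones are assumptions.
!
! Regex on the HTTP request URI: any path ending in .jpg/.jpeg/.mov/.avi
parameter-map type regex media_uri_regex
 pattern ".*\.(jpg|jpeg|mov|avi)"
!
! Layer-7 class: HTTP requests whose URI matches the regex
class-map type inspect http match-any media_uri_cm
 match request uri regex media_uri_regex
!
! Layer-7 policy: reset and log matching requests; everything else is allowed
policy-map type inspect http media_http_pm
 class type inspect http media_uri_cm
  reset
  log
!
! Layer-4 class: all HTTP traffic
class-map type inspect match-any http_cm
 match protocol http
!
! Layer-4 policy: inspect HTTP and hand it to the HTTP (layer-7) policy
policy-map type inspect out2in_pm
 class type inspect http_cm
  inspect
  service-policy http media_http_pm
 class class-default
  drop
!
! Zones and the zone pair for requests coming from outside to inside.
! Traffic from inside to outside (inside users downloading media) needs
! its own zone pair and policy; it is not affected by this one.
zone security inside
zone security outside
zone-pair security out2in source outside destination inside
 service-policy type inspect out2in_pm
!
! Interfaces are placed in a zone with "zone-member security inside|outside"
```

The match is on the HTTP request URI only, so it covers neither other protocols (FTP, SMB shares) nor a file served under a different name or extension; treat it as one additional layer rather than the control that keeps files inside.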
04-08-2015 05:29 PM
If the application is unknown, how do you set it?
04-08-2015 06:18 PM
Well, there are some limitations with the ASA and Cisco routers, as they are not primarily designed for all applications. In that case you will need to use other devices.