I have Zone Based Firewall running on a 2821 router and would like to configure URL filtering with Websense. The IOS running on that device is c2800nm-adverterprisek9-mz.150-1.M7.bin. Once you have a ZBF config you can't configure URL filtering the classic way (ip inspect); it has to be done using class and policy maps.
For this to happen it is required to have the match protocol http command under the class map; it won't work using the match access-group command. Following is what I configured:
ip access-list extended NAT
 permit ip 172.20.0.0 0.0.255.255 any
class-map type inspect match-all Inside_to_Restrict
 match access-group name NAT
 match protocol http
Once I put in the match protocol http command, browsing becomes dead slow; also, without using the match protocol command I can't continue to configure URL filtering. Is this a problem related to IOS, where the match protocol command isn't working properly? I have checked the CPU utilization of the router and it was roughly near 7 percent.
I could see debug messages on which means URL filtering was working, but from the user end HTTP was almost dead and the website was not opening up.
After doing a lot of troubleshooting I found out that it was a problem related to the match protocol http command: whenever I put this command under the class-map, HTTP sessions become dead slow. We had communication with someone working with Websense devices and got to know that one more customer had to scrap ZBF for Websense to work.
I cannot apply classic URL filtering (Websense), which requires ip inspect, as the router's interfaces are already configured for zones.
We have the same problem: for some websites HTTP response is very slow when using ZBF and Websense urlfilter (6-7 minutes for JPG of ~38Kbytes). If we remove the urlfilter config then the same website loads correctly at good speed.
When using the ip inspect firewall config and urlfilter we had the same problem until we added:
access-list 1 permit any
ip inspect name test http java-list 1
With that piece of config on ip inspect, the inspect http and URL filter work just fine, but there does not seem to be an equivalent for ZBF.
Did you find a solution to use ZBF and not have that issue without rolling back to the IP inspect config?