This describes how to configure an ISR for content-scan so that HTTP and HTTPS requests are sent out to the ScanSafe towers and, depending on the response received, users are either allowed or denied access to the sites.
The ISR must be running code version 15.2(1)T1 or later.
The feature is available in IOS (universal) images with the security feature set (SEC) license.
Supported platforms: 800, 1900, 2900 and 3900 series ISRs.
Platforms NOT supported: Generation 1 ISRs (18xx, 28xx, 38xx).
The maximum number of sessions that can be handled is 32K, irrespective of platform.
Step by Step:
Configure the parameter-map (required):
parameter-map type content-scan global
 server scansafe primary ipv4 18.104.22.168 port http 8080 https 8080
 server scansafe secondary ipv4 22.214.171.124 port http 8080 https 8080
 license 0 <license key>
 user-group ciscogroup username ciscouser
 source interface g0/0
The license key here is actually called an authentication key; you get one per company for your site from ScanSafe. Depending on the geographical location of the sites, ScanSafe provides the tower IP addresses: one is the primary and the other is the secondary tower. When one goes down, the other automatically takes over.
In this case, when the router proxies the HTTP and HTTPS requests to the ScanSafe towers, it uses the g0/0 interface IP as the source of those packets.
If the router has multiple internet-facing interfaces or route tracking enabled, either interface may be the active one. In that case it may be a good idea to source the traffic from a loopback interface or from the inside interface; if the IP address used is in RFC 1918 address space, either this router or another device must provide translation for it.
User-group is optional. Based on the policies set up on the tower, end users will be filtered and their content scanned.
Apply content-scan to the egress interface (required):
interface g0/2
 content-scan out
An ACL or a parameter-map of type regex can be used for whitelisting purposes:
parameter-map type regex allowed-pattern
 pattern cisco
 pattern aol
You can also exempt traffic from an internal subnet from being sent out to the towers; these IPs can browse freely without any restrictions.
ip access-list extended inside-nw
 permit ip 192.168.10.0 0.0.0.255 any

content-scan whitelisting
 whitelist header host regex allowed-pattern
 whitelist acl inside-nw
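As an added example (not from the original post), the whitelist decision above modelled in Python: the ACL match uses an IOS wildcard mask and the host check is a regex search, so an unanchored pattern such as cisco matches any host name containing that string. The anchored pattern set and the sample hosts are my own constructions, not IOS output.

```python
import ipaddress
import re

# Whitelist entries taken from the configuration above.
HOST_PATTERNS = ["cisco", "aol"]                 # parameter-map type regex allowed-pattern
ACL_INSIDE_NW = [("192.168.10.0", "0.0.0.255")]  # ip access-list extended inside-nw

# Assumed tighter alternative: anchor each pattern to a full domain suffix.
ANCHORED_PATTERNS = [r"(^|\.)cisco\.com$", r"(^|\.)aol\.com$"]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard-mask match: bits set to 1 in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(src: str, acl=ACL_INSIDE_NW) -> bool:
    """True if the source address hits a permit entry of the whitelist ACL."""
    return any(wildcard_match(src, net, wc) for net, wc in acl)


def host_whitelisted(host: str, patterns=HOST_PATTERNS) -> bool:
    """Regex whitelist on the HTTP Host header, modelled as an unanchored search."""
    return any(re.search(p, host) for p in patterns)


def bypasses_scan(src: str, host: str, patterns=HOST_PATTERNS) -> bool:
    """True if the flow is exempt from being proxied to the ScanSafe tower."""
    return acl_permits(src) or host_whitelisted(host, patterns)


if __name__ == "__main__":
    # Constructed sample flows: (source IP, Host header)
    for src, host in [("192.168.10.77", "www.example.test"),
                      ("10.0.0.5", "www.cisco.com"),
                      ("10.0.0.5", "cisco.example.test"),
                      ("10.0.0.5", "www.example.test")]:
        print(f"{src:>15} {host:<22} unanchored={bypasses_scan(src, host)} "
              f"anchored={bypasses_scan(src, host, ANCHORED_PATTERNS)}")
```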