Panos Kampanakis
Cisco Employee
Documentation

 

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

 

IOS 12.4T Config guides - Securing The Data Plane - IOS Content Filtering

 

 

Overview

The Subscription-based Cisco IOS Content Filtering feature interacts with the Trend Micro URL filtering service so that HTTP requests can be allowed or blocked, and logged, based on a content filtering policy. The content filtering policy specifies how to handle items such as web categories, reputations (or security ratings), trusted domains, untrusted domains, and keywords. URLs are cached on the router, so that subsequent requests for the same URL do not require a lookup request, thus improving performance.

 

Hardware

 

IOS Content filtering is supported on the following platforms:

 

  • SR 520 (documentation doesn't explicitly state it but it is supported)
  • 880 Series
  • 870 Series
  • 1800 Series (including 1810, 1840, 1860 series)
  • 1900 Series (including 1921, 1941, 1942W series)
  • 2800 Series (including 2800, 2810, 2820, 2050 series)
  • 2900 Series
  • 3800 Series (including 3820, 3845 series)
  • 3900 Series

 

 

 

Licensing

All platforms require 12.4(15)XZ or later (the first T-train release that supports the feature is 12.4(20)T), except the SR520, which requires 12.4(15)XZ2 or later (12.4(24)T3 or later in the T train).

 

The Advanced IP Services image is required on the 800 series and Advanced Security on the 1800, 1900, 2800 and 3800 series platforms. On the 800 series there is also a "Universal" image that requires a specific software license to enable the feature. You can check this with the output of "show license". An example output follows:

 

content-filter-881#sh license
Index 1 Feature: advipservices
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
Index 2 Feature: advsecurity
        Period left: Life time
        License Type: Permanent
        License State: Active, Not in Use
        License Priority: Medium

 

Users on all platforms are required to have a license to access the Trend Micro filtering database.

 

There are two types of licenses:

  1. 30-day Demo license
  2. 1 year license

Part numbers can be found here

Someone can request a 30 day demo license as explained here.

If someone has bought the subscription package, they will receive a PAK number which needs to be registered here.

Make sure you use the correct serial number (S/N) with the PAK number; otherwise the PAK gets associated with a different S/N and TRM registration will fail.

 

 

 

Configuration

The following sections present the steps required to configure IOS Content Filtering.

 

 

Clock and DNS

First check the system clock and make sure it is correct. It needs to be correct so that the router can accept and validate the certificate it will pull from the Trend server during registration.

 

show clock

 

If it is not correct, fix it by pointing the router to an NTP source or by setting it manually:


clock set 16:00:00 SEPT 21 2009

Next, either configure a local domain-to-IP mapping for the Trend filtering server:

 

ip host trps.trendmicro.com 216.104.8.100

Make sure to query trps.trendmicro.com via nslookup and use the current IP address. In this case 216.104.8.100 and 150.70.74.51 seem to be valid.

nslookup trps.trendmicro.com
Server:          64.102.6.247
Address:     64.102.6.247#53

Non-authoritative answer:
Name:     trps.trendmicro.com
Address: 216.104.8.100  ===> This IP showed better RTT ~80ms
Name:     trps.trendmicro.com
Address: 150.70.74.51  ===> This may show an RTT of ~2.5 sec

 

or enable DNS lookups on the router:

 

ip name-server 4.2.2.2
ip domain-lookup

 

Certificates and Enrollment

Next you must install the Trend Micro subordinate certificate for communication with the Trend servers. This can be done automatically, or you can simply copy and paste the following into the router:

 

crypto pki trustpoint trendmicro
enrollment terminal
revocation-check none
exit
crypto pki authen trendmicro
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit

Register with Trend Micro

Check the subscription status

 

show ip trm subscription status

If it isn't marked as active, register the router:

 

trm register

Global parameter-map

This parameter map defines the global Trend Micro urlfiltering parameters for the box. This is where you define the Trend server to use, as well as the filtering cache parameters. Much like the Highlander, there can be only one.

 

parameter-map type trend-global global-parameters
server trps.trendmicro.com

 

 

Local Parameter Map

This is where you will define the block page message for that instance. This defines the parameters for this Trend URL filtering instance. Multiple filtering instances can be defined, but they all use the same global parameters.

 

parameter-map type urlfpolicy trend dynamic-parameters
allow-mode on
block-page message "This page has been blocked by your network administrator"

 

The local parameter map is also where we define fail open/close behaviour (allow-mode), the number of pending requests we permit, and a few other options.

 

 

Configuration with Dynamic/Interactive Filtering

In order to configure dynamic filtering (filtering based on page reputation and categories) you need to do the following:

 

Url filtering Class-Map

 

Class-maps for blocked categories or reputations. This can be done either in one big class-map or in multiple class-maps; multiple class-maps are preferable because they make configuration changes more obvious.

 

class-map type urlfilter trend match-any trend-block-reputation
match  url reputation ADWARE
match  url reputation PHISHING
match  url reputation SPYWARE
!
class-map type urlfilter trend match-any trend-block-categories
match  url category Gambling
match  url category Adult-Mature-Content

 

The urlfilter trend class-map type allows us to match on either URL categories or reputations.

 

Filtered Hosts Class-Map

This class-map is where the traffic to be filtered is matched. It can be based on protocols and on IP addresses defined in ACLs.

class-map type inspect match-all filtered-hosts
match protocol http
match access-group 123

Unfiltered Hosts Class-Map

This class-map can match traffic that should be allowed without filtering, for example the network administrator's traffic.

class-map type inspect match-all  filtering-exempt-hosts
match protocol http
match access-group 124

Url filtering Policy-Map

This is where we apply the drop actions for blocked traffic. We do not define the per-host action here.

 

policy-map type inspect urlfilter urlfilter-actions
parameter type urlfpolicy trend dynamic-parameters
class type urlfilter trend trend-block-categories
  reset
  log
class type urlfilter trend trend-block-reputation
  reset
  log

 

In the urlfilter policy-map we call the local parameters we defined. If you defined more than one set of local parameters you will have to define a second urlfilter policy-map.

 

Zone-based Policy-map

This is the policy-map for our zone-pair. You can add the urlfiltering service-policy to an existing configuration. This example assumes that the zone based firewall needs to inspect all outbound TCP and UDP traffic traversing from inside to outside. Here is where we define the hosts that will be filtered (and on what) and who will be exempt.

 

class-map type inspect match-any rest-traffic
match protocol tcp
match protocol udp
policy-map type inspect in->out
class type inspect filtering-exempt-hosts
  inspect
class type inspect filtered-hosts
  inspect
  service-policy urlfilter urlfilter-actions
class type inspect rest-traffic
  inspect

ACLs Identifying Traffic

These are the ACLs used to match the traffic in the class-maps. As written, ACL 123 selects every host for filtering and ACL 124 denies everything, so no host is exempt until you add permit entries for the hosts you want to exclude.

access-list 123 remark Filtered Hosts
access-list 123 permit ip any any
access-list 124 remark Hosts exempt from webfiltering
access-list 124 deny ip any any

 

This is all that is necessary for basic URL filtering. Some might want a little more granular control. We can use local url filtering (see below) to white/blacklist sites and modify our class-maps to only filter or exclude specific hosts.

 

 

Configuration with Static Filtering

To configure our URL filter to use both Trend URL filtering and local, static URL filtering for white- and blacklisting as well as URL keyword filtering, we only need to create a few extra class-maps and policy-maps.

 

Local URL Whitelist

This is a glob (not regex) pattern to match. You can configure patterns like *.yahoo.com.

parameter-map type urlf-glob url-whitelist
pattern www.cisco.com

 

Local URL Blacklist


parameter-map type urlf-glob url-blacklist
pattern *.myspace.com

Local Keyword Blacklist


parameter-map type urlf-glob keyword-blacklist
pattern  hack

 

A URL keyword is a complete word that occurs after the domain name and that is between the forward slash (/) path delimiters. For example, in the URL http://www.example.com/hack/123.html, only "hack" and "123.html" are treated as keywords. Anything in the host or domain name can be allowed or blocked using a domain name, so a URL keyword should be a word that comes after the domain name. The entire keyword in the URL must match the pattern. For example, if you have the pattern hack, the URL www.example.com/hacksite/123.html does not match it. In order to match this URL, the pattern must be hacksite.

 

Local URL Filter Class-map

The static filter class-maps.

class-map type urlfilter match-any blocked-sites
match  server-domain urlf-glob url-blacklist
match  url-keyword urlf-glob keyword-blacklist

class-map type urlfilter match-any permitted-sites
match  server-domain urlf-glob url-whitelist

 

Here we create the class-maps to match the traffic we chose to white/blacklist above.

 

 

Combining the Local and Trend URL Filtering

 

Now we need to configure the policy-map using both local and Trend URL filtering. Please note that the following are modifications to the policy-maps defined above.

 

  • First create the filtering actions.

 

policy-map type inspect urlfilter urlfilter-actions
parameter type urlfpolicy trend dynamic-parameters
class type urlfilter permitted-sites
   allow
class type urlfilter blocked-sites
  reset
  log
class type urlfilter trend trend-block-categories
  reset
  log
class type urlfilter trend trend-block-reputation
  reset
  log

  • Next apply them in the zone-based policy-map

 

policy-map type inspect in->out
class type inspect filtering-exempt-hosts
  inspect
class type inspect filtered-hosts
  inspect
  service-policy urlfilter urlfilter-actions
class type inspect rest-traffic
  inspect
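
The following Python model is an added example, not code from this document or from Cisco IOS. It reproduces the keyword and server-domain glob semantics described under Local Keyword Blacklist, the class order of the combined urlfilter policy-map above, and the fail-open behaviour of allow-mode on, so the policy can be tried on sample URLs before it goes on a router. The first-match class ordering, the skipping of Trend lookups for whitelisted sites, the fail-closed behaviour for allow-mode off, and the verdicts returned by fake_trend_lookup are assumptions made for the model.

```python
"""Model of the URL-filter policy from this document (added example,
not IOS code). It reproduces the documented matching semantics in
Python so that the effect of the urlf-glob patterns, the class order
in policy-map urlfilter-actions, and ``allow-mode on`` can be tried
on sample URLs before the configuration goes on a router.

Assumptions (not stated on the page): classes are evaluated in the
order they appear with the first match winning, a whitelisted
(allowed) site is never sent to Trend, and the Trend service is
modelled by a callable that raises ConnectionError when unreachable.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# urlf-glob parameter maps from the page: globs, not regexes.
URL_WHITELIST = ["www.cisco.com"]
URL_BLACKLIST = ["*.myspace.com"]
KEYWORD_BLACKLIST = ["hack"]

# Trend class-maps from the page.
BLOCK_REPUTATIONS = {"ADWARE", "PHISHING", "SPYWARE"}
BLOCK_CATEGORIES = {"Gambling", "Adult-Mature-Content"}


def server_domain_matches(host, patterns):
    """match server-domain urlf-glob: the whole host name against each glob."""
    return any(fnmatchcase(host, p) for p in patterns)


def url_keyword_matches(path, patterns):
    """match url-keyword urlf-glob: a keyword is one complete path segment
    after the domain, so /hack/123.html yields 'hack' and '123.html', and
    the segment 'hacksite' does not match the pattern 'hack'."""
    keywords = [seg for seg in path.split("/") if seg]
    return any(fnmatchcase(k, p) for k in keywords for p in patterns)


def evaluate(url, trend_lookup, allow_mode=True, cache=None):
    """Return (action, matching class) for one HTTP request.

    Class order mirrors policy-map urlfilter-actions: permitted-sites (allow),
    blocked-sites (reset), trend-block-categories (reset),
    trend-block-reputation (reset). trend_lookup(host) returns
    (category, reputation). allow_mode models the urlfpolicy 'allow-mode on'
    setting: the request is allowed when the Trend server cannot answer
    (fail open). cache models the router's URL cache (a dict).
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host, path = parts.hostname or "", parts.path
    if server_domain_matches(host, URL_WHITELIST):
        return "allow", "permitted-sites"
    if server_domain_matches(host, URL_BLACKLIST) or url_keyword_matches(path, KEYWORD_BLACKLIST):
        return "reset", "blocked-sites"
    if cache is not None and host in cache:
        category, reputation = cache[host]  # cache hit: no lookup needed
    else:
        try:
            category, reputation = trend_lookup(host)
        except ConnectionError:
            # allow-mode on passes the request; allow-mode off resets it instead.
            return ("allow" if allow_mode else "reset"), "allow-mode"
        if cache is not None:
            cache[host] = (category, reputation)
    if category in BLOCK_CATEGORIES:
        return "reset", "trend-block-categories"
    if reputation in BLOCK_REPUTATIONS:
        return "reset", "trend-block-reputation"
    return "allow", "class-default"


def fake_trend_lookup(host):
    """Constructed stand-in for the Trend Micro service; the verdicts are invented."""
    if host == "unreachable.example":
        raise ConnectionError("trps.trendmicro.com did not answer")
    verdicts = {
        "casino.example": ("Gambling", "UNKNOWN"),
        "phish.example": ("News", "PHISHING"),
    }
    return verdicts.get(host, ("Uncategorized", "UNKNOWN"))


if __name__ == "__main__":
    cache = {}
    for u in ["http://www.cisco.com/hack/", "http://www.myspace.com/",
              "http://www.example.com/hack/123.html",
              "http://www.example.com/hacksite/123.html",
              "http://casino.example/", "http://phish.example/",
              "http://unreachable.example/"]:
        print(u, *evaluate(u, fake_trend_lookup, cache=cache))
```

Note that the whitelist wins even for a URL that also carries a blacklisted keyword, because permitted-sites is the first class in the policy-map; put the classes in the order you want them evaluated. The allow_mode=False branch shows what a fail-closed policy would do when the server is unreachable.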

 

 

Completed Configuration with static and dynamic filtering

 

ip name-server 4.2.2.2
ip domain-lookup
!
crypto pki trustpoint trendmicro
enrollment terminal
revocation-check none
exit
crypto pki authen trendmicro
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
quit
!
parameter-map type trend-global global-parameters
server trps.trendmicro.com
parameter-map type urlfpolicy trend dynamic-parameters
allow-mode on
block-page message "This page has been blocked by your network administrator"
parameter-map type urlf-glob url-whitelist
pattern www.cisco.com
parameter-map type urlf-glob url-blacklist
pattern *.myspace.com
parameter-map type urlf-glob keyword-blacklist
pattern  hack
!
class-map type urlfilter trend match-any trend-block-reputation
match  url reputation ADWARE
match  url reputation PHISHING
match  url reputation SPYWARE
class-map type urlfilter trend match-any trend-block-categories
match  url category Gambling
match  url category Adult-Mature-Content
!
class-map type urlfilter match-any blocked-sites
match server-domain urlf-glob url-blacklist
match url-keyword urlf-glob keyword-blacklist
class-map type urlfilter match-any permitted-sites
match server-domain urlf-glob url-whitelist
class-map type inspect match-all  filtering-exempt-hosts
match protocol http
match access-group 124

class-map type inspect match-all filtered-hosts
match protocol http
match access-group 123
class-map type inspect match-any rest-traffic
match protocol tcp
match protocol udp
!
policy-map type inspect urlfilter urlfilter-actions
parameter type urlfpolicy trend dynamic-parameters
class type urlfilter permitted-sites
   allow
class type urlfilter blocked-sites
  reset
  log
class type urlfilter trend trend-block-categories
  reset
  log
class type urlfilter trend trend-block-reputation
  reset
  log
!
policy-map type inspect in->out
class type inspect filtering-exempt-hosts
  inspect
class type inspect filtered-hosts
  inspect
  service-policy urlfilter urlfilter-actions
class type inspect rest-traffic
  inspect
!
zone security inside
zone security outside
!
zone-pair security in-to-out source inside destination outside
service-policy type inspect in->out
!
access-list 123 remark Filtered Hosts
access-list 123 permit ip any any

access-list 124 remark Hosts exempt from webfiltering

 

 


 

 

 

CCP interaction with IOS Content filter

If you want to use CCP to configure Trend Micro URL filtering, we would suggest you paste this configuration into the router at the CLI and then manage it with CCP. CCP on its own might generate a configuration that is hard to read and hard to manage, but it can read a CLI configuration, and from then on management through CCP is straightforward.

If you still prefer to configure the feature using CCP, the Configuring Cisco IOS Content Filtering using CCP guide provides examples and screenshots.

 

 

Troubleshooting, debugging

 

Useful show commands and debugs are the following:

  1. show run
  2. show ip trm subscription status
  3. debug crypto pki validation
  4. debug ip trm detail
  5. debug ip urlfilter detail/events/function-trace
  6. show policy-map type inspect zone-pair urlfilter
  7. show policy-map type inspect zone-pair urlfilter cache
  8. show policy-map type inspect zone-pair urlfilter cache detail
  9. show policy-map type inspect zone-pair urlfilter | b detail

Sample output showing the Trend server statistics:

Trend server : trps.trendmicro.com(port: 80)
        Current requests count: 6
        Current packet buffer count(in use): 11
        Maxever request count: 938
        Maxever packet buffer count: 1710
        Total cache hit count: 28927
        Total requests sent to URL Filter Server :36912
        Total responses received from URL Filter Server :23168
        Total error responses received from URL Filter Server :1
        Total requests allowed: 18412
        Total requests blocked: 133
        1min/5min Avg Round trip time to URLF Server: 5497/4612 millisecs
        1min/5min Minimum round trip time to URLF server: 280/80 millisecs
        1min/5min Maximum round trip time to URLF server: 17364/17364 millisecs
        Last req round trip time to URLF Server: 2492 millisecs

 

Keep in mind that debugs could add CPU load to the router depending on how much traffic is inspected.
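
The following Python script is an added example, not Cisco code. It parses the Trend server statistics block shown above and flags the conditions an operator would want to notice when allow-mode on is configured, since slow or unanswered lookups then fail open. The threshold values and the interpretation of "requests sent minus responses received" as unanswered lookups are assumptions chosen for illustration.

```python
"""Health check over the urlfilter statistics shown above (added example,
not Cisco code). It parses the counters that
'show policy-map type inspect zone-pair urlfilter' prints for the Trend
server and flags conditions worth looking at when 'allow-mode on' is set,
because slow or unanswered lookups then fail open. Thresholds are
assumptions chosen for illustration, not Cisco guidance.
"""
import re

# The output block from this document, pasted as the sample input.
SAMPLE_OUTPUT = """\
Trend server : trps.trendmicro.com(port: 80)
        Current requests count: 6
        Current packet buffer count(in use): 11
        Maxever request count: 938
        Maxever packet buffer count: 1710
        Total cache hit count: 28927
        Total requests sent to URL Filter Server :36912
        Total responses received from URL Filter Server :23168
        Total error responses received from URL Filter Server :1
        Total requests allowed: 18412
        Total requests blocked: 133
        1min/5min Avg Round trip time to URLF Server: 5497/4612 millisecs
        1min/5min Minimum round trip time to URLF server: 280/80 millisecs
        1min/5min Maximum round trip time to URLF server: 17364/17364 millisecs
        Last req round trip time to URLF Server: 2492 millisecs
"""

# Single-value counters; the colon is sometimes preceded by a space.
COUNTERS = {
    "current_requests": r"Current requests count\s*:\s*(\d+)",
    "cache_hits": r"Total cache hit count\s*:\s*(\d+)",
    "requests_sent": r"Total requests sent to URL Filter Server\s*:\s*(\d+)",
    "responses_received": r"Total responses received from URL Filter Server\s*:\s*(\d+)",
    "error_responses": r"Total error responses received from URL Filter Server\s*:\s*(\d+)",
    "allowed": r"Total requests allowed\s*:\s*(\d+)",
    "blocked": r"Total requests blocked\s*:\s*(\d+)",
}
# 1min/5min pairs, reported in milliseconds.
RTT_PAIRS = {
    "rtt_avg": r"Avg Round trip time to URLF Server\s*:\s*(\d+)/(\d+) millisecs",
    "rtt_max": r"Maximum round trip time to URLF server\s*:\s*(\d+)/(\d+) millisecs",
}


def parse_urlfilter_stats(text):
    """Turn the show output into a dict of ints (plus server name and port)."""
    stats = {}
    m = re.search(r"Trend server\s*:\s*(\S+)\(port:\s*(\d+)\)", text)
    if not m:
        raise ValueError("no Trend server line found")
    stats["server"], stats["port"] = m.group(1), int(m.group(2))
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"counter missing: {key}")
        stats[key] = int(m.group(1))
    for key, pattern in RTT_PAIRS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"counter missing: {key}")
        stats[key + "_1min"], stats[key + "_5min"] = int(m.group(1)), int(m.group(2))
    return stats


def cache_hit_ratio(stats):
    """Share of lookups served from the router's URL cache."""
    total = stats["cache_hits"] + stats["requests_sent"]
    return stats["cache_hits"] / total if total else 0.0


def unanswered_ratio(stats):
    """Share of requests sent to the server that have no response counted
    (assumption: this includes lookups that timed out; a few may still be in flight)."""
    sent = stats["requests_sent"]
    return (sent - stats["responses_received"]) / sent if sent else 0.0


def assess(stats, max_avg_rtt_ms=2000, max_unanswered_ratio=0.05):
    """Return a list of findings; an empty list means nothing stands out."""
    findings = []
    if stats["rtt_avg_1min"] > max_avg_rtt_ms:
        findings.append(f"1-minute average round trip time {stats['rtt_avg_1min']} ms "
                        f"exceeds {max_avg_rtt_ms} ms; with allow-mode on, slow lookups fail open")
    ratio = unanswered_ratio(stats)
    if ratio > max_unanswered_ratio:
        findings.append(f"{ratio:.1%} of lookups are without a response from the URL filter server")
    if stats["error_responses"] > 0:
        findings.append(f"{stats['error_responses']} error response(s) received from the URL filter server")
    return findings


if __name__ == "__main__":
    s = parse_urlfilter_stats(SAMPLE_OUTPUT)
    print(f"{s['server']}:{s['port']} cache hit ratio {cache_hit_ratio(s):.1%}")
    for f in assess(s):
        print("-", f)
```

Run it against the output of the show command on your own router; on the sample above it reports the 5.5 second average round trip time and the large share of unanswered lookups, both of which mean that, with allow-mode on, many requests were passed without a verdict.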

 

Cisco IOS Content Filtering Certificate Change - August 17, 2012

Please note that the Trend Micro server's certificate was changed on August 17, 2012, and that a new CA certificate must be installed on the Cisco IOS device for the Content Filtering feature to continue working after August 17, 2012. Please follow the instructions outlined in Cisco IOS Content Filtering (Trend Micro) Certificate Change - Aug 17, 2012 to complete the certificate installation process.

Comments
Dookey901
Community Member

Hi,

I am trying to configure a 1941 router with this configuration. This router will be my internet gateway and I am concerned the firewall settings in this example are too weak to implement on a network.

Am I able to use Cisco Configuration Professional to tighten the firewall settings on the router? When I try to configure the firewall with High Security on CCP it tries to overwrite the current firewall.

BTW this is a good example and works well for what it is.

Regards

Jeff

Julio Carvajal
VIP Alumni
VIP Alumni

Great document!

jugn19781
Community Member

I would like to know which certificates I need to import. I have tried this one and the one downloaded directly from https://trps.trendmicro.com and it does not work. I get a message saying "No trustpoint found"

David White
Cisco Employee
Cisco Employee

You must create the trustpoint before you can import a certificate. Please see the commands above in this document in the section titled "Certificates and Enrollment".

The first line creates a trustpoint with the name "trendmicro". Note this can be any name you want.

The 5th line tells the router to import a certificate which you are going to paste in, to the trustpoint with the name "trendmicro". Note that this name must match the name defined in the first line, or you will get the error "No trustpoint found".

crypto pki trustpoint trendmicro
enrollment terminal
revocation-check none
exit
crypto pki authen trendmicro

Please double check your names match.
