Introduction
This document describes the configuration of URL filters on an Adaptive Security Appliance (ASA) with the HTTP inspection engine. Filtering works by matching part of the HTTP request (the Host header in this example) against a list of regex patterns. You can either block specific URLs or block all URLs except for a select few.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Configuration Steps
These are the general configuration steps:
Identify a short list of domains that should be blocked or allowed
Create a regex class map that matches all of the domains in question
Build an HTTP Inspection Policy Map that drops or permits traffic that matches these domains
Apply this HTTP Inspection Policy Map to an HTTP Inspection in Modular Policy Framework
Whether you block some domains and permit all others, or block all domains and permit only a few, the steps are identical except for the creation of the HTTP Inspection Policy Map.
Identify a short list of domains that should be blocked or allowed
For this configuration example, these domains are either blocked or permitted:
cisco1.com
cisco2.com
cisco3.com
Configure the regex patterns for these domains:
regex cisco1.com "cisco1.com"
regex cisco2.com "cisco2.com"
regex cisco3.com "cisco3.com"
Create a regex class map that matches all of the domains in question
Configure a regex class that matches the regex patterns:
class-map type regex match-any domain-regex-class
 match regex cisco1.com
 match regex cisco2.com
 match regex cisco3.com
Build an HTTP Inspection Policy Map that drops or permits traffic that matches these domains
Choose the description that best fits the goal of this URL filter; the regex class built above is then treated either as a list of domains that should be allowed or as a list of domains that should be blocked.
Allow all domains except for the ones listed
The key to this configuration is that a class map is created in which an HTTP transaction that matches the listed domains is classified as "blocked-domain-class". HTTP transactions that match this class are reset and closed. Only HTTP transactions whose Host header matches these domains are reset.
class-map type inspect http match-all blocked-domain-class
 match request header host regex class domain-regex-class
!
policy-map type inspect http regex-filtering-policy
 parameters
 class blocked-domain-class
  reset log
Block all domains except for the ones listed
The key to this configuration is that the class map is created with the keyword "match not". This tells the firewall that any Host header that does not match the list of domains belongs to the class titled "allowed-domain-class". HTTP transactions that match that class are reset and closed. All HTTP transactions are reset unless they match the domains listed.
class-map type inspect http match-all allowed-domain-class
 match not request header host regex class domain-regex-class
!
policy-map type inspect http regex-filtering-policy
 parameters
 class allowed-domain-class
  reset log
Apply this HTTP Inspection Policy Map to an HTTP Inspection in Modular Policy Framework
Now that the HTTP Inspection Policy Map "regex-filtering-policy" is configured, apply it to an existing HTTP inspection or to a new inspection in the Modular Policy Framework. For example, this adds the inspection to the "inspection_default" class configured in the "global_policy":
policy-map global_policy
 class inspection_default
  inspect http regex-filtering-policy
Common Issues
When the HTTP Inspection Policy Map and the HTTP class map are configured, ensure that match or match not is used as the desired goal requires. This keyword is easy to overlook, and getting it wrong results in unintended behavior. Also, this form of regex processing, like any advanced packet processing, might increase ASA CPU utilization and reduce throughput. Use care as more regex patterns are added.
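The following Python model is an added example, not part of the original document or any Cisco software. It reproduces the decision logic of the two policy maps above (the "match" class that resets only the listed domains, and the "match not" class that resets everything except the listed domains) against constructed HTTP requests, so you can see how the one-keyword difference inverts the result. It also illustrates a caveat about the patterns as written: "cisco1.com" contains an unescaped ".", which matches any character, and the Host-header match is an unanchored search, so the pattern also matches hosts such as "cisco1xcom" or "cisco1.com.example". The STRICT_REGEX_CLASS patterns are an assumed tighter alternative (escaped dot, anchored, optional subdomain and port) using standard regex features; verify them against the regex syntax supported by your ASA release before use.

```python
import re

# Patterns copied from the "regex" commands in the configuration above.
DOMAIN_REGEX_CLASS = ["cisco1.com", "cisco2.com", "cisco3.com"]

# Assumed tighter alternative (not from the original document): escaped dot,
# anchored at both ends, optional subdomain prefix and optional :port suffix.
STRICT_REGEX_CLASS = [
    r"^([a-z0-9.-]+\.)?cisco1\.com(:[0-9]+)?$",
    r"^([a-z0-9.-]+\.)?cisco2\.com(:[0-9]+)?$",
    r"^([a-z0-9.-]+\.)?cisco3\.com(:[0-9]+)?$",
]


def regex_class_matches(host, patterns=DOMAIN_REGEX_CLASS):
    """Model of 'class-map type regex match-any': true if any pattern matches.

    re.search is deliberately unanchored, like a substring regex match on the
    header value.
    """
    return any(re.search(p, host) for p in patterns)


def classify(host, mode, patterns=DOMAIN_REGEX_CLASS):
    """Return 'reset' or 'permit' for a request with the given Host header.

    mode='block-listed' models the class with 'match'     (allow all except listed)
    mode='allow-listed' models the class with 'match not' (block all except listed)
    """
    matched = regex_class_matches(host, patterns)
    if mode == "block-listed":
        in_class = matched
    elif mode == "allow-listed":
        in_class = not matched  # 'match not' inverts class membership
    else:
        raise ValueError("unknown mode: %s" % mode)
    # The policy map applies 'reset log' to whatever lands in the class.
    return "reset" if in_class else "permit"


def host_header(raw_request):
    """Extract the Host header value from a raw HTTP/1.1 request (constructed input)."""
    for line in raw_request.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return ""


# Constructed sample requests for the demonstration.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: cisco1.com\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: www.cisco2.com:8080\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: example.org\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: cisco1xcom\r\n\r\n",          # unescaped '.' matches 'x'
    "GET / HTTP/1.1\r\nHost: cisco3.com.example\r\n\r\n",  # unanchored substring match
]


def run(mode, patterns=DOMAIN_REGEX_CLASS):
    """Classify every sample request; returns {host: verdict}."""
    return {host_header(r): classify(host_header(r), mode, patterns) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for mode in ("block-listed", "allow-listed"):
        for label, pats in (("as-written", DOMAIN_REGEX_CLASS), ("strict", STRICT_REGEX_CLASS)):
            print(mode, label)
            for host, verdict in run(mode, pats).items():
                print("  %-22s %s" % (host, verdict))
```

Running the script prints the verdict for each sample host under both policy styles and both pattern sets; the "as-written" rows show the two hosts that match only because of the loose patterns, and swapping the mode shows the inversion that a missing or extra "match not" produces.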