Cisco ASA Series Configuration Manual page 289

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 13
Inspection of Basic Internet Protocols
HTTP Inspection Overview
Tip: You can install a service module that performs application and URL filtering, which includes HTTP
inspection, such as ASA CX or ASA FirePOWER. The HTTP inspection running on the ASA is not
compatible with these modules. Note that it is far easier to configure application filtering using a
purpose-built module rather than trying to manually configure it on the ASA using an HTTP inspection
policy map.
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated
with HTTP traffic.
HTTP application inspection scans HTTP headers and body, and performs various checks on the data.
These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols
from traversing the security appliance.
The enhanced HTTP inspection feature, which is also known as an application firewall and is available
when you configure an HTTP inspection policy map, can help prevent attackers from using HTTP
messages for circumventing network security policy.
HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP
requests and responses, preventing malicious content from reaching the web server. Size limiting of
various elements in HTTP request and response headers, URL blocking, and HTTP server header type
spoofing are also supported.
Enhanced HTTP inspection verifies the following for all HTTP messages:
- Conformance to RFC 2616.
- Use of RFC-defined methods only.
- Compliance with the additional criteria.
Configure HTTP Inspection
HTTP inspection is not enabled by default. If you are not using a purpose-built module for HTTP
inspection and application filtering, such as ASA CX or ASA FirePOWER, you can manually configure
HTTP inspection on the ASA using the following process.
Tip: Do not configure HTTP inspection in both a service module and on the ASA, as the inspections are not
compatible.
Procedure
Step 1  Configure an HTTP Inspection Policy Map, page 13-16.
Step 2  Configure the HTTP Inspection Service Policy, page 13-19.
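An ASA CLI configuration that follows the two-step procedure above, added here as an example and not taken from the Cisco guide. The map name HTTP-STRICT, the spoofed server string and the size thresholds are constructed values, and it assumes the default global_policy with its inspection_default class is still in place.

```cisco
! Added example, not from the Cisco guide. HTTP-STRICT, the spoof-server
! string and the byte thresholds are constructed values.
!
! Step 1: HTTP inspection policy map
policy-map type inspect http HTTP-STRICT
 parameters
! Drop and log messages that fail the protocol conformance checks
  protocol-violation action drop-connection log
! Replace the Server header value in responses
  spoof-server webserver
! Non-ASCII characters in request headers
 match request header non-ascii
  drop-connection log
! Size limits on request headers and the request URI
 match request header length gt 4096
  drop-connection log
 match request uri length gt 2048
  drop-connection log
!
! Step 2: reference the map from the HTTP inspection in the service policy
! (assumes the default global policy and inspection class)
policy-map global_policy
 class inspection_default
  inspect http HTTP-STRICT
!
service-policy global_policy global
```

Starting with `log` as the action in place of `drop-connection log` shows what would match before anything is blocked.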
Cisco ASA Series Firewall CLI Configuration Guide
HTTP Inspection
13-15
