Configuring a Layer 7 HTTP Deep Inspection Policy
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide, page 3-38
This section describes how to create a Layer 7 class map and policy map to be
used for HTTP deep packet inspection by the ACE. The ACE performs a stateful
deep packet inspection of the HTTP protocol and permits or restricts traffic based
on the actions in your configured policy maps. The following security features are
included as part of HTTP deep packet inspection as performed by the ACE:
• Regular expression matching on a name in an HTTP header, a URL name, or content expressions in an HTTP entity body
• Content, URL, and HTTP header length checks
• MIME-type message inspection
• Transfer-encoding methods
• Content type verification and filtering
• Port 80 misuse by tunneling protocols
• RFC compliance monitoring and RFC method filtering
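To make the checks in this list concrete, the following is an added illustrative example (not from the guide, and not ACE CLI syntax) that applies each listed check to a raw HTTP request in Python; the thresholds, the permitted method and MIME-type sets, and the two regex patterns are assumed values.

```python
import re

# Constructed policy modelling the HTTP deep-inspection checks listed above.
# Illustrative Python, not ACE CLI syntax; every threshold and pattern is an assumption.
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
POLICY = {
    "allowed_methods": {"GET", "HEAD", "POST"},                  # RFC method filtering
    "max_url_length": 256,                                       # URL length check
    "max_header_length": 512,                                    # per-header length check
    "max_content_length": 4096,                                  # entity-body length check
    "allowed_content_types": {"text/html", "application/json"},  # MIME-type filtering
    "allowed_transfer_encodings": {"chunked"},                   # transfer-encoding methods
    "header_regex": re.compile(r"(?i)^user-agent:.*\bBadBot\b"), # hypothetical header regex
    "body_regex": re.compile(rb"(?i)<script\b"),                 # hypothetical entity-body regex
}

def parse_request(raw: bytes):
    """Split a raw request; return None if it is not HTTP (e.g. a tunnelled protocol on port 80)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    return parts[0], parts[1], lines[1:], body

def inspect(raw: bytes, policy=POLICY):
    """Return the list of violated checks, in policy order; an empty list means the request is permitted."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["port-80 misuse: not an HTTP request"]
    method, url, header_lines, body = parsed
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    tenc = headers.get("transfer-encoding", "").lower()
    checks = [
        (method not in RFC_METHODS, f"RFC compliance: unknown method {method}"),
        (method in RFC_METHODS and method not in policy["allowed_methods"], f"method filtered: {method}"),
        (len(url) > policy["max_url_length"], "URL length exceeded"),
        (any(len(h) > policy["max_header_length"] for h in header_lines), "header length exceeded"),
        (len(body) > policy["max_content_length"], "content length exceeded"),
        (bool(body) and ctype not in policy["allowed_content_types"], f"content type not permitted: {ctype}"),
        (bool(tenc) and tenc not in policy["allowed_transfer_encodings"], f"transfer-encoding not permitted: {tenc}"),
        (any(policy["header_regex"].search(h) for h in header_lines), "header regex matched"),
        (policy["body_regex"].search(body) is not None, "body regex matched"),
    ]
    return [msg for hit, msg in checks if hit]
```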
You can associate a maximum of 1024 instances of the same type of regular
expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7
policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You
configure regexes in the following places:
• Match statements in Layer 7 class maps
• Inline match statements in Layer 7 policy maps
• Layer 7 hash predictors for server farms
• Layer 7 sticky expressions in sticky groups
• Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists
This section contains the following topics:
• Configuring a Layer 7 HTTP Deep Inspection Class Map
• Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map
Chapter 3, Configuring Application Protocol Inspection (OL-16202-01)