Cisco 4700M Configuration Manual page 190

Configuring a Layer 7 HTTP Deep Inspection Policy
See the
details on the individual inline match commands.
The match content-type-verification and match strict-http commands are
available only as inline match commands under the Layer 7 policy-map type
inspect http command. Because these two Layer 7 HTTP deep inspection match
criteria cannot be combined with other match criteria, they appear as inline match
commands for a policy map.
These two match commands perform the following HTTP deep inspection
functions:
•
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
3-66
match name cookie secondary [name cookie_name | prefix prefix_name]
value expression
match name header {header_name | header_field} header-value expression
match name header length {request | response} {eq bytes | gt bytes | lt bytes
| range bytes1 bytes 2}
match name header mime-type mime_type
match name port-misuse application_category
match name request-method {ext method | rfc method}
match name strict-http
match name transfer-encoding coding_types
match name url expression
match name url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes 2}
"Configuring a Layer 7 HTTP Deep Inspection Class Map"
match content-type-verification—Verifies the content MIME-type
messages with the header MIME-type. This inline match command limits the
MIME-types in HTTP messages allowed through the ACE. It verifies that the
header MIME-type value is in the internal list of supported MIME-types, and
the header MIME-type matches the actual content in the data or entity-body
portion of the message. If they do not match, the ACE performs one of the
specified Layer 7 policy map actions: permit or reset.
The MIME-type HTTP inspection process requires a search up to the
Note
configured maximum content parse length of the HTTP message,
which may degrade performance of the ACE.
Chapter 3 Configuring Application Protocol Inspection
section for
OL-16202-01