Cisco 4700M Configuration Manual page 193

Application control engine appliance security

Chapter 3
Configuring Application Protocol Inspection
Configuring a Layer 7 HTTP Deep Inspection Policy

The Layer 7 HTTP deep packet inspection policy commands are as follows:

{permit | reset}

The keywords are as follows:

permit—Allows the specified HTTP traffic to be received by the ACE if it
passes the HTTP deep packet inspection match criteria specified in either the
class map or an inline match command.

reset—Denies the specified HTTP traffic by sending a TCP reset message to
the client or server to close the connection.

For example, to specify the actions in the Layer 7 HTTP deep packet inspection
policy map, enter:

host1/Admin(config)# policy-map type inspect http all-match HTTP_DEEPINSPECT_L7POLICY
host1/Admin(config-pmap-ins-http)# class http_check
host1/Admin(config-pmap-ins-http-c)# permit

Because the default is to permit all HTTP packets, you must remove the class map
to disable this function. For example, enter:

host1/Admin(config-pmap-ins-http)# no class http_check

By default, HTTP inspection allows traffic that does not match any of the
configured Layer 7 HTTP deep packet inspection matches. You can modify this
behavior by including the class class-default command with the reset action to
deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches
configured in the Layer 7 HTTP deep packet inspection policy map are hit, the
class-default action will be taken by the ACE. For example, you can include a
class map to allow the HTTP GET method and use the class class-default
command to block all of the other requests.

Note: By default, all matches are applied to both HTTP request and response messages,
but the class class-default command is applied only to HTTP requests.

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
OL-16202-01
3-69
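
The default-permit and class-default rules described above, as a small Python model of the decision logic (an added example, not Cisco code and not ACE configuration). HttpMessage, evaluate and the sample traffic are constructed for illustration; http_check is assumed to match the GET method, and the rule that a reset among several matched classes wins is an assumption of the model.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PERMIT, RESET = "permit", "reset"

@dataclass
class HttpMessage:
    kind: str                      # "request" or "response"
    method: Optional[str] = None   # set for requests only

# (name, match predicate, action): hypothetical stand-in for a class in the policy map.
L7Class = Tuple[str, Callable[[HttpMessage], bool], str]

def evaluate(classes: List[L7Class], class_default: Optional[str],
             msg: HttpMessage) -> str:
    """Return the action the modelled policy map takes for one HTTP message."""
    # Configured matches are tried against requests and responses alike.
    hits = [action for _, match, action in classes if match(msg)]
    if hits:
        # Assumption of this model: one reset among the matched classes wins.
        return RESET if RESET in hits else PERMIT
    # No class was hit: class-default is consulted for requests only.
    if msg.kind == "request" and class_default is not None:
        return class_default
    # No class-default configured, or the message is a response: permit.
    return PERMIT

def is_get(msg: HttpMessage) -> bool:
    return msg.kind == "request" and msg.method == "GET"

# Assumed content of the http_check class: permit the GET method.
HTTP_CHECK: List[L7Class] = [("http_check", is_get, PERMIT)]

# Constructed sample traffic.
SAMPLES = [
    HttpMessage("request", "GET"),
    HttpMessage("request", "POST"),
    HttpMessage("request", "TRACE"),
    HttpMessage("response"),
]

def verdicts(class_default: Optional[str]) -> List[str]:
    return [evaluate(HTTP_CHECK, class_default, m) for m in SAMPLES]

if __name__ == "__main__":
    print("no class-default    :", verdicts(None))
    print("class-default reset :", verdicts(RESET))
```

In the model, the response is still permitted with class-default reset in place, because class-default is applied only to requests; resetting a response requires an explicit class that matches it.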


This manual is also suitable for:

4700 series