Tuesday, March 6, 2012

How to Configure URL Filtering - Websense on a Cisco ASA



This is the standard configuration I use to bring up Websense on the firewall. There are other options available; you can check those out in the Cisco links below.

url-server (inside) vendor websense host 10.55.55.55 timeout 15 protocol TCP version 4  
url-block url-mempool 1500
url-block url-size 4
url-block block 128

filter url http 10.40.40.0 255.255.255.0 0.0.0.0 0.0.0.0 longurl-truncate allow
filter https 443 10.40.40.0 255.255.255.0 0.0.0.0 0.0.0.0 longurl-truncate allow
filter ftp 21 10.40.40.0 255.255.255.0 0.0.0.0 0.0.0.0 allow

---------------------

Note: if you want to filter any IP going anywhere for HTTP, HTTPS, and FTP, use the following:

filter url http 0 0 0 0 longurl-truncate allow
filter https 443 0 0 0 0 longurl-truncate allow
filter ftp 21 0 0 0 0 allow

**Side Note: The allow keyword on the filter command makes Websense filtering fail open. Without allow it fails closed: if the ASA detects that the Websense server is down, it starts blocking all traffic that would need to be filtered by Websense until the server is back up.**


Cisco How to Document:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

More options:
The command-line reference for the filter and url-server commands can be found here:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1625866

Websense How to document, starts on page 9:
http://www.websense.com/content/support/library/web/v71/wws_pdfs/install_cisco.pdf



If you want to check whether your Websense server is up, do the following:

CiscoASA#show url-server statistics

Global Statistics:
--------------------
URLs total/allowed/denied         73/33/40
URLs allowed by cache/server      0/4
URLs denied by cache/server       0/15
HTTPSs total/allowed/denied       145/140/5
HTTPSs allowed by cache/server    0/18
HTTPSs denied by cache/server     0/1
FTPs total/allowed/denied         0/0/0
FTPs allowed by cache/server      0/0
FTPs denied by cache/server       0/0
Requests dropped                  0
Server timeouts/retries           0/0
Processed rate average 60s/300s   0/0 requests/second
Denied rate average 60s/300s      0/0 requests/second
Dropped rate average 60s/300s     0/0 requests/second

Server Statistics:
--------------------
10.55.55.55                       UP
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   145/140/5
  Server timeouts/retries         0/0
  Responses received              145
  Response time average 60s/300s  0/0

URL Packets Sent and Received Stats:
------------------------------------
Message                 Sent    Received
STATUS_REQUEST          1789    1701
LOOKUP_REQUEST          1456    1566
LOG_REQUEST             0       NA

Errors:
-------
RFC noncompliant GET method     0
URL buffer update failure       0
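As an added example (not from the original post, Cisco, or Websense), here is a small Python check that parses the output of show url-server statistics shown above and flags the fail-open condition the side note describes. It assumes a DOWN server is printed the same way as an UP one with the word DOWN, which only the UP case in the output above confirms.

```python
import re

# Constructed sample, trimmed from the "show url-server statistics" output above.
SAMPLE_UP = """\
Global Statistics:
--------------------
URLs total/allowed/denied         73/33/40
Requests dropped                  0
Server timeouts/retries           0/0

Server Statistics:
--------------------
10.55.55.55                       UP
  Vendor                          websense
  Port                            15868
  Server timeouts/retries         0/0
"""
# Constructed: same report with the server marked DOWN (the DOWN label is an assumption).
SAMPLE_DOWN = SAMPLE_UP.replace("10.55.55.55                       UP",
                                "10.55.55.55                       DOWN")

SERVER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(UP|DOWN)\s*$", re.M)
TIMEOUT_RE = re.compile(r"^\s*Server timeouts/retries\s+(\d+)/(\d+)\s*$", re.M)
DROPPED_RE = re.compile(r"^Requests dropped\s+(\d+)\s*$", re.M)

def parse_url_server_stats(text):
    """Pull server state and the global timeout/retry/drop counters out of the report."""
    servers = {ip: state for ip, state in SERVER_RE.findall(text)}
    # The global "Server timeouts/retries" line precedes the per-server ones, so the
    # first match is the global counter.
    t = TIMEOUT_RE.search(text)
    d = DROPPED_RE.search(text)
    return {
        "servers": servers,
        "timeouts": int(t.group(1)) if t else 0,
        "retries": int(t.group(2)) if t else 0,
        "dropped": int(d.group(1)) if d else 0,
    }

def assess(stats, fail_open=True):
    """Classify filtering health; fail_open mirrors whether 'allow' is on the filter lines."""
    down = [ip for ip, state in stats["servers"].items() if state != "UP"]
    if down:
        # With 'allow' the ASA passes traffic unfiltered; without it, it blocks everything.
        return ("UNFILTERED: server down, fail-open" if fail_open
                else "OUTAGE: server down, fail-closed")
    if stats["timeouts"] or stats["dropped"]:
        return "DEGRADED: timeouts or dropped requests"
    return "OK"
```

Run it against the output of show url-server statistics from a monitoring job so that a quiet fail-open (server down, allow configured, nothing blocked) is noticed rather than discovered later in the logs.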