Tuesday, March 6, 2012

How to Configure URL Filtering - Websense on a Cisco ASA

This is the standard configuration I use to bring up Websense on the firewall. Other options are available; you can check those out in the Cisco links.

url-server (inside) vendor websense host timeout 15 protocol TCP version 4  
url-block url-mempool 1500
url-block url-size 4
url-block block 128

filter url http longurl-truncate allow
filter https 443 longurl-truncate allow
filter ftp 21 allow


Note: if you want to filter any IP going anywhere for HTTP, HTTPS, and FTP, use the following:

filter url http 0 0 0 0 longurl-truncate allow
filter https 443 0 0 0 0 longurl-truncate allow
filter ftp 21 0 0 0 0 allow

**Side Note: The allow keyword in the filter command lets Websense filtering fail open. Without the allow keyword it fails closed: if the ASA detects that Websense is down, it will start blocking all traffic that needs to be filtered by Websense.**

Cisco How to Document:

More options:
I have included the link to the command line reference which can be found here:

Websense How to document, starts on page 9:

If you want to check whether your Websense server is up, do the following:

CiscoASA#show url-server statistics

Global Statistics:
URLs total/allowed/denied         73/33/40
URLs allowed by cache/server      0/4
URLs denied by cache/server       0/15
HTTPSs total/allowed/denied       145/140/5
HTTPSs allowed by cache/server    0/18
HTTPSs denied by cache/server     0/1
FTPs total/allowed/denied         0/0/0
FTPs allowed by cache/server      0/0
FTPs denied by cache/server       0/0
Requests dropped                  0
Server timeouts/retries           0/0
Processed rate average 60s/300s   0/0 requests/second
Denied rate average 60s/300s      0/0 requests/second
Dropped rate average 60s/300s     0/0 requests/second

Server Statistics:
--------------------                       UP
  Vendor                          websense
  Port                            15868
  Requests total/allowed/denied   145/140/5
  Server timeouts/retries         0/0
  Responses received              145
  Response time average 60s/300s  0/0

URL Packets Sent and Received Stats:
Message                 Sent    Received
STATUS_REQUEST          1789    1701
LOOKUP_REQUEST          1456    1566
LOG_REQUEST             0       NA

RFC noncompliant GET method     0
URL buffer update failure       0
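
The fail-open/fail-closed side note and the statistics check above, combined in one added example (not from the original post): a Python script that reads the filter lines and the show url-server statistics text and reports what happens to each protocol. The sample config is the post's lines with allow removed from the ftp line, and treating any server state other than UP as down is an assumption.

```python
import re

# Constructed sample: the post's filter lines, with "allow" removed from ftp.
SAMPLE_CONFIG = """\
filter url http 0 0 0 0 longurl-truncate allow
filter https 443 0 0 0 0 longurl-truncate allow
filter ftp 21 0 0 0 0
"""

# Constructed sample: trimmed copy of the post's statistics output.
SAMPLE_STATS = """\
Requests dropped                  0
Server timeouts/retries           0/0

Server Statistics:
--------------------                       UP
  Vendor                          websense
"""

def fail_modes(config):
    """Map each url-server filtered protocol to 'open' (allow set) or 'closed'."""
    modes = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "filter":
            continue
        if tokens[1] in ("url", "https", "ftp"):
            proto = "http" if tokens[1] == "url" else tokens[1]
            modes[proto] = "open" if "allow" in tokens[2:] else "closed"
    return modes

def server_health(stats):
    """Extract server state, timeouts and dropped requests from the stats text."""
    section = stats.split("Server Statistics:", 1)[-1]
    state = re.search(r"^\S+\s+([A-Z]+)\s*$", section, re.M)
    timeouts = re.search(r"^Server timeouts/retries\s+(\d+)/", stats, re.M)
    dropped = re.search(r"^Requests dropped\s+(\d+)", stats, re.M)
    return {
        "state": state.group(1) if state else "UNKNOWN",
        "timeouts": int(timeouts.group(1)) if timeouts else None,
        "dropped": int(dropped.group(1)) if dropped else None,
    }

def traffic_effect(config, stats):
    """Per protocol: 'filtered' while the server is UP, else the fail mode result."""
    up = server_health(stats)["state"] == "UP"  # assumption: anything else = down
    outcome = {"open": "passes unfiltered", "closed": "blocked"}
    return {p: "filtered" if up else outcome[m]
            for p, m in fail_modes(config).items()}

if __name__ == "__main__":
    print(server_health(SAMPLE_STATS))
    print(traffic_effect(SAMPLE_CONFIG, SAMPLE_STATS))
```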
