Cisco Systems CL-28826-01 Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices

17-50

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 17 Managing Firewall Inspection Rules

Configuring Protocols and Maps for Inspection

Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices

Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM

3.x, and IOS devices.

The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that

HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other

criteria. This can help prevent attackers from using HTTP messages for circumventing network security

policy.

When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and

log is enabled by default. You can change the actions performed in response to inspection failure, but

you cannot disable strict inspection as long as the HTTP map remains enabled. Security Manager uses

the http-map command to configure the map on the device.

Navigation Path

Select Manage > Policy Objects, then select Maps > Policy Maps > Inspect > HTTP (ASA 7.1.x/PIX

7.1.x/FWSM3.x/IOS) from the Object Type selector. Right-click inside the work area, then select New

Object or right-click a row and select Edit Object.

Related Topics

•Understanding Map Objects, page 6-72

•Configuring Protocols and Maps for Inspection, page 17-21

Field Reference

Table17-28 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices

Element Description

Name The name of the policy object. A maximum of 40 characters is allowed.

Description A description of the policy object. A maximum of 200 characters is

allowed.

General tab Defines the action taken when non-compliant HTTP requests are

received and to enable verification of content type. For a description of

the options, see HTTP Map General Tab, page 17-51.

Entity Length tab Defines the action taken if the length of the HTTP content falls outside

of configured targets. For a description of the options, see HTTP Map

Entity Length Tab, page17-52.

RFC Request Method tab Defines the action that the security appliance should take when specific

RFC request methods are used in the HTTP request. For a description

of the options, see HTTP Map RFC Request Method Tab, page17-54.

Extension Request Method

tab

Defines the action taken when specific extension request methods are

used in the HTTP request. For a description of the options, see HTTP

Map Extension Request Method Tab, page 17-55.

Port Misuse tab Defines the action taken when specific undesirable applications are

encountered. For a description of the options, see HTTP Map Port

Misuse Tab, page 17-56.

Transfer Encoding tab Defines the action taken when specific transfer encoding types are used

in the HTTP request. For a description of the options, see HTTP Map

Transfer Encoding Tab, page17-57.