User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Protocols and Maps for Inspection
Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices
Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM
3.x, and IOS devices.
The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that
HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other
criteria. This can help prevent attackers from using HTTP messages to circumvent network security
policy.
When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and
log is enabled by default. You can change the actions performed in response to inspection failure, but
you cannot disable strict inspection as long as the HTTP map remains enabled. Security Manager uses
the http-map command to configure the map on the device.
Navigation Path
Select Manage > Policy Objects, then select Maps > Policy Maps > Inspect > HTTP (ASA 7.1.x/PIX
7.1.x/FWSM 3.x/IOS) from the Object Type selector. Right-click inside the work area, then select New
Object, or right-click a row and select Edit Object.
Related Topics
Understanding Map Objects, page 6-72
Configuring Protocols and Maps for Inspection, page 17-21
Field Reference
Table 17-28 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
Element | Description
Name | The name of the policy object. A maximum of 40 characters is allowed.
Description | A description of the policy object. A maximum of 200 characters is allowed.
General tab | Defines the action taken when non-compliant HTTP requests are received and enables verification of content type. For a description of the options, see HTTP Map General Tab, page 17-51.
Entity Length tab | Defines the action taken if the length of the HTTP content falls outside of configured targets. For a description of the options, see HTTP Map Entity Length Tab, page 17-52.
RFC Request Method tab | Defines the action that the security appliance should take when specific RFC request methods are used in the HTTP request. For a description of the options, see HTTP Map RFC Request Method Tab, page 17-54.
Extension Request Method tab | Defines the action taken when specific extension request methods are used in the HTTP request. For a description of the options, see HTTP Map Extension Request Method Tab, page 17-55.
Port Misuse tab | Defines the action taken when specific undesirable applications are encountered. For a description of the options, see HTTP Map Port Misuse Tab, page 17-56.
Transfer Encoding tab | Defines the action taken when specific transfer encoding types are used in the HTTP request. For a description of the options, see HTTP Map Transfer Encoding Tab, page 17-57.
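
To make the tabs above concrete, the following added example (not part of the Cisco guide and not the device's implementation) models, in simplified form, which tab's rule a given HTTP request would trigger. The policy keys, the function name, and the sample requests are hypothetical and constructed for illustration; any method outside the RFC 2616 set is treated as an extension method.

```python
# Added illustration: simplified model of the checks an HTTP map configures.
# Not Cisco code; policy keys and finding labels are hypothetical.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

POLICY = {  # constructed sample policy, one entry per tab modelled here
    "entity_length": (0, 1024),                   # Entity Length tab: allowed range
    "rfc_methods_denied": {"TRACE", "CONNECT"},   # RFC Request Method tab
    "allow_extension_methods": False,             # Extension Request Method tab
    "transfer_encodings_denied": {"chunked"},     # Transfer Encoding tab
}

def inspect_request(raw: bytes, policy=POLICY):
    """Return a list of (tab, reason) findings for one raw HTTP request."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    # General tab: request line must be "METHOD URI HTTP/x.y" (RFC 2616, 5.1).
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return [("General", "malformed request line")]
    method = parts[0]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append(("General", "malformed header line"))
            continue
        headers[name.strip().lower()] = value.strip()
    if method in RFC2616_METHODS:
        if method in policy["rfc_methods_denied"]:
            findings.append(("RFC Request Method", method))
    elif not policy["allow_extension_methods"]:
        findings.append(("Extension Request Method", method))
    low, high = policy["entity_length"]
    declared = headers.get("content-length", "")
    # Use the declared length when numeric, otherwise the bytes actually present.
    length = int(declared) if declared.isdigit() else len(body)
    if not low <= length <= high:
        findings.append(("Entity Length", f"{length} outside {low}-{high}"))
    for coding in headers.get("transfer-encoding", "").split(","):
        if coding.strip().lower() in policy["transfer_encodings_denied"]:
            findings.append(("Transfer Encoding", coding.strip().lower()))
    return findings

SAMPLES = {  # constructed requests
    "ok": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "trace": b"TRACE / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}
```

On the device, each finding would map to the action configured on the corresponding tab, with strict inspection defaulting to reset and log as described above.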