18-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 18 Managing Firewall Web Filter Rules
Configuring Web Filter Rules for ASA, PIX, and FWSM Devices
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9.
Step 3 Configure the rule. Following are the highlights of what you typically need to decide. For specific
information on configuring the fields, see Add and Edit PIX/ASA/FWSM Web Filter Rule Dialog Boxes,
page 18-5.
Filtering and Type—Whether you are creating a rule that identifies traffic to be filtered (Filter) or exempted from an existing filter rule (Filter Except), and the type of filtering to be done:
URL—To filter traffic based on web address.
HTTPS—To filter web traffic to secure sites. This does not include SSL VPN traffic.
FTP—To filter FTP traffic.
ActiveX or Java—To remove ActiveX or Java applets. These options delete all entities within applet or object tags, so you might remove more than just ActiveX or Java applets.
Source and Destination addresses—If the rule should apply no matter which addresses generated the traffic or their destinations, use “any” as the source or destination. If the rule is specific to a host or network, enter the addresses or network/host objects. For information on the accepted address formats, see Specifying IP Addresses During Policy Definition, page 6-81.
Service—Primarily defines the port that should be monitored. You must specify some type of TCP service. Typically, you would use the pre-defined services HTTP, HTTPS, or FTP, which should be the same as the type of filtering you are performing, but you can specify any TCP port on your network that might contain the traffic to be filtered.
Options—The options you want to include, if any. The main options of interest are whether you want to allow traffic if the filtering servers are unavailable, and whether you want to truncate long URLs or URLs that have parameters. Truncating URLs that have parameters is typically a good idea, because if you are going to drop a URL, it is not normally because of a parameter value.
Click OK when you are finished defining your rule.
Step 4 If you did not select the desired row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. Order is not as important for web filtering rules,
however, because filter except rules always create exceptions to the related filter rule, whether they come
before or after the filter rule. For more information, see Moving Rules and the Importance of Rule Order,
page 12-19.
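The ASA CLI form of the rule types and options described in Steps 3 and 4, as an added illustration that is not taken from this guide; the addresses are constructed, and the exact command text Security Manager generates on deployment is not shown on this page.

```cisco
! Web filtering server (Firewall > Settings > Web Filter). A url-server must exist
! before URL, HTTPS, or FTP filter rules can be deployed. Address is constructed.
url-server (inside) vendor websense host 10.1.1.10 timeout 30 protocol TCP version 4

! Filter, type URL: any source, any destination, service HTTP (port 80).
!   allow            = permit traffic when the filtering server is unavailable
!   cgi-truncate     = send the URL without its parameters (truncate at "?")
!   longurl-truncate = send only the host name when the URL exceeds the maximum length
filter url http 0 0 0 0 allow cgi-truncate longurl-truncate

! Filter Except, type URL: exempt one internal subnet (constructed) from the rule
! above. It takes effect whether it is placed before or after the filter line.
filter url except 192.168.10.0 255.255.255.0 0 0

! HTTPS and FTP filtering through the same server. Without "allow", traffic is
! dropped while the server is unreachable, the stricter of the two options.
filter https 443 0 0 0 0
filter ftp 21 0 0 0 0

! ActiveX and Java removal is done by the device itself, without a server. Both
! strip everything inside object/applet tags, so some non-applet content can go too.
filter activex 80 0 0 0 0
filter java 80 0 0 0 0
```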
Web Filter Rules Page (ASA/PIX/FWSM)
Use the Web Filter Rules page for ASA, PIX, and FWSM devices to configure web, or URL, filtering
rules. Web filtering is a type of HTTP inspection. If your access rules allow HTTP traffic, you can
configure rules to apply server-based web filtering to prevent users from accessing undesirable web
servers.
When you configure web filter rules, also configure web filter settings in the Firewall > Settings > Web
Filter policy. The settings identify the web filtering server and contain other settings that control the
overall functioning of the policy. You must configure a web filtering server for your URL, FTP, or
HTTPS filter rules to be deployed. For more information, see Web Filter Settings Page, page 18-16.