Book Excerpt: Cisco Secure Internet Security Solutions - part 4 - Page 5
URL filtering provides monitoring, reporting, and restriction of URL access. Cisco Systems and Websense, Inc. have formed a partnership for joint marketing and coordination of technical information on a product called Websense, which is used to control the sites that users are allowed to access. For example, web sites classified as employment or violent can be blocked. Instructions on ordering Websense are included in the documentation of every PIX Firewall.
The PIX Firewall configuration for enabling URL filtering is very simple. The following three lines show the configuration. The first line tells the PIX to allow or block URL access based on the information received from the Websense server on the inside interface at the 10.1.1.51 IP address. Should a response to a request not be received within the timeout parameter of 30 seconds shown on this line, the next Websense server will be queried. The default timeout is 5 seconds. The second line shows the failover Websense server, which is also the Web server on the public interface. The third line defines that all HTTP requests will be watched. Multiple filter commands can be combined to refine what is monitored. The full syntax of the filter command will be shown after the command lines.

url-server (inside) host 10.1.1.51 timeout 30
url-server (public) host 192.168.2.30
filter url http 0 0 0 0

The full syntax of the filter command is as follows:
filter [activex | http | url] | except local_ip local_mask foreign_ip foreign_mask [allow]

The definitions of the parameters can be found in Table 4-1.
Table 4-1 filter Command Parameters

| Parameter | Description |
|---|---|
| activex | Blocks outbound ActiveX, Java applets, and other HTML object tags from outbound packets. |
| url | Filters URL data from moving through the PIX. |
| http | Filters HTTP URLs. |
| except | Creates an exception to a previously stated filter condition. |
| local_ip | The IP address before NAT (if any) is applied. Use 0 for all IP addresses. |
| local_mask | The subnet mask of the local IP. Use 0 if 0 is used for the IP address. |
| foreign_ip | The IP address of the lower security level host or network. Use 0 for all foreign IP addresses. |
| foreign_mask | The subnet mask of the foreign IP. Use 0 if the foreign IP is 0. |
| allow | When a server is unavailable, this lets outbound connections pass through the PIX without filtering. |
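The following Python model, added here as an example and not taken from the book or from Cisco's own code, parses url-server and filter lines in the syntax shown above and works out, for a given outbound HTTP connection, whether the PIX would consult Websense, whether an except rule exempts it, and what happens when no Websense server answers. It goes slightly beyond the three configuration lines on the page by adding an except rule and the allow keyword so that their effect can be seen. The configuration text is constructed for this example; the treatment of 0 as a wildcard and of except rules as taking precedence follows the descriptions in Table 4-1, and the timeout default of 5 seconds follows the text. Real PIX behaviour may differ in details not covered on the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration modelled on the page's three lines, extended with
# the allow keyword (fail-open) and an except rule for the 10.1.1.0/24 hosts.
SAMPLE_CONFIG = """\
url-server (inside) host 10.1.1.51 timeout 30
url-server (public) host 192.168.2.30
filter url http 0 0 0 0 allow
filter url except 10.1.1.0 255.255.255.0 0 0
"""


@dataclass
class UrlServer:
    if_name: str
    host: str
    timeout: int  # seconds to wait before the next url-server is queried


@dataclass
class FilterRule:
    kind: str          # "url" or "except"
    local_ip: str
    local_mask: str
    foreign_ip: str
    foreign_mask: str
    allow: bool        # pass unfiltered when no url-server is reachable


@dataclass
class PixUrlFilterConfig:
    servers: list = field(default_factory=list)
    rules: list = field(default_factory=list)


def parse_config(text):
    """Parse url-server and filter url lines (hypothetical model of PIX parsing)."""
    cfg = PixUrlFilterConfig()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "url-server":
            # url-server (if_name) host ip [timeout seconds]; default timeout is 5 s
            host = tokens[tokens.index("host") + 1]
            timeout = int(tokens[tokens.index("timeout") + 1]) if "timeout" in tokens else 5
            cfg.servers.append(UrlServer(tokens[1].strip("()"), host, timeout))
        elif tokens[0] == "filter" and tokens[1] == "url":
            # filter url http   local_ip local_mask foreign_ip foreign_mask [allow]
            # filter url except local_ip local_mask foreign_ip foreign_mask
            kind = "except" if tokens[2] == "except" else "url"
            local_ip, local_mask, foreign_ip, foreign_mask = tokens[3:7]
            allow = "allow" in tokens[7:]
            cfg.rules.append(FilterRule(kind, local_ip, local_mask, foreign_ip, foreign_mask, allow))
        else:
            raise ValueError(f"line not supported by this model: {line!r}")
    return cfg


def _matches(ip, net, mask):
    """A 0 address or mask means 'any', as Table 4-1 describes."""
    if net == "0" or mask == "0":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)


def decide(cfg, local_ip, foreign_ip, servers_reachable):
    """Return one of:
    'pass'  - no filter rule applies (or an except rule exempts the connection)
    'query' - the request is sent to a Websense server for an allow/block verdict
    'allow' - no server answered but the rule carries allow: passes unfiltered
    'block' - no server answered and no allow keyword: the request is dropped
    """
    matched = None
    for rule in cfg.rules:
        if _matches(local_ip, rule.local_ip, rule.local_mask) and \
           _matches(foreign_ip, rule.foreign_ip, rule.foreign_mask):
            if rule.kind == "except":
                return "pass"          # exceptions override the filter condition
            if matched is None:
                matched = rule         # first matching filter rule applies
    if matched is None:
        return "pass"
    if servers_reachable:
        return "query"
    return "allow" if matched.allow else "block"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for srv in cfg.servers:
        print(f"url-server {srv.if_name}: {srv.host} (timeout {srv.timeout}s)")
    print(decide(cfg, "10.1.2.7", "203.0.113.10", True))    # query
    print(decide(cfg, "10.1.1.9", "203.0.113.10", True))    # pass (except rule)
    print(decide(cfg, "10.1.2.7", "203.0.113.10", False))   # allow (fail-open)
```

The last two calls are the ones worth noticing: an except rule removes a whole subnet from filtering, and the allow keyword turns a Websense outage into fail-open browsing. Both are convenient, and both deserve a deliberate decision rather than a default, since the filtering policy silently stops applying in those cases.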