Configuring URL-Filtering Policy

You must identify and enable the URL-filtering server before you use the following filtering
commands. If all URL-filtering servers are removed, any associated filtering commands are
also removed. The filter url command enables you to prevent outbound users from accessing
URLs that you designate as inadmissible. The syntax for filtering URLs is as follows:
filter url port [except] local-ip local-mask foreign-ip foreign-mask [allow]
[proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
Example 16-1 Displaying the URL-Filtering Server Information
pixfw# show url-server
url-server (inside) vendor n2h2 host 10.10.10.13 port 4005 timeout 5 protocol TCP
With URL filtering enabled, the Cisco Security Appliance stops outbound HTTP, HTTPS,
and FTP traffic until a URL-filtering server permits the connection. If neither the primary
URL-filtering server nor the secondary server responds, outbound web traffic (port 80) stops
until a URL-filtering server comes back online. However, the allow option causes the Cisco
Security Appliance to forward HTTP traffic without filtering while the URL-filtering servers
are unavailable.
The following example filters all HTTP traffic:
filter url http 0 0
You can make an exception to URL-filtering policies by using the except parameter in the
filter url command. For example:
pixfw(config)#filter url http 0 0 0 0
pixfw(config)#filter url except 10.10.10.20 255.255.255.255 0 0
This policy filters all HTTP traffic with the exception of HTTP traffic that originates from
host 10.10.10.20.
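As an added example (not from the book or from Cisco), here is a small Python audit helper that parses filter url lines like those above and answers, for a given outbound flow, whether the policy holds it for the URL-filtering server and what the appliance does if no server responds (the allow keyword). It assumes that an except line overrides any overlapping filter line and that the two-address form filter url http 0 0 means any local and any foreign host; the sample configuration lines are constructed.

```python
import ipaddress
from dataclasses import dataclass
PORT_NAMES = {"http": 80, "https": 443, "ftp": 21}
OPTIONS = {"allow", "proxy-block", "longurl-truncate", "longurl-deny", "cgi-truncate"}
@dataclass
class FilterRule:
    port: int                       # 0 = any port (the 'except' form above carries no port)
    local: ipaddress.IPv4Network    # local-ip local-mask: the inside client(s)
    foreign: ipaddress.IPv4Network  # foreign-ip foreign-mask: the outside web server(s)
    is_except: bool                 # 'except' carves this traffic out of filtering
    allow: bool                     # forward unfiltered when no URL-filtering server answers
def _net(addr, mask):
    # Cisco shorthand: "0 0" stands for 0.0.0.0 0.0.0.0, i.e. any host
    addr, mask = [("0.0.0.0" if t == "0" else t) for t in (addr, mask)]
    return ipaddress.IPv4Network((addr, mask), strict=False)
def parse_filter_url(line):
    """Parse one 'filter url ...' line, with or without a leading 'pixfw(config)#' prompt."""
    tokens = line.split("#", 1)[-1].split()
    assert tokens[:2] == ["filter", "url"], line
    tokens, port = tokens[2:], 0
    if tokens[0] != "except":
        port, tokens = PORT_NAMES.get(tokens[0]) or int(tokens[0]), tokens[1:]
    is_except = tokens[0] == "except"
    addrs = [t for t in (tokens[1:] if is_except else tokens) if t not in OPTIONS]
    if len(addrs) == 2:             # 'filter url http 0 0': foreign side defaults to any (assumption)
        addrs += ["0", "0"]
    assert len(addrs) == 4, line
    return FilterRule(port, _net(*addrs[:2]), _net(*addrs[2:]), is_except, "allow" in tokens)
def _matches(r, src, dst, dport):
    return (r.port in (0, dport) and ipaddress.IPv4Address(src) in r.local
            and ipaddress.IPv4Address(dst) in r.foreign)
def is_filtered(rules, src, dst, dport=80):
    """True if the appliance holds this outbound request until a URL-filtering server permits it."""
    if any(r.is_except and _matches(r, src, dst, dport) for r in rules):
        return False                # an except rule wins over any filter rule it overlaps
    return any(not r.is_except and _matches(r, src, dst, dport) for r in rules)
def server_down_action(rules, src, dst, dport=80):
    """When no URL-filtering server responds: 'drop' unless the matching rule carries 'allow'."""
    if not is_filtered(rules, src, dst, dport):
        return "forward"            # traffic the policy never sends to the filter is unaffected
    hits = [r for r in rules if not r.is_except and _matches(r, src, dst, dport)]
    return "forward" if any(r.allow for r in hits) else "drop"

SAMPLE_CONFIG = [  # constructed: first two lines mirror the example above, third adds 'allow'
    "pixfw(config)#filter url http 0 0 0 0",
    "pixfw(config)#filter url except 10.10.10.20 255.255.255.255 0 0",
    "pixfw(config)#filter url 8080 10.10.10.0 255.255.255.0 0 0 allow",
]
RULES = [parse_filter_url(l) for l in SAMPLE_CONFIG]
```

Running is_filtered over every inside host in a config is a quick way to list which clients the except lines exempt, and server_down_action shows which filtered flows fail open because of allow.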
Websense database version 4 contains the following enhancements:
■ URL filtering allows the Cisco Security Appliance to check outgoing URL requests
against the policy defined on the Websense server.
■ Username logging tracks the username, group, and domain name on the Websense
server.
■ Username lookup lets the Cisco Security Appliance use the user authentication table to
map the host’s IP address to the username.
There are instances in which the web server replies to a user HTTP request faster than the
URL-filtering servers. In these instances, the url-cache command provides a configuration
option to buffer the response from a web server if its response is faster than that from the
N2H2 or Websense URL-filtering server. This prevents the web server’s response from being
loaded twice, improving throughput. The syntax of the url-cache command is as follows: