Fine-Tuning and Monitoring the Filtering Process
The two commands we just looked at, url-server and filter url, constitute a basic
configuration for URL filtering, but some other parameters might need to be
configured. One of these is required to deal with the problem of long URLs,
which are common nowadays because sites store session state and other information in the URL
itself. A typical long URL could look like this:
http://www.somebettingcompany.com/?action=GoEv&class_id=1&type_id=2&ev_id=
4288&class_name=%7CFootball%7C&type_name=%7CChampions+League%7C+%7C
Qualifying+Matches%7C&ev_name=%7CGenk%7C+v+%7CSparta+Prague%7C
www.syngress.com
170 Chapter 4 • Advanced PIX Configurations
Until version 6.2, the PIX's maximum supported URL length was 1159 bytes
(for Websense only; N2H2 was not supported at all). In version 6.2, the maximum
URL length for Websense filtering is 6KB and 1159 bytes for N2H2.
Version 6.2 introduced new options to the filter command to configure the firewall's
behavior when the URL exceeds 1159 bytes with a Websense server. The
syntax of this command is as follows:
filter url [longurl-truncate | longurl-deny] [cgi-truncate]
The longurl-truncate parameter specifies that when the URL length exceeds
the maximum, only the IP address or hostname from the request, instead of the
full URL, is sent to the filtering server. The longurl-deny parameter specifies that
all long URL requests should be dropped. The cgi-truncate parameter specifies that
only the CGI script name and its location (the part of the URL before the ?
sign) should be passed as the URL to the Websense server. This skips the CGI
parameter list, which can be quite long. Without this option enabled, the entire
URL, including the parameter list, is passed.
Both truncation options reduce what the filtering server gets to see: with
longurl-truncate only the host is checked, and with cgi-truncate the parameter
list is never inspected, so a policy that depends on the full path or on CGI
parameters cannot be enforced for those requests. longurl-deny is the conservative
choice, at the cost of breaking sites that legitimately use long URLs.
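To make the effect of these options concrete, here is an added Python model (not PIX code, and not from the book) of what reaches the filtering server under each option. The 1159-byte threshold and the betting-site URL come from the text above; the function names, the constructed TOKEN_URL with a 1200-character session token, and the assumption that cgi-truncate is applied before the length check are mine.

```python
"""Model of what a PIX 6.2 running `filter url` with the long-URL options
hands to the filtering server.  Added example, not PIX code: the option
semantics follow the text; WEBSENSE_MAX_URL, the functions, TOKEN_URL and the
order in which cgi-truncate and the longurl options are applied are assumptions."""
from urllib.parse import urlsplit

WEBSENSE_MAX_URL = 1159  # bytes; the threshold the longurl options react to

# the long URL quoted in the text (about 200 bytes, so below the threshold)
BETTING_URL = (
    "http://www.somebettingcompany.com/?action=GoEv&class_id=1&type_id=2&ev_id="
    "4288&class_name=%7CFootball%7C&type_name=%7CChampions+League%7C+%7C"
    "Qualifying+Matches%7C&ev_name=%7CGenk%7C+v+%7CSparta+Prague%7C"
)

# constructed: a session token in the query string pushes the URL past 1159 bytes
TOKEN_URL = "http://portal.example/cgi-bin/report.cgi?session=" + "A" * 1200


def url_for_filter_server(url, *, longurl_truncate=False, longurl_deny=False,
                          cgi_truncate=False, max_len=WEBSENSE_MAX_URL):
    """Return the URL string the firewall sends to the filtering server,
    or None when the request is dropped outright (longurl-deny)."""
    parts = urlsplit(url)
    if cgi_truncate and parts.query:
        # cgi-truncate: keep only the script name and its location,
        # i.e. everything before the '?', and skip the parameter list
        url = parts._replace(query="", fragment="").geturl()
    if len(url.encode("utf-8")) > max_len:
        if longurl_deny:
            return None              # long request is dropped
        if longurl_truncate:
            return parts.hostname    # only the hostname or IP is checked
    return url                       # otherwise the whole URL is passed


def filter_coverage(url, **options):
    """Which URL components the filtering server can still evaluate."""
    sent = url_for_filter_server(url, **options)
    if sent is None:
        return "dropped"
    if sent == urlsplit(url).hostname:
        return "host"
    return "host+path+query" if urlsplit(sent).query else "host+path"


if __name__ == "__main__":
    for opts in ({}, {"longurl_truncate": True}, {"longurl_deny": True},
                 {"cgi_truncate": True}, {"cgi_truncate": True, "longurl_truncate": True}):
        print(opts or "no options", "->", filter_coverage(TOKEN_URL, **opts))
```

Running the demo shows the trade-off the text describes: without options the whole 1249-byte URL is passed, longurl-truncate leaves only the host to be policed, longurl-deny drops the request, and cgi-truncate removes the query string so the URL no longer triggers the long-URL handling at all.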
NOTE
Even in PIX 6.2, the default URL size passed to a Websense filtering server
for processing is 2KB. In order to increase this size, use the command
url-block url-size
There are also commands for fine-tuning performance. The most important is
the url-cache command:
url-cache {dst | src_dst} size kbytes
This command is used for tuning the process of caching replies from the filtering
servers. By default, the PIX sends requests to the URL filtering server for
a decision and to the Web server for content at the same time, and if the Web
server replies faster than the filtering server, the Web server's reply is dropped. The
Web server is then contacted again if the filtering server permits the connection.
In order to prevent these double requests, you might want to store the filtering
server replies locally instead of contacting the server every time. The url-cache
command enables a cache of kbytes kilobytes for replies of filtering servers based
either on destination (that is, Web server address) when the dst option is specified
or on both source and destination when src_dst is specified. The first option is
recommended when all users have the same access privileges (so there is no need
to distinguish clients), and the second is recommended when different users have
different access privileges: with dst, a verdict returned for one client's request is
reused for any other client requesting the same URL, so a permit obtained by a
privileged user would also apply to users the filtering server would have denied.
Also keep in mind that a cached verdict is reused without consulting the server,
so a policy change on the filtering server does not take effect for cached URLs
until those entries are evicted. The statistics of the caching process, including the hit
ratio, can be viewed by running the command:
show url-cache stat
For example, the following command enables a cache of 32KB for all outgoing
HTTP requests:
PIX1(config)# url-cache dst size 32
The following are cache statistics:
PIX1# show url-cache stat
URL Filter Cache Stats
-----------------------
Size : 32KB
Entries : 360
In Use : 200
Lookups : 2000
Hits : 1000
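The following is an added Python model, not PIX code and not the book's, of how the two keying modes change what a cached verdict applies to. The dst/src_dst keys and the lookup and hit counters follow the description above; the UrlDecisionCache class, the per-entry byte cost, the sample policy, the addresses and the traffic are constructed for the example.

```python
"""Model of url-cache keyed by dst versus src_dst.  Added example, not PIX
code: the keying and the lookup/hit counters follow the text, while the
class, the per-entry size, the sample policy and the addresses are mine."""
from collections import OrderedDict
from urllib.parse import urlsplit


class UrlDecisionCache:
    """LRU cache of filtering-server verdicts keyed the way url-cache is."""
    ENTRY_BYTES = 91  # assumed cost per entry, chosen so 32KB gives ~360 entries

    def __init__(self, mode, size_kb):
        if mode not in ("dst", "src_dst"):
            raise ValueError("mode must be 'dst' or 'src_dst'")
        self.mode = mode
        self.size_kb = size_kb
        self.entries = size_kb * 1024 // self.ENTRY_BYTES  # capacity
        self._verdicts = OrderedDict()
        self.lookups = 0
        self.hits = 0

    def _key(self, src_ip, dst_ip, url):
        # dst: one verdict per server+URL, shared by every client
        # src_dst: one verdict per client+server+URL
        if self.mode == "dst":
            return (dst_ip, url)
        return (src_ip, dst_ip, url)

    def lookup(self, src_ip, dst_ip, url):
        """Cached verdict (True=permit, False=deny) or None on a miss."""
        self.lookups += 1
        key = self._key(src_ip, dst_ip, url)
        if key not in self._verdicts:
            return None
        self.hits += 1
        self._verdicts.move_to_end(key)
        return self._verdicts[key]

    def store(self, src_ip, dst_ip, url, permitted):
        self._verdicts[self._key(src_ip, dst_ip, url)] = permitted
        while len(self._verdicts) > self.entries:
            self._verdicts.popitem(last=False)  # evict least recently used

    def stats(self):
        """The counters `show url-cache stat` reports."""
        return {"size_kb": self.size_kb, "entries": self.entries,
                "in_use": len(self._verdicts),
                "lookups": self.lookups, "hits": self.hits}


# constructed per-client policy on the filtering server: the same site is
# permitted for one group of users and denied for another
SERVER_POLICY = {
    ("10.0.0.5", "bettingsite.example"): True,
    ("10.0.0.9", "bettingsite.example"): False,
}


def ask_filter_server(src_ip, url):
    """Stand-in for the round trip to the Websense/N2H2 server."""
    return SERVER_POLICY.get((src_ip, urlsplit(url).hostname), False)


def run_requests(mode, requests, size_kb=32):
    """Serve (src_ip, dst_ip, url) requests through a cache in the given mode.
    Returns the list of verdicts and the cache statistics."""
    cache = UrlDecisionCache(mode, size_kb)
    verdicts = []
    for src_ip, dst_ip, url in requests:
        verdict = cache.lookup(src_ip, dst_ip, url)
        if verdict is None:                      # miss: consult the server
            verdict = ask_filter_server(src_ip, url)
            cache.store(src_ip, dst_ip, url, verdict)
        verdicts.append(verdict)
    return verdicts, cache.stats()


# constructed traffic: the permitted client asks first, then the denied one twice
REQUESTS = [
    ("10.0.0.5", "192.0.2.10", "http://bettingsite.example/odds"),
    ("10.0.0.9", "192.0.2.10", "http://bettingsite.example/odds"),
    ("10.0.0.9", "192.0.2.10", "http://bettingsite.example/odds"),
]

if __name__ == "__main__":
    for mode in ("dst", "src_dst"):
        print(mode, *run_requests(mode, REQUESTS))
```

With dst keying the second client is served the permit cached from the first client's request and the filtering server is never asked about it; with src_dst keying the second client gets its own (deny) verdict, at the cost of one more lookup miss.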
Another option for overcoming slow filtering server response is to buffer Web
server replies in advance and pass these replies to the client after the filtering
server permits them. This feature is configured on the PIX using the following
command:
url-block block block_buffer_limit
This command configures the size of the reply buffer. The block_buffer_limit
parameter can be any number between 1 and 128 and defines how many blocks
of memory will be used. Usage statistics for this memory pool can be viewed by
using the show url-block block stat command. For example:
pix(config)# show url-block block stat
URL Pending Packet Buffer Stats with max block 1
----------------------------------------------------------
Cumulative number of packets held: 0
Maximum number of packets held (per URL): 0
Current number of packets held (global): 0
Packets dropped due to exceeding url-block buffer limit: 0
Packet drop due to retransmission: 0
The counter to watch is "Packets dropped due to exceeding url-block buffer
limit": a value that keeps growing means the buffer is too small for the traffic
and Web server replies are being discarded while the filtering server's verdict is
still outstanding.
The total amount of memory used for storing URLs and pending URLs (the
ones for which no reply from the filtering server has yet been received) is
configured with the command:
url-block url-mempool
The size of the allocated memory pool is defined by a number from 2 to
10240, the number in KB.
Other commands for viewing the configuration of URL filtering are:
show filter
show url-server
show url-server stats
Here is some example output from these commands:
PIX1# show url-server
url-server (outside) vendor n2h2 host 192.168.2.17 port 4005 timeout 5 protocol TCP
url-server (outside) vendor n2h2 host 192.168.2.10 port 4005 timeout 5 protocol TCP
PIX1# show filter
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
PIX1# show url-server stats
URL Server Statistics:
----------------------
Vendor n2h2
URLs total/allowed/denied 2556/2000/556
URL Server Status:
------------------
192.168.2.17 UP
192.168.2.10 DOWN
The following commands can also be used for monitoring the
performance of the URL filtering process:
show perfmon
show memory
show chunks