Websense URL filtering (CLI) - ASA
- you cannot implement URL filtering from a lower security level to a higher one
- URL filtering can cause high CPU usage
- access to a web site is ALWAYS slower with URL filtering than without, so take this into account before implementation
- if user authentication is enabled on the ASA, the user name is also sent to Websense.
- if the primary Websense server is down, the ASA will ask each secondary server (if configured) in turn until it gets a response; if no server responds, the firewall will go either into "allow mode" or drop HTTP requests (depending on configuration).
- while in "allow mode" the ASA will try every 1 minute to set up a TCP connection to the Websense servers, and once a TCP connection can be established URL filtering will start to work again
- set url-server
(config)#url-server (inside) vendor websense host x.x.x.x timeout 15 protocol tcp version 1 connections 10
timeout - maximum idle time permitted before the ASA switches to the next server on the list, by default 30 secs
protocol/version - Websense protocol version 1 (default) or 4; version 4 is needed if we use authentication (user names are passed); UDP is only allowed with version 4
- set url-filter
(config)#filter url http x.x.x.x x.x.x.x y.y.y.y y.y.y.y allow longurl-truncate proxy-block cgi-truncate
(config)#filter https https x.x.x.x x.x.x.x y.y.y.y y.y.y.y allow
(config)#filter ftp ftp x.x.x.x x.x.x.x y.y.y.y y.y.y.y allow
x.x.x.x x.x.x.x - source of the HTTP request - our LAN
y.y.y.y y.y.y.y - destination of the HTTP request - Internet or server farm
allow - when the primary (or secondary) url-server is unreachable, allow traffic without filtering; if this keyword is not set, all HTTP traffic is dropped while the Websense servers are down.
longurl-truncate - when the URL exceeds the buffer limit, the ASA sends only the destination IP or hostname to the Websense server; there is also the option longurl-deny, which denies this traffic
proxy-block - block traffic to HTTP proxy servers
cgi-truncate - when there is a parameter list prefixed by "?", the ASA truncates the URL by removing all text after and including "?"
If you configure "longurl-truncate" or "cgi-truncate" and you are running at least v6.3.0 of Websense, then as best practice, consider removing them. (source: Websense site)
- set a url-filter exception from the general policy, e.g. do not check HTTP requests to servers in network 192.168.1.0 255.255.255.0 coming from 126.96.36.199/24
(config)#filter url except 188.8.131.52 255.255.252.0 192.168.1.0 255.255.255.0 allow
allow has the same meaning as in the normal rules.
we can also add exceptions for ftp, https, java and activex
- set buffers
When an HTTP request is sent by a user, the ASA forwards it to the web server and at the same time sends a lookup request to the Websense server.
If Websense does not respond faster than the web server, the content from the web server is dropped and the user has to repeat the request. To avoid this situation we set buffers like below
(config)#url-block block 100
number of blocks to buffer (1 block = 1550 bytes); the keyword is followed directly by the block count
(config)#url-block url-mempool 8192
maximum memory available for buffering (pending URLs and long URLs) - value from 2 up to 10240 KB
Configure buffer settings based on the free RAM on the ASA and the real traffic. There is no sense in setting a high value when there are only a few users on site and access to the Websense server is extremely fast.
- set cache
(config)#url-cache dst 128
url-cache caches permitted server addresses, so the ASA will not ask Websense again for this URL.
This works only if all sites hosted at the cached addresses, in all categories, are permitted at all times.
instead of dst you can set src_dst; then entries are cached based on both source and destination addresses. Use it only if users do not share the same URL filtering policy.
- set long URL
by default a URL of 1160 characters or more is treated as a long URL; you can change this value with a command like below
(config)#url-block url-size 3
url-size - in KB, can be from 2 to 4 KB
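The steps above put together into one complete configuration. This is an added example, not part of the original note: the interface name, the LAN 10.1.0.0/16, the server-farm network 192.168.1.0/24 and the Websense server addresses 10.1.0.10 / 10.1.0.11 are constructed placeholders, numeric ports are used instead of the port names, and longurl-truncate / cgi-truncate are left out per the Websense v6.3.0 advice above.

```cisco
! Added example (not from the original note); all addresses are constructed placeholders.
!
! Primary and secondary Websense servers reachable on the inside interface.
! Servers are tried in the order configured; TCP version 4 is used so that
! user names are passed when user authentication is enabled on the ASA.
url-server (inside) vendor websense host 10.1.0.10 timeout 15 protocol TCP version 4 connections 10
url-server (inside) vendor websense host 10.1.0.11 timeout 15 protocol TCP version 4 connections 10
!
! Filter HTTP, HTTPS and FTP from the LAN 10.1.0.0/16 to any destination.
! "allow" = fail open when no URL server answers; omit it to drop the traffic instead.
filter url http 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow proxy-block
filter https 443 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
!
! Exception: requests from the LAN to the internal server farm are not sent to Websense.
filter url except 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 allow
filter https except 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0 allow
!
! Buffers: hold up to 100 web-server response blocks (1550 bytes each, about 150 KB)
! and 8192 KB of pending/long URLs while the Websense verdict is outstanding;
! URLs of 3 KB or more are treated as long URLs.
url-block block 100
url-block url-mempool 8192
url-block url-size 3
!
! Cache 128 KB of permitted destination addresses so repeat requests skip Websense.
! Only safe if every site at those addresses is permitted for every user at all times.
url-cache dst 128
!
! Verification (exec mode):
! show url-server statistics
! show url-block block statistics
! show url-cache statistics
```

Size the url-block and url-cache values to the free RAM on the box and the real request rate; the values here are only a starting point for a small site.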
#show url-server statistics
this command shows all stats regarding our Websense server settings, e.g.:
how many URLs have been allowed/blocked
how many URLs have been allowed by cache/server
server timeouts and many more.
#show url-block block statistics
#show url-cache statistics
this command shows everything about the url-cache, e.g. size, how many URLs are in the cache, etc.
#show perfmon detail
Info about URL access performance and URL server requests.
Tested on ASA 8.2(2)