Websense URL filtering (CLI) - ASA

Introduction

  • URL filtering cannot be applied to traffic going from a lower security level to a higher one
  • URL filtering can cause high CPU usage
  • access to web sites is ALWAYS slower with URL filtering than without, so take this into account before implementation
  • if user authentication is enabled on the ASA, the user name is also sent to Websense
  • if the primary Websense server is down, the ASA queries each secondary server (if configured) until one responds; if no server responds, the firewall either goes into "allow mode" or drops HTTP requests (depending on the configuration)
  • while in "allow mode", the ASA tries every minute to open a TCP connection to the Websense servers; once a TCP connection can be established, URL filtering starts working again

 


 

Configuration

  • set url-server

(config)#url-server (inside) vendor websense host x.x.x.x timeout 15 protocol tcp version 1 connection 10

timeout - maximum idle time permitted before the ASA switches to the next server on the list; 30 seconds by default

tcp version - Websense protocol version 1 (default), or 4 if we use authentication; UDP is only allowed with version 4

connections

  • set url-filter

(config)#filter url http x.x.x.x x.x.x.x y.y.y.y y.y.y.y allow longurl-truncate proxy-block cgi-truncate

(config)#filter https https x.x.x.x x.x.x.x y.y.y.y y.y.y.y allow

(config)#filter ftp ftp x.x.x.x x.x.x.x y.y.y.y y.y.y.y allow

x.x.x.x x.x.x.x - source of the HTTP request - our LAN

y.y.y.y y.y.y.y - destination of the HTTP request - the Internet or a server farm

allow - when the primary (or secondary) url-server is unreachable, allow traffic without filtering; if the keyword is not set, all HTTP traffic is dropped while the Websense servers are down.

longurl-truncate - when a URL exceeds the buffer limit, the ASA sends only the destination IP or hostname to the Websense server; there is also the option longurl-deny, which denies this traffic

proxy-block - blocks traffic to HTTP proxy servers

cgi-truncate - when the URL carries a parameter list prefixed by "?", the ASA truncates the URL by removing all text after and including the "?"

If you configure "longurl-truncate" or "cgi-truncate" and you are running at least v6.3.0 of Websense, then as a best practice consider removing them (source: Websense site).


  • set a url-filter exception from the general policy, e.g. do not check HTTP requests to servers in network 192.168.1.0 255.255.255.0 coming from 149.121.228.0/24

(config)#filter url except 149.121.228.0 255.255.252.0 192.168.1.0 255.255.255.0 allow

 

allow has the same meaning as in the normal rules.


We can also add exceptions for ftp, https, java and activex.

  • set buffers

When a user sends an HTTP request, the ASA forwards it to the web server and at the same time sends a lookup request to the Websense server.

If the web server answers before Websense does, the content from the web server is dropped and the user has to repeat the request. To avoid this situation, set the buffers as shown below.

(config)#url-block block 100

number of blocks to buffer (1 block = 1550 bytes)

(config)#url-block url-mempool 8192

maximum memory available for buffering (pending URLs and long URLs) - a value from 2 up to 10240 KB

Configure the buffer settings based on the free RAM on the ASA and on real traffic. There is no sense in setting a high value when there are only a few users on site and access to the Websense server is extremely fast.

  • set cache

(config)#url-cache dst 128

url-cache caches server addresses, so the ASA does not ask Websense again for the same URL.

This works only if every site hosted at a cached address is in a category that is permitted at all times.

Instead of dst you can set src_dst; entries are then cached based on both source and destination addresses. Use it only if users do not share the same URL filtering policy.

  • set long URL

By default a URL counts as long at 1160 characters and more; you can change this value with the command below

(config)#url-block url-size 3

url-size - in KB; can be from 2 to 4 KB
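
The `allow`, truncation, `proxy-block` and `except` choices described in the configuration steps above decide what the ASA does with traffic that Websense never fully inspects, so they are worth checking on a saved configuration. The script below is an added example, not part of the original page or of any Cisco or Websense tool; the function name `audit`, the finding codes and the sample addresses are assumptions made for illustration.

```python
import re

PROMPT = re.compile(r"^\S*\(config\)#\s*")  # strip a pasted CLI prompt
FILTER = re.compile(r"^filter\s+(url|https|ftp)\s+(.+)$")

MEANING = {
    "no-url-server": "filter rules exist but no url-server is defined",
    "bypass-exception": "traffic matching this line is never sent to Websense",
    "fail-open": "traffic passes unfiltered while no Websense server answers",
    "fail-closed": "traffic is dropped while no Websense server answers",
    "longurl-truncate": "long URLs are checked by destination IP/hostname only",
    "cgi-truncate": "everything from '?' onward is hidden from Websense",
    "no-proxy-block": "requests to HTTP proxy servers are not blocked",
}

def audit(config):
    """Return (code, line) findings for the URL-filtering lines of an ASA config."""
    lines = [PROMPT.sub("", l.strip()) for l in config.splitlines() if l.strip()]
    rules = [(l, m) for l, m in ((l, FILTER.match(l)) for l in lines) if m]
    findings = []
    if rules and not any(l.startswith("url-server ") for l in lines):
        findings.append(("no-url-server", ""))
    for line, m in rules:
        kind, words = m.group(1), m.group(2).split()
        if words[0] == "except":
            findings.append(("bypass-exception", line))
            continue
        opts = words[5:]  # after port, source addr/mask, destination addr/mask
        findings.append(("fail-open" if "allow" in opts else "fail-closed", line))
        findings += [(o, line) for o in ("longurl-truncate", "cgi-truncate") if o in opts]
        if kind == "url" and "proxy-block" not in opts:
            findings.append(("no-proxy-block", line))
    return findings

# Constructed sample config in the page's command form (addresses are placeholders).
SAMPLE = """\
url-server (inside) vendor websense host 192.0.2.10 timeout 15 protocol tcp version 1 connection 10
filter url except 10.1.4.0 255.255.255.0 192.168.1.0 255.255.255.0 allow
filter url http 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow longurl-truncate proxy-block cgi-truncate
filter https https 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0
filter ftp ftp 10.1.0.0 255.255.0.0 0.0.0.0 0.0.0.0 allow
"""

if __name__ == "__main__":
    for code, line in audit(SAMPLE):
        print(f"{code:17} {MEANING[code]}\n{'':17} {line}")
```

A "fail-open" finding is an availability-versus-policy decision rather than an error; the point of the report is that the decision is visible for each rule.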


Troubleshooting


#show url-server statistics


 

This command shows all stats regarding our Websense server settings, e.g.:

  • how many URLs have been allowed/blocked
  • how many URLs have been allowed by cache/server
  • server timeouts and many more

 

#show url-block block statistics


 

#show url-cache statistics

This command shows everything about the url-cache, e.g. its size, how many URLs are in the cache, etc.

#show perfmon detail


Performance information about URL access and URL server requests.

 

Tested on ASA 8.2(2)

dzbanek 2012-10-26 
