PIX/ASA Firewall for Websense integration Configuration – How It’s Done

These are the steps for configuring a PIX/ASA firewall for Websense integration. The instructions cover a basic security setup. First, telnet to the security appliance, enter "enable" and the enable password, then enter configuration mode with "configure terminal" (or its short form, "config t").

PIX Version 6 and Older
On these versions, enter the following:

url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

The commands for filtering HTTPS and FTP are:

filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

filter ftp 20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
PIX Version 6.3 and Newer
On these versions the filter command takes a port number instead of a protocol name.

url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4
To filter FTP and HTTPS traffic, use this command:
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

filter ftp 20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Appliance Version 7 and Newer
The command is the following:
url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4 connections 8
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow

The same configuration for the security appliance without the connections option is:

url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Notes & Warnings
If several firewalls send WISP requests to the same filtering service, every one of them must be configured to use the same protocol (UDP or TCP).

For web servers on the DMZ, you must exclude your web server from the filter with the command "filter url except ...". If you do not, access to those servers will slow down. The slowdown is caused by the firewall; the Websense server plays no part in it.

Filtering Exceptions
A Cisco firewall can be configured not to send particular traffic to Websense for filtering. This is done with the filter url command: you can add an except rule for an IP address whose users should not be filtered, so that the matching traffic bypasses the filter. The command looks like this:

filter url except local_IP local_mask foreign_IP foreign_mask allow

The command below configures the firewall so that traffic from the 10.1.1.1 IP address passes without filtering.

filter url except 10.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 allow

The following command allows access to a particular IP address (for example, 216.109.124.73) without filtering.

filter url except 0.0.0.0 0.0.0.0 216.109.124.73 255.255.255.255 allow
The following command exempts FTP traffic to that address from filtering:

filter ftp 21 except 0.0.0.0 0.0.0.0 216.109.124.73 255.255.255.255 allow
When configuring a PIX/ASA firewall for Websense integration, keep in mind that the filter url except command affects every protocol for the given IP address or network range. You can prevent slow responses from such servers by entering their IP addresses as exceptions on the PIX.

Note that some URLs that rely on ActiveX controls are very long, and the security appliance cannot process them correctly. You can fix this by using TCP rather than UDP to reach the url-server and adding three extra lines to the configuration, which enlarge the internal buffers that handle GET requests. The commands are:

url-block url-mempool <memory-pool-size>

url-block url-size <long-url-size>

url-block block <block-buffer-limit>
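
As an added illustration that is not part of this article, the following Python script (my own; it assumes the running configuration has been saved as plain text) audits a PIX/ASA url-filter configuration for the problems discussed on this page: a missing url-server, url-servers that disagree on protocol, TCP without the url-block buffer commands, and a filter url except line whose address or mask is malformed or so broad that it exempts all traffic from filtering.

```python
import ipaddress
import re
# Constructed sample (not from the article): one url-server, per-port filters,
# two exceptions (one deliberately too broad) and the url-block buffer commands.
SAMPLE_CONFIG = """\
url-server (inside) vendor websense host 10.1.1.50 protocol tcp version 4 connections 8
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url except 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url except 0.0.0.0 0.0.0.0 192.0.2.10 255.255.255.255 allow
url-block url-mempool 1500
url-block url-size 4
url-block block 128
"""
# filter <url|https|ftp> [port] except <local_IP> <local_mask> <foreign_IP> <foreign_mask> allow
EXCEPT_RE = re.compile(
    r"^filter\s+(?:url|https|ftp)(?:\s+\d+)?\s+except\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+allow$")
ANY = ("0.0.0.0", "0.0.0.0")  # wildcard address/mask pair used by filter commands

def valid_pair(ip, mask):
    """True if ip/mask is a well-formed IPv4 address and dotted netmask."""
    try:
        ipaddress.IPv4Network((ip, mask), strict=False)
        return True
    except ValueError:
        return False

def audit_filter_config(text):
    """Return a list of findings for a PIX/ASA url-filter configuration."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    servers = [ln.split() for ln in lines if ln.startswith("url-server ")]
    if not servers:
        findings.append("no url-server: filter commands have no Websense to consult")
    # Every url-server (and every firewall sharing one) must use the same protocol.
    protocols = {s[s.index("protocol") + 1] for s in servers if "protocol" in s[:-1]}
    if len(protocols) > 1:
        findings.append("url-servers mix protocols %s; use one" % sorted(protocols))
    if "tcp" in protocols and not any(ln.startswith("url-block ") for ln in lines):
        findings.append("tcp without url-block buffers: long (ActiveX) URLs may fail")
    for ln in lines:
        m = EXCEPT_RE.match(ln)
        if not m:
            continue
        lip, lmask, fip, fmask = m.groups()
        if not (valid_pair(lip, lmask) and valid_pair(fip, fmask)):
            findings.append("malformed address/mask in: " + ln)
        elif (lip, lmask) == ANY and (fip, fmask) == ANY:
            findings.append("exception disables all filtering: " + ln)
    return findings
```

Run it against a "show running-config" saved to a file; on the constructed sample it reports only the over-broad exception line.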
To avoid mistakes, only qualified personnel should run these commands; getting them wrong can cause more trouble than it saves.

Caroline is a freelance writer for http://www.rolo.org/