These are the steps for configuring a PIX/ASA firewall for Websense integration. These instructions cover a basic security setup. The first step is to telnet into the security appliance. Enter "enable" and the required password, then enter global configuration mode by typing either "configure terminal" or "config t".
PIX Version 6 and Older
For these versions, enter the following:
url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
The commands for filtering HTTPS and FTP are:
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
PIX Version 6.3 and Newer
Instead of the protocol name, you have to use the port number.
url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4
To filter HTTPS and FTP traffic, use these commands:
filter https 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 20 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Appliance Version 7 and Newer
The commands are the following:
url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4 connections 8
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
If you need to set up the security appliance, the commands are:
url-server (if_name) vendor websense host <IP of Websense server> protocol tcp version 4
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
Notes & Warnings
If several firewalls send WISP requests to one filtering service, every one of them must be configured to use the same protocol (UDP or TCP).
For web servers on a DMZ, you must exclude your web server from the filter. This is done with the command "filter url except ...". If you don't, access to the servers will bog down. The slowdown is caused by the firewall, not by the Websense server, which plays no part in it.
Filtering Exceptions
A Cisco firewall can be configured not to send particular traffic to Websense for filtering. This is done with the filter url command: you can add an exception rule for an IP address whose users will not be filtered, so matching traffic bypasses the filter. Here is what the command looks like:
filter url except local_IP local_mask foreign_IP foreign_mask allow
The command below configures the firewall so that traffic from the IP address 10.1.1.1 passes without filtering.
filter url except 10.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 allow
The following command allows access to a particular IP address (for example, 216.109.124.73) without filtering.
filter url except 0.0.0.0 0.0.0.0 216.109.124.73 255.255.255.255 allow
The following command exempts FTP traffic to that address from filtering:
filter ftp 21 except 0.0.0.0 0.0.0.0 216.109.124.73 255.255.255.255 allow
When configuring a PIX/ASA firewall for Websense integration, keep in mind that the filter url except command affects every protocol for the given IP address or network range. You can prevent slow responses to particular servers by entering their IP addresses as exceptions on the PIX.
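As an added example (not part of the original article, and not Cisco or Websense code), here is a small Python model of the filter and filter except matching described above; it can be run over an existing set of filter statements to see which flows are sent to Websense and which are exempt, and to flag exceptions that are broader than intended. It assumes the PIX/ASA address-plus-mask matching semantics (0.0.0.0 0.0.0.0 meaning any host) and, as a simplification, that an exception applies only to the filter type it is declared under; SAMPLE_CONFIG is a constructed sample, not a real device configuration.

```python
import ipaddress
from collections import namedtuple

# Constructed sample in PIX/ASA filter syntax; not taken from a real device.
SAMPLE_CONFIG = """
filter url 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter ftp 21 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
filter url except 10.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 0.0.0.0 0.0.0.0 216.109.124.73 255.255.255.255 allow
filter ftp 21 except 0.0.0.0 0.0.0.0 216.109.124.73 255.255.255.255 allow
"""

# kind: url, https or ftp; port: None for "filter url except", which carries no port
FilterRule = namedtuple("FilterRule", "kind port is_except local local_mask foreign foreign_mask")

def parse_filter_config(text):
    """Parse 'filter <kind> [port] [except] local mask foreign mask [allow]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "filter":
            continue                      # skip anything that is not a filter statement
        kind, rest = tok[1], tok[2:]
        port = None if rest[0] == "except" else int(rest.pop(0))
        is_except = rest[0] == "except"
        addrs = rest[1:5] if is_except else rest[0:4]
        rules.append(FilterRule(kind, port, is_except, *addrs))
    return rules

def _matches(addr, net, mask):
    # PIX/ASA address-plus-mask semantics: "0.0.0.0 0.0.0.0" matches any host
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)

def decision(rules, kind, port, local_ip, foreign_ip):
    """Return 'exempt', 'filtered' or 'unfiltered' for one flow.
    Assumption: an exception applies only to the filter type it is declared under."""
    hits = [r for r in rules if r.kind == kind and r.port in (None, port)
            and _matches(local_ip, r.local, r.local_mask)
            and _matches(foreign_ip, r.foreign, r.foreign_mask)]
    if any(r.is_except for r in hits):
        return "exempt"
    return "filtered" if hits else "unfiltered"

def broad_exceptions(rules):
    """Exceptions with 'any' on both sides exempt all traffic of that type; flag them."""
    return [r for r in rules if r.is_except
            and r.local_mask == "0.0.0.0" and r.foreign_mask == "0.0.0.0"]
```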
Note that some URLs that rely on ActiveX controls have lengthy URL strings, which the security appliance cannot process correctly. You can fix this by using TCP rather than UDP, and by adding three extra lines to the setup that expand the internal buffer sizes used to handle GET requests. These commands have to be included:
url-block url-mempool <memory-pool-size>
url-block url-size <long-url-size>
url-block block <block-buffer-limit>
To avoid mistakes, only qualified personnel should run these commands, as getting them wrong can bring more trouble than you want.
Caroline is a freelance writer for http://www.rolo.org/