Configuring HTTP inspection:-
1. Create a L7 class-map with the type (inspect or regex) depending on your requirement.
regex reg_google "www\.google\.com"
!
class-map type regex match-any regex_class
 match regex reg_google
class-map type inspect http match-any http_class
 match request method get
 match request header host regex class regex_class
Note: If you have multiple matches to perform, you can use different types of class-maps and then refer to them in a L7 policy-map. If you have only a single match to make, it can be done directly under a L7 policy-map, like below;
policy-map type inspect http http_policy_single_match
 parameters
 match request method get
  drop-connection log
2. Create a L7 policy-map for HTTP, refer to the previously configured inspect class-map within this policy-map and assign the required type of action;
policy-map type inspect http http_policy1
 parameters
  spoof-server "NETWORKOLOGY"
  protocol-violation action drop-connection
 class http_class
  drop-connection log
3. Create a L3/L4 class-map which matches the traffic you want to inspect. Alternatively, use the inspection_default class, as it matches HTTP on port 80.
class-map http_class_l3l4
 match port tcp eq www
4. Create a L3/L4 policy-map, reference the L3/L4 class-map and the L7 policy-map underneath it, and apply it to the source interface;
policy-map inside_policy
 class http_class_l3l4
  inspect http http_policy1
!
service-policy inside_policy interface IN
5. Verifying the configuration:-
ASA-FW# show service-policy interface IN inspect http

Interface IN:
  Service-policy: inside_policy
    Class-map: http_class_l3l4
      Inspect: http http_policy1, packet 0, drop 0, reset-drop 0
        protocol violations packet 0
        server spoofs, packet 0
        class http_class (match-any)
          Match: request method get, 0 packets
          Match: request header host regex class regex_class, 0 packets
          drop-connection log, packet 0
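Once the policy is live, the counters in that output are the quickest way to confirm it is actually firing (a freshly applied policy with all zeros after real traffic usually means the L3/L4 class or the interface direction is wrong). The following Python script is an added example, not part of the original post or of any Cisco tool: it parses the HTTP inspection section of the show output into per-class hit counts and flags classes whose action counter is non-zero. The sample output is constructed, modelled on the page's output with made-up non-zero counters; the regular expressions assume the field layout shown on the page.

```python
import re

# Constructed sample of "show service-policy interface IN inspect http" output,
# modelled on the page's output but with made-up non-zero counters so the
# parser has something to report.
SAMPLE_OUTPUT = """\
Interface IN:
  Service-policy: inside_policy
    Class-map: http_class_l3l4
      Inspect: http http_policy1, packet 1532, drop 7, reset-drop 0
        protocol violations packet 3
        server spoofs, packet 1532
        class http_class (match-any)
          Match: request method get, 1200 packets
          Match: request header host regex class regex_class, 4 packets
          drop-connection log, packet 4
"""

INSPECT_RE = re.compile(
    r"Inspect:\s+http\s+(?P<policy>\S+),\s+packet\s+(?P<packet>\d+),"
    r"\s+drop\s+(?P<drop>\d+),\s+reset-drop\s+(?P<reset_drop>\d+)"
)
VIOLATION_RE = re.compile(r"protocol violations packet\s+(?P<count>\d+)")
# Lower-case "class" so the L3/L4 "Class-map:" line is not mistaken for an L7 class.
CLASS_RE = re.compile(r"^class\s+(?P<name>\S+)\s+\((?P<mode>match-any|match-all)\)")
MATCH_RE = re.compile(r"^Match:\s+(?P<criterion>.+?),\s+(?P<count>\d+)\s+packets")
ACTION_RE = re.compile(
    r"^(?P<action>(?:drop-connection|reset|log)(?:\s+log)?),\s+packet\s+(?P<count>\d+)"
)


def parse_http_inspect(text):
    """Parse the HTTP inspection section of 'show service-policy' output.

    Returns the policy-wide counters plus one entry per L7 class, each with
    its match-criterion hit counts and the action counter.
    """
    result = {"policy": None, "packets": 0, "drops": 0, "reset_drops": 0,
              "protocol_violations": 0, "classes": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := INSPECT_RE.search(line):
            result["policy"] = m["policy"]
            result["packets"] = int(m["packet"])
            result["drops"] = int(m["drop"])
            result["reset_drops"] = int(m["reset_drop"])
        elif m := VIOLATION_RE.search(line):
            result["protocol_violations"] = int(m["count"])
        elif m := CLASS_RE.match(line):
            current = {"name": m["name"], "mode": m["mode"], "matches": {},
                       "action": None, "action_packets": 0}
            result["classes"].append(current)
        elif current is not None and (m := MATCH_RE.match(line)):
            current["matches"][m["criterion"]] = int(m["count"])
        elif current is not None and (m := ACTION_RE.match(line)):
            current["action"] = m["action"]
            current["action_packets"] = int(m["count"])
    return result


def classes_with_hits(parsed):
    """Names of L7 classes whose action counter is non-zero, i.e. whose
    action has actually been applied to traffic."""
    return [c["name"] for c in parsed["classes"] if c["action_packets"] > 0]


if __name__ == "__main__":
    parsed = parse_http_inspect(SAMPLE_OUTPUT)
    print(f"policy {parsed['policy']}: {parsed['drops']} drops, "
          f"{parsed['protocol_violations']} protocol violations")
    for name in classes_with_hits(parsed):
        print(f"class {name} has fired")
```

Run it against the real output captured from the firewall instead of SAMPLE_OUTPUT; a class present in the configuration but missing from the parsed result, or present with all counters at zero, is the thing to investigate first.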
Types of matches that can be made for inspecting HTTP packets;
class-map type inspect http match-any
class-map type inspect http match-all
 match not
 match req-resp
 match request [ args | body | header | method | uri ]
 match response [ body | header | status-line ]
Common match statements used for inspecting HTTP packets;
match request body length gt 1024
match request body regex
match request header date regex
match request header host regex xxxx        (domain name of the web server)
match request header user-agent regex xxxx  (user-agent string of the HTTP client)
match request header length gt 1024
match request method get   (requests data from a specified resource)
match request method post  (submits data to be processed to a specified resource)
match request method put   (submits data to be processed or updated to a specified resource)
match request uri length gt
match request uri regex xxx
match response body java-applet
match response body length
match response body regex xxx
match response header date regex
match response header length gt
match response header server regex xxx
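The difference between match-any and match-all, and what match not does, is easier to see against concrete requests than in the command reference. The Python model below is an added example, not code from the original post or from Cisco: it splits a raw HTTP/1.1 request into the fields the L7 matches look at (method, URI, headers, body), builds criteria named after the page's match keywords, and evaluates match-any, match-all and match not class-maps over a set of constructed requests. It also shows why an unanchored Host pattern like the page's "www\.google\.com" hits a look-alike host name as well; Python's re module is used for the regex semantics here, so confirm how the ASA's own engine treats a given pattern with its test regex command before relying on anchoring.

```python
import re

# Constructed HTTP requests (not captured traffic) used to exercise the model.
REQUESTS = {
    "get_google": (b"GET /search?q=asa HTTP/1.1\r\n"
                   b"Host: www.google.com\r\nUser-Agent: curl/8.0\r\n\r\n"),
    "get_lookalike": (b"GET / HTTP/1.1\r\n"
                      b"Host: www.google.com.lookalike.example\r\n\r\n"),
    "post_google": (b"POST /upload HTTP/1.1\r\n"
                    b"Host: www.google.com\r\nContent-Length: 5\r\n\r\nhello"),
    "post_other": (b"POST /upload HTTP/1.1\r\n"
                   b"Host: files.example.net\r\nContent-Length: 5\r\n\r\nhello"),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into the fields the L7 matches inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


# Each helper builds one criterion; names follow the page's match keywords.
def request_method(expected):
    return lambda r: r["method"].upper() == expected.upper()


def request_header_regex(name, pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r["headers"].get(name.lower(), "")) is not None


def request_uri_length_gt(n):
    return lambda r: len(r["uri"]) > n


def request_body_length_gt(n):
    return lambda r: len(r["body"]) > n


def match_not(criterion):
    return lambda r: not criterion(r)


def class_map(mode, criteria):
    """match-any fires when any criterion hits; match-all needs every one."""
    if mode == "match-any":
        return lambda r: any(c(r) for c in criteria)
    if mode == "match-all":
        return lambda r: all(c(r) for c in criteria)
    raise ValueError(f"unknown class-map mode: {mode}")


def evaluate(cmap, requests=REQUESTS):
    """Return {request name: True/False} for whether the class-map would hit."""
    return {name: cmap(parse_request(raw)) for name, raw in requests.items()}


# The page's http_class: match-any over GET and an unanchored Host regex.
HTTP_CLASS_ANY = class_map("match-any", [
    request_method("get"),
    request_header_regex("host", r"www\.google\.com"),
])
# The same two criteria as match-all: both must hold on the same request.
HTTP_CLASS_ALL = class_map("match-all", [
    request_method("get"),
    request_header_regex("host", r"www\.google\.com"),
])
# 'match not request method get' on its own: everything that is not a GET.
NOT_GET = class_map("match-any", [match_not(request_method("get"))])
# Anchoring the Host pattern keeps it from hitting look-alike names.
HOST_ANCHORED = class_map("match-any", [
    request_header_regex("host", r"^www\.google\.com$"),
])

if __name__ == "__main__":
    for label, cmap in [("match-any", HTTP_CLASS_ANY), ("match-all", HTTP_CLASS_ALL),
                        ("not get", NOT_GET), ("anchored host", HOST_ANCHORED)]:
        print(label, evaluate(cmap))
```

The post_google request is the one that separates the two modes: match-any fires on it because the Host criterion hits, match-all does not because the method criterion fails. The get_lookalike request shows the anchoring caveat: the page's pattern matches it, the anchored pattern does not.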
Quick summarization of steps to remember while configuring HTTP inspection:-
1. Define a L7 class-map (type inspect or regex) that matches what you want to inspect in an HTTP packet (request/response, header/body/method/uri).
2. Define a L7 policy-map and configure the action to be taken on the referenced L7 class-map (drop-connection/reset).
3. Define a L3/L4 class-map which matches the L3/L4 properties of the traffic to be matched.
4. Define the L3/L4 policy-map. Reference the L3/L4 class-map and inspect the HTTP protocol, specifying the L7 policy-map after it.
5. Apply it to the source interface. In the lab exam, if no specific direction or interface is mentioned and the question speaks of generic HTTP traffic in all directions, then the L7 policy-map can be applied to the HTTP inspection under the inspection_default class-map used in the global_policy.
Parameters of a protocol:-
– Each protocol inspection has its own parameters, specific to that protocol. These can be used as required.
policy-map type inspect http http_policy3
 parameters
  spoof-server "MySecureServer"
  protocol-violation action drop-connection