11-26
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 11 Configuring Inspection of Basic Internet Protocols
HTTP Inspection
In conjunction with NAT, the FTP application inspection translates the IP address within the application
payload. This is described in detail in RFC 959.
HTTP Inspection
This section describes the HTTP inspection engine. This section includes the following topics:
• HTTP Inspection Overview, page 11-26
• Select HTTP Map, page 11-26
• HTTP Class Map, page 11-27
• Add/Edit HTTP Traffic Class Map, page 11-27
• Add/Edit HTTP Match Criterion, page 11-28
• HTTP Inspect Map, page 11-32
• “URI Filtering” section on page 11-33
• “Add/Edit HTTP Policy Map (Security Level)” section on page 11-33
• “Add/Edit HTTP Policy Map (Details)” section on page 11-34
• “Add/Edit HTTP Map” section on page 11-35
HTTP Inspection Overview
Use the HTTP inspection engine to protect against specific attacks and other threats that are associated
with HTTP traffic. HTTP inspection performs several functions:
• Enhanced HTTP inspection
• URL screening through N2H2 or Websense
See Information About URL Filtering, page 29-2 for information.
• Java and ActiveX filtering
The latter two features are configured in conjunction with Filter rules.
The enhanced HTTP inspection feature, which is also known as an application firewall and is available
when you configure an HTTP map, can help prevent attackers from using HTTP messages for
circumventing network security policy. It verifies the following for all HTTP messages:
• Conformance to RFC 2616
• Use of RFC-defined methods only.
• Compliance with the additional criteria.
Select HTTP Map
The Select HTTP Map dialog box is accessible as follows:
Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab >
Select HTTP Map