In this topic

Configuration procedure Parameters for the filter commands

Note  For help with individual commands, enter help followed by the command. For example, help filter shows the complete syntax for the filter command and explains each option.

Parameter	Definition
(<if_name>)	(required) The network interface to use for Filtering Service communication. You must type the parentheses ( ) when you enter a value for this parameter.
vendor websense	Indicates the URL management vendor.
<ip_address>	IP address of the machine running Filtering Service.
timeout <seconds>	The amount of time, in seconds, that the security appliance waits for a response before switching to the next Filtering Service that you defined as a url-server, or, if specified, going into allow mode and permitting all requests. If a timeout interval is not specified, this parameter defaults to 30 seconds. Range: 10 - 120; Default: 30
protocol {TCP | UDP} version {1 | 4}	Defines whether the Cisco security appliance should use TCP or UDP protocol to communicate with Filtering Service, and which version of the protocol to use. TCP is the recommended and default setting. The recommended protocol version is 4. The default is 1. Note: To send authenticated user information to Filtering Service, TCP version 4 must be selected.)
connections <num_conns>	Limits the maximum number of TCP connections permitted between the Cisco security appliance and Filtering Service. If this parameter is not specified, it defaults to 5, which is the recommended setting. If you select the UDP protocol, this option is not available. Range: 1 - 100; Default: 5.

Command example	Action
filter url http 0 0 0 0	Manages every HTTP request to all destinations. Applied to traffic on port 80.
filter url http 10.5.0.0 255.255.0.0 0 0	Manages the 10.5.x.x network going to any destination. Applied to traffic on port 80.
filter url http 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255	Manages the 10.5.0.69 host going to the 132.239.29.189 destination. Applied to traffic on port 80.

Command example	Action
filter https 443 0 0 0 0	Manages all HTTPS requests to all destinations. Applied to traffic on port 443.
filter https 443 10.5.0.0 255.255.0.0 0 0	Manages the 10.5.x.x network going to any destination. Applied to traffic on port 443.
filter https 443 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255	Manages the 10.5.0.69 host going to the 132.239.29.189 destination. Applied to traffic on port 443.

Command example	Action
filter ftp 21 0 0 0 0	Manages every FTP request to all destinations. Applied to traffic on port 21.
filter ftp 21 10.5.0.0 255.255.0.0 0 0	Manages the 10.5.x.x network going to any destination. Applied to traffic on port 21.
filter ftp 21 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255	Manages the 10.5.0.69 host going to the 132.239.29.189 destination. Applied to traffic on port 21.

Parameter	Applies to	Definition
http <port>[-<port>]	filter http	Defines which port number, or range of port numbers, the security appliance watches for HTTP requests. If you do not specify a port number, port 80 is used by default.
<port>	filter https filter ftp	Defines the port number the security appliance watches for https or ftp requests. The standard HTTPS port is 443. The standard FTP port is 21.
<local_ip>	filter http filter https filter ftp	IP address requesting access. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all internal clients. This address is the source for all connections to be filtered.
<local_mask>	filter http filter https filter ftp	Network mask of the local_ip address (the IP address requesting access). You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts within the local network.
<foreign_ip>	filter http filter https filter ftp	IP address to which access is requested. You can use 0.0.0.0 (or in shortened form, 0) to specify all external destinations.
<foreign_mask>	filter http filter https filter ftp	Network mask of the foreign_ip address (the IP address to which access is requested). Always specify a mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts within the external network.
[allow]	filter http filter https filter ftp	Lets outbound connections pass through the security appliance without filtering when Filtering Service is unavailable. If you omit this option, and Filtering Service becomes unavailable, the security appliance stops all outbound HTTP, HTTPS, or FTP traffic until Filtering Service is available again.
[cgi-truncate]	filter http	Sends CGI scripts to Filtering Service as regular URLs. When a URL has a parameter list starting with a question mark (?), such as a CGI script, the URL is truncated. All characters after, and including the question mark, are removed before sending the URL to Filtering Service.
[interact-block]	filter ftp	Prevents users from connecting to the FTP server through an interactive FTP client. An interactive FTP client allows users to change directories without entering the complete directory path, so Filtering Service cannot tell if the user is requesting something that should be blocked.
[longurl- truncate | longurl-deny]	filter http	Specify how to handle URLs that are longer than the URL buffer size limit. Enter longurl-truncate to send only the host name or IP address to Filtering Service. Enter longurl-deny to deny the request without sending it to Filtering Service.
[proxy-block]	filter http	Enter this parameter to prevent users from connecting to an HTTP proxy server.