Go to the table of contents Go to the previous page Go to the next page
Integrating Forcepoint URL Filtering with Cisco > Cisco integration configuration procedure
Cisco integration configuration procedure
Deployment and Installation Center | Forcepoint URL Filtering
Configuration procedure
To configure your security appliance to send Internet requests to Filtering Service for policy enforcement:
1.
2.
3.
Enter enable, followed by the enable password to put the security appliance into privileged EXEC mode.
4.
Enter configure terminal to activate configure mode.
 
Note 
For help with individual commands, enter help followed by the command. For example, help filter shows the complete syntax for the filter command and explains each option.
5.
Use the url-server command to enable URL management by your web protection software.
url-server (<if_name>) vendor websense host <ip_address> [timeout <seconds>] [protocol {TCP | UDP} version {1 | 4} [connections <num_conns>]]
The url-server command takes the following parameters:
TCP is the recommended and default setting. The recommended protocol version is 4. The default is 1.
If this parameter is not specified, it defaults to 5, which is the recommended setting.
Example:
url-server (inside) vendor websense host 10.255.40.164 timeout 30 protocol TCP version 4 connections 5
The url-server command communicates the location of Filtering Service to the Cisco security appliance. More than one url-server command can be entered. Multiple commands allow redirection to another Filtering Service after the specified timeout period, if the first server becomes unavailable.
6.
*
To review the current URL server rules, enter show running-config url-server.
*
To review all the filter rules, enter show running-config filter.
To configure HTTP request management, use the following command:
filter url http <port>[-<port>] <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
For an explanation of the filter url parameters, see Parameters for the filter commands.
Examples:
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows the specified local IP address to request all websites, governed by web protection policies.
You can enter multiple filter url commands to set up different portions of the network for policy enforcement. Set up the smaller groups first, followed by the larger groups, to assure that all groups receive the correct policies. Use a general filter url command for all computers to be managed, and then use the Forcepoint Security Manager to apply policies to individual clients (by IP address, user name, group, or OU).
See the Administrator Help for information about creating and applying policies.
7.
*
*
*
Enter exit to go up a level to run the show command.
 
To configure HTTPS request management, use the following command:
filter https <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow]
For an explanation of the filter https parameters, see Parameters for the filter commands.
Examples:
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows the specified local IP address to request all websites, governed by web protection policies.
You can enter multiple filter https commands to set up different portions of the network for policy enforcement. Organize the commands as described above for filter url.
8.
*
*
*
Enter exit to go up a level to run the show command.
To configure FTP request management, use the following command:
filter ftp <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow] [interact-block]
For an explanation of the filter ftp parameters, see Parameters for the filter commands.
Examples:
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access via web protection software from the specified local IP address to all websites.
You can enter multiple filter ftp commands to set up different portions of the network for filtering. Organize the commands as described above for filter url.
9.
filter {url | https | ftp} except <local_ip> <local_mask> <foreign_ip> <foreign_mask>
This command allows you to bypass web protection software for traffic coming from, or going to a specified IP address or addresses.
For example, suppose that the following filter command was entered to cause all HTTP requests to be forwarded to Filtering Service:
filter url http 0 0 0 0
You could then enter:
filter url except 10.1.1.1 255.255.255.255 0 0
This would allow any outbound HTTP traffic from the IP address 10.1.1.1 to go unfiltered.
10.
Configure the security appliance to handle long URLs using the url-block url-mempool and url-block url-size commands:
a.
To specify the amount of memory assigned to the URL buffer, enter:
url-block url-mempool <memory_pool_size>
Here, <memory_pool_size> is the size of the buffer in KB. You can enter a value from 2 to 10240. The recommended value is 1500.
b.
url-block url-size <long_url_size>
Here, <long_url_size> is the maximum URL size in KB. You can enter a value from 2 to 4. The recommended value is 4.
11.
Configure the URL response block buffer using the url-block block command to prevent replies from the web server from being dropped in high-traffic situations.
On busy networks, the lookup response from Filtering Service may not reach the security appliance before the response arrives from the web server.
The HTTP response buffer in the security appliance must be large enough to store web server responses while waiting for Filtering Service.
To configure the block buffer limit, use the following command:
url-block block <block_buffer_limit>
 
Here, <block_buffer_limit> is the number of 1550-byte blocks to be buffered. You can enter a value from 1 to 128.
*
To view the current configuration for all 3 url-block commands, enter show running-config url-block.
*
Enter show url-block block statistics to see how the current buffer configuration is functioning. The statistics include the number of pending packets held and the number dropped. The clear url-block block statistics command clears the statistics.
12.
For example, if you entered the following to enable filtering:
filter url http 10.0.0.0 255.0.0.0 0 0
Enter the following to disable filtering:
no filter url http 10.0.0.0 255.0.0.0 0 0
Repeat for each filter command issued, as appropriate.
13.
*
copy run start
*
exit
write memory
Filtering Service is ready to manage Internet requests after the Forcepoint URL Database is downloaded and the software is activated within the Cisco security appliance. See the Administrator Help for information about configuring your web protection software and downloading the URL Database.
Parameters for the filter commands
The parameters used by the filter http, filter https, and filter ftp commands include the following. Note that some of the parameters listed do not apply to all 3 commands.
http <port>[-<port>]
<port>
<local_ip>
<local_mask>
Network mask of the local_ip address (the IP address requesting access).
<foreign_ip>
<foreign_mask>
Network mask of the foreign_ip address (the IP address to which access is requested).
*
Enter longurl-truncate to send only the host name or IP address to Filtering Service.
*
Enter longurl-deny to deny the request without sending it to Filtering Service.

Go to the table of contents Go to the previous page Go to the next page
Integrating Forcepoint URL Filtering with Cisco > Cisco integration configuration procedure
Copyright 2023 Forcepoint. All rights reserved.