Installation Guide Supplement for use with Integrated Cisco Products
Websense Web Security and Websense Web Filter, v7.5

Configuring a Cisco Security Appliance > Configuration procedure

3. Enter enable, followed by the enable password, to put the security appliance into privileged EXEC mode.
4. Enter configure terminal to activate configure mode.
Note: For help with individual commands, enter help followed by the command. For example, help filter shows the complete syntax for the filter command and explains each option.
5. Use the url-server command to enable URL filtering by Websense software.
url-server (<if_name>) vendor websense host <ip_address> [timeout <seconds>] [protocol {TCP | UDP} version {1 | 4} [connections <num_conns>]]
The url-server command takes the following parameters:
(<if_name>)
In v7.0 of the Cisco security appliance software, a value for this parameter must be entered. In v6.3.1 and earlier, <if_name> defaults to inside if not specified.
timeout <seconds>
The amount of time, in seconds, that the security appliance waits for a response before switching to the next Filtering Service that you defined as a url-server, or, if specified, going into allow mode and permitting all requests. If a timeout interval is not specified, this parameter defaults to 30 seconds in v7.0(1) and later, and 5 seconds in earlier versions of the Cisco PIX or ASA software.
* v7.0(1) and later: Range: 10 - 120; Default: 30
* v6.3: Range: 1 - 30; Default: 5
protocol {TCP | UDP} version {1 | 4}
Defines whether the Cisco security appliance should use TCP or UDP to communicate with Filtering Service, and which version of the protocol to use. TCP is the recommended and default setting. The recommended protocol version is 4; the default is 1. (Note: To send authenticated user information to Filtering Service, TCP version 4 must be selected.)
connections <num_conns>
Limits the maximum number of TCP connections permitted between the Cisco security appliance and Filtering Service. If this parameter is not specified, it defaults to 5, which is the recommended setting. Range: 1 - 100; Default: 5.
url-server (inside) vendor websense host 10.255.40.164 timeout 30 protocol TCP version 4 connections 5
The url-server command communicates the location of Filtering Service to the Cisco security appliance. More than one url-server command can be entered. Multiple commands allow redirection to another Filtering Service after the specified timeout period, if the first server becomes unavailable.
* To review the current URL server rules, enter show running-config url-server (v7.0) or show url-server (v6.3).
* To review all the filter rules, enter show running-config filter (v7.0) or show filter (v6.3).
filter url http <port>[-<port>] <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow] [cgi-truncate] [longurl-truncate | longurl-deny] [proxy-block]
filter url http 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255
Filters the 10.5.0.69 host going to the 132.239.29.189 destination.
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access from the specified local IP address to all Web sites, as filtered by Websense software.
You can enter multiple filter url commands to set up different portions of the network for filtering. Set up the smaller groups first, followed by the larger groups, to assure that all groups are filtered properly. Use a general filter url command for all computers to be filtered, and then use TRITON - Web Security to apply filtering policies to individual clients (computers, networks, users, groups, and domains [OUs]).
* To review the current URL server rules, enter show run url-server (v7.0) or show url-server (v6.3.1).
* To review all the filter rules, enter show run filter (v7.0) or show filter (v6.3.1).
* If you are running v7.0 of Cisco software, enter exit to go up a level to run the show command.
Note: The filter https command is supported in v6.3.1 and higher of the Cisco PIX Firewall/ASA software.
filter https 443 10.5.0.0 255.255.0.0 0 0
Filters all HTTPS requests to all destinations. Filtering is applied to traffic on port 443.
filter https 443 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255
Filters the 10.5.0.69 host going to the 132.239.29.189 destination.
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access from the specified local IP address to all Web sites, as filtered by Websense software.
You can enter multiple filter https commands to set up different portions of the network for filtering. Set up the smaller groups first, followed by the larger groups, to assure that all groups are filtered properly. Use a general filter https command for all computers to be filtered, and then use TRITON - Web Security to apply filtering policies to individual clients (computers, networks, users, groups, and domains [OUs]).
* To review the current URL server rules, enter show run url-server (v7.0) or show url-server (v6.3.1).
* To review all the filter rules, enter show run filter (v7.0) or show filter (v6.3.1).
* If you are running v7.0 of Cisco software, enter exit to go up a level to run the show command.
Note: The filter ftp command is supported in v6.3.1 and higher of the Cisco PIX Firewall/ASA software.
filter ftp <port> <local_ip> <local_mask> <foreign_ip> <foreign_mask> [allow] [interact-block]
filter ftp 21 10.5.0.69 255.255.255.255 132.239.29.189 255.255.255.255
Filters the 10.5.0.69 host going to the 132.239.29.189 destination.
Using zeroes for the last two entries, <foreign_ip> and <foreign_mask>, allows access via Websense software from the specified local IP address to all Web sites.
You can enter multiple filter ftp commands to set up different portions of the network for filtering. Set up the smaller groups first, followed by the larger groups, to assure that all groups are filtered properly. Use a general filter ftp command for all computers to be filtered, and then use TRITON - Web Security to apply filtering policies to individual clients (computers, networks, users, groups, and domains [OUs]).
9. After entering commands to define filtering for HTTP, HTTPS, and FTP requests, you can define any required exceptions to these filtering rules by adding the except parameter to the filter command:
10. Configure the security appliance to handle long URLs using the url-block url-mempool and url-block url-size commands:
Note: The url-block commands are supported in v6.2 and higher of the Cisco PIX Firewall/ASA software.
a. Increase the size of the security appliance's internal buffer to handle long URL strings. If the URL buffer size is set too low, some Web pages may not display.
url-block url-mempool <memory_pool_size>
Here, <memory_pool_size> is the size of the buffer in KB. You can enter a value from 2 to 10240. The recommended value is 1500.
b. Set the maximum URL size:
url-block url-size <long_url_size>
Here, <long_url_size> is the maximum URL size in KB. You can enter a value from 2 to 4. The recommended value is 4.
11. Configure the URL response block buffer using the url-block block command to prevent replies from the Web server from being dropped in high-traffic situations.
Note: The url-block commands are supported in v6.2 and higher of the Cisco PIX Firewall/ASA software.
On busy networks, the lookup response from Filtering Service may not reach the security appliance before the response arrives from the Web server. The HTTP response buffer in the security appliance must be large enough to store Web server responses while waiting for a filtering decision from the Filtering Service.
url-block block <block_buffer_limit>
Here, <block_buffer_limit> is the number of 1550-byte blocks to be buffered. You can enter a value from 1 to 128.
* To view the current configuration for all 3 url-block commands, enter show running-config url-block (v7.0) or show url-block (v6.3).
* Enter show url-block block statistics to see how the current buffer configuration is functioning. The statistics include the number of pending packets held and the number dropped. The clear url-block block statistics command clears the statistics.
exit
write memory
Websense software is ready to filter Internet requests after the Websense Master Database is downloaded and the software is activated within the Cisco security appliance. See the Websense Installation Guide and the TRITON - Web Security Help for information about configuring Websense software and downloading the Master Database.
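As an added example (not part of this Websense guide or Cisco's software), the following Python helper generates the url-server, filter and url-block lines from steps 5 through 11, rejecting values outside the documented ranges and ordering filter rules with the smaller (more specific) groups first, as the procedure requires. The sample addresses are the ones used in this page's examples; the function names are my own.

```python
import ipaddress

# Value ranges documented in this guide, as (lo, hi, default). The timeout
# range depends on the PIX/ASA software version.
TIMEOUT = {"7.0": (10, 120, 30), "6.3": (1, 30, 5)}
CONNECTIONS = (1, 100, 5)
URL_MEMPOOL_KB = (2, 10240, 1500)
URL_SIZE_KB = (2, 4, 4)
URL_BLOCK_BUFFERS = (1, 128)

def check_range(name, value, lo, hi):
    """Reject values the appliance documentation says are out of range."""
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside the documented range {lo}-{hi}")
    return value

def url_server_cmd(if_name, host, sw_version="7.0", timeout=None,
                   protocol="TCP", proto_version=4, connections=5):
    """Build one url-server line; TCP version 4 carries authenticated user data."""
    lo, hi, default = TIMEOUT[sw_version]
    timeout = default if timeout is None else check_range("timeout", timeout, lo, hi)
    check_range("connections", connections, *CONNECTIONS[:2])
    return (f"url-server ({if_name}) vendor websense host {host} timeout {timeout} "
            f"protocol {protocol} version {proto_version} connections {connections}")

def filter_cmds(kind, port, rules):
    """rules: (local_cidr, foreign_cidr) pairs. Emitted most-specific local network
    first, as the guide requires, so a host rule is not shadowed by a network rule."""
    parsed = [(ipaddress.ip_network(l), ipaddress.ip_network(f)) for l, f in rules]
    parsed.sort(key=lambda r: r[0].prefixlen, reverse=True)
    lines = []
    for local, foreign in parsed:
        # "0 0" for the foreign address and mask means any destination
        dst = "0 0" if foreign.prefixlen == 0 else f"{foreign.network_address} {foreign.netmask}"
        lines.append(f"filter {kind} {port} {local.network_address} {local.netmask} {dst}")
    return lines

def url_block_cmds(mempool_kb=1500, url_size_kb=4, block_buffers=128):
    """The three url-block commands for long URLs and response buffering."""
    check_range("url-mempool", mempool_kb, *URL_MEMPOOL_KB[:2])
    check_range("url-size", url_size_kb, *URL_SIZE_KB[:2])
    check_range("url-block block", block_buffers, *URL_BLOCK_BUFFERS)
    return [f"url-block url-mempool {mempool_kb}", f"url-block url-size {url_size_kb}",
            f"url-block block {block_buffers}"]

if __name__ == "__main__":
    # Constructed sample: one host gets a per-destination rule, the rest of 10.5.0.0/16 a general one.
    rules = [("10.5.0.0/16", "0.0.0.0/0"), ("10.5.0.69/32", "132.239.29.189/32")]
    print(url_server_cmd("inside", "10.255.40.164"))
    print("\n".join(filter_cmds("url", "http", rules) + filter_cmds("https", 443, rules)
                    + filter_cmds("ftp", 21, rules) + url_block_cmds()))
```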