Cisco Systems CL-28826-01 Security Camera User Manual


21-36
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Configuring Content Filtering Maps for Zone-based Firewall Policies
For devices running releases below 12.4(20)T, you must create a URL Filter parameter map. In the
Policy Object Manager, select Maps > Parameter Maps > Web Filter > URL Filter, and review
the detailed usage information in Configuring URL Filter Parameter Maps, page 21-42.

To perform local filtering on the router using lists of allowed (whitelisted) and denied
(blacklisted) hosts, create the lists on the Local Filtering tab. Any Web access request is first
compared to these lists before the request is sent on to an external filtering server (if you have
configured one). These lists contain either complete domain names (such as www.cisco.com),
or partial names (such as cisco.com), but they do not include paths or page names, and you
cannot use wildcards.

To use a SmartFilter (N2H2) or Websense server, configure the type of server you are using and
its address information on the External Filter tab. You can also configure other settings that
control communication with the server. You cannot configure a Trend Micro server using the
URL Filter parameter map.
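
A pre-load check for the local allowed and denied lists described above, as an added example that is not from the Cisco guide or from Security Manager itself. The function names and sample entries are constructed; it assumes that a partial name covers every host beneath it and that a leading dot on a partial name is tolerated, and it reports allow/deny overlaps for manual review.

```python
import re
# One host-name label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_entry(entry):
    """Return the problems found in one list entry (empty list = acceptable)."""
    e = entry.strip()
    if not e:
        return ["empty entry"]
    problems = []
    if "://" in e:
        problems.append("contains a scheme; enter the host name only")
        e = e.split("://", 1)[1]
    if "/" in e or "?" in e:
        problems.append("contains a path or page name")
        e = re.split(r"[/?]", e, maxsplit=1)[0]
    if "*" in e:
        problems.append("contains a wildcard")
    # Assumption: a leading dot on a partial name is tolerated.
    elif not all(_LABEL.match(l) for l in e.lstrip(".").split(".")):
        problems.append("not a valid domain name")
    return problems

def _norm(entry):
    return entry.strip().lower().lstrip(".")

def _covers(partial, host):
    # Assumption: a partial name covers itself and every host beneath it.
    return host == partial or host.endswith("." + partial)

def review_lists(allowed, denied):
    """Check both local lists; return invalid entries and allow/deny overlaps."""
    invalid = {e: p for e in allowed + denied if (p := check_entry(e))}
    good_allow = [_norm(e) for e in allowed if e not in invalid]
    good_deny = [_norm(e) for e in denied if e not in invalid]
    overlaps = sorted((a, d) for a in good_allow for d in good_deny
                      if _covers(a, d) or _covers(d, a))
    return {"invalid": invalid, "overlaps": overlaps}

# Constructed sample lists (not taken from the manual).
SAMPLE_ALLOWED = ["www.cisco.com", "example.org/downloads", "intranet.example.net"]
SAMPLE_DENIED = ["cisco.com", "*.example.com", "http://ads.example.net"]

if __name__ == "__main__":
    report = review_lists(SAMPLE_ALLOWED, SAMPLE_DENIED)
    for entry, problems in report["invalid"].items():
        print(f"REJECT  {entry}: {'; '.join(problems)}")
    for a, d in report["overlaps"]:
        print(f"OVERLAP allow={a} deny={d}")
```
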

For devices running release 12.4(20)T and higher, the preferred approach is to use a Web Filter
policy map. Although Web Filter policy maps are more complex, they provide added flexibility, and
they let you access Trend Micro filtering servers. In the Policy Object Manager, select Maps >
Policy Maps > Web Filter > Web Filter, and review the detailed usage information in Configuring
Web Filter Maps, page 21-46.

A Web Filter policy map incorporates other types of maps. To create the policy map, you will need
one or more of these other types of maps:

Parameter maps – On the Parameters tab of the Add and Edit Web Filter Map dialog boxes, you
can select parameter maps for the various types of Web filtering if you do not want to use the
default settings. If you are using SmartFilter (N2H2) or Websense, you need to select a
parameter map because the map identifies those servers. For Local and Trend Micro filtering,
parameter maps configure some general settings, the most interesting of which is whether to
display a message or Web page when a URL is blocked. In the Policy Object Manager, you can
find parameter maps for Local, N2H2, Trend, and Websense in the Maps > Parameter Maps
> Web Filter folder. For detailed usage information, see Configuring Local Web Filter
Parameter Maps, page 21-37, Configuring N2H2 or WebSense Parameter Maps, page 21-38, or
Configuring Trend Parameter Maps, page 21-41.

Note: You configure Trend Micro server information on the Content Filtering tab of the Zone
Based Firewall page (select Firewall > Settings > Zone Based Firewall). See Zone Based
Firewall Page, page 21-49.

Class maps for match conditions – These class maps define the type of traffic you want to target
and specify the action to be taken. You select a type of filtering (Local, SmartFilter/N2H2,
Websense, or Trend Micro), specify the class map that identifies the targeted traffic, and choose
an action (such as Allow or Reset) to be taken for that traffic. In the Policy Object Manager,
you can find class maps for Local, N2H2, Trend, and Websense in the Maps > Class Maps >
Web Filter folder.

These class-map configurations depend on the type of filtering:

Local Filtering – The Local WebFilter class map is a list of one or more URLF Glob parameter
maps that specify either domain names or URL keywords that you want to target. A URL
keyword is any text string delineated by forward-slash (/) characters in a URL. These class maps
help you define allowed (whitelisted) and denied (blacklisted) URL lists for a WebFilter
policy—create separate maps for each list. For detailed usage information, see Configuring