Zone based firewall, class-map match-all statement

From: Matt Eason <matt.d.eason_at_gmail.com>
Date: Mon, 15 Nov 2010 14:54:52 +0800

Hi All,

I have a question regarding the use of L7 class maps in reference to zone-based
firewalls. Using the following class map:

parameter-map type regex REGEX_DIGG-1
 pattern .*[dD][iI][gG][gG]\.[cC][oO]|[mM]

parameter-map type regex REGEX_IMAGES-1
 pattern .*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])

class-map type inspect http match-all CMAP_DIGG_IMAGES
 match request header host regex REGEX_DIGG-1
 match request uri regex REGEX_IMAGES-1

The important part of the class map to note is the "match-all" statement. I
would have assumed that, in order for an HTTP stream to match the class map,
both match conditions would have to be true?

Anyway, doing some testing from a host on the inside of the firewall to a
host on the outside, I see the class map is in fact matched when only one of
the conditions is true.

R1# telnet 150.1.2.2 80 /source-interface lo0
Trying 150.1.2.2, 80 ... Open
GET /image.gif HTTP/1.1 <<<< Matches the REGEX_IMAGES-1
Host cisco.com <<<<< Does not match the class map.

You can see that the log messages below show both the HTTP header and the URI
being matched. Any idea why that would be the case?

*Jan 17 07:09:42.409: %APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field (^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO]|[mM]) matched - resetting session 150.1.1.1:43926 150.1.2.2:80 on zone-pair ZP_INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class CMAP_DIGG_IMAGES

*Jan 17 07:09:42.413: %APPFW-4-HTTP_URI_REGEX_MATCHED: URI regex (.*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])) matched - resetting session 150.1.1.1:43926 150.1.2.2:80 on zone-pair ZP_INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class CMAP_DIGG_IMAGES

Cheers,

Matt

Received on Mon Nov 15 2010 - 14:54:52 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART
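The behaviour in the post is consistent with ordinary regex precedence rather than with "match-all" being broken: in the host pattern, the alternation operator binds loosest, so `.*[dD][iI][gG][gG]\.[cC][oO]|[mM]` is read as "(.*digg.co) OR (m)". The logged header regex (`^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO]|[mM]`) is therefore satisfied by any Host value containing the letter m, which "Host cisco.com" does, and both match conditions of the match-all class map really are true. The script below is an added example and not part of the original post; it copies the posted patterns, assumes that Cisco IOS regex treats character classes, `.*`, `\.` and `|` the same way Python's `re` does, and uses a suggested corrected pattern (`...[cC][oO][mM]`) that is an assumption of the example, not something the post contains. The request lines are constructed, modelled on the telnet session above.

```python
import re

# Patterns copied from the parameter-maps in the post. Assumption of this
# example: IOS regex semantics for these constructs match Python's re.
REGEX_DIGG_1 = r".*[dD][iI][gG][gG]\.[cC][oO]|[mM]"            # as configured
REGEX_IMAGES_1 = r".*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])"

# The firewall log shows the host regex with a header prefix prepended.
# Because '|' binds loosest, this is two alternatives:  ^Host:.*digg.co  OR  m
HDR_DIGG_AS_LOGGED = r"^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO]|[mM]"

# Suggested correction (an assumption, not from the post): make 'm' the last
# character of 'com' instead of a standalone alternative.
REGEX_DIGG_1_FIXED = r".*[dD][iI][gG][gG]\.[cC][oO][mM]"
HDR_DIGG_FIXED = r"^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO][mM]"


def matched_fragment(pattern, text):
    """Return the substring the regex actually matched, or None.

    Seeing the fragment makes the alternation problem obvious: when the
    configured pattern 'matches' cisco.com, the fragment is just 'm'.
    """
    m = re.search(pattern, text)
    return m.group(0) if m else None


def host_matches(host_pattern, host_line):
    return matched_fragment(host_pattern, host_line) is not None


def uri_matches(uri):
    return re.search(REGEX_IMAGES_1, uri) is not None


def match_all(host_pattern, host_line, uri):
    """Emulate 'class-map type inspect http match-all': both must match."""
    return host_matches(host_pattern, host_line) and uri_matches(uri)


# Constructed requests, modelled on the telnet session in the post.
REQUESTS = [
    ("GET /image.gif HTTP/1.1", "Host cisco.com"),   # exactly as typed there
    ("GET /image.gif HTTP/1.1", "Host: digg.com"),
    ("GET /index.html HTTP/1.1", "Host: digg.com"),
]


def classify_requests(host_pattern):
    """Return {(host_line, uri): matched} for each constructed request."""
    results = {}
    for request_line, host_line in REQUESTS:
        uri = request_line.split()[1]
        results[(host_line, uri)] = match_all(host_pattern, host_line, uri)
    return results


if __name__ == "__main__":
    for host_line in ("Host cisco.com", "Host: digg.com"):
        print(f"{host_line!r}: configured pattern matched "
              f"{matched_fragment(HDR_DIGG_AS_LOGGED, host_line)!r}, "
              f"corrected pattern matched "
              f"{matched_fragment(HDR_DIGG_FIXED, host_line)!r}")
    print("configured:", classify_requests(HDR_DIGG_AS_LOGGED))
    print("corrected: ", classify_requests(HDR_DIGG_FIXED))
```

Two practical points follow from running it. First, the APPFW log lines only say that a regex matched; they do not show which alternative matched, so printing the matched fragment is the quickest way to see why a rule fires on unexpected traffic. Second, even the corrected pattern has no end anchor, so it will still match a Host value such as digg.com.example or one that merely contains that string; if the intent is an exact host, anchor the pattern and account for an optional port suffix.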