RE: Zone based firewall, class-map match-all statement

From: Adel Abouchaev <adel_at_netmasterclass.net>
Date: Mon, 15 Nov 2010 03:16:23 -0800

Remove the | in front of [mM] in the domain name pattern.

Adel Abouchaev, CCIE# 12037, CISSP, MCSE

Technical Support Engineer
Netmasterclass LLC, Cisco Learning Partner
RFC821: adel_at_netmasterclass.net
E.164: +18886772669
HTTP: www.netmasterclass.net

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Matt Eason
Sent: Sunday, November 14, 2010 10:55 PM
To: ccielab_at_groupstudy.com
Subject: Zone based firewall, class-map match-all statement

Hi All,

I have a question regarding the use of L7 class maps in reference to zone
based firewalls. Using the following class-map:

parameter-map type regex REGEX_DIGG-1

pattern .*[dD][iI][gG][gG]\.[cC][oO]|[mM]

parameter-map type regex REGEX_IMAGES-1

pattern .*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])

class-map type inspect http match-all CMAP_DIGG_IMAGES
 match request header host regex REGEX_DIGG-1
 match request uri regex REGEX_IMAGES-1

The important part of the class map to note is the "match-all" statement. I
would have assumed that in order for an HTTP stream to match the class map
both match conditions would have to be true?

Anyway, doing some testing from a host on the inside of the firewall to a
host on the outside I see the class map is in fact matched when only one of
the conditions is true.

R1# telnet 150.1.2.2 80 /source-interface lo0
Trying 150.1.2.2, 80 ... Open
GET /image.gif HTTP/1.1 <<<< Matches the REGEX_IMAGES-1
Host cisco.com <<<<< Does not match the class map.

You can see the log messages below show that both the HTTP header and the URI
are matched. Any idea why that would be the case?

*Jan 17 07:09:42.409: %APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field
(^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO]|[mM]) matched - resetting
session 150.1.1.1:43926 150.1.2.2:80 <http://150.1.2.2/> on zone-pair
ZP_INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class
CMAP_DIGG_IMAGES

*Jan 17 07:09:42.413: %APPFW-4-HTTP_URI_REGEX_MATCHED: URI regex
(.*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])) matched - resetting session
150.1.1.1:43926 150.1.2.2:80 <http://150.1.2.2/> on zone-pair
ZP_INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class
CMAP_DIGG_IMAGES

Cheers,

Matt

Blogs and organic groups at http://www.ccie.net
Received on Mon Nov 15 2010 - 03:16:23 ART

This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:56 ART
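Added illustration of the point in Adel's reply (example code, not from either message in the thread): in Python's `re`, as in the IOS regex engine, `|` has the lowest precedence, so `.*[dD][iI][gG][gG]\.[cC][oO]|[mM]` alternates between "anything ending in digg.co" and "a single m or M" rather than making the trailing letter part of the domain. Any Host header containing the letter m therefore satisfies the first match line, and the match-all class then turns on the URI regex alone. Python's `re.search` stands in for the IOS inspection engine here (an assumption), the `^[Hh][Oo][Ss][Tt]:` prefix is reproduced from the APPFW log line in the thread, and the Host/URI values are constructed samples.

```python
import re

# Host pattern exactly as typed in the original post (top-level "|" is the defect)
# and with the fix from the reply (the "|" removed).
BROKEN_HOST_PATTERN = r".*[dD][iI][gG][gG]\.[cC][oO]|[mM]"
FIXED_HOST_PATTERN = r".*[dD][iI][gG][gG]\.[cC][oO][mM]"
URI_PATTERN = r".*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])"


def host_header_regex(pattern):
    """IOS prefixes the host regex with the header name (see the APPFW log line)."""
    return r"^[Hh][Oo][Ss][Tt]:" + pattern


def top_level_alternatives(pattern):
    """Split a regex on '|' that sits outside parentheses and character classes.

    This shows what the engine really alternates between; a pattern with more
    than one part matches if ANY part matches anywhere in the input.
    """
    parts, cur = [], ""
    depth, in_class, escaped = 0, False, False
    for ch in pattern:
        if escaped:                      # keep escaped chars such as "\." verbatim
            cur += ch
            escaped = False
            continue
        if ch == "\\":
            cur += ch
            escaped = True
            continue
        if in_class:                     # "|" inside [...] is literal
            cur += ch
            if ch == "]":
                in_class = False
            continue
        if ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:   # top-level alternation boundary
            parts.append(cur)
            cur = ""
            continue
        cur += ch
    parts.append(cur)
    return parts


def matches_class(host_line, uri, host_pattern, uri_pattern=URI_PATTERN):
    """Model a 'class-map type inspect http match-all': both lines must match."""
    host_ok = re.search(host_header_regex(host_pattern), host_line) is not None
    uri_ok = re.search(uri_pattern, uri) is not None
    return host_ok and uri_ok


if __name__ == "__main__":
    for label, pat in (("broken", BROKEN_HOST_PATTERN), ("fixed", FIXED_HOST_PATTERN)):
        print(label, "host regex alternates between:",
              top_level_alternatives(host_header_regex(pat)))
    # Constructed request: the same GET /image.gif the poster sent, to a non-digg host.
    print("broken:", matches_class("Host: cisco.com", "/image.gif", BROKEN_HOST_PATTERN))
    print("fixed: ", matches_class("Host: cisco.com", "/image.gif", FIXED_HOST_PATTERN))
```

With the broken pattern the class matches `Host: cisco.com` plus `/image.gif` (and the session is reset, as in the log), while a host with no letter m at all, such as `cisco.co`, would pass; with the fix only a digg.com host requesting an image matches. Running intended match lines against a handful of constructed requests like this before committing an inspection policy is a cheap way to catch alternation and anchoring mistakes that otherwise only show up as unexplained resets or as traffic that silently escapes inspection.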