Oh, doh. How did I miss that :/
Thanks Adel.
On Monday, November 15, 2010, Adel Abouchaev <adel_at_netmasterclass.net> wrote:
> Remove the | in front of [mM] in the domain name pattern.
>
> Adel Abouchaev, CCIE# 12037, CISSP, MCSE
>
> Technical Support Engineer
> Netmasterclass LLC, Cisco Learning Partner
> RFC821: adel_at_netmasterclass.net
> E.164: +18886772669
> HTTP: www.netmasterclass.net
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Matt Eason
> Sent: Sunday, November 14, 2010 10:55 PM
> To: ccielab_at_groupstudy.com
> Subject: Zone based firewall, class-map match-all statement
>
> Hi All,
>
> I have a question regarding the use of L7 class maps in reference to zone
> based firewalls. Using the following class-map
>
> parameter-map type regex REGEX_DIGG-1
>  pattern .*[dD][iI][gG][gG]\.[cC][oO]|[mM]
>
> parameter-map type regex REGEX_IMAGES-1
>  pattern .*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])
>
> class-map type inspect http match-all CMAP_DIGG_IMAGES
>  match request header host regex REGEX_DIGG-1
>  match request uri regex REGEX_IMAGES-1
>
> The important part of the class map to note is the "match-all" statement. I
> would have assumed that in order for an HTTP stream to match the class map,
> both match conditions would have to be true?
>
> Anyway, doing some testing from a host on the inside of the firewall to a
> host on the outside, I see the class map is in fact matched when only one of
> the conditions is true.
>
> R1# telnet 150.1.2.2 80 /source-interface lo0
> Trying 150.1.2.2, 80 ... Open
> GET /image.gif HTTP/1.1 <<<< Matches the REGEX_IMAGES-1
> Host cisco.com <<<<< Does not match the class map.
>
> You can see the log messages below show that both the HTTP header and the URI
> are matched. Any idea why that would be the case?
>
>
>
> *Jan 17 07:09:42.409: %APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field
> (^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO]|[mM]) matched - resetting
> session 150.1.1.1:43926 150.1.2.2:80 on zone-pair
> ZP_INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class
> CMAP_DIGG_IMAGES
>
>
> *Jan 17 07:09:42.413: %APPFW-4-HTTP_URI_REGEX_MATCHED: URI regex
> (.*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])) matched - resetting session
> 150.1.1.1:43926 150.1.2.2:80 on zone-pair
> ZP_INSIDE_TO_OUTSIDE class CMAP_INSIDE_TO_OUTSIDE_HTTP appl-class
> CMAP_DIGG_IMAGES
>
> Cheers,
>
> Matt
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Nov 15 2010 - 23:14:14 ART
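Added illustration of the bug Adel points out; this is not part of the original thread and not Cisco IOS code. In the posted pattern `.*[dD][iI][gG][gG]\.[cC][oO]|[mM]` the `|` binds loosest of all regex operators, so the engine reads it as two independent alternatives: "anything ending in digg.co" OR "the letter m". Any Host header containing an "m" (cisco.com, example.net) satisfies the second alternative, which is why the APPFW log reported the header regex as matched. The log also shows IOS prepending `^[Hh][Oo][Ss][Tt]:` to the pattern; that prefix lands only on the left alternative, so it does not rescue the right one. Python's `re` stands in for the IOS regex engine here (alternation precedence behaves the same way); the sample Host values are constructed, and `top_level_alternatives` is a small helper written for this example.

```python
import re

# Pattern exactly as posted, and the pattern with the stray '|' removed
# (Adel's fix). IOS regexes are not Python regexes, but '|' having the
# lowest precedence is common to both, which is all this example relies on.
PATTERN_AS_POSTED = r".*[dD][iI][gG][gG]\.[cC][oO]|[mM]"
PATTERN_FIXED = r".*[dD][iI][gG][gG]\.[cC][oO][mM]"
PATTERN_IMAGES = r".*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])"

# Prefix the APPFW log shows IOS adding before matching the Host header.
HOST_PREFIX = r"^[Hh][Oo][Ss][Tt]:"

# Constructed sample Host header values (not from the thread).
HOSTS = [
    "digg.com",             # the intended match
    "cisco.com",            # Matt's test host: contains an 'm'
    "example.net",          # no digg, but 'm' in "example"
    "cisco.net",            # no digg and no 'm' anywhere
    "digg.co",              # satisfied by the left alternative alone
    "digg.com.example.net", # shows the fixed pattern is still unanchored at the end
]


def top_level_alternatives(pattern):
    """Split a pattern on '|' that is unescaped, outside [...] and outside (...).

    This mirrors how a regex engine parses alternation: each returned piece is
    a complete, independent alternative.
    """
    parts, buf = [], []
    in_class = False
    depth = 0
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            buf.append(pattern[i:i + 2])  # keep escapes such as \. intact
            i += 2
            continue
        if in_class:
            if ch == "]":
                in_class = False
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def host_header_matches(pattern, host):
    """Apply PATTERN the way the APPFW log shows IOS doing it: with the
    ^Host: prefix glued on, searched over the raw header line."""
    header = f"Host: {host}"
    return re.search(HOST_PREFIX + pattern, header) is not None


def evaluate(pattern, hosts=HOSTS):
    """Return {host: matched?} for every sample host."""
    return {h: host_header_matches(pattern, h) for h in hosts}


if __name__ == "__main__":
    for name, pat in (("posted", PATTERN_AS_POSTED), ("fixed", PATTERN_FIXED)):
        print(f"{name}: {pat}")
        print("  alternatives:", top_level_alternatives(HOST_PREFIX + pat))
        for host, hit in evaluate(pat).items():
            print(f"  {host:24s} {'MATCH' if hit else '-'}")
```

Running it shows the posted pattern split into `^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO]` and a bare `[mM]`, and cisco.com and example.net matching solely through that second piece. The images regex is unaffected because its alternation sits inside parentheses, so it stays a single alternative. Note that the corrected host pattern has no end anchor, so it also matches a host that merely contains digg.com (the last sample); anchor it if the intent is an exact domain match.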