Cisco Systems and the ASA Services Module Manual De Usuario

The enhanced HTTP inspection feature, which is also known as an application firewall and is available 
when you configure an HTTP map (see 

), can help prevent attackers from using HTTP messages for circumventing network 

security policy. It verifies the following for all HTTP messages:

Conformance to RFC 2616

Use of RFC-defined methods only.

Compliance with the additional criteria.

To specify actions when a message violates a parameter, create an HTTP inspection policy map. You can 
then apply the inspection policy map when you enable HTTP inspection.

When you enable HTTP inspection with an inspection policy map, strict HTTP inspection with the action 
reset and log is enabled by default. You can change the actions performed in response to inspection 
failure, but you cannot disable strict inspection as long as the inspection policy map remains enabled. 

To create an HTTP inspection policy map, perform the following steps:

(Optional) Add one or more regular expressions for use in traffic matching commands according to the 
general operations configuration guide. See the types of text you can match in the match commands 
described in 

(Optional) Create one or more regular expression class maps to group regular expressions according to 
the general operations configuration guide.

(Optional) Create an HTTP inspection class map by performing the following steps.

A class map groups multiple traffic matches. Traffic must match all of the match commands to match 
the class map. You can alternatively identify match commands directly in the policy map. The difference 
between creating a class map and defining the traffic match directly in the inspection policy map is that 
the class map lets you create more complex match criteria, and you can reuse class maps.

To specify traffic that should not match the class map, use the match not command. For example, if the 
match not command specifies the string “example.com,” then any traffic that includes “example.com” 
does not match the class map.

For the traffic that you identify in this class map, you can specify actions such as drop, drop-connection, 
reset, mask, set the rate limit, and/or log the connection in the inspection policy map.

If you want to perform different actions for each match command, you should identify the traffic directly 
in the policy map.

Create the class map by entering the following command:

ciscoasa(config)# class-map type inspect http [match-all | match-any] class_map_name

ciscoasa(config-cmap)# 

Where class_map_name is the name of the class map. The match-all keyword is the default, and 
specifies that traffic must match all criteria to match the class map. The match-any keyword 
specifies that the traffic matches the class map if it matches at least one of the criteria. The CLI 
enters class-map configuration mode, where you can enter one or more match commands.

(Optional) To add a description to the class map, enter the following command: