ActiveX objects may pose security risks because they can contain code intended to attack hosts and
servers on a protected network. You can disable ActiveX objects with ActiveX filtering.

ActiveX controls, formerly known as OLE or OCX controls, are components that you can insert in a web
page or another application. These controls include custom forms, calendars, or any of the extensive
third-party forms for gathering or displaying information. As a technology, ActiveX creates many
potential problems for network clients including causing workstations to fail, introducing network
security problems, or being used to attack servers.

The filter activex command blocks the HTML object commands by commenting them out within the
HTML web page. ActiveX filtering of HTML files is performed by selectively replacing the <APPLET>
and </APPLET>, and <OBJECT CLASSID> and </OBJECT> tags with comments. Filtering of nested
tags is supported by converting top-level tags to comments.

Caution

The filter activex command also blocks any Java applets, image files, or multimedia objects that are
embedded in object tags.

If the <object> or </object> HTML tags split across network packets or if the code in the tags is longer
than the number of bytes in the MTU, the ASA cannot block the tag.

ActiveX blocking does not occur when users access an IP address referenced by the alias command or
for clientless SSL VPN traffic.

Licensing Requirements for ActiveX Filtering

The following table shows the licensing requirements for this feature:

Model

License Requirement

All models

Base License.