
I have a PIX 515E, running PIXOS 6.3, which has fixup protocol http 80 in the configuration.

Can anyone point me to documentation that describes exactly what this does to web traffic?

Cisco's own command reference says:

fixup protocol http

The fixup protocol http command sets the port for Hypertext Transfer Protocol (HTTP) traffic application inspection. The default port for HTTP is 80.

Use the port option to change the default port assignments from 80. Use the port-port option to apply HTTP application inspection to a range of port numbers.

Note The no fixup protocol http command still enables the filter url command.

HTTP inspection performs several functions:

• URL logging of GET messages

• URL screening through N2H2 or Websense

• Java and ActiveX filtering

The latter two features must be configured in conjunction with the filter command.

We don't use WebSense on the PIX, and we don't need the PIX to perform URL logging - and we don't have filter commands enabled. Is there any reason why I shouldn't turn the fixup protocol off altogether? Certainly disabling that logging should improve performance (we already have URL logging using a separate WebSense box).

Richard Gadsden
In general I've found Cisco's "fixup" inspection to be worse than useless, with the sole exception of "fixup ftp". For example, right now if we see email delivery problems to a host that has the telltale signs of "fixup esmtp", we will refuse to debug it until it's off. In 99% of cases, this measure has fixed the issue. – Niall Donegan Feb 22 '11 at 13:03

2 Answers


In PIX 6.3 the fixup http command has rather limited behavior when compared to its modern replacement in the 7.0 and up PIX and ASA releases -- inspect http as part of the Modular Policy Framework (MPF).

PIX 6.3

You have defined the PIX 6.3 capabilities straight from the PIX 6.3 Command Reference. I can expound a bit.

URL Logging of GET Messages enables the PIX to log all HTTP GET (no POST) to the PIX's logging facilities. This can dump quite a bit (especially in 2011 when there is a lot of HTTP traffic on modern networks) of logs.

URL screening through N2H2 or Websense enables the PIX to send HTTP requests using Internet Filtering Protocol (IFP) or Websense protocol v4, respectively. This will allow your PIX, inline to traffic, to make HTTP URL policy decisions without having to play proxy tricks on the clients. Note that you need an N2H2 or Websense server/appliance deployed.

Java and ActiveX filtering enables the PIX to filter out Java applets and ActiveX code from pages served via HTTP.

PIX/ASA 7 and later

The PIX/ASA version 7 (and later) code enables you to perform all of the above tasks and adds Enhanced HTTP inspection, as described in ASA 8.4 Command Reference. ASA 8.4 is the latest version of the ASA code at this time.

Enhanced HTTP inspection, as described, allows a firewall administrator to really drill down HTTP policy, including adherence to RFC2616, max URL length, max body size, even based on host header (want to block Facebook without N2H2, Websense, Squid, OpenDNS, or any other service?). Great flexibility once you grasp the modular policy framework (MPF) of 7 and later code, which owes its roots to the modular QoS CLI (MQC) from IOS.

In PIX 6.3 it is generally safe to remove the fixup http command if you do not require those features. On PIX/ASA 7 and later it can also be removed if you are not using any of the features. To make use of Enhanced HTTP inspection on PIX/ASA 7 you must configure an http-map.

Weaver
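As an added illustration (not part of the question, either answer, or Cisco's documentation): the PIX 6.3 removal the question is asking about, followed by the PIX 7.x http-map and the ASA 8.x MPF constructs that Weaver describes for Enhanced HTTP inspection. Command syntax follows the PIX 6.3, PIX/ASA 7 and ASA 8 command references; the map, class, policy and regex names, the 2048-byte URI limit and the host name pattern are assumed values chosen for the example.

```text
! --- PIX 6.3: remove the fixup the question refers to.
! Per the 6.3 reference quoted above, "filter url" keeps working without it.
no fixup protocol http 80

! --- PIX/ASA 7.0/7.1: Enhanced HTTP inspection is configured through an http-map
! (map and class names HTTP_STRICT / HTTP_TRAFFIC are assumed for this example).
http-map HTTP_STRICT
  strict-http action drop log
  max-uri-length 2048 action drop log
  port-misuse default action drop log
class-map HTTP_TRAFFIC
  match port tcp eq 80
policy-map global_policy
  class HTTP_TRAFFIC
    inspect http HTTP_STRICT
service-policy global_policy global

! --- ASA 8.x: the same idea expressed with an inspection policy-map, plus a
! Host-header match of the kind Weaver mentions (hostname pattern is a placeholder).
regex BLOCKED_HOST "blocked\.example"
class-map type inspect http match-all HTTP_BLOCKED_HOST
  match request header host regex BLOCKED_HOST
policy-map type inspect http HTTP_POLICY
  parameters
    protocol-violation action drop-connection log
  class HTTP_BLOCKED_HOST
    drop-connection log
class-map HTTP_TRAFFIC
  match port tcp eq 80
policy-map global_policy
  class HTTP_TRAFFIC
    inspect http HTTP_POLICY
service-policy global_policy global
```

The "log" keywords matter operationally: every drop from strict-http or protocol-violation produces a syslog entry, so the same inspection that enforces RFC 2616 conformance also tells you which clients are sending malformed or non-HTTP traffic on port 80. Without any inspect http statement (or with the 6.3 fixup removed), port 80 is handled as ordinary TCP, which is exactly the behaviour the question is asking for.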

If you don't want the features involved, then, no, there is no reason why you should use http fixup. It can be useful for a "one box" solution in some situations, but generally speaking it does create problems.

Aaron