You are correct, if all the ASA sees is an HTTPS request, then the TCP payload is encrypted, which prevents the ASA's URL filtering (or any other TCP payload inspection).
Typically, url filtering is done by an http reverse-proxy or load-balancer (like Cisco's ACE/CSM, F5 LTM, or Citrix Netscaler to name a few). The devices I mentioned can also offload SSL encryption from your web server pool as well.
Offloading SSL before you perform payload scrubbing / inspection has some significant advantages. By off-loading your encryption at a load-balancer, the IDS / IPS / Firewall can also see the raw HTTP traffic, which means it can spot application-layer attacks and it generally gives you better protection, if that's a priority.
Summary
You should use Cisco's Embedded Syslog Manager. ESM can dynamically modify or throttle syslog messages when they are generated on the router.
I built an example (see bottom of answer) of how to rate-limit configuration messages within a test time window; for the purposes of this demo, I substituted [regexp {CONFIG} $::orig_msg]
instead of [regexp {FAN_LOW_RPM} $::orig_msg]
so I could illustrate rate-limiting messages like %SYS-5-CONFIG_I: Configured from console by vty0
.
I edited the tcl script at the bottom of the answer with [regexp {CONFIG} $::orig_msg]
, and tftp'd the script into flash...
DEN-EDGE-02#copy tftp://172.16.1.5/filterSyslog.tcl flash:
Destination filename [filterSyslog.tcl]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing tftp://172.16.1.5/filterSyslog.tcl...
Loading filterSyslog.tcl from 172.16.1.5: !
[OK - 684 bytes]
684 bytes copied in 0.104 secs (6577 bytes/sec)
DEN-EDGE-02#
Then I configured my router with the name of the script, and the syslog server's address (172.16.1.5).
logging filter flash:filterSyslog.tcl
logging trap debugging
logging host 172.16.1.5 vrf mgmtVrf filtered
Now when you go into configuration mode on the router, the syslog messages are rate-limited.
[mpenning@tsunami tftpboot]$ sudo tshark -ni eth0 udp and host 172.16.1.204
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
3.472614 172.16.1.204 -> 172.16.1.5 Syslog 177 LOCAL7.NOTICE: 278: Apr 21 05:37:58.189
CDT: %SYS-5-CONFIG_I: Configured from console by vty0 (172.16.1.5) - This message was
rate-limited by ESM
How it works
The ESM script at the bottom of the answer rate-limits FAN_LOW_RPM
messages. The example leverages the fact that NVMON-4-FAN_LOW_RPM
messages are sent every 30 seconds. For simplicity, I use an absolute 30-second window between 23:59:30 and 23:59:59 to rate-limit the messages. This script assumes the syslogs are sent at a constant rate, and are not intermittent. In the attached script, I use timestamps in HHMMSS
(24-hour) format so they would map easily to integers.
When a syslog message is ready to be sent, IOS stores it in $::orig_msg
. I just built a quick series of if .. else
clauses to detect whether the syslog message:
- Matches the regular expression (in this case,
FAN_LOW_RPM
)
- Occurs in the 30-second window between 23:59:30 and 23:59:59 (inclusive)
If the message contains FAN_LOW_RPM
and is within the time window, the script sends the message. Other messages containing FAN_LOW_RPM
messages are not sent. All other syslogs are sent (because we only want to silence the noisy messages).
FYI, for simplicity I intentionally avoided persisting timestamp values between the last NVMON-4-FAN_LOW_RPM
syslog message seen, although someone could do that too.
ESM syslog rate-limit script:
Save this file in flash as flash:filterSyslog.tcl
## Filename: filterSyslog.tcl
proc forceInteger { x } {
set count [scan $x %d%s n rest]
if { $count <= 0 || ( $count == 2 && ![string is space $rest] ) } {
# This is an error
return "-1"
}
return $n
}
set time_start 235900
set time_end 235959
# See http://wiki.tcl.tk/498 for information about TCL's strange number-handling
set timestamp [forceInteger [clock format [clock seconds] -format %H%M%S]]
### Modify the regexp below and use any message you want to rate-limit...
if { [regexp {FAN_LOW_RPM} $::orig_msg] } {
if {($time_start <= $timestamp) && ($timestamp <= $time_end)} {
# Send syslog messages inside the $time_start and $time_end
return "$::orig_msg - This message was rate-limited by ESM"
} else {
# Drop syslog messages outside $time_start to $time_end
return ""
}
} else {
# Return all other syslog messages as usual
return $::orig_msg
}
Best Answer
The ASA can only filter messages by severity, or by log message class, or by individual log message.
Unfortunately, there is no way for the ASA to filter on a specific attribute or value within a particular log message.
As was pointed out, this type of filtering is best done on the receiving end. I know you mentioned there is already a performance hit, but there would be the same (if not worse) performance hit on the Firewall, and the Firewall is typically passing traffic beyond just syslog, so would be more risky.