What does fixup protocol http actually do on a Cisco PIX firewall

cisco-pix

I have a PIX 515E, running PIXOS 6.3, which has fixup protocol http 80 in the configuration.

Can anyone point me to documentation that describes exactly what this does to web traffic.

Cisco's own command reference says:

fixup protocol http

The fixup protocol http command sets the port for Hypertext Transfer Protocol (HTTP) traffic application inspection. The default port for HTTP is 80.

Use the port option to change the default port assignments from 80. Use the port-port option to apply HTTP application inspection to a range of port numbers.

Note: The no fixup protocol http command still enables the filter url command.

HTTP inspection performs several functions:

• URL logging of GET messages

• URL screening through N2H2 or Websense

• Java and ActiveX filtering

The latter two features must be configured in conjunction with the filter command.

We don't use WebSense on the PIX, and we don't need the PIX to perform URL logging – and we don't have filter commands enabled. Is there any reason why I shouldn't turn the fixup protocol off altogether? Certainly disabling that logging should improve performance (we already have URL logging using a separate WebSense box).

Best Answer

In PIX 6.3 the fixup http command has rather limited behavior when compared to its modern replacement in the 7.0 and up PIX and ASA releases -- inspect http as part of the Modular Policy Framework (MPF).

PIX 6.3

You have defined the PIX 6.3 capabilities straight from the PIX 6.3 Command Reference. I can expound a bit.

URL Logging of GET Messages enables the PIX to log all HTTP GET (no POST) to the PIX's logging facilities. This can dump quite a bit (especially in 2011 when there is a lot of HTTP traffic on modern networks) of logs.

URL screening through N2H2 or Websense enables the PIX to send HTTP requests using Internet Filtering Protocol (IFP) or Websense protocol v4, respectively. This will allow your PIX, inline to traffic, to make HTTP URL policy decisions without having to play proxy tricks on the clients. Note that you need an N2H2 or Websense server/appliance deployed.

Java and ActiveX filtering enables the PIX to filter out Java applets and ActiveX code from pages served via HTTP.

PIX/ASA 7 and later

The PIX/ASA version 7 (and later) code enables you to perform all of the above tasks and adds Enhanced HTTP inspection, as described in ASA 8.4 Command Reference. ASA 8.4 is the latest version of the ASA code at this time.

Enhanced HTTP inspection, as described, allows a firewall administrator to really drill down HTTP policy, including adherence to RFC2616, max URL length, max body size, even based on host header (want to block Facebook without N2H2, Websense, Squid, OpenDNS, or any other service?). Great flexibility once you grasp the modular policy framework (MPF) of 7 and later code, which owes its roots to the modular QoS CLI (MQC) from IOS.

In PIX 6.3 it is generally safe to remove the fixup http command if you do not require those features. On PIX/ASA 7 and later it can also be removed if you are not using any of the features. To make use of Enhanced HTTP inspection on PIX/ASA 7 you must configure an http-map.
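As an added example (not part of the question or the answer above), here is a small Python audit that reads a PIX 6.3 running configuration and reports whether anything in it still relies on fixup protocol http before you remove it. It looks for the three filter commands the command reference ties to HTTP inspection (filter url, filter java, filter activex) and for url-server lines, and lists the ports the fixup covers. The two configuration excerpts are constructed sample input; the filter java, filter activex and url-server line formats are the PIX 6.3 syntax as I know it, not text quoted from this page, and the decision rule (safe to remove only when no filter command is present) is my reading of the answer, not a Cisco-documented check.

```python
import re

# Constructed PIX 6.3 configuration excerpts used as sample input (not from the question).
CONFIG_WITH_FILTERS = """\
PIX Version 6.3(5)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol http 8080-8090
fixup protocol smtp 25
url-server (inside) vendor websense host 10.0.0.5 timeout 30 protocol TCP version 4
filter url http 0 0 0 0
filter java 80 0 0 0 0
logging on
"""

CONFIG_WITHOUT_FILTERS = """\
PIX Version 6.3(5)
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
logging on
"""

# Matches "fixup protocol http <port>" or "fixup protocol http <port>-<port>".
FIXUP_HTTP_RE = re.compile(r"^\s*fixup protocol http\s+(\d+)(?:-(\d+))?\s*$")
# Matches the three filter commands the command reference ties to HTTP inspection.
FILTER_RE = re.compile(r"^\s*filter\s+(url|java|activex)\b")
# Matches url-server lines and captures the vendor keyword (websense or n2h2).
URL_SERVER_RE = re.compile(r"^\s*url-server\b.*\bvendor\s+(\S+)")


def http_fixup_ranges(config):
    """Return (low, high) TCP port ranges on which fixup protocol http is enabled."""
    ranges = []
    for line in config.splitlines():
        m = FIXUP_HTTP_RE.match(line)
        if m:
            low = int(m.group(1))
            high = int(m.group(2)) if m.group(2) else low
            ranges.append((low, high))
    return ranges


def port_inspected(ranges, port):
    """True if HTTP application inspection covers the given TCP port."""
    return any(low <= port <= high for low, high in ranges)


def filter_commands(config):
    """Return (kind, line) for every filter url/java/activex command in the config."""
    found = []
    for line in config.splitlines():
        m = FILTER_RE.match(line)
        if m:
            found.append((m.group(1), line.strip()))
    return found


def url_server_vendors(config):
    """Return the vendor keyword of each url-server command (e.g. 'websense')."""
    return [m.group(1) for m in map(URL_SERVER_RE.match, config.splitlines()) if m]


def assess_fixup_http_removal(config):
    """Report what 'no fixup protocol http' would affect in this configuration."""
    ranges = http_fixup_ranges(config)
    filters = filter_commands(config)
    vendors = url_server_vendors(config)
    reasons = []
    for kind, line in filters:
        if kind in ("java", "activex"):
            reasons.append(f"{line!r}: {kind} filtering is a function of HTTP inspection")
        else:
            # The command reference note says 'no fixup protocol http' still enables
            # filter url, but URL screening is a feature in use, so it is flagged too.
            reasons.append(f"{line!r}: URL screening in use (url-server vendors: {vendors or 'none'})")
    return {
        "http_ranges": ranges,
        "filters": filters,
        "url_servers": vendors,
        "safe_to_remove": not filters,  # assumption: removal is safe only with no filter commands
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, cfg in (("with filters", CONFIG_WITH_FILTERS),
                      ("without filters", CONFIG_WITHOUT_FILTERS)):
        report = assess_fixup_http_removal(cfg)
        print(f"{name}: HTTP inspection on {report['http_ranges']}, "
              f"safe to remove fixup http = {report['safe_to_remove']}")
        for reason in report["reasons"]:
            print("  -", reason)
```

To run it against a real box, save the output of show running-config to a file and pass its contents to assess_fixup_http_removal; a configuration like the one in the question (fixup protocol http 80, no filter commands) comes back as safe to remove, matching the answer's advice.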
