Showing results for 
Show  only  | Search instead for 
Did you mean: 
Level 8
Report Inappropriate Content
Message 1 of 4

Internet Filtering Protocol (IFP) Message Specification

I have been unable to find any documentation on IFP (aside for what is on the the MWG Product Guide), or its integration with other products. Intel Security Support has referred me here. With the discontinuance of SmartFilter (original IFP product) few years ago and the selling of SideWinder (McAfee Enterprise Firewall) to ForcePoint (formerly Ratheon|Websense)

We have Cisco Adaptive Security Appliance (ASA)'s Content Inspection configured to query an external policy/control server (MWG) via the Internet Filtering Protocol (IFP) [ie the smartcomputing via TCP 4005].

1. Performing a capture of the TCP 4005 (from the MWG), I am able to see the requested URL and the message response (ie redirect Block page). Is there anyway to decode the values in that stream? what are the protocol message field values? WireShark does not have it defined.

2. Does the IFP protocol provide to identify which ASA is sending the request of policy determination? Is there a McAfee property where the IP of the originating ASA is stored and can be used in RuleSet/Rule set determination?

3.  Does the McAfee have any third-party integration configuration suggestions? Similar to Websense Webfilter product.

3 Replies
McAfee Retired
McAfee Retired
Report Inappropriate Content
Message 2 of 4

Re: Internet Filtering Protocol (IFP) Message Specification

The protocol specification is intellectual property and is not disclosed. Only licensees of the SDK (like Cisco) get the documentation of the protocol.

Connection.IP is the address of the IFP client (ASA) sending the request.

If ASA includes it in the request (which I think it does), Client.IP is the address of the user making the request.

The only thing I can find on IFP and ASA itself is in the installation guide.

Former Member
Not applicable
Report Inappropriate Content
Message 3 of 4

Re: Internet Filtering Protocol (IFP) Message Specification


Erik has answered the first two questions, as far as the integration question, we're just using the same integration as SmartFilter did so all the commands are the same as you used before.

Here is a dump of my commands for enabling and troubleshooting IFP on the Cisco device:

PIX/ASA commands to enable IFP:

1. Define the IFP Server using the command:

url-server vendor [n2h2 | smartfilter] (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns] ]

# example:

url-server vendor smartfilter host timeout 10

For vendor us the key below, the version is the version of the PIX/ASA:

With versions 6.3 through 7.1, type n2h2.

With version 7.2 or newer, type smartfilter.

If you are using Webwasher/Web Gateway, either will apply so type n2h2/smartfilter depending on your version.

2. Apply the filtering to the traffic using the command:

filter url [http | port[-port]] source_ip source_mask dest_ip dest_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]

# example:

filter url http 0 0 0 0 allow longurl-truncate

3. To apply filtering to HTTPS traffic* use the following command:

filter https source_ip source_mask dest_ip dest_mask [allow]

# example

filter https 443 0 0 0 0 allow

*This "https" command will only work on versions 7.2 or newer, older versions will not support filtering of https traffic.

4. (Optional) To exempt traffic from filtering, use the following command:

filter (https|url) except source_ip source_mask dest_ip dest_mask

# example

filter url except 0 0

5. (Optional) To enable buffering of HTTP replies for URLs that are pending a response from the IFP filter server, type the following command:

For block_buffer_limit, type the maximum number of blocks (1 to 128) for the URL buffer.

url-block block [block_buffer_limit]

# example

url-block block 128

6. (Informational) To remove any of the commands from the device just copy the exact command and place a 'no' in front of it.

# example

no filter https 443 0 0 allow

--------------------Troubleshooting Commands--------------------

To view information about the current URL filtering scheme, type the following commands:

show filter url

show url-server

Use these commands to find out the address and port number for the SmartFilter IFP server, the timeout period, and whether the allow option is enabled or disabled.

To show the configuration related to url filtering, enter the following command:

show running-config url-server

To view statistics related to communication between the Cisco PIX/ASA Firewall and the SmartFilter IFP server, type the following commands:

show url-server stat

show url-block block stat

show perfmon

Use these commands to view the number of URL requests sent, responses received, pages blocked and allowed, and processing failures.

Best Regards,


Former Member
Not applicable
Report Inappropriate Content
Message 4 of 4

Re: Internet Filtering Protocol (IFP) Message Specification

You can derive the protocol by looking at the source code for the openufp project on GitHub.

GitHub - jeroennijhof/openufp: Open URL Filtering Proxy is an URL Filtering Server for N2H2 or Webse...

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community