3 Replies Latest reply on Aug 25, 2016 3:12 AM by macgyver7

    Internet Filtering Protocol (IFP) Message Specification

    mvjames

      I have been unable to find any documentation on IFP (aside for what is on the the MWG Product Guide), or its integration with other products. Intel Security Support has referred me here. With the discontinuance of SmartFilter (original IFP product) few years ago and the selling of SideWinder (McAfee Enterprise Firewall) to ForcePoint (formerly Ratheon|Websense)

       

      We have Cisco Adaptive Security Appliance (ASA)'s Content Inspection configured to query an external policy/control server (MWG) via the Internet Filtering Protocol (IFP) [ie the smartcomputing via TCP 4005].

      1. Performing a capture of the TCP 4005 (from the MWG), I am able to see the requested URL and the message response (ie redirect Block page). Is there anyway to decode the values in that stream? what are the protocol message field values? WireShark does not have it defined.


      2. Does the IFP protocol provide to identify which ASA is sending the request of policy determination? Is there a McAfee property where the IP of the originating ASA is stored and can be used in RuleSet/Rule set determination?


      3.  Does the McAfee have any third-party integration configuration suggestions? Similar to Websense Webfilter product.

        • 1. Re: Internet Filtering Protocol (IFP) Message Specification

          The protocol specification is intellectual property and is not disclosed. Only licensees of the SDK (like Cisco) get the documentation of the protocol.

           

          Connection.IP is the address of the IFP client (ASA) sending the request.

          If ASA includes it in the request (which I think it does), Client.IP is the address of the user making the request.

           

          The only thing I can find on IFP and ASA itself is in the installation guide.

          https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/ 21000/PD21278/en_US/sf_41104_ig_e.pdf

          • 2. Re: Internet Filtering Protocol (IFP) Message Specification
            Jon Scholten

            Hi!

             

            Erik has answered the first two questions, as far as the integration question, we're just using the same integration as SmartFilter did so all the commands are the same as you used before.

             

            Here is a dump of my commands for enabling and troubleshooting IFP on the Cisco device:

             

            PIX/ASA commands to enable IFP:

            1. Define the IFP Server using the command:

            url-server vendor [n2h2 | smartfilter] (if_name) host local_ip [timeout seconds] [protocol TCP | UDP version [1|4] [connections num_conns] ]
            # example:
            url-server vendor smartfilter host 10.0.0.1 timeout 10
            

            For vendor us the key below, the version is the version of the PIX/ASA:

            With versions 6.3 through 7.1, type n2h2.

            With version 7.2 or newer, type smartfilter.

            If you are using Webwasher/Web Gateway, either will apply so type n2h2/smartfilter depending on your version.

             

            2. Apply the filtering to the traffic using the command:

            filter url [http | port[-port]] source_ip source_mask dest_ip dest_mask [allow] [proxy-block] [longurl-truncate | longurl-deny] [cgi-truncate]
            # example:
            filter url http 0 0 0 0 allow longurl-truncate
            

             

             

            3. To apply filtering to HTTPS traffic* use the following command:

            filter https source_ip source_mask dest_ip dest_mask [allow]
            # example
            filter https 443 0 0 0 0 allow
            

            *This "https" command will only work on versions 7.2 or newer, older versions will not support filtering of https traffic.

             

             

            4. (Optional) To exempt traffic from filtering, use the following command:

            filter (https|url) except source_ip source_mask dest_ip dest_mask
            # example
            filter url except 10.10.0.0 255.255.0.0 0 0
            

             

            5. (Optional) To enable buffering of HTTP replies for URLs that are pending a response from the IFP filter server, type the following command:

            For block_buffer_limit, type the maximum number of blocks (1 to 128) for the URL buffer.

            url-block block [block_buffer_limit]
            # example
            url-block block 128
            

             

            6. (Informational) To remove any of the commands from the device just copy the exact command and place a 'no' in front of it.

            # example
            no filter https 443 10.10.0.0 255.255.0.0 0 0 allow
            

             

             

            --------------------Troubleshooting Commands--------------------

            To view information about the current URL filtering scheme, type the following commands:

            show filter url
            show url-server
            

            Use these commands to find out the address and port number for the SmartFilter IFP server, the timeout period, and whether the allow option is enabled or disabled.

             

            To show the configuration related to url filtering, enter the following command:

            show running-config url-server
            

             

            To view statistics related to communication between the Cisco PIX/ASA Firewall and the SmartFilter IFP server, type the following commands:

            show url-server stat
            show url-block block stat
            show perfmon
            

            Use these commands to view the number of URL requests sent, responses received, pages blocked and allowed, and processing failures.

             

            Best Regards,

            Jon