CCP Firewall policy - Post doesn't work


  • CCP Firewall policy - Post doesn't work

    I ran through CCP tonight on a 881 router for a customer and set it to high security.
    At first, everything seemed ok, then my friendly tester notified me that they can't post forms, or do basically anything but very similar web browsing.

    I've looked back over the config changes that were made (after reverting them!)
    I suspect the following is the issue:
    class-map type inspect http match-any ccp-app-httpmethods
     match request method bcopy
     match request method bdelete
     match request method bmove
     match request method bpropfind
     match request method bproppatch
     match request method connect
     match request method copy
    .....snip....
    Would I be on track?
    Please do show your appreciation to those who assist you by leaving Rep Point

  • #2
    Re: CCP Firewall policy - Post doesn't work

    Yes

    But without seeing the rest of the config, I would suggest checking the policy-map that is referencing the posted class-map. Based on the problem you describe, the policy-map is probably set to "drop" the methods listed in the class-map instead of pass or inspect the methods.

    Based on the company's security policy, you may want to create a separate class-map/policy-map definition for http methods. For instance, one that allows marketing staff to post to sites like Facebook and another that restricts (drops) attempts to "post" to all other websites.



    • #3
      Re: CCP Firewall policy - Post doesn't work

      Thanks!

      Class map, probably these:

      policy-map type inspect http ccp-action-app-http
       class type inspect http ccp-http-blockparam
        log
        reset
        exit
       class type inspect http ccp-app-httpmethods
        log
        reset
        exit
      I saw somewhere else that they changed it from "reset" to "allow"

      but I think the simpler option would be to remove the entire class-map
      Please do show your appreciation to those who assist you by leaving Rep Point
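
The check suggested in reply #2 (find the policy-map that references the class-map and look at its action) can be run over a saved config before it is applied. The script below is an added example, not code from the thread or from Cisco; the sample config is constructed, the presence of `post` in the method list is an assumption because the posted list is snipped, and `blocked_methods` is a hypothetical helper name.

```python
import re

# Constructed sample, shaped like the fragments quoted in the thread.
# Assumption: the snipped method list includes "post".
SAMPLE = """\
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method connect
 match request method post
class-map type inspect http match-any ccp-http-blockparam
 match req-resp protocol-violation
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  reset
 class type inspect http ccp-app-httpmethods
  log
  reset
"""

CMAP = re.compile(r"class-map type inspect http (?:match-(?:any|all) )?(\S+)$")
PMAP = re.compile(r"policy-map type inspect http (\S+)$")
PCLASS = re.compile(r"class type inspect http (\S+)$")
METHOD = re.compile(r"match\s+request method (\S+)$")

def blocked_methods(config):
    """Return {policy-map: {class-map: [methods]}} for classes whose action is reset."""
    methods, actions = {}, {}   # class-map -> methods; (policy, class) -> actions
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():
            cmap = pmap = pclass = None   # a top-level command closes the open block
        if m := CMAP.match(line):
            cmap = m.group(1)
            methods.setdefault(cmap, set())
        elif m := PMAP.match(line):
            pmap = m.group(1)
        elif pmap and (m := PCLASS.match(line)):
            pclass = m.group(1)
            actions[(pmap, pclass)] = set()
        elif cmap and (m := METHOD.match(line)):
            methods[cmap].add(m.group(1).lower())
        elif pclass and line in ("log", "reset", "allow"):
            actions[(pmap, pclass)].add(line)
    report = {}
    for (pm, cls), acts in actions.items():
        if "reset" in acts and methods.get(cls):   # only classes that match methods
            report.setdefault(pm, {})[cls] = sorted(methods[cls])
    return report
```

If `get` or `post` shows up in the returned lists, ordinary browsing or form submission through that policy will be reset, which matches the symptom in the first post.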
