  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 715

Advice on Cisco ASA inspection policies

I've been testing internet download speeds via our ASA5510, firmware version 8.2(1).

I've been downloading large Service Pack files from MS and am seeing single-session download speeds of around 200KB/s. We have an Ethernet-supplied dedicated Internet connection at 4Mb.

This speed is acceptable, as this actually equates to around 1.6Mb/s, which is just under half of our dedicated bandwidth.

I was tweaking some settings on the ASA and disabled the HTTP protocol inspection found under Configuration > Firewall > Service Policy Rules by editing the _inspection_default global policy.

The same file now downloads at around 400KB/s = 3.2Mb/s. My question is: does anyone have any experience of permanently disabling this feature, and if so, are there any known issues caused by this? Has anyone been affected by vulnerabilities? What am I leaving our network open to? From what I gather, this will mean the FW acts as a standard stateful firewall and so will not perform any form of higher-layer (layers 5-7) inspection for HTTP traffic.

I appreciate it performs additional security filtering and inspection of HTTP traffic, but am still unsure whether it is required. I guess it's a case of balancing download speeds with security and deciding which is most important to us.

Any advice would be appreciated.
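For reference, this is what the change described above looks like in the ASA CLI, together with a narrower alternative that keeps HTTP inspection only for traffic reaching an internal web server instead of dropping it everywhere. This is an added illustration, not configuration from the poster or from Cisco; the ACL and class-map names and the server address are placeholders.

```cisco
! Default global policy as shipped on ASA 8.x (abridged). Removing
! "inspect http" here is the change made in the ASDM GUI above:
! the ASA then treats port 80 flows as plain stateful TCP and no
! longer checks them for HTTP protocol conformance.
policy-map global_policy
 class inspection_default
  no inspect http
!
! Alternative: keep inspection where an attacker would aim it.
! Placeholder ACL/class names; replace 192.0.2.10 with the real
! published web server.
access-list INBOUND_HTTP extended permit tcp any host 192.0.2.10 eq www
!
class-map INBOUND_HTTP_CLASS
 match access-list INBOUND_HTTP
!
policy-map OUTSIDE_POLICY
 class INBOUND_HTTP_CLASS
  inspect http
!
! One interface policy per interface; the global policy still
! applies to everything not matched here.
service-policy OUTSIDE_POLICY interface outside
!
! Verify which flows are still being inspected:
show service-policy inspect http
```

With only the first block applied, outbound user downloads are no longer subject to HTTP inspection, which is the trade-off the question is weighing.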
1 Solution

PeterHing (Author) commented:
Hi There

Based on another FW at another site, I am testing the disabling of this feature. I can see a 40% throughput improvement.
