Device Manager GUI Guide vA1(7), Cisco ACE 4700 Series Application Control Engine Appliance
Configuring Traffic Policies

Configuring Traffic Policies

Table Of Contents

Configuring Traffic Policies

Class Map and Policy Map Overview

Class Maps

Policy Maps

Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps

Application Protocol Inspection Overview

Performing Application Protocol Inspection

HTTP Deep Packet Inspection Overview

DNS Inspection Overview

FTP Inspection Overview

ICMP Inspection Overview

RTSP Inspection Overview

Configuring Virtual Context Class Maps

Deleting Class Maps

Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps

Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps

Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps

Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps

Configuring Virtual Context Policy Maps

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic

Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection

Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization

Special Characters for Matching String Expressions


Configuring Traffic Policies


ACE Appliance Device Manager helps you configure class maps and policy maps to provide a global level of classification for filtering traffic received by or passing through the ACE appliance. You create traffic policies and attach these policies to one or more VLAN interfaces associated with the ACE appliance to apply feature-specific actions to the matching traffic. The ACE appliance uses the individual traffic policies to implement functions such as:

Remote access using Secure Shell (SSH) or Telnet

Server load balancing

Network Address Translation (NAT)

HTTP deep packet inspection, application protocol inspection, or FTP command inspection

Secure Socket Layer (SSL) security services between a Web browser (the client) and the HTTP connection (the server)

TCP termination, normalization, and reuse

IP normalization and fragment reassembly

Related Topics

Class Map and Policy Map Overview

Configuring Virtual Context Class Maps

Configuring Virtual Context Policy Maps

Class Map and Policy Map Overview

You classify inbound network traffic destined to, or passing through, the ACE appliance based on a series of flow match criteria specified by a class map. Each class map defines a traffic classification; that is, network traffic that is of interest to you. A policy map defines a series of actions (functions) that you want applied to a set of classified inbound traffic.

Class maps enable you to classify network traffic based on the following criteria:

Layer 3 and Layer 4 traffic flow information—Source or destination IP address, source or destination port, virtual IP address, IP protocol and port, or management protocol

Layer 7 protocol information—HTTP cookie, HTTP URL, HTTP header, HTTP content, or FTP request commands

The traffic classification process consists of the following three steps:

1. Creating a class map, which comprises a set of match criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.

2. Creating a policy map, which refers to the class maps and identifies a series of actions to perform based on the traffic match criteria.

3. Activating the policy map and attaching it to a specific VLAN interface or globally to all VLAN interfaces associated with a context by configuring a virtual context global traffic policy to filter traffic received by the ACE appliance.

Traffic policies support the following feature-specific actions performed by the ACE appliance:

Remote access using the following management protocols: HTTP, HTTPS, Internet Control Message Protocol (ICMP), Simple Network Management Protocol (SNMP), Secure Shell (SSH), or Telnet

Server load balancing based on Layer 3 and Layer 4 connection information (virtual IP address)

Application acceleration and optimization

Server load balancing based on Layer 7 HTTP-related information (such as HTTP headers, cookies, and URLs), or client source IP address

SSL security services between a Web browser (the client) and the HTTP connection (the server)

HTTP deep packet inspection

FTP command request inspection

Application protocol inspection (also known as protocol fixup)

NAT

TCP/IP termination and normalization

Exchange XML documents over HTTP or secure HTTP (HTTPS)

The following overview topics describe the components that define a traffic policy:

Class Maps

Policy Maps

Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps

Configuring Virtual Context Global Traffic Policies, page 2-22

Class Maps

A class map defines each type of Layer 3 and Layer 4 traffic class and each Layer 7 protocol class. You create class maps to classify the traffic received and transmitted by the ACE appliance.

Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can pass through the ACE appliance or network management traffic that can be received by the ACE appliance.

Layer 7 protocol-specific classes identify server load balancing based on HTTP traffic, deep inspection of HTTP traffic, or the inspection of FTP commands by the ACE appliance.

A traffic class contains the following components:

Class map name

Class map type

One or more match conditions that define the match criteria for the class map

Instructions on how the ACE appliance evaluates match conditions when you specify more than one match statement in a traffic class (match-any, match-all)

The ACE supports a system-wide maximum of 8192 class maps.

The individual match conditions specify the criteria for classifying Layer 3 and Layer 4 network traffic as well as the Layer 7 HTTP server load balancing and application protocol-specific fields. The ACE appliance evaluates the packets to determine whether they match the specified criteria. If a statement matches, the ACE appliance considers that packet to be a member of the class and forwards the packet according to the specifications set in the traffic policy. Packets that fail to meet any of the matching criteria are classified as members of the default traffic class if one is specified.

The ACE appliance allows you to nest two Layer 7 HTTP load-balancing class maps to create a single traffic class, which lets you build complex logical expressions (for example, a match-all class that contains a match-any class). Nesting is restricted to two levels: a class map that already contains a nested class map cannot itself be nested under another class map.

Related Topics

Configuring Traffic Policies

Configuring Virtual Context Class Maps

Policy Maps

A policy map creates the traffic policy. The purpose of a traffic policy is to implement specific ACE appliance functions associated with a traffic class. A traffic policy contains the following components:

Policy map name

Previously created traffic class map or, optionally, the class-default class map

One or more of the individual Layer 3 and Layer 4 or Layer 7 policies that specify the actions to be performed by the ACE appliance

The ACE appliance supports a system-wide maximum of 4096 policy maps.

A Layer 7 policy map is always associated within a Layer 3 and Layer 4 policy map to provide an entry point for traffic classification. Layer 7 policy maps are considered to be child policies and can only be nested under a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on a VLAN interface; a Layer 7 policy map cannot be directly applied on an interface. For example, to associate a Layer 7 load-balancing policy map, you nest the load-balancing policy map by using the Layer 3 and Layer 4 Policy map action type.

If none of the class maps in a policy map matches, the ACE appliance executes the actions configured for the default class (the entry created with the Use Class Default option), if one is specified. All traffic that fails to meet the matching criteria of the named class maps belongs to this default traffic class. The default class has an implicit match-any statement and therefore matches any traffic classification.

The ACE appliance supports flexible class map ordering within a policy map. The ACE appliance executes only the actions for the first matching traffic classification, so the order of class maps within a policy map is very important. The policy lookup order is based on the security features of the ACE appliance. The policy lookup order is implicit, irrespective of the order in which you configure policies on the interface.

The policy lookup order of the ACE appliance is as follows:

1. Access control (permit or deny a packet)

2. Permit or deny management traffic

3. TCP/UDP connection parameters

4. Load balancing based on a virtual IP (VIP)

5. Application protocol inspection

6. Source NAT

7. Destination NAT

The sequence in which the ACE appliance applies the actions for a specific policy is independent of the actions configured for a class map inside a policy.
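The class-map and policy-map semantics described above (match-any versus match-all, two-level nesting of Layer 7 class maps, first-match evaluation with a class-default entry, and a Layer 7 policy map nested as the action of a Layer 3 and Layer 4 policy map) can be modelled in a few dozen lines. The following Python block is an added example written for this page; it is not ACE code or Cisco's own implementation, and the class names, server farm names, VIP 192.0.2.100 and the address prefixes are assumptions chosen for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Flow:
    """The fields of a client request that the match conditions below look at."""
    src: str
    dst: str
    dport: int
    url: str = ""
    headers: dict = field(default_factory=dict)


@dataclass
class ClassMap:
    name: str
    mode: str           # "match-any" or "match-all"
    conditions: list    # predicates on a Flow, or nested ClassMaps (max two levels on the ACE)

    def matches(self, flow: Flow) -> bool:
        results = (c.matches(flow) if isinstance(c, ClassMap) else c(flow)
                   for c in self.conditions)
        return any(results) if self.mode == "match-any" else all(results)


# Match conditions modelled on the ones the GUI offers (assumed simplifications).
def match_virtual_address(vip: str, port: int):
    return lambda f: f.dst == vip and f.dport == port

def match_source_address(prefix: str):
    net = ipaddress.ip_network(prefix)
    return lambda f: ipaddress.ip_address(f.src) in net

def match_http_url(pattern: str):
    rx = re.compile(pattern)
    return lambda f: rx.search(f.url) is not None

def match_http_header(name: str, pattern: str):
    rx = re.compile(pattern)
    return lambda f: rx.search(f.headers.get(name, "")) is not None


# The implicit match-any class that catches everything the named classes missed.
CLASS_DEFAULT = ClassMap("class-default", "match-any", [lambda f: True])


@dataclass
class PolicyMap:
    name: str
    entries: list       # ordered (ClassMap, action) pairs; only the first match acts

    def lookup(self, flow: Flow):
        for cmap, action in self.entries:
            if cmap.matches(flow):
                return cmap.name, action
        return None     # nothing matched and no class-default was configured


# Assumed configuration: static content, internal admin requests, and a nested class.
IMAGES = ClassMap("IMAGES", "match-any", [match_http_url(r"\.(gif|jpe?g|png)$")])
ADMIN = ClassMap("ADMIN", "match-all",
                 [match_http_url(r"^/admin"), match_source_address("10.0.0.0/8")])
STATIC_OR_ADMIN = ClassMap("STATIC-OR-ADMIN", "match-any", [IMAGES, ADMIN])

LB_POLICY = PolicyMap("LB-POLICY", [        # Layer 7 load-balancing policy map
    (ADMIN, "serverfarm ADMIN-FARM"),
    (IMAGES, "serverfarm STATIC-FARM"),
    (CLASS_DEFAULT, "serverfarm WEB-FARM"),
])

# Same classes in the wrong order: class-default first shadows everything after it.
BAD_ORDER = PolicyMap("BAD-ORDER", [
    (CLASS_DEFAULT, "serverfarm WEB-FARM"),
    (ADMIN, "serverfarm ADMIN-FARM"),
])

# Layer 3/4 policy map whose action for the VIP class is the nested Layer 7 policy map.
VIP_HTTP = ClassMap("VIP-HTTP", "match-all", [match_virtual_address("192.0.2.100", 80)])
CLIENT_VIPS = PolicyMap("CLIENT-VIPS", [(VIP_HTTP, LB_POLICY)])


def dispatch(flow: Flow):
    """Layer 3/4 lookup first; a nested Layer 7 policy map is consulted only on a hit."""
    hit = CLIENT_VIPS.lookup(flow)
    if hit is None:
        return None
    l4_class, action = hit
    return action.lookup(flow) if isinstance(action, PolicyMap) else (l4_class, action)


def classify(url: str, src: str = "198.51.100.20"):
    return dispatch(Flow(src, "192.0.2.100", 80, url))
```

Note the two things the model makes visible: ADMIN is match-all, so the same URL from an external source falls through to class-default, and with class-default placed first no later class is ever consulted, because the ACE executes only the first matching classification.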

Related Topics

Configuring Traffic Policies

Configuring Virtual Context Policy Maps

Parameter Maps and Their Use in Layer 3 and Layer 4 Policy Maps

Parameter maps allow you to combine related actions in a Layer 3 and Layer 4 policy map. For example, an HTTP parameter map provides a means of performing actions on traffic ingressing an ACE appliance interface based on certain criteria such as HTTP header and cookie settings, server connection reuse, action to be taken when an HTTP header, cookie or URL exceeds a configured maximum length, and so on.

The ACE appliance uses policy maps to combine class maps and parameter maps into traffic policies and to perform certain configured actions on the traffic that matches the specified criteria in the policies.

The ACE Appliance Device Manager supports the following types of parameter maps:

Connection parameter maps that combine all TCP and IP connection-related behaviors pertaining to:

TCP normalization, termination, and server reuse

IP normalization, fragmentation, and reassembly

HTTP parameter maps that configure HTTP behavior for HTTP load-balanced connections.

SSL parameter maps that define the SSL session parameters that the ACE appliance applies to an SSL proxy service. SSL parameter maps let you apply the same SSL session parameters to different proxy services. You create an SSL parameter map for SSL termination and for SSL initiation.

Optimization parameter maps that define specific functions pertaining to application acceleration and optimization as performed by the ACE appliance. In this case, an optimization parameter map can be used to group the acceleration and optimization functions that fine-tune or control the actions specified in an associated optimization HTTP action list.

Related Topics

Using Parameter Maps, page 3-85

Configuring Connection Parameter Maps, page 3-85

Configuring HTTP Parameter Maps, page 3-91

Configuring Optimization Parameter Maps, page 3-93

Application Protocol Inspection Overview

Certain applications require special handling of the data portion of a packet as the packets pass through the ACE appliance. Application protocol inspection helps to verify the protocol behavior and identify unwanted or malicious traffic passing through the ACE appliance. Based on the specifications of the traffic policy, the ACE appliance accepts or rejects the packets to ensure the secure use of applications and services.

For information about application protocol inspection as configured and performed by the ACE appliance, see:

Performing Application Protocol Inspection

HTTP Deep Packet Inspection Overview

DNS Inspection Overview

FTP Inspection Overview

ICMP Inspection Overview

RTSP Inspection Overview

Performing Application Protocol Inspection

You can configure the ACE appliance to perform application protocol inspection, sometimes referred to as application protocol "fixup," for applications that:

Embed IP addressing information in the data packet, including the data payload.

Open secondary channels on dynamically assigned ports.

You may require that the ACE appliance perform application inspection of HTTP, FTP, DNS, ICMP, and RTSP protocols as a first step before passing the packets to the destination server. For HTTP, the ACE appliance performs deep packet inspection to statefully monitor the HTTP protocol and permits or denies traffic based on user-defined traffic policies. HTTP deep packet inspection focuses mainly on HTTP attributes such as the HTTP header, the URL, and the payload. For FTP, the ACE appliance performs FTP command inspection on FTP sessions, which lets you block specific commands.

Application inspection helps you identify the location of embedded IP addressing information in the TCP or UDP flow. This inspection allows the ACE appliance to translate embedded IP addresses and to update any checksum or other fields that are affected by the translation.

The need to translate IP addresses embedded in the payload of protocols is especially important for NAT (explicitly configured by the user) and server load-balancing (an implicit NAT).

Application inspection also monitors TCP or UDP sessions to determine the port numbers for secondary channels. Some protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application protocol inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the session.

You configure rules for application protocol inspection through the use of class maps and policy maps. The following items summarize the role of each function in configuring application protocol inspection:

Layer 7 Class Map—Provides the Layer 7 network traffic classification to identify HTTP deep protocol inspection attributes (such as HTTP header and URL) and FTP request commands.

Layer 7 Policy Map—Configures the applicable HTTP deep packet inspection or FTP request command actions executed on the network traffic that match the classifications defined in the Layer 7 class map.

Layer 3 and Layer 4 Class Map—Classifies network traffic passing through the ACE appliance for application inspection and matches traffic associated with the specified conditions in a policy map.

Layer 3 and Layer 4 Policy Map—Enables HTTP, DNS, FTP, ICMP, and RTSP protocol inspection and FTP command inspection for a traffic classification that matches the criteria listed in the class map.

Table 7-1 describes the application inspection protocols supported by the ACE appliance, the default TCP or UDP protocol and port, and whether the protocol is compatible with Network Address Translation (NAT) and Port Address Translation (PAT).

Table 7-1 Application Inspection Support

Each entry lists the application protocol, the transport protocol, the default source and destination port, NAT/PAT support, whether inspection is enabled by default, the standards the ACE appliance follows (1), and comments or limitations.

DNS
  Protocol: UDP. Port: Src any, Dest 53. NAT/PAT support: NAT. Enabled by default: No. Standards: RFC 1123.
  Inspects DNS packets destined to port 53. You can specify the maximum length of the DNS packet to be inspected. See DNS Inspection Overview for background information.

FTP
  Protocol: TCP. Port: Src any, Dest 21. NAT/PAT support: Both. Enabled by default: Yes. Standards: RFC 959.
  Inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data. See FTP Inspection Overview for background information.

FTP strict
  Protocol: TCP. Port: Src any, Dest 21. NAT/PAT support: Both. Enabled by default: No. Standards: RFC 959.
  The FTP Strict field allows the ACE appliance to track each FTP command and response sequence, and also prevents an FTP client from determining valid usernames that are supported on an FTP server. See FTP Inspection Overview for background information.

HTTP
  Protocol: TCP. Port: Src any, Dest 80. NAT/PAT support: Both. Enabled by default: No. Standards: RFC 2616.
  Inspects HTTP packets. See HTTP Deep Packet Inspection Overview for background information.

ICMP
  Protocol: ICMP. Port: N/A. NAT/PAT support: Both. Enabled by default: No. Standards: none listed.
  See ICMP Inspection Overview for background information.

ICMP error
  Protocol: ICMP. Port: N/A. NAT/PAT support: NAT. Enabled by default: No. Standards: none listed.
  The ICMP Error field supports NAT of ICMP error messages. When you enable ICMP error inspection, the ACE appliance creates translation sessions for intermediate hops that send ICMP error messages, based on the NAT configuration. The ACE appliance overwrites the packet with the translated IP addresses. See ICMP Inspection Overview for background information.

RTSP
  Protocol: TCP. Port: Src any, Dest 554. NAT/PAT support: NAT. Enabled by default: No. Standards: RFC 2326, RFC 2327, RFC 1889.
  Inspects RTSP packets and translates the payload according to NAT rules. The ACE appliance opens secondary channels for audio and video. Not all the RTSP methods (packet types) specified in the RFC are supported. See RTSP Inspection Overview for background information.

1 The ACE appliance is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the ACE appliance does not enforce the order.


Related Topics

Configuring Virtual Context Class Maps

Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps

Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps

Configuring Virtual Context Policy Maps

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection

HTTP Deep Packet Inspection Overview

The ACE appliance performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a special case of application inspection where the ACE appliance examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the main focus of the application inspection process is on HTTP attributes such as HTTP header, URL, and to a limited extent, the payload. User-defined regular expressions can also be used to detect "signatures" in the payload.

You define policies to permit or deny the traffic, or to send a TCP reset message to the client or server to close the connection.

The security features covered by HTTP application inspection include:

RFC compliance monitoring and RFC method filtering

Content, URL, and HTTP header length checks

Transfer-encoding methods

Content type verification and filtering

Port 80 misuse

Related Topics

Performing Application Protocol Inspection

DNS Inspection Overview

FTP Inspection Overview

ICMP Inspection Overview

RTSP Inspection Overview

DNS Inspection Overview

Domain Name System (DNS) inspection performs the following tasks:

Monitors the message exchange to ensure that the ID of the DNS response matches the ID of the DNS query.

Allows one DNS response for each DNS query in a UDP connection. The ACE appliance removes the DNS session associated with the DNS query as soon as the DNS reply is forwarded.

Translates the DNS A-record based on the NAT configuration. Only forward lookups use NAT; the ACE appliance does not handle PTR records.


Note The DNS rewrite function is not applicable for PAT because multiple PAT rules are applicable for each A-record. The use of multiple PAT rules makes it difficult for the ACE appliance to properly choose the correct PAT rule.


Performs a maximum DNS packet length check to verify that the maximum length of a DNS reply is no greater than the value specified in the DNS inspection option.


Note If you specify the DNS inspection option without specifying a value in the DNS Maximum Length field, the ACE appliance does not check the DNS packet size.


Performs a number of security checks, including:

Verification that the maximum label length is no greater than 63 bytes

Verification that the maximum domain name length is no greater than 255 bytes

Check for the existence of compression loops

A single connection is created for multiple DNS sessions, as long as the DNS sessions are between the same two hosts, and the sessions have the same 5-tuple (source and destination IP address, source and destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
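The checks listed above (query/response ID matching, a maximum message length, the 63-byte label and 255-byte name limits, and detection of compression loops) are all decisions made on the DNS wire format. The following Python block is an added example that implements them over constructed messages; it is not the ACE appliance's code, the message layouts follow RFC 1035, and the transaction ID, name and address used in the samples are chosen for illustration.

```python
import struct

MAX_LABEL_LEN = 63    # RFC 1035 label limit enforced by the inspection
MAX_NAME_LEN = 255    # total wire length of a name, length bytes included


class DnsInspectError(Exception):
    """A message failed an inspection check (the appliance would drop it)."""


def read_name(msg: bytes, offset: int):
    """Parse one possibly compressed domain name starting at offset.

    Returns (dotted_name, offset_after_name). Raises on over-long labels or
    names, truncation, and compression pointers that form a loop.
    """
    labels, wire_len = [], 0
    seen = set()       # offsets already visited: revisiting one means a loop
    resume = None      # where the caller continues after the first pointer
    while True:
        if offset >= len(msg):
            raise DnsInspectError("name runs past end of message")
        if offset in seen:
            raise DnsInspectError("compression loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise DnsInspectError("truncated compression pointer")
            if resume is None:
                resume = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length > MAX_LABEL_LEN:                    # 64..191 are the reserved 01/10 label types
            raise DnsInspectError(f"label of {length} bytes exceeds {MAX_LABEL_LEN}")
        wire_len += length + 1
        if wire_len > MAX_NAME_LEN:
            raise DnsInspectError(f"domain name exceeds {MAX_NAME_LEN} bytes")
        if length == 0:                               # root label terminates the name
            return ".".join(labels), (resume if resume is not None else offset + 1)
        label = msg[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise DnsInspectError("label runs past end of message")
        labels.append(label.decode("ascii", "replace"))
        offset += 1 + length


def inspect_dns(msg: bytes, max_len=None):
    """Check one DNS message; returns (transaction id, names seen in the sections)."""
    if max_len is not None and len(msg) > max_len:
        raise DnsInspectError(f"{len(msg)}-byte message exceeds DNS maximum length {max_len}")
    if len(msg) < 12:
        raise DnsInspectError("header truncated")
    ident, _flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    offset, names = 12, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
        names.append(name)
    for _ in range(ancount + nscount + arcount):
        name, offset = read_name(msg, offset)
        if offset + 10 > len(msg):
            raise DnsInspectError("resource record header truncated")
        rdlength = struct.unpack("!H", msg[offset + 8:offset + 10])[0]
        offset += 10 + rdlength                       # TYPE, CLASS, TTL, RDLENGTH, RDATA
        names.append(name)
    if offset > len(msg):
        raise DnsInspectError("resource record data truncated")
    return ident, names


def check_response(query: bytes, response: bytes, max_len=None):
    """Pair a reply with its query: IDs must match and the reply must pass inspection."""
    query_id, _ = inspect_dns(query)
    reply_id, names = inspect_dns(response, max_len)
    if query_id != reply_id:
        raise DnsInspectError("response ID does not match query ID")
    return names


def failure(msg: bytes, query=None, max_len=None):
    """Return the inspection failure reason, or None when the message passes."""
    try:
        check_response(query, msg, max_len) if query is not None else inspect_dns(msg, max_len)
        return None
    except DnsInspectError as e:
        return str(e)


# Constructed sample messages (not captured traffic).
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def make_query(ident: int, name: str) -> bytes:
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"

def make_response(ident: int, name: str, ip: bytes) -> bytes:
    # Answer name is a pointer to the question name at offset 12; A record, TTL 3600.
    answer = b"\xC0\x0C" + b"\x00\x01\x00\x01" + b"\x00\x00\x0E\x10" + b"\x00\x04" + ip
    return struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01" + answer

QUERY = make_query(0x1234, "www.example.com")
RESPONSE = make_response(0x1234, "www.example.com", bytes([192, 0, 2, 10]))
LOOPING = struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0) + b"\xC0\x0C" + b"\x00\x01\x00\x01"  # name points at itself
LONG_LABEL = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + bytes([64]) + b"a" * 64 + b"\x00" + b"\x00\x01\x00\x01"
```

The length check is applied only to the reply, as the option above describes; names inside RDATA (CNAME, NS targets) are not walked here, which is where a production parser would have to apply the same label and loop checks.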

Related Topics

Performing Application Protocol Inspection

HTTP Deep Packet Inspection Overview

FTP Inspection Overview

ICMP Inspection Overview

RTSP Inspection Overview

FTP Inspection Overview

File Transfer Protocol (FTP) inspection inspects FTP sessions for address translation in a message, dynamic opening of ports, and stateful tracking of request and response messages. Each FTP command must be acknowledged by the server before the ACE appliance allows the next command. Command filtering lets you block specific commands; when the ACE appliance denies a command, it closes the connection.

The FTP command inspection process, as performed by the ACE appliance:

Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be prenegotiated. The port is negotiated through the PORT or PASV commands.

Tracks the FTP command-response sequence. The ACE appliance performs the command checks listed below. If you specify the FTP Strict field in a Layer 3 and Layer 4 policy map, the ACE appliance tracks each FTP command and response sequence for the anomalous activity outlined below. The FTP Strict parameter is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and Layer 4 policy map) to deny certain FTP commands or to mask the server reply for SYST command.


Note The use of the FTP Strict parameter may affect FTP clients that do not comply with the RFC standards.


Truncated command—Checks the number of commas in the PORT command and the PASV reply against a fixed value of five. If the count is not five, the ACE appliance assumes that the command is truncated, issues a warning message, and closes the TCP connection.

Incorrect command—Checks that the FTP command ends with the <CR><LF> characters required by RFC 959. If it does not, the ACE appliance closes the connection.

Size of RETR and STOR commands—Checks the size of the RETR and STOR commands against a fixed constant of 256 bytes. If the size is greater, the ACE appliance logs an error message and closes the connection.

Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT command is sent from the server, the ACE appliance denies the TCP connection.

Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server. If a PASV reply command is sent from the client, the ACE appliance denies the TCP connection. This denial prevents a security hole when the user executes "227 xxxxx a1, a2, a3, a4, p1, p2."

Invalid port negotiation—Checks the negotiated dynamic port value to verify that it is greater than 1024 (port numbers in the range from 2 to 1024 are reserved for well-known connections). If the negotiated port falls in this range, the ACE appliance closes the TCP connection.

Command pipelining—Checks the number of characters present after the port numbers in the PORT and PASV reply command against a constant value of 8. If the number of characters is greater than 8, the ACE appliance closes the TCP connection.

Translates embedded IP addresses in conjunction with NAT. FTP command inspection translates the IP address within the application payload. Refer to RFC 959 for background details.
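The strict checks listed above are simple enough to state as code, and doing so makes clear which side of the control channel each one watches. The following Python block is an added example, not the ACE appliance's implementation: it applies the CRLF, truncation, RETR/STOR size, command-spoofing, reply-spoofing, reserved-port and pipelining checks to one control-channel line at a time, using the fixed constants the text gives (five commas, 256 bytes, port 1024, eight trailing characters). The sample exchange and the addresses in it are constructed.

```python
import re

MAX_RETR_STOR_LEN = 256   # size limit applied to RETR and STOR commands
MAX_TRAILING = 8          # characters allowed after the port tuple (pipelining check)
LOWEST_DATA_PORT = 1025   # negotiated port must be greater than 1024

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply
TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class FtpStrictViolation(Exception):
    """A check failed; the appliance closes the control connection."""


def parse_host_port(args: str):
    """Validate a PORT argument or 227 reply text and return (host, port)."""
    if args.count(",") != 5:
        raise FtpStrictViolation("truncated PORT/PASV tuple")
    m = TUPLE.search(args)
    if m is None:
        raise FtpStrictViolation("malformed PORT/PASV tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise FtpStrictViolation("tuple value exceeds 255")
    port = p1 * 256 + p2
    if port < LOWEST_DATA_PORT:
        raise FtpStrictViolation(f"negotiated port {port} is in the reserved range")
    if len(args) - m.end() > MAX_TRAILING:
        raise FtpStrictViolation("extra data after the port numbers (command pipelining)")
    return f"{h1}.{h2}.{h3}.{h4}", port


def inspect_ftp_line(line: bytes, from_client: bool) -> str:
    """Apply the strict checks to one line; describe it if accepted, else raise."""
    if not line.endswith(b"\r\n"):
        raise FtpStrictViolation("command not terminated by CRLF")
    text = line[:-2].decode("ascii", "replace")
    verb, _, args = text.partition(" ")
    verb = verb.upper()
    if from_client:
        if verb == "227":
            raise FtpStrictViolation("227 reply sent by the client (reply spoofing)")
        if verb in ("RETR", "STOR") and len(text) > MAX_RETR_STOR_LEN:
            raise FtpStrictViolation(f"{verb} command longer than {MAX_RETR_STOR_LEN} bytes")
        if verb == "PORT":
            host, port = parse_host_port(args)
            return f"client data port {host}:{port}"
        return f"command {verb}"
    if verb == "PORT":
        raise FtpStrictViolation("PORT command sent by the server (command spoofing)")
    if verb == "227":
        host, port = parse_host_port(args)
        return f"server data port {host}:{port}"
    return f"reply {verb}"


def violation(line: bytes, from_client: bool):
    """Return the violation text, or None when the line is accepted."""
    try:
        inspect_ftp_line(line, from_client)
        return None
    except FtpStrictViolation as e:
        return str(e)


# Constructed control-channel exchange (not a capture); True = sent by the client.
CLIENT, SERVER = True, False
SAMPLE = [
    (SERVER, b"220 ftp ready\r\n"),
    (CLIENT, b"USER anonymous\r\n"),
    (SERVER, b"331 Please specify the password.\r\n"),
    (CLIENT, b"PASS guest\r\n"),
    (SERVER, b"230 Login successful.\r\n"),
    (CLIENT, b"PASV\r\n"),
    (SERVER, b"227 Entering Passive Mode (10,0,0,5,195,80).\r\n"),
    (CLIENT, b"PORT 192,168,1,10,4,1\r\n"),
]


def inspect_session(lines):
    """Run every line of an exchange through the checks, in order."""
    return [inspect_ftp_line(line, from_client) for from_client, line in lines]
```

The host and port returned for an accepted PORT or 227 line are what the appliance uses to open the secondary data channel; a line that raises never reaches that step.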

Related Topics

Performing Application Protocol Inspection

HTTP Deep Packet Inspection Overview

DNS Inspection Overview

ICMP Inspection Overview

RTSP Inspection Overview

ICMP Inspection Overview

Internet Control Message Protocol (ICMP) inspection allows ICMP traffic to have a "session" so it can be inspected similarly to TCP and UDP traffic. If you do not use ICMP inspection, we recommend that you do not allow ICMP traffic to pass through the ACE appliance in an ACL because ICMP can be used to attack your network. ICMP inspection ensures that there is only one response for each request, and that the sequence number is correct.

With stateful ICMP inspection, the ACE appliance keeps per-flow state for ICMP, as it does for TCP and UDP flows, instead of applying only the ACL and NAT functions. ICMP state is needed to handle the following cases:

ICMP reply messages without request messages

Unsolicited ICMP error message

Unknown ICMP types

ICMP error messages are generated by intermediate nodes situated on the network path to a destination whenever a packet sent to that destination cannot be forwarded. ICMP error messages may also be generated by endpoint nodes, as in the case of port unreachable errors. These error messages carry the original packet for which the error is generated in the data part of the message. They also contain the addresses of the intermediate node or endpoint node in the outer header and destination in the inner header. ICMP error fixup handles address translation of node address and destination address to global addresses using NAT configuration.

ICMP error fixup is user-configurable, and if not enabled, intermediate node or endpoint node addresses are translated in the same way as the destination address of the embedded packet. As a result, error messages appear as if originating from the destination and the node addresses or the route to destination is not revealed.

ICMP inspection performs the following tasks for ICMP request or reply messages:

Creates a bidirectional session or connection record. The lookup key in the forward direction is the source IP address, destination IP address, protocol, ICMP type, ICMP identifier, and VLAN.

Keeps in the connection record a sequence number window that lists the sequence numbers of outstanding requests for which replies are pending.

Applies a timeout to the connection record so that an inactive record can be reused for other flows, which also protects the inside network against fraudulent ICMP reply packets.

Allows reply packets only if a valid connection record exists and prevents the reply packets from passing through an ACL again if the connection record (or the state information) exists.

Creates a connection record for the transit ICMP request or reply packets, and also for those packets addressed to or from the ACE appliance.

ICMP error message inspection performs the following tasks:

Extracts the embedded IP header in the ICMP error message and checks for the presence of a connection record corresponding to the embedded packet for which the error message has been generated.

Performs an ACL check on the ICMP error message regardless of whether a session exists for the embedded packet. The ICMP error message itself is stateless and requires access control.

Allocates NAT translation entries (xlate) for intermediate nodes or endpoint nodes to perform NAT of a local IP address to a global IP address in any ICMP error message.

Updates the checksum in the outer and inner headers.
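The request/reply tracking described above (a bidirectional record keyed on source, destination, protocol, ICMP type, identifier and VLAN; a window of outstanding sequence numbers; one reply per request; a timeout that retires idle records) is shown below as an added Python example. It is a model written for this page, not ACE code, and it covers only echo request/reply; the trace it runs over is constructed, with an idle timeout of two seconds chosen for illustration.

```python
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int      # ICMP identifier
    seq: int        # ICMP sequence number
    vlan: int       # VLAN the packet arrived on


class IcmpInspector:
    """Stateful tracking of echo request/reply pairs."""

    def __init__(self, idle_timeout: float = 2.0):
        self.idle_timeout = idle_timeout
        # forward key -> {"pending": outstanding sequence numbers, "last": last activity}
        self.sessions = {}

    @staticmethod
    def key(src, dst, ident, vlan):
        # Lookup key in the forward direction: src, dst, protocol, type, id, VLAN.
        return (src, dst, "icmp", ECHO_REQUEST, ident, vlan)

    def _expire(self, now: float):
        idle = [k for k, s in self.sessions.items() if now - s["last"] > self.idle_timeout]
        for k in idle:
            del self.sessions[k]      # record can now be reused by another flow

    def handle(self, pkt: IcmpPacket, now: float) -> str:
        """Return "permit" or a "drop: ..." reason for one transit packet."""
        self._expire(now)
        if pkt.icmp_type == ECHO_REQUEST:
            s = self.sessions.setdefault(self.key(pkt.src, pkt.dst, pkt.ident, pkt.vlan),
                                         {"pending": set(), "last": now})
            s["pending"].add(pkt.seq)
            s["last"] = now
            return "permit"
        if pkt.icmp_type == ECHO_REPLY:
            # A reply is matched against the request that travelled the other way.
            s = self.sessions.get(self.key(pkt.dst, pkt.src, pkt.ident, pkt.vlan))
            if s is None:
                return "drop: reply without a request"
            if pkt.seq not in s["pending"]:
                return "drop: sequence number not outstanding"
            s["pending"].remove(pkt.seq)     # exactly one reply per request
            s["last"] = now
            return "permit"
        return "drop: unknown ICMP type"


def run(packets):
    """Feed (time, packet) pairs through one inspector and collect the verdicts."""
    insp = IcmpInspector(idle_timeout=2.0)
    return [insp.handle(p, t) for t, p in packets]


# Constructed trace (not a capture): a ping and its reply, a replayed copy of
# that reply, an unsolicited reply, and a reply arriving after the record expired.
TRACE = [
    (0.0, IcmpPacket("10.1.1.5", "192.0.2.10", ECHO_REQUEST, 0x2A, 1, 100)),
    (0.1, IcmpPacket("192.0.2.10", "10.1.1.5", ECHO_REPLY, 0x2A, 1, 100)),
    (0.2, IcmpPacket("192.0.2.10", "10.1.1.5", ECHO_REPLY, 0x2A, 1, 100)),
    (0.3, IcmpPacket("203.0.113.7", "10.1.1.5", ECHO_REPLY, 0x99, 7, 100)),
    (0.4, IcmpPacket("10.1.1.5", "192.0.2.10", ECHO_REQUEST, 0x2A, 2, 100)),
    (5.0, IcmpPacket("192.0.2.10", "10.1.1.5", ECHO_REPLY, 0x2A, 2, 100)),
]
```

Because a reply is permitted only when a record with that sequence number outstanding exists, the replayed reply and the unsolicited one are dropped without consulting an ACL, and the late reply is dropped because the record has already been retired by the timeout.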

Related Topics

Performing Application Protocol Inspection

HTTP Deep Packet Inspection Overview

DNS Inspection Overview

FTP Inspection Overview

RTSP Inspection Overview

RTSP Inspection Overview

Real Time Streaming Protocol (RTSP) is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. RTSP applications use the well-known port 554 with TCP and UDP as the control channel. The ACE appliance only supports TCP in conformity with RFC 2326.

The TCP control channel negotiates the data channels used to transmit audio and video traffic, depending on the transport mode that is configured on the client. The supported data transport modes are: rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp. Data transport types rtp/avp/tcp and x-real-rdt/tcp use the control channel to stream data. RTSP inspection is not required in this case to open a pinhole for the data channel.

The ACE appliance parses SETUP response messages with a status code of 200.

Because RFC 2326 does not require that the client and server ports be contained in the SETUP response message, the ACE appliance must keep track of state and remember the client ports in the SETUP message. QuickTime places the client ports in the SETUP message; the server responds with only the server ports.

During RTSP inspection, the ACE appliance does not:

Inspect RTSP messages passing through UDP ports.

Support RealNetworks multicast mode (x-real-rdt/mcast).

Support the ability to recognize HTTP cloaking where RTSP messages are hidden in HTTP messages.

Perform NAT on RTSP messages because the embedded IP addresses are contained in the Session Description Protocol (SDP) files as part of HTTP or RTSP messages.

The following additional restrictions apply to RTSP inspection as performed by the ACE appliance:

With Cisco IP/TV, the number of translations the ACE appliance performs on the SDP part of the message is proportional to the number of program listings in the Content Manager (each program listing can have at least six embedded IP addresses).

When using RealPlayer, you must properly configure transport mode. For the ACE appliance, add an ACL classification from the server to the client. For RealPlayer, change the transport mode by clicking Tools > Preferences > Connection > Network Transport > RTSP Settings.

If you use TCP mode on the RealPlayer, check the Attempt to use TCP for all content check box. It is not necessary to configure RTSP application inspection on the ACE appliance.

If you use UDP mode on the RealPlayer, check the Attempt to use UDP for all content check box. Configure RTSP application inspection on the ACE appliance. See Configuring Virtual Server Protocol Inspection, page 3-20 for information on configuring protocol inspection.

Related Topics

Performing Application Protocol Inspection

HTTP Deep Packet Inspection Overview

DNS Inspection Overview

FTP Inspection Overview

ICMP Inspection Overview

Configuring Virtual Context Class Maps

Class maps are used to define each Layer 3 and Layer 4 traffic class and each Layer 7 protocol class. You create class maps to classify the traffic received and transmitted by the ACE appliance.

Layer 3 and Layer 4 traffic classes contain match criteria that identify the IP network traffic that can pass through the ACE appliance or network management traffic that can be received by the ACE appliance.

Layer 7 protocol-specific classes identify server load balancing based on HTTP traffic, deep inspection of HTTP traffic, or the inspection of FTP commands by the ACE appliance.

A traffic class contains:

A class map name

One or more match commands that define the match criteria for the class map

Instructions on how the ACE appliance evaluates match commands when there is more than one match command in a traffic class


Note To successfully delete a class map from a context, the class map must no longer be in use. To delete multiple class maps, none of the class maps must be in use. If you attempt to delete multiple class maps and one of the class maps is still in use, none of the class maps are deleted and a message appears stating that one of the class maps is in use. Remove the class map that is still in use from your selection, then click Delete. The selected class maps are removed.


Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Class Map. The Class Map table appears.

Step 2 Click Add to add a new class map, or select an existing class map, then click Edit to modify it.

Step 3 The Name field contains an automatically incremented number for the class map. You can leave the number as it is or enter a different, unique number.

Step 4 In the Class Map Type field, select the type of class map you are creating:

Layer 3/4 Network Traffic—Indicates that this is a Layer 3 and Layer 4 class map for traffic other than network management traffic.

Layer 3/4 Management Traffic—Indicates that this is a Layer 3 and Layer 4 class map for network management traffic.

Layer 7 Server Load Balancing—Indicates that this is a Layer 7 class map for HTTP server load balancing.

Layer 7 HTTP Deep Packet Inspection—Indicates that this is a class map for HTTP deep packet inspection.

Layer 7 FTP Command Inspection—Indicates that this is a class map for FTP command inspection.

Step 5 For all selections except Layer 7 FTP Command Inspection, in the Match Type field, select the method the ACE appliance is to use to evaluate multiple match statements when multiple match conditions exist in the class map:

Match-any—Indicates that the class map is a match if at least one of the match conditions listed in the class map is satisfied.

Match-all—Indicates that the class map is a match only if all match conditions listed in the class map are satisfied.

Step 6 In the Description field, enter a brief description for this class map.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance and to configure match conditions for this class map:

Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps

Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps

Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps

Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps

Cancel to exit the procedure without saving your entries and to return to the Class Map table.

Next to save your entries and to configure another class map.


Related Topics

Using Virtual Contexts, page 2-1

Deleting Class Maps

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps

Configuring Virtual Context Policy Maps

Configuring Load Balancing with Real Servers, page 3-45

Configuring Server Farm Load Balancing, page 3-47

Configuring Load Balancing Using Sticky Groups, page 3-80

Deleting Class Maps

To successfully delete a class map from a context, the class map must no longer be in use. To delete multiple class maps, none of the class maps must be in use.

Assumption

The class map to be deleted is not being used.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Class Map. The Class Map table appears.

Step 2 Select the class maps you want to delete, then click Delete.

If you attempt to delete multiple class maps and one of the class maps is still in use, none of the class maps are deleted and a message appears stating that one of the class maps is in use. Remove the class map that is still in use from your selection, then click Delete. The Class Map table refreshes and the deleted class maps no longer appear.


Related Topics

Class Map and Policy Map Overview

Configuring Virtual Context Class Maps

Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps

Use this procedure to specify the match criteria for a Layer 3/Layer 4 network traffic class map on the ACE appliance.

Assumption

You have configured a Layer 3/Layer 4 class map and want to establish match conditions.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Class Map. The Class Map table appears.

Step 2 In the Class Map table, select the Layer 3/4 network traffic class map you want to set match conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and apply common match conditions to them.

If the Match Condition tab does not appear below the Class Map table, click Show Tabs, which appears just below the Class Map table name.

Step 3 In the Match Condition table, click Add to add match criteria, or select the match condition you want to modify, then click Edit. The Match Condition configuration screen appears.

Step 4 In the Seq Number field, enter an integer from 2 to 255.

Step 5 In the Match Condition Type field, select the type of match condition to be used for this class map and configure any match-specific attributes as described in Table 7-2.

Table 7-2 Class Map Virtual-address Match Condition Attributes 

Match Condition Type
Description

Access-list

Indicates that an access list is the match type for this match condition.

In the ACL field, select the ACL to use as the match condition.

Virtual-address

Indicates that a virtual IP address is the match type for this match condition.

1. In the Virtual IP Address field, enter the VIP server IP address of the ACE appliance in dotted-decimal format, such as 192.168.11.1.

2. In the Virtual IP Netmask field, select the subnet mask for the virtual IP address.

3. In the Virtual Address Protocol field, select the protocol to be used for this match condition. For a list of protocols and their respective numbers, see Table 2-10.

Depending on the protocol that you select, additional fields appear. If they appear, enter the information described in the following steps.

4. In the Port Operator field, select the match criteria for the port:

Any—Indicates that any port using the selected protocol meets the match condition.

Equal—Indicates that a specific port using the protocol meets the match condition.

In the Port Number field, enter the port to be matched. Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance is to include all ports.

Range—Indicates that the port must be one of a range of ports to meet the match condition. Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance is to include all ports.

a. In the Lower Port Number field, enter the first port number in the port range for the match condition.

b. In the Upper Port Number field, enter the last port number in the port range for the match condition.

Destination-address

Indicates that a destination address is the match type for this match condition.

1. In the Destination Address field, enter the destination IP address for this match condition in dotted-decimal format, such as 192.168.11.1.

2. In the Destination Netmask field, select the subnet mask for the destination IP address.

Source-address

Indicates that a source IP address is the match type for this match condition.

1. In the Source Address field, enter the source IP address for this match condition in dotted-decimal format, such as 192.168.11.1.

2. In the Source Netmask field, select the subnet mask for the source IP address.

Any

Indicates that any Layer 3 or Layer 4 traffic passing through the ACE appliance meets the match condition.

Port

Indicates that a UDP or TCP port or range of ports is the match type for this match condition.

1. In the Port Protocol field, select TCP or UDP as the protocol to be matched.

2. In the Port Operator field, select the match criteria for the port:

Any—Indicates that any port using the selected protocol meets the match condition.

Equal—Indicates that a specific port using the protocol meets the match condition.

In the Port Number field, enter the port to be matched. Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance is to include all ports.

Range—Indicates that the port must be one of a range of ports to meet the match condition.

a. In the Lower Port Number field, enter the first port number in the port range for the match condition.

b. In the Upper Port Number field, enter the last port number in the port range for the match condition.

Valid entries are integers from 0 to 65535. A value of 0 indicates that the ACE appliance is to include all ports.


Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition table.


Note If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.


Cancel to exit the procedure without saving your entries and to return to the Match Condition table.

Next to save your entries and to configure additional match conditions.
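As an added example that is not part of the original guide, the following Python models how the ACE appliance evaluates the Table 7-2 match conditions under Match-any and Match-all, so the effect of a Layer 3/Layer 4 class map can be checked against sample flows before Deploy Now interrupts traffic. The Flow and MatchCondition types, the sample addresses and the omission of the Access-list condition (ACL contents live elsewhere in the configuration) are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Flow:
    """One constructed connection attempt as the ACE appliance would see it."""
    src: str        # client source address
    dst: str        # destination address (the VIP for virtual-address matches)
    protocol: str   # "tcp", "udp" or "icmp"
    dport: int      # destination port


@dataclass
class MatchCondition:
    """One row of the Match Condition table (model of Table 7-2, Access-list omitted)."""
    seq: int                                  # Seq Number, an integer from 2 to 255
    kind: str                                 # virtual-address, source-address, destination-address, port, any
    address: Optional[str] = None             # dotted-decimal address, such as 192.168.11.1
    netmask: Optional[str] = None             # subnet mask, such as 255.255.255.0
    protocol: Optional[str] = None            # "tcp", "udp", "any" or None
    port_operator: str = "any"                # Port Operator: any, equal, range
    port: int = 0                             # Port Number for "equal"; 0 means all ports
    port_range: Tuple[int, int] = (0, 65535)  # Lower / Upper Port Number for "range"

    def __post_init__(self) -> None:
        if not 2 <= self.seq <= 255:
            raise ValueError("Seq Number must be an integer from 2 to 255")
        for p in (self.port, *self.port_range):
            if not 0 <= p <= 65535:
                raise ValueError("ports must be integers from 0 to 65535")

    def _in_subnet(self, ip: str) -> bool:
        net = ipaddress.ip_network(f"{self.address}/{self.netmask}", strict=False)
        return ipaddress.ip_address(ip) in net

    def _port_ok(self, flow: Flow) -> bool:
        if self.port_operator == "any":
            return True
        if self.port_operator == "equal":
            return self.port == 0 or flow.dport == self.port  # 0 includes all ports
        lo, hi = self.port_range
        return lo <= flow.dport <= hi

    def matches(self, flow: Flow) -> bool:
        if self.kind == "any":
            return True
        if self.kind == "source-address":
            return self._in_subnet(flow.src)
        if self.kind == "destination-address":
            return self._in_subnet(flow.dst)
        if self.kind == "port":
            return flow.protocol == self.protocol and self._port_ok(flow)
        if self.kind == "virtual-address":
            if not self._in_subnet(flow.dst):
                return False
            if self.protocol not in (None, "any") and flow.protocol != self.protocol:
                return False
            # Port Operator fields only appear for TCP and UDP virtual addresses
            return self._port_ok(flow) if self.protocol in ("tcp", "udp") else True
        raise ValueError(f"unknown match condition type {self.kind!r}")


@dataclass
class ClassMap:
    name: str
    match_type: str                           # "match-any" or "match-all"
    conditions: List[MatchCondition] = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        results = [c.matches(flow) for c in self.conditions]
        return all(results) if self.match_type == "match-all" else any(results)


def example() -> dict:
    """Constructed case: HTTP to one VIP, restricted to a corporate source range.

    Returns {flow name: (match-all result, match-any result)} for the same two
    conditions, showing how the Match Type choice changes what is classified.
    """
    conds = [
        MatchCondition(seq=2, kind="virtual-address", address="192.168.11.1",
                       netmask="255.255.255.255", protocol="tcp",
                       port_operator="equal", port=80),
        MatchCondition(seq=3, kind="source-address", address="10.10.0.0",
                       netmask="255.255.0.0"),
    ]
    strict = ClassMap("VIP-HTTP-CORP", "match-all", conds)
    loose = ClassMap("VIP-HTTP-OR-CORP", "match-any", conds)
    flows = {  # constructed sample flows
        "corp-to-vip-80": Flow("10.10.5.7", "192.168.11.1", "tcp", 80),
        "outside-to-vip-80": Flow("172.16.1.1", "192.168.11.1", "tcp", 80),
        "corp-to-vip-443": Flow("10.10.5.7", "192.168.11.1", "tcp", 443),
        "outside-to-vip-443": Flow("172.16.1.1", "192.168.11.1", "tcp", 443),
    }
    return {n: (strict.matches(f), loose.matches(f)) for n, f in flows.items()}


if __name__ == "__main__":
    for name, (all_result, any_result) in example().items():
        print(f"{name:20} match-all={all_result!s:5} match-any={any_result}")
```

Only the match-all map confines classification to the intended VIP, protocol, port and source range; with match-any, any one satisfied row is enough.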


Related Topics

Configuring Traffic Policies

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps

Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps

Configuring Virtual Context Policy Maps

Configuring Virtual Context Class Maps

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps

Use this procedure to identify the network management protocols that can be received by the ACE appliance.

Assumption

You have configured a network management class map and want to establish the match conditions.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Class Map. The Class Map table appears.

Step 2 In the Class Map table, select the Layer 3/Layer 4 management class map you want to set match conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and apply common match conditions to them.

If the Match Condition tab does not appear below the Class Map table, click Show Tabs, which appears just below the Class Map table name.

Step 3 In the Match Condition table, click Add to add match criteria, or select the match conditions you want to modify, then click Edit. The Match Condition configuration screen appears.

Step 4 Enter the match conditions (see Table 7-3).

Table 7-3 Management Class Map Match Conditions 

Field
Description

Seq Number

Enter an integer from 2 to 255 as the line number. The number entered here does not indicate a priority or sequence for the match conditions.

Match Condition Type

Select Management to confirm that this is for Layer 3/Layer 4 management traffic.

Note To change the type of match condition, you must delete the class map and add it again with the correct match type.

Mgmt Protocol Type

This field identifies the network management protocols that can be received by the ACE appliance.

Select the allowed protocol for this match condition:

HTTP—Specifies the Hypertext Transfer Protocol (HTTP).

HTTPS—Specifies the secure (SSL) Hypertext Transfer Protocol (HTTP) for connectivity with the ACE Appliance Device Manager GUI on the ACE appliance.

ICMP—Specifies the Internet Control Message Protocol (ICMP), commonly referred to as ping.

SNMP—Specifies the Simple Network Management Protocol (SNMP).

SSH—Specifies a Secure Shell (SSH) connection to the ACE appliance.

TELNET—Specifies a Telnet connection to the ACE appliance.

KALAP UDP—Specifies the KeepAlive Appliance Protocol over UDP.

XML-HTTPS—Specifies HTTPS as the transfer protocol for sending and receiving XML documents between the ACE appliance and a Network Management System (NMS).

Traffic Type

Select the type of traffic:

Any—Indicates that any client source IP address meets the match condition.

Source-address—Indicates that a specific source IP address is part of the match condition.

Source Address

This field appears if Source-address is selected for Traffic Type.

Enter the source IP address of the client in dotted-decimal notation, such as 192.168.11.1.

Source Netmask

This field appears if Source-address is selected for Traffic Type.

Select the subnet mask for the source IP address.


Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition table.


Note If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.


Cancel to exit the procedure without saving your entries and to return to the Match Condition table.

Next to save your entries and to configure additional match conditions.


Related Topics

Configuring Traffic Policies

Configuring Virtual Context Class Maps

Configuring Load Balancing with Real Servers, page 3-45

Configuring Server Farm Load Balancing, page 3-47

Configuring Load Balancing Using Sticky Groups, page 3-80

Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps

Use this procedure to set match conditions for Layer 7 server load-balancing class maps.

Assumption

You have configured a load-balancing class map and want to establish the match conditions.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Class Map. The Class Map table appears.

Step 2 In the Class Map table, select the Layer 7 server load balancing class map you want to set match conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and apply common match conditions to them.

If the Match Condition tab does not appear below the Class Map table, click Show Tabs, which appears just below the Class Map table name.

Step 3 In the Match Condition table, click Add to add match criteria, or select the match condition you want to modify, then click Edit. The Match Condition configuration screen appears.

Step 4 In the Seq Number field, enter an integer from 2 to 255 as the line number. The number entered here does not indicate a priority or sequence for the match conditions.

Step 5 In the Match Condition Type field, select the type of match to use and configure condition-specific attributes as described in Table 7-4.

Table 7-4 Load-Balancing Class Map Condition Types 

Match Condition Type
Description

Http-cookie

Indicates that an HTTP cookie is to be used to establish a match condition.

1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.

3. Select the Secondary Cookie Matching check box to indicate that the ACE appliance is to use both the cookie name and the cookie value to satisfy this match condition. Clear this check box to indicate that the ACE appliance is to use either the cookie name or the cookie value to satisfy this match condition.

Http-header

Indicates that an HTTP header is to be used to establish a match condition.

1. In the Header Name field, specify the header to be used in one of the following ways:

To specify an HTTP header that is not one of the standard HTTP headers, select the first radio button, then enter the HTTP header name in the Header Name field. Valid entries are unquoted text strings with no spaces and a maximum of 64 characters.

To specify a standard HTTP header, click the second radio button, then select an HTTP header from the list.

2. In the Header Value field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. If the string includes spaces, enclose the string in quotes. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

Http-url

Indicates that a portion of an HTTP URL is to be used to establish a match condition.

1. In the URL Expr field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

2. In the Method field, enter the HTTP method to match. Valid entries are method names entered as unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).

Source-address

Indicates that the source IP address is to be used to establish a match condition.

1. In the Source Address field, enter the source IP address of the client in dotted-decimal notation, such as 192.168.11.1.

2. In the Source Netmask field, select the subnet mask of the source IP address.

Class-map

Indicates that a class map is to be used to establish a match condition.

In the Class Map field, select the class map to apply to this match condition.


Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition table.


Note If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.


Cancel to exit the procedure without saving your entries and to return to the Match Condition table.

Next to save your entries and to configure additional match conditions.


Related Topics

Using Virtual Contexts, page 2-1

Configuring Virtual Context Class Maps

Configuring Virtual Context Policy Maps

Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps

The ACE Appliance Device Manager allows you to create Layer 7 class maps and policy maps to be used for HTTP deep packet inspection by the ACE appliance. When these features are configured, the ACE appliance performs a stateful deep packet inspection of the HTTP protocol and permits or restricts traffic based on the actions in the defined policy maps. You can configure the following security features as part of HTTP deep packet inspection to be performed by ACE appliances:

Regular expression matching on name in an HTTP header, URL name, or content expressions in an HTTP entity body

Content, URL, and HTTP header length checks

MIME-type message inspection

Transfer-encoding methods

Content type verification and filtering

Port 80 misuse by tunneling protocols

RFC compliance monitoring and RFC method filtering

Use this procedure to configure a Layer 7 class map for deep packet inspection of HTTP traffic.

Assumption

You have configured a Layer 7 deep packet inspection class map and want to establish match conditions.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Class Map. The Class Map table appears.

Step 2 In the Class Map table, select the Layer 7 HTTP deep packet inspection class map you want to set match conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and apply common match conditions to them.

If the Match Condition tab does not appear below the Class Map table, click Show Tabs, which appears just below the Class Map table name.

Step 3 In the Match Condition table, click Add to add match criteria, or select the match condition you want to modify, then click Edit. The Match Condition configuration screen appears.

Step 4 In the Seq Number field, enter an integer from 2 to 255 as the line number. The number entered here does not indicate a priority or sequence for the match conditions.

Step 5 In the Match Condition Type field, select the method by which match decisions are to be made and configure condition-specific attributes as described in Table 7-5.

Table 7-5 HTTP Protocol Inspection Match Condition Types 

Match Condition Type
Description

Content

Specific content contained within the HTTP entity-body is to be used for application inspection decisions.

1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.

2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are integers from 1 to 4000.

Content Length

The content parse length in an HTTP message is to be used for application inspection decisions.

1. In the Content Length Operator field, select the operand to be used to compare content length:

Equal—Indicates that the content length must equal the number in the Content Length Value field.

Greater than—Indicates that the content length must be greater than the number in the Content Length Value field.

Less than—Indicates that the content length must be less than the number in the Content Length Value field.

Range—Indicates that the content length must be within the range specified in the Content Length Lower Value field and the Content Length Higher Value field.

2. Enter values to apply for content length comparison:

If you select Equal, Greater than, or Less than in the Content Length Operator field, the Content Length Value field appears. In the Content Length Value field, enter the number of bytes for comparison. Valid entries are integers from 0 to 4294967295.

If you select Range in the Content Length Operator field, the Content Length Lower Value and the Content Length Higher Value fields appear:

1. In the Content Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value field.

2. In the Content Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 0 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value field.

Header

The name and value in an HTTP header are to be used for application inspection decisions.

1. In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP Header to specify a different HTTP header.

2. If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to be matched. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

3. In the Header Value field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. If the string includes spaces, enclose the string with quotes. All headers in the header map must be matched. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

Header Length

The length of the header in the HTTP message is to be used for application inspection decisions.

1. In the Header Length Type field, specify whether HTTP header request or response messages are to be used for application inspection decisions:

Request—Indicates that HTTP header request messages are to be checked for header length.

Response—Indicates that HTTP header response messages are to be checked for header length.

2. In the Header Length Operator field, select the operand to be used to compare header length:

Equal—Indicates that the header length must equal the number in the Header Length Value field.

Greater Than—Indicates that the header length must be greater than the number in the Header Length Value field.

Less Than—Indicates that the header length must be less than the number in the Header Length Value field.

Range—Indicates that the header length must be within the range specified in the Header Length Lower Value field and the Header Length Higher Value field.

3. Enter values to apply for header length comparison:

If you select Equal, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value field appears. In the Header Length Value field, enter the number of bytes for comparison. Valid entries are integers from 0 to 255.

If you select Range in the Header Length Operator field, the Header Length Lower Value and the Header Length Higher Value fields appear:

1. In the Header Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value field.

2. In the Header Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value field.

Header MIME Type

Multipurpose Internet Mail Extension (MIME) message types are to be used for application inspection decisions.

In the Header MIME Type field, select the MIME message type to use for this match condition.

Port Misuse

The misuse of port 80 (or any other port running HTTP) is to be used for application inspection decisions.

Indicate the application category to use for this match condition:

IM—Indicates that instant messaging applications are to be used for this match condition.

P2P—Indicates that peer-to-peer applications are to be used for this match condition.

Tunneling—Indicates that tunneling applications are to be used for this match condition.

Request Method

The request method is to be used for application inspection decisions.

By default, ACE appliances allow all request and extension methods. This option allows you to configure class maps that define application inspection decisions based on compliance with the request methods defined in RFC 2616 and with HTTP extension methods.

1. In the Request Method Type field, select the type of compliance to be used for application inspection decision:

Ext—Indicates that an HTTP extension method is to be used for application inspection decisions.

RFC—Indicates that a request method defined in RFC 2616 is to be used for application inspection decisions.

Depending on your selection, the Ext Request Method field or the RFC Request Method field appears.

2. In the Request Method field, select the specific request method to be used.

Transfer Encoding

An HTTP transfer-encoding type is to be used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient.

In the Transfer Encoding field, select the type of encoding that is to be checked:

Chunked—The message body is transferred as a series of chunks.

Compress—The encoding format that is produced by the UNIX file compression program compress.

Deflate—The .zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.

Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.

Identity—The default (identity) encoding which does not require the use of transformation.

URL

URL names are to be used for application inspection decisions.

In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

URL Length

URL length is to be used for application inspection decisions.

1. In the URL Length Operator field, select the operand to be used to compare URL length:

Equal—Indicates that the URL length must equal the number in the URL Length Value field.

Greater Than—Indicates that the URL length must be greater than the number in the URL Length Value field.

Less Than—Indicates that the URL length must be less than the number in the URL Length Value field.

Range—Indicates that the URL length must be within the range specified in the URL Length Lower Value field and the URL Length Higher Value field.

2. Enter values to apply for URL length comparison:

If you select Equal, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value field appears. In the URL Length Value field, enter the value for comparison. Valid entries are from 1 to 65535 bytes.

If you select Range in the URL Length Operator field, the URL Length Lower Value and the URL Length Higher Value fields appear:

1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value field.

2. In the URL Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value field.


Step 6 Click:

Deploy Now to deploy this configuration on the ACE appliance.


Note If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.


Cancel to exit this procedure without saving your entries and to return to the Match Condition table.

Next to configure another match condition for this class map.
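The following Python is an added example, not the guide's own code, that models the Table 7-5 match conditions (Content, Content Length, Header, Header Length, Header MIME Type, Request Method, Transfer Encoding, URL and URL Length) over constructed HTTP requests, in both Match-any and Match-all mode, so a deep packet inspection class map can be reasoned about before it is deployed. The parse_request helper, the way header length is counted (bytes of the header lines after the request line), the condition tuple format and the omission of Port Misuse (which needs the appliance's application signatures) are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Request methods defined in RFC 2616; anything else is an extension method.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str]   # header names lower-cased, values stripped
    header_bytes: int         # assumed: bytes of the header lines (with CRLF) after the request line
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request at the empty line (CR,LF,CR,LF) between headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, url, _version = request_line.decode("ascii").split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    header_bytes = sum(len(line) + 2 for line in header_lines)
    return HttpRequest(method, url, headers, header_bytes, body)


def length_ok(value: int, operator: str, *bounds: int) -> bool:
    """Equal / Greater than / Less than / Range, as the Length Operator fields define them."""
    if operator == "equal":
        return value == bounds[0]
    if operator == "greater than":
        return value > bounds[0]
    if operator == "less than":
        return value < bounds[0]
    if operator == "range":
        lo, hi = bounds
        if not lo < hi:  # the Lower Value must be less than the Higher Value
            raise ValueError("lower value must be less than higher value")
        return lo <= value <= hi
    raise ValueError(f"unknown operator {operator!r}")


def condition_matches(cond: tuple, req: HttpRequest) -> bool:
    """Evaluate one Match Condition row, given as (type, attribute, ...)."""
    kind, *args = cond
    if kind == "content":                       # (Content Expression, Content Offset)
        expr, offset = args
        return re.search(expr, req.body[offset:].decode("latin-1")) is not None
    if kind == "content-length":                # model: length of the entity body
        return length_ok(len(req.body), *args)
    if kind == "header":                        # (Header Name, Header Value expression)
        name, expr = args
        value = req.headers.get(name.lower())
        return value is not None and re.search(expr, value) is not None
    if kind == "header-length":                 # Header Length Type "request"
        return length_ok(req.header_bytes, *args)
    if kind == "header-mime-type":
        return req.headers.get("content-type", "").split(";")[0].strip() == args[0]
    if kind == "request-method":                # ("rfc" | "ext", method name)
        method_type, name = args
        if method_type == "rfc" and name not in RFC2616_METHODS:
            raise ValueError(f"{name} is not an RFC 2616 request method")
        return req.method == name
    if kind == "transfer-encoding":             # identity applies when no header is present
        raw = req.headers.get("transfer-encoding", "identity")
        return args[0] in [c.strip().lower() for c in raw.split(",")]
    if kind == "url":
        return re.search(args[0], req.url) is not None
    if kind == "url-length":
        return length_ok(len(req.url), *args)
    raise ValueError(f"unknown match condition type {kind!r}")


def class_map_matches(match_type: str, conditions: List[tuple], req: HttpRequest) -> bool:
    results = [condition_matches(c, req) for c in conditions]
    return all(results) if match_type == "match-all" else any(results)


def example() -> Dict[str, Tuple[bool, bool]]:
    """Constructed requests checked against one class map in both match modes.

    Returns {request name: (match-all result, match-any result)}.
    """
    conditions = [
        ("request-method", "rfc", "POST"),
        ("content-length", "greater than", 64),
        ("transfer-encoding", "chunked"),
        ("url-length", "range", 1, 32),
    ]
    requests = {  # constructed sample requests
        "normal-get": b"GET /latest/whatsnew.html HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n",
        "chunked-post": (b"POST /upload HTTP/1.1\r\nHost: www.anydomain.com\r\n"
                         b"Transfer-Encoding: chunked\r\nContent-Type: application/octet-stream\r\n\r\n"
                         b"64\r\n" + b"A" * 100 + b"\r\n0\r\n\r\n"),
        "small-post": b"POST /upload HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\nok",
        "long-get": b"GET /" + b"x" * 40 + b" HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n",
    }
    return {name: (class_map_matches("match-all", conditions, parse_request(raw)),
                   class_map_matches("match-any", conditions, parse_request(raw)))
            for name, raw in requests.items()}
```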


Related Topics

Configuring Virtual Context Policy Maps

Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps

Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps

Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps

Setting Match Conditions for Layer 7 FTP Command Inspection Class Maps

Use this procedure to set match conditions for a Layer 7 FTP command inspection class map.

Assumption

You have configured a Layer 7 command inspection class map and want to establish match criteria.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Class Map. The Class Map table appears.

Step 2 In the Class Map table, select the Layer 7 FTP command inspection class map that you want to configure match conditions for. You can select multiple class maps (hold down the Shift key while selecting entries) and apply common match conditions to them.

If the Match Condition tab does not appear below the Class Map table, click Show Tabs, which appears just below the Class Map table name.

Step 3 In the Match Condition table, click Add to add match criteria, or select the match condition you want to modify, then click Edit. The Match Condition configuration screen appears.

Step 4 In the Seq Number field, enter an integer from 2 to 255.

Step 5 In the Match Condition Type field, select Request Method Name as the match condition type for this class map.

Step 6 In the Request Method Name field, select the FTP command to be inspected. Table 7-6 identifies the FTP commands that can be inspected.

Table 7-6 FTP Commands for Inspection

FTP Command—Description

appe—Append data to the end of the specified file on the remote host.

cdup—Change to the parent of the current directory.

dele—Delete the specified file.

get—Copy the specified file from the remote host to the local system.

help—List all available FTP commands.

mkd—Create a directory using the specified path and directory name.

put—Copy the specified file from the local system to the remote host.

rmd—Remove the specified directory.

rnfr—Rename a file, specifying the current file name. Used with rnto.

rnto—Rename a file, specifying the new file name. Used with rnfr.

site—Execute a site-specific command.

stou—Store a file on the remote host and give it a unique name.

syst—Query the remote host for operating system information.


Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance and to return to the Match Condition table.


Note If you click Deploy Now, the ACE appliance drops the traffic and then restarts it, even if you have not made changes. If you have not altered existing match conditions, click Cancel instead of Deploy Now to ensure uninterrupted traffic.


Cancel to exit this procedure without saving your entries and to return to the Match Condition table.

Next to configure another match condition for this class map.


Related Topics

Configuring Virtual Context Class Maps

Configuring Virtual Context Policy Maps

Setting Match Conditions for Layer 3/Layer 4 Network Traffic Class Maps

Setting Match Conditions for Layer 3/Layer 4 Management Traffic Class Maps

Setting Match Conditions for Layer 7 Server Load-Balancing Class Maps

Setting Match Conditions for Layer 7 HTTP Deep Packet Inspection Class Maps

Configuring Virtual Context Policy Maps

Policy maps establish traffic policy for the ACE appliance. The purpose of a traffic policy is to implement specific ACE appliance functions associated with a traffic class. A traffic policy contains:

A policy map name.

A previously created traffic class map or, optionally, the class-default class map.

One or more of the individual Layer 3/Layer 4 or Layer 7 policies that specify the actions to be performed by the ACE appliance.

The ACE appliance executes actions specified in a policy map on a first-match, multi-match, or all-match basis:

First-match—With a first-match policy map, the ACE appliance executes only the action specified against the first classification that it matches. Layer 3/Layer 4 Management Traffic, Layer 7 Server Load Balancing, Layer 7 FTP Command Inspection, and Layer 7 HTTP Optimization policy maps are first-match policy maps.

Multi-match—With a multi-match policy map, the ACE appliance executes all possible actions applicable for a specific classification. Layer 3/Layer 4 Network Traffic policy maps are multi-match policy maps.

All-match—With an all-match policy map, the ACE appliance attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.

You can view a context's policy maps and their types in the Policy Map table (Config > Virtual Contexts > context > Expert > Policy Map).
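The three evaluation modes defined above, modelled in Python as an added example (not Cisco code and not the appliance's implementation): the same constructed rule list is run in first-match, multi-match and all-match mode to show how the executed actions differ, and because rules are evaluated in Rule table order, the model also shows why the Insert Before field matters. Class names, flow fields and action strings are constructed for illustration.

```python
"""Model of how an ACE policy map chooses which actions to execute.

Added example for this guide; not Cisco code. Evaluation modes follow the
definitions on this page:
  first-match : execute only the action of the first matching class
  multi-match : execute the actions of every matching class
  all-match   : execute matching classes in order, stop at the first deny
Class names, flow fields and action strings below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List

Flow = Dict[str, object]   # constructed flow record: proto, src, dport
MODES = ("first-match", "multi-match", "all-match")


@dataclass(frozen=True)
class Rule:
    class_name: str                     # class map name (constructed)
    matches: Callable[[Flow], bool]     # the class map's match condition
    action: str                         # action attached to that class


def is_deny(action: str) -> bool:
    """All-match evaluation stops once a deny action has been hit."""
    return action == "deny"


def evaluate(rules: List[Rule], flow: Flow, mode: str) -> List[str]:
    """Return the "class:action" pairs the appliance would execute."""
    if mode not in MODES:
        raise ValueError(f"unknown policy-map mode: {mode}")
    executed: List[str] = []
    for rule in rules:                      # Rule table order
        if not rule.matches(flow):
            continue
        executed.append(f"{rule.class_name}:{rule.action}")
        if mode == "first-match":
            break                           # only the first classification
        if mode == "all-match" and is_deny(rule.action):
            break                           # deny ends all-match evaluation
        # multi-match: keep collecting every applicable action
    return executed


def compare_modes(rules: List[Rule], flow: Flow) -> Dict[str, List[str]]:
    """Evaluate one flow under every mode, for side-by-side comparison."""
    return {mode: evaluate(rules, flow, mode) for mode in MODES}


def _src_in(cidr: str) -> Callable[[Flow], bool]:
    """Match condition on the client source address (constructed helper)."""
    net = ipaddress.ip_network(cidr)
    return lambda f: ipaddress.ip_address(str(f["src"])) in net


# Constructed policy: a VIP on port 80, a blocked source range, an HTTP
# inspection class that also matches port 80, and class-default last.
SAMPLE_RULES: List[Rule] = [
    Rule("vip-http", lambda f: f["proto"] == "tcp" and f["dport"] == 80,
         "loadbalance"),
    Rule("blocked-net", _src_in("10.0.0.0/8"), "deny"),
    Rule("vip-http-inspect", lambda f: f["dport"] == 80, "inspect-http"),
    Rule("class-default", lambda f: True, "drop"),
]

# Constructed flows: one from the blocked range to the VIP, one elsewhere.
SAMPLE_FLOW_BLOCKED: Flow = {"proto": "tcp", "src": "10.1.2.3", "dport": 80}
SAMPLE_FLOW_OTHER: Flow = {"proto": "tcp", "src": "192.0.2.10", "dport": 443}

if __name__ == "__main__":
    for name, flow in (("blocked", SAMPLE_FLOW_BLOCKED),
                       ("other", SAMPLE_FLOW_OTHER)):
        for mode, actions in compare_modes(SAMPLE_RULES, flow).items():
            print(f"{name:8} {mode:12} -> {actions}")
```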

Use this procedure to create a policy map for a virtual context.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Policy Map. The Policy Map table appears.

Step 2 Click Add to add a new policy map, or select an existing policy map, then click Edit to modify it.

Step 3 The Policy Map Name field contains an automatically incremented number for the policy map. Either leave the entry as it is or enter a different, unique number.

Step 4 In Type, select the type of policy map you are creating:

Layer 3/4 Network Traffic—Indicates that this is a Layer 3 and Layer 4 policy map for traffic passing through the ACE appliance.

Layer 3/4 Management Traffic—Indicates that this is a Layer 3 and Layer 4 policy map for network management traffic received by the ACE appliance.

Layer 7 Server Load Balancing—Indicates that this is a Layer 7 policy map for HTTP server load balancing.

Layer 7 HTTP Deep Packet Inspection—Indicates that this is a policy map for HTTP deep packet inspection.

Layer 7 FTP Command Inspection—Indicates that this is a policy map for FTP command inspection.

Layer 7 HTTP Optimization—Indicates that this is a policy map for optimizing HTTP traffic.

Step 5 Click:

Deploy Now to deploy this configuration on the ACE appliance. Continue with one of the following to define rules and actions for this policy map:

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic

Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection

Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization

Cancel to exit this procedure without saving your entries and to return to the Policy Map table.

Next to save your entries and to configure another policy map.


Related Topics

Using Virtual Contexts, page 2-1

Configuring Virtual Context Class Maps

Configuring Load Balancing with Real Servers, page 3-45

Configuring Server Farm Load Balancing, page 3-47

Configuring Load Balancing Using Sticky Groups, page 3-80

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Use this procedure to configure the rules and actions for Layer 3/Layer 4 traffic other than network management traffic.

Assumptions

You have configured a Layer 3/Layer 4 policy map.

A class map has been defined if you do not want to use the class-default class map.

The following must be configured for the selected context depending on the action to be applied to the rule:

For an SSL proxy action, an SSL proxy service. See Configuring SSL Proxy Service, page 4-16.

For a dynamic NAT action, a NAT VLAN and a NAT pool. See Configuring Virtual Context VLAN Interfaces, page 5-1.

For an Appl parameter action, an HTTP parameter map. See Configuring HTTP Parameter Maps, page 3-91.

For a Connection action, a Connection parameter map. See Configuring Connection Parameter Maps, page 3-85.

For an HTTP optimization action, an Optimization parameter map. See Configuring Optimization Parameter Maps, page 3-93.

For an FTP command inspection option, a Layer 7 FTP inspection policy map. See Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection.

For an HTTP protocol inspection option, a Layer 7 HTTP deep packet inspection policy map. See Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection.

To associate with a policy map, a defined Layer 7 policy map. See Configuring Virtual Context Policy Maps.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Policy Map. The Policy Map table appears.

Step 2 In the Policy Map table, select the Layer 3/Layer 4 network traffic policy map you want to set rules and actions for, then select the Rule tab.

If the Rule tab does not appear below the Policy Map table, click Show Tabs beneath the table name.

Step 3 In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The Rule configuration screen appears.

Step 4 In the Rule Type field, confirm that Classmap is selected.

Step 5 To use the class-default class map, select the Use Class Default check box.

Step 6 To use a previously created class map for this rule:

a. Clear the Use Class Default check box.

b. In the Class Map Name field, select the class map to be used.

c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map:

N/A—Indicates that this option is not configured.

False—Indicates that this rule is not to precede another rule in this policy map.

True—Indicates that this rule is to precede another rule in this policy map.

d. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance and to define actions for this rule (see Step 8).

Cancel to exit this procedure without saving your entries and to return to the Policy Map table.

Next to save your entries and to configure another rule.


Note If you selected the Insert Before option in Step 6 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:

1. Click the Rule tab to refresh the Rule table.

2. In the Rule table, select the newly added rule.

When the screen refreshes, an empty action list appears.


Step 8 To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit to modify it. The Action configuration screen appears.

Step 9 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.

Step 10 In the Action Type field, select the type of action to be taken for this rule, then configure the related attributes. See Table 7-7.

Table 7-7 Layer 3/Layer 4 Policy Map Action Attributes 

Action Type
Description/Steps

Vip-icmp-reply

Indicates that a VIP is to send an ICMP ECHO-REPLY response to ICMP requests.

In the Active field, indicate the response to ICMP requests:

N/A—Indicates that this option is not configured.

False—Indicates that a VIP is not to send an ICMP ECHO-REPLY response to an ICMP request.

True—Indicates that a VIP is to send an ICMP ECHO-REPLY response to an ICMP request.

Policymap

Indicates that the ACE appliance is to associate a Layer 7 server load-balancing policy map with this Layer 3/Layer 4 policy map.

In the Policy Map field, select the Layer 7 policy map to associate with this Layer 3/Layer 4 policy map.

Vip-in-service

Indicates that a VIP is to be enabled for server load-balancing operations.

Nat

Indicates that the ACE appliance is to implement network address translation (NAT) for this rule.

1. In the NAT Mode field, select the type of NAT to be used:

Static NAT—Indicates that NAT is to translate each local address to a fixed global address. Continue with Step 2.

Dynamic NAT—Indicates that NAT is to translate local addresses to a pool of global addresses. Continue with Step 3.

2. If you select Static NAT:

a. In the Static Mapped Netmask field, select the subnet mask to apply to the static mapped address.

b. In the Static Port field, enter the TCP or UDP port to use for static port redirection. Valid entries are integers from 0 to 65535.

c. In the Static Mapped Address field, enter the IP address to use for static NAT translation. This entry establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class-map traffic classification).

d. In the NAT Protocol field, select the protocol to use for NAT:

- N/A—Indicates that this attribute is not to be set.

- UDP—Indicates that the ACE appliance is to use UDP for NAT.

- TCP—Indicates that the ACE appliance is to use TCP for NAT.

e. In the VLAN Id field, select the VLAN to use for NAT.

3. If you select Dynamic NAT:

a. In the NAT Pool Id field, enter the number of the pool of IP addresses that exist under the VLAN specified in the VLAN Id field. Valid entries are integers from 1 to 2147483647. See Configuring VLAN Interface NAT Pools, page 5-9.

b. In the VLAN Id field, select the VLAN to use for NAT.

Ssl-proxy

Indicates that the ACE appliance is to use an SSL proxy server service to define the SSL parameters the ACE appliance is to use during the handshake and subsequent SSL session.

1. In the SSL Proxy field, select the SSL proxy server service to use in the handshake and subsequent SSL session when the ACE appliance engages with an SSL client.

2. In the SSL Proxy Type field, select Server to indicate that the ACE appliance is to be configured so that it is recognized as an SSL server.

Appl-parameter

Indicates that an HTTP parameter map containing HTTP-related actions is to be implemented for this rule.

In the HTTP Parameter Map field, select the HTTP parameter map to use.

Connection

Indicates that a Connection parameter map containing TCP/IP connection-related commands that pertain to normalization and termination is to be implemented for this rule.

In the Connection Parameter Map field, select the Connection parameter map that is to be used.

Inspect

Indicates that deep packet inspection is to be implemented for this rule.

1. In the Inspect Type field, select the protocol that is to be inspected.

2. Provide any protocol-specific information.

Table 7-8 describes the available options for deep packet inspection actions.

HTTP Optimize

Indicates that HTTP optimization is to be implemented for this rule.

In the HTTP Optimization Policy field, select the HTTP optimization policy map to use.


Table 7-8 Policy Map Deep Packet Inspection Options 

Inspection Option
Description

DNS

Indicates that Domain Name System (DNS) query inspection is to be implemented. DNS requires application inspection so that DNS queries will not be subject to the generic UDP handling based on activity timeouts. Instead, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received. The ACE appliance performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length.

In the DNS Maximum Length field, enter the maximum length of a DNS reply in bytes. Valid entries are integers from 512 to 65535.

FTP

Indicates that FTP inspection is to be implemented. The ACE appliance inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data.

1. In the FTP Strict field, indicate whether the ACE appliance is to check for protocol RFC compliance and prevent Web browsers from sending embedded commands in FTP requests:

N/A—Indicates that this attribute is not set.

False—Indicates that the ACE appliance is not to check for RFC compliance or prevent Web browsers from sending embedded commands in FTP requests.

True—Indicates that the ACE appliance is to check for RFC compliance and prevent Web browsers from sending embedded commands in FTP requests.

2. If you select True, in the FTP Inspect Policy field, select the Layer 7 FTP command inspection policy to be implemented for this rule.

HTTP

Indicates that enhanced Hypertext Transfer Protocol (HTTP) inspection is to be performed on HTTP traffic. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the ACE appliance. By default, the ACE appliance allows all request methods.

1. In the HTTP Inspect Policy field, select the HTTP inspection policy map to be implemented for this rule. If you do not specify a Layer 7 policy map, the ACE appliance performs a general set of Layer 3 and Layer 4 protocol fixup actions and internal RFC compliance checks.

2. In the URL Logging field, indicate whether Layer 3 and Layer 4 traffic is to be monitored:

N/A—Indicates that this attribute is not set.

False—Indicates that Layer 3 and Layer 4 traffic is not to be monitored.

True—Indicates that Layer 3 and Layer 4 traffic is to be monitored. When enabled, this function logs every URL request that is sent in the specified class of traffic, including the source or destination IP address and the URL that is accessed.

ICMP

Indicates that Internet Control Message Protocol (ICMP) payload inspection is to be performed. ICMP inspection allows ICMP traffic to have a "session" so it can be inspected similarly to TCP and UDP traffic.

In the ICMP Error field, indicate whether the ACE appliance is to perform network address translation on ICMP error messages:

N/A—Indicates that this attribute is not set.

False—Indicates that the ACE appliance is not to perform NAT on ICMP error messages.

True—Indicates that the ACE appliance is to perform NAT on ICMP error messages. When enabled, the ACE appliance creates translation sessions for intermediate or endpoint nodes that send ICMP error messages based on the NAT configuration. The ACE appliance overwrites the packet with the translated IP addresses.

RTSP

Indicates that Real Time Streaming Protocol (RTSP) packet inspection is to be implemented. RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. The ACE appliance monitors Setup and Response (200 OK) messages in the control channel established using TCP port 554 (no UDP support).

RSH

Indicates that Remote Shell (RSH) inspection is to be implemented. RSH is a UNIX command line interface for remotely executing commands.

SqlNet

Indicates that Structured Query Language Network (SqlNet) inspection is to be implemented.
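A simplified model of the FTP Strict check described in the FTP row of Table 7-8, using the command list of Table 7-6, added here as an example and not the ACE implementation: it assumes that a request is a single CRLF-terminated command line, treats a line break inside one request as an embedded second command, and reports whether the request method is one the class map can match. The sample requests are constructed.

```python
"""Simplified model of strict FTP command inspection (added example).

Not the ACE implementation. In strict mode the request line must be one
command terminated by CRLF with only printable ASCII; a line break inside
the request is treated as an embedded second command. In either mode the
request method is compared against the Table 7-6 command names so a
Layer 7 FTP command inspection class map could match it.
"""
import re
from typing import Dict, FrozenSet, List, Optional

# Command names exactly as listed in Table 7-6 of this guide.
INSPECTED_COMMANDS: FrozenSet[str] = frozenset({
    "appe", "cdup", "dele", "get", "help", "mkd", "put",
    "rmd", "rnfr", "rnto", "site", "stou", "syst",
})

# One FTP verb (3 or 4 letters) optionally followed by a single argument.
_CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: [^\r\n]*)?$")


def inspect_ftp_request(raw: bytes, strict: bool,
                        inspected: FrozenSet[str] = INSPECTED_COMMANDS
                        ) -> Dict[str, object]:
    """Inspect one control-channel request as received from the client.

    Returns the parsed verb, whether it is an inspected command, the list
    of compliance issues found (strict mode only) and an overall rfc_ok flag.
    """
    issues: List[str] = []
    if strict:
        if not raw.endswith(b"\r\n"):
            issues.append("request not terminated by CRLF")
        body = raw.rstrip(b"\r\n")
        if b"\r" in body or b"\n" in body:
            # A browser-driven client can only be made to send one logical
            # request; a second line inside it is an embedded command.
            issues.append("embedded line break: more than one command in a request")
        if any((b < 0x20 and b not in (0x0D, 0x0A)) or b > 0x7E for b in body):
            issues.append("non-printable or non-ASCII byte in command line")

    # Parse the request method from the first line only.
    first = raw.split(b"\n", 1)[0].rstrip(b"\r")
    match = _CMD_RE.match(first.decode("ascii", "replace"))
    verb: Optional[str] = match.group(1).lower() if match else None
    if verb is None:
        issues.append("malformed command line")
    matched = verb if verb in inspected else None

    return {"verb": verb, "matched": matched,
            "issues": issues, "rfc_ok": not issues}


# Constructed sample requests: a clean command, a request carrying an
# embedded second command, and one with a bare LF terminator.
SAMPLE_REQUESTS = [
    b"DELE secret.txt\r\n",
    b"SYST\r\nDELE secret.txt\r\n",
    b"DELE a.txt\n",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for strict in (False, True):
            print(strict, req, inspect_ftp_request(req, strict))
```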


Step 11 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Action table.

Next to save your entries and to configure another Action.

Step 12 Click the Rule tab to refresh the Rule table before adding a new rule.


Related Topics

Configuring Traffic Policies

Configuring Virtual Context Class Maps

Configuring Virtual Context Policy Maps

Configuring Load Balancing with Real Servers, page 3-45

Configuring Server Farm Load Balancing, page 3-47

Configuring Load Balancing Using Sticky Groups, page 3-80

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic

Use this procedure to configure the rules and actions for IP management traffic received by the ACE appliance.

Assumptions

A network management policy map has been configured.

A class map has been defined for a class map rule if you do not want to use the class-default class map.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Policy Map. The Policy Map table appears.

Step 2 In the Policy Map table, select the Layer 3/Layer 4 management traffic policy map you want to set rules and actions for, then select the Rule tab. The Rule table appears.

Step 3 In the Rule table, click Add to add a new rule, or select the rule you want to modify, then click Edit. The Rule screen appears.

Step 4 In the Rule Type field, confirm that Classmap is selected.

Step 5 To use the class-default class map, select the Use Class Default check box.

Step 6 To use a previously created class map for this rule:

a. Clear the Use Class Default check box.

b. In the Class Map Name field, select the class map to be used.

c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.

N/A—Indicates that this option is not configured.

False—Indicates that this rule is not to precede another rule in this policy map.

True—Indicates that this rule is to precede another rule in this policy map.

d. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 7 Click:

Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the Rule table. To define actions for this rule, continue with Step 8.

Cancel to exit this procedure without saving your entries and to return to the Policy Map table.

Next to save your entries and to configure another rule.


Note If you selected the Insert Before option in Step 6 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:

1. Click the Rule tab to refresh the Rule table.

2. In the Rule table, select the newly added rule.

When the screen refreshes, an empty action list appears.


Step 8 To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit to modify it. The Action configuration screen appears.

Step 9 In the Action configuration screen:

a. In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.

b. In the Action Type field, select Mgmt-permit to indicate that this action permits or denies network management traffic.

c. In the Action field, specify the action that is to occur:

Permit—Indicates that the ACE appliance is to accept network management traffic when this rule is met.

Deny—Indicates that the ACE appliance is to deny network management traffic when this rule is met.

Step 10 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Action table.

Next to save your entries and to configure another action.

Step 11 Click the Rule tab to refresh the Rule table before adding a new rule.


Related Topics

Configuring Traffic Policies

Configuring Virtual Context Class Maps

Configuring Virtual Context Policy Maps

Configuring Load Balancing with Real Servers, page 3-45

Configuring Server Farm Load Balancing, page 3-47

Configuring Load Balancing Using Sticky Groups, page 3-80

Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic

Use this procedure to set rules and actions for Layer 7 server load-balancing policy maps.

Assumptions

You have configured a load-balancing policy map and want to establish the corresponding rules and actions.

If you want to configure an SSL proxy action, you have configured SSL proxy service for this context.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Policy Map. The Policy Map table appears.

Step 2 In the Policy Map table, select the load-balancing policy map you want to set rules and actions for, then select the Rule tab. The Rule table appears.

Step 3 In the Rule table, click Add to add a new rule, or select an existing rule, then click Edit to modify it. The Rule configuration screen appears.

Step 4 Select the type of rule to be used:

Class map—Indicates that the ACE appliance is to use an existing class map that identifies the rules and corresponding actions. If you select this rule type, continue with Step 5.

Matchcondition—Indicates that the ACE appliance is to use a set of conditions to identify the rules and corresponding actions. If you select this rule type, continue with Step 6.

Step 5 If you select Class Map, either select the Use Class Default check box to use a default class map or specify a previously created class map:

a. Clear the Use Class Default check box.

b. In the Class Map Name field, select the class map to be used.

c. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.

N/A—Indicates that this option is not configured.

False—Indicates that this rule is not to precede another rule in this policy map.

True—Indicates that this rule is to precede another rule in this policy map.

d. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 6 For match conditions:

a. In the Match Condition Name field, enter a name for the match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

b. In the Match Condition Type field, select the method by which match decisions are to be made and their corresponding conditions. See Table 7-9 for information about these selections.

Table 7-9 Policy Match Condition Types 

Match Condition
Description

Http-cookie

Indicates that HTTP cookies are to be used for this rule.

If you select this method:

1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching string expressions. Table 7-13 lists the supported characters that you can use for matching string expressions.

Http-header

Indicates that the HTTP header and a corresponding value are to be used for this rule.

If you select this method:

1. In the Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Header Value field, enter the header-value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. To include spaces, enclose the entire string in quotes. All headers in the header map must be matched. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

Http-url

Indicates that this rule is to perform regular expression matching against the received packet data from a particular connection based on the HTTP URL string.

If you select this method:

1. In the URL Expr field, enter a URL, or portion of a URL, to match. Valid entries are URL strings from 1 to 255 alphanumeric characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The ACE appliance supports regular expressions for matching URL strings. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

2. In the Method Expr field, enter the HTTP method to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. The method can either be one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).

Source-address

Indicates that this rule is to use a client source IP address to establish match conditions.

If you select this method:

1. In the Source IP Address field, enter the source IP address of the client. Enter the IP address in dotted-decimal notation (for example, 192.168.11.2).

2. In the Source Netmask field, enter the subnet mask of the IP address. Enter the netmask in dotted-decimal notation (for example, 255.255.255.0). The default is 255.255.255.255.


Step 7 For specific class maps and match conditions, in the Insert Before field, indicate whether this rule is to precede another defined policy rule:

N/A—Indicates that this option is not applicable.

False—Indicates that this rule is not to precede another defined policy rule.

True—Indicates that this rule is to precede another policy rule.

If you select True, in the Insert Before Policy Rule field, select the policy rule that this rule is to precede.

Step 8 Click:

Deploy Now to deploy the configuration on the ACE appliance. The Action table appears below the Rule table. To define the actions for this rule, continue with Step 9.

Cancel to exit this procedure without saving your entries and to return to the Rule table.

Next to save your entries and to configure another rule.


Note If you selected the Insert Before option in Step 7 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:

1. Click the Rule tab to refresh the Rule table.

2. In the Rule table, select the newly added rule.

When the screen refreshes, an empty action list appears.


Step 9 In the Action table, click Add to add a new action for this rule, or select an existing action, then click Edit to modify it.

Step 10 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.

Step 11 In the Action tab in the Action Type field, select the action to be taken and configure any action-specific attributes as described in Table 7-10.

Table 7-10 Policy Map Actions for Load Balancing 

Action
Description

Serverfarm

Indicates that the ACE appliance is to load balance client requests for content to a server farm.

1. In the Server Farm field, select the server farm to which requests for content are to be sent.

2. In the Backup Server Farm field, select the backup server farm to which requests for content are to be sent.

Leave this field blank to indicate that no backup server farm is to be used.

3. Select the Sticky Enabled check box to indicate that the sticky group associated with this policy and applied to the primary server farm is applied to the backup server farm. Clear the Sticky Enabled check box to indicate that the sticky group associated with this policy and applied to the primary server farm in that policy is not applied to the backup server farm.

4. Select the Aggregate State Enabled check box to indicate that the operational state of the backup server farm is taken into consideration when evaluating the state of the load-balancing class in a policy map. Clear this check box to indicate that the operational state of the backup server farm is not taken into consideration when evaluating the state of the load-balancing class in a policy map.

Drop

Indicates that the ACE appliance is to discard packets that match this policy map.

Forward

Indicates that the ACE appliance is to forward requests that match this policy map without load balancing the requests.

Insert-http

Indicates that the ACE appliance is to insert an HTTP header for Layer 7 load balancing for requests that match this policy map.

This option allows the ACE appliance to identify a client whose IP address has been translated using NAT by inserting a generic header and string value in the client HTTP request.

1. In the HTTP Header Name field, enter the name of the generic field in the HTTP header. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the HTTP Header Value field, enter the value to be inserted into the HTTP header. Valid entries are unquoted text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. To include spaces, enclose the entire string in quotes. All headers in the header map must be matched. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

Sticky-serverfarm

Indicates that requests matching this policy map are to be load balanced to a sticky server farm.

In the Sticky Group field, select the sticky server farm that is to be used for requests that match this policy map.

Ssl-proxy

Indicates that the ACE appliance is to use an SSL proxy client service to define the SSL parameters the ACE appliance is to use during the handshake and subsequent SSL session.

1. In the SSL Proxy field, select the SSL proxy server service to be used for this action.

2. In the SSL Proxy Type field, select Client to indicate that the ACE appliance is to be configured so that it is recognized as an SSL client.

Compress

Indicates that the ACE appliance is to compress packets that match this policy map. This option is available only when you associate an HTTP-type class map with a policy map.

In the Compress Method field, specify the method that the ACE appliance is to use to compress packets:

Deflate—Indicates that the ACE appliance is to use the DEFLATE compression method when the client browser supports both the DEFLATE and GZIP compression methods.

Gzip—Indicates that the ACE appliance is to use the GZIP compression method when the client browser supports both the DEFLATE and GZIP compression methods.

Set IP TOS

The ACE is to set the IP Differentiated Services Code Point (DSCP) bit in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other Quality of Service (QoS) services can then operate on the bit settings.

In the IP TOS Rewrite Value field, enter the IP DSCP value. Valid entries are integers from 0 to 255.


Step 12 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit the procedure without saving your entries and to return to the Action table.

Next to save your entries and to configure another action.

Step 13 Click the Rule tab to refresh the Rule table before adding a new rule.


Related Topics

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

Use this procedure to add rules and actions for Layer 7 HTTP deep packet inspection policy maps.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Policy Map. The Policy Map table appears.

Step 2 In the Policy Map table, select the Layer 7 deep packet inspection policy map that you want to set rules and actions for, then select the Rule tab. You can select multiple policy maps (hold down the Shift key while selecting entries) and apply common rules and actions to them.

The Rule table appears just below the Policy Map table. If you do not see the Rule tab, click Show Tabs just under the Policy Map table title.

Step 3 In the Rule table, click Add to add a new rule, or select an existing rule, then Edit to modify it. The Rule configuration screen appears.

Step 4 In the Rule Type field, select the type of rule to be used:

Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules and corresponding actions. Continue with Step 5.

Match condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules and corresponding actions. Continue with Step 7.

Step 5 For class maps, select the Use Class Default check box to use the class-default class map, or clear the check box to use a previously created class map.

Step 6 If you clear the Use Class Default check box:

a. In the Class Map Name field, select the class map to be used.

b. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.

N/A—Indicates that this option is not configured.

False—Indicates that this rule is not to precede another rule in this policy map.

True—Indicates that this rule is to precede another rule in this policy map.

c. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 7 For match conditions:

a. In the Match Condition Name field enter a name for the match condition. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

b. In the Match Condition Type field, select the method by which match decisions are to be made and their corresponding conditions. See Table 7-11 for information about these selections.

Table 7-11 HTTP Deep Packet Inspection Match Types 

Match Condition Type
Description

Content

Specific content contained within the HTTP entity-body is used for application inspection decisions.

1. In the Content Expression field, enter the content that is to be matched. Valid entries are alphanumeric strings from 1 to 255 characters.

2. In the Content Offset field, enter the number of bytes to be ignored starting with the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. Valid entries are from 1 to 4000 bytes.

Content Length

The content parse length in an HTTP message is used for application inspection decisions.

1. In the Content Length Operator field, select the operand to be used to compare content length:

Equal—Indicates that the content length must equal the number in the Content Length Value field.

Greater than—Indicates that the content length must be greater than the number in the Content Length Value field.

Less than—Indicates that the content length must be less than the number in the Content Length Value field.

Range—Indicates that the content length must be within the range specified in the Content Length Lower Value field and the Content Length Higher Value field.

2. Enter values to apply for content length comparison:

If you select Equal, Greater than, or Less than in the Content Length Operator field, the Content Length Value field appears. In the Content Length Value field, enter the number of bytes for comparison. Valid entries are integers from 0 to 4294967295.

If you select Range in the Content Length Operator field, the Content Length Lower Value and the Content Length Higher Value fields appear:

1. In the Content Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 0 to 4294967295. The number in this field must be less than the number entered in the Content Length Higher Value field.

2. In the Content Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 4294967295. The number in this field must be greater than the number entered in the Content Length Lower Value field.

Content-type Verification

Verifies that the MIME type declared in the Content-Type header matches the actual content of the entity body. This inline match limits the MIME types that the ACE appliance allows through in HTTP messages: it checks that the header MIME type is in the internal list of supported MIME types and that it matches the data in the entity body of the message. If they do not match, the ACE appliance performs the specified Layer 7 policy map action.

Note Content-type Verification is available only as an inline match condition. Because this Layer 7 HTTP deep inspection match criterion cannot be combined with other match criteria, it appears as an inline match condition.

Header

The name and value in an HTTP header are used for application inspection decisions.

1. In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP Header to specify a different HTTP header.

2. If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

3. In the Header Value field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. To include spaces in the string, enclose the entire string in quotes. All headers in the header map must be matched. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

Header Length

The length of the header in the HTTP message is used for application inspection decisions.

1. In the Header Length Type field, specify whether HTTP header request or response messages are to be used for application inspection decisions:

Request—Indicates that HTTP header request messages are to be checked for header length.

Response—Indicates that HTTP header response messages are to be checked for header length.

2. In the Header Length Operator field, select the operand to be used to compare header length:

Equal—Indicates that the header length must equal the number in the Header Length Value field.

Greater Than—Indicates that the header length must be greater than the number in the Header Length Value field.

Less Than—Indicates that the header length must be less than the number in the Header Length Value field.

Range—Indicates that the header length must be within the range specified in the Header Length Lower Value field and the Header Length Higher Value field.

3. Enter values to apply for header length comparison:

If you select Equal, Greater Than, or Less Than in the Header Length Operator field, the Header Length Value field appears. In the Header Length Value field, enter the number of bytes for comparison. Valid entries are integers from 0 to 255.

If you select Range in the Header Length Operator field, the Header Length Lower Value and the Header Length Higher Value fields appear:

1. In the Header Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 0 to 255. The number in this field must be less than the number entered in the Header Length Higher Value field.

2. In the Header Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 255. The number in this field must be greater than the number entered in the Header Length Lower Value field.

Header MIME Type

Multipurpose Internet Mail Extension (MIME) message types are used for application inspection decisions.

In the Header MIME Type field, select the MIME message type to be used for this match condition.

Port Misuse

The misuse of port 80 (or any other port running HTTP) is used for application inspection decisions.

Indicate the application category to be used for this match condition:

IM—Indicates that instant messaging applications are to be used for this match condition.

P2P—Indicates that peer-to-peer applications are to be used for this match condition.

Tunneling—Indicates that tunneling applications are to be used for this match condition.

Request Method

The request method is used for application inspection decisions.

By default, the ACE appliance allows all request and extension methods. This option lets you configure class maps whose application inspection decisions are based on the request method, either one defined in RFC 2616 or an HTTP extension method.

1. In the Request Method Type field, select the type of compliance to be used for application inspection decision:

Ext—Indicates that an HTTP extension method is to be used for application inspection decisions.

RFC—Indicates that a request method defined in RFC 2616 is to be used for application inspection decisions.

Depending on your selection, the Ext Request Method field or the RFC Request Method field appears.

2. In that field, select the specific request method to be used.

Strict HTTP

Internal compliance checks are performed to verify that a message is compliant with the HTTP RFC standard, RFC 2616. If the HTTP message is not compliant, the ACE appliance performs the specified Layer 7 policy map action.

Note Strict HTTP is available only as an inline match condition. Because this Layer 7 HTTP deep inspection match criterion cannot be combined with other match criteria, it appears as an inline match condition.

Transfer Encoding

An HTTP transfer-encoding type is used for application inspection decisions. The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient.

In the Transfer Encoding field, select the type of encoding that is to be checked:

Chunked—The message body is transferred as a series of chunks.

Compress—The encoding format that is produced by the UNIX file compression program compress.

Deflate—The zlib format that is defined in RFC 1950 in combination with the DEFLATE compression mechanism described in RFC 1951.

Gzip—The encoding format that is produced by the file compression program GZIP (GNU zip) as described in RFC 1952.

Identity—The default (identity) encoding which does not require the use of transformation.

URL

URL names are used for application inspection decisions.

In the URL field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

URL Length

URL length is used for application inspection decisions.

1. In the URL Length Operator field, select the operand to be used to compare URL length:

Equal—Indicates that the URL length must equal the number in the URL Length Value field.

Greater Than—Indicates that the URL length must be greater than the number in the URL Length Value field.

Less Than—Indicates that the URL length must be less than the number in the URL Length Value field.

Range—Indicates that the URL length must be within the range specified in the URL Length Lower Value field and the URL Length Higher Value field.

2. Enter values to apply for URL length comparison:

If you select Equal, Greater Than, or Less Than in the URL Length Operator field, the URL Length Value field appears. In the URL Length Value field, enter the value for comparison. Valid entries are from 1 to 65535 bytes.

If you select Range in the URL Length Operator field, the URL Length Lower Value and the URL Length Higher Value fields appear:

1. In the URL Length Lower Value field, enter the lowest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be less than the number entered in the URL Length Higher Value field.

2. In the URL Length Higher Value field, enter the highest number of bytes to be used for this match condition. Valid entries are integers from 1 to 65535. The number in this field must be greater than the number entered in the URL Length Lower Value field.


Step 8 In the Insert Before field, specify whether this rule is to precede another rule in this policy map:

N/A—Indicates that this attribute is not set.

False—Indicates that this rule is not to precede another rule in the policy map.

True—Indicates that this rule is to precede another rule in the policy map.

Step 9 If you set Insert Before to True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 10 Click:

Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the Rule table. To define actions for this rule, continue with Step 11.

Cancel to exit this procedure without saving your entries and to return to the Policy Map table.

Next to save your entries and to configure another rule.


Note If you selected the Insert Before option in Step 8 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:

1. Click the Rule tab to refresh the Rule table.

2. In the Rule table, select the newly added rule.

When the screen refreshes, an empty action list appears.


Step 11 To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit to modify it. The Action configuration screen appears.

Step 12 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.

Step 13 In the Action Type field, select the action to be taken for this rule:

Permit—Indicates that the specified HTTP traffic is to be allowed if it meets the specified HTTP deep packet inspection match criteria.

Reset—Indicates that the specified HTTP traffic is to be denied. A TCP reset message is sent to the client or server to close the connection.

Step 14 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Action table.

Next to configure another action for this policy map and rule.

Step 15 Click the Rule tab to refresh the Rule table before adding a new rule.
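The following Python program is an added example, not ACE code, that emulates the checks behind the Table 7-11 match conditions and the Permit and Reset action types so you can see what each condition catches on raw requests. The policy values, the request samples and the small list of MIME magic numbers standing in for the appliance's internal MIME list are all constructed for the example.

```python
"""Emulate the Layer 7 HTTP deep packet inspection checks of Table 7-11.

Added example, not ACE code: it parses raw HTTP requests and applies the
strict-HTTP, request-method, URL-length, header-length, transfer-encoding,
content-length and content-type-verification match conditions, returning
the equivalent of the Permit or Reset action. Policy values are constructed.
"""
import re

# The "RFC" choice of the Request Method match: methods defined in RFC 2616.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

# Hypothetical policy standing in for the GUI fields (constructed values).
POLICY = {
    "allowed_methods": RFC2616_METHODS,        # Request Method: RFC methods only
    "max_url_length": 1024,                    # URL Length: Less Than 1024
    "max_header_length": 255,                  # Header Length (Request): Less Than 255
    "max_content_length": 1_000_000,           # Content Length: Less Than 1000000
    "denied_transfer_encodings": {"chunked"},  # Transfer Encoding: chunked -> Reset
    "verify_content_type": True,               # Content-type Verification (inline match)
}

# Stand-in for the appliance's internal MIME list: a few magic numbers (assumption).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF",
}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")
HEADER_NAME = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 2616 token


def parse_request(raw: bytes) -> dict:
    """Split a raw request into its parts; raise ValueError on framing
    violations (this is the emulation of the Strict HTTP check)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing CRLFCRLF between headers and body")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not HEADER_NAME.fullmatch(name):
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.decode().lower(), value.strip().decode(errors="replace")))
    return {
        "method": m.group(1).decode(),
        "url": m.group(2).decode(),
        "headers": headers,
        "header_length": sum(len(line) + 2 for line in lines[1:]),  # bytes incl. CRLFs
        "body": body,
    }


def inspect(raw: bytes, policy: dict = POLICY) -> tuple:
    """Return ('permit', 'ok') or ('reset', reason), mirroring the two action types."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return "reset", f"strict-http: {exc}"
    if req["method"] not in policy["allowed_methods"]:
        return "reset", f"request-method: {req['method']} not permitted"
    if len(req["url"]) >= policy["max_url_length"]:
        return "reset", f"url-length: {len(req['url'])}"
    if req["header_length"] >= policy["max_header_length"]:
        return "reset", f"header-length: {req['header_length']}"
    hdr = dict(req["headers"])
    te = hdr.get("transfer-encoding", "").lower()
    if te in policy["denied_transfer_encodings"]:
        return "reset", f"transfer-encoding: {te}"
    declared = hdr.get("content-length")
    if declared is not None:
        # A Content-Length that disagrees with the body is the classic smuggling shape.
        if not declared.isdigit() or int(declared) != len(req["body"]):
            return "reset", "strict-http: Content-Length does not match the body"
        if int(declared) >= policy["max_content_length"]:
            return "reset", f"content-length: {declared}"
    ctype = hdr.get("content-type", "").split(";")[0].strip().lower()
    if policy["verify_content_type"] and ctype in MAGIC and not req["body"].startswith(MAGIC[ctype]):
        return "reset", f"content-type-verification: body is not {ctype}"
    return "permit", "ok"


# Constructed sample requests (not captured traffic).
GOOD = b"GET /latest/whatsnew.html HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n"
BAD_METHOD = b"CORVETTE /index.html HTTP/1.1\r\nHost: www.anydomain.com\r\n\r\n"
SMUGGLE = (b"POST /upload HTTP/1.1\r\nHost: www.anydomain.com\r\nContent-Length: 5\r\n\r\n"
           b"GET /admin HTTP/1.1\r\n")
FAKE_PNG = (b"POST /upload HTTP/1.1\r\nHost: www.anydomain.com\r\nContent-Type: image/png\r\n"
            b"Content-Length: 25\r\n\r\n<script>alert(1)</script>")

if __name__ == "__main__":
    for sample in (GOOD, BAD_METHOD, SMUGGLE, FAKE_PNG):
        print(sample.split(b"\r\n", 1)[0].decode(), "->", inspect(sample))
```

The order of the checks matters in practice as it does here: a request with a Content-Length that does not match its body is rejected before any content-type decision is made, because a mismatched length is what request smuggling through a load balancer relies on, and a body that claims to be an image but carries script is caught only because the declared type is compared with the actual bytes rather than trusted.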


Related Topics

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic

Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic

Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection

Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection

Use this procedure to add rules and actions for Layer 7 FTP command inspection policy maps.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Policy Map. The Policy Map table appears.

Step 2 In the Policy Map table, select the Layer 7 FTP command inspection policy map you want to set rules and actions for, then select the Rule tab. You can select multiple policy maps (hold down the Shift key while selecting entries) and apply common rules and actions to them.

The Rule table appears just below the Policy Map table. If you do not see the Rule tab, click Show Tabs just under the Policy Map table title.

Step 3 In the Rule table, click Add to add a new rule, or select an existing rule, then Edit to modify it. The Rule configuration screen appears.

Step 4 In the Rule Type field, select the type of rule to be used:

Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules and corresponding actions.

Match condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules and corresponding actions.

Step 5 For class maps, select the Use Class Default check box to use the class-default class map, or clear the check box to use a previously created class map.

Step 6 If you clear the Use Class Default check box:

a. In the Class Map Name field, select the class map to be used.

b. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.

N/A—Indicates that this option is not configured.

False—Indicates that this rule is not to precede another rule in this policy map.

True—Indicates that this rule is to precede another rule in this policy map.

c. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 7 For match conditions:

a. In the Match Condition Name field enter a name for the match condition for this rule. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

b. In the Match Condition Type field, select Request Method Name as the match condition type for this rule.

c. In the Request Method Name field, select the FTP command to be inspected for this rule. Table 7-6 describes the FTP commands that can be inspected.

Step 8 In the Insert Before field, specify whether this rule is to precede another rule in this policy map:

N/A—Indicates that this attribute is not set.

False—Indicates that this rule is not to precede another rule in the policy map.

True—Indicates that this rule is to precede another rule in the policy map.

Step 9 If you set Insert Before to True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 10 Click:

Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the Rule table. To define actions for this rule, continue with Step 11.

Cancel to exit this procedure without saving your entries and to return to the Policy Map table.

Next to save your entries and to configure another rule.


Note If you selected the Insert Before option in Step 8 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:

1. Click the Rule tab to refresh the Rule table.

2. In the Rule table, select the newly added rule.

When the screen refreshes, an empty action list appears.


Step 11 To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit to modify it. The Action configuration screen appears.

Step 12 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.

Step 13 In the Action Type field, specify the action to be taken for this rule:

Deny—Indicates that the ACE appliance is to deny the specified FTP command when this rule is met.

Mask-reply—Indicates that the ACE appliance is to mask the reply to the FTP SYST command by filtering sensitive information from the command output. The SYST reply identifies the server operating system, which is useful reconnaissance for an attacker. This action applies to the SYST command only.

Step 14 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Action table.

Next to save your entries and to configure another action for this rule.

Step 15 Click the Rule tab to refresh the Rule table before adding a new rule.
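The following Python program is an added example, not ACE code, that walks a constructed FTP control-channel session through the two action types of this procedure: Deny for a configured set of commands and Mask-reply for the SYST reply. The denied set and the server replies are constructed; the commands are raw FTP verbs (map them to the names in Table 7-6 when you configure the appliance), and both the error the client receives for a denied command and the exact substitution in the masked SYST reply are assumptions of the example.

```python
"""Emulate Layer 7 FTP command inspection on a control-channel session.

Added example, not ACE code: it applies the two action types from the
procedure above, Deny for a configured set of commands and Mask-reply for
the SYST reply. Command names are raw FTP verbs; the denied set and the
server replies are constructed. How the appliance answers a denied command
and exactly what it substitutes into the SYST reply are assumptions.
"""

DENIED = {"DELE", "SITE", "STOU"}   # hypothetical policy: deny delete, SITE and unique store


def inspect_command(line: str) -> tuple:
    """Classify one client line: ('permit'|'deny', VERB)."""
    verb = line.strip().split(" ", 1)[0].upper()
    return ("deny" if verb in DENIED else "permit"), verb


def mask_syst_reply(reply: str) -> str:
    """Hide the system-type text of a 215 reply while keeping the reply code,
    so the client still parses it but learns nothing about the server OS."""
    code, _, text = reply.strip().partition(" ")
    if code != "215":
        return reply.strip()
    return f"{code} {'X' * len(text)}"


def run_session(client_lines, server_replies) -> list:
    """Walk a constructed exchange through the inspector; returns (command, reply)
    pairs as the client would see them. Denied commands never reach the server."""
    transcript = []
    for line in client_lines:
        action, verb = inspect_command(line)
        if action == "deny":
            transcript.append((line, "550 Command denied by inspection policy"))  # assumed text
            continue
        reply = server_replies.get(verb, "200 Command okay.")
        if verb == "SYST":
            reply = mask_syst_reply(reply)
        transcript.append((line, reply))
    return transcript


# Constructed session (not captured traffic).
CLIENT = ["USER anonymous", "PASS guest@", "SYST", "DELE secrets.txt", "RETR notes.txt", "QUIT"]
SERVER = {
    "USER": "331 Please specify the password.",
    "PASS": "230 Login successful.",
    "SYST": "215 UNIX Type: L8",
    "RETR": "150 Opening BINARY mode data connection.",
    "QUIT": "221 Goodbye.",
}

if __name__ == "__main__":
    for command, reply in run_session(CLIENT, SERVER):
        print(f"C: {command}\nS: {reply}")
```

The masking keeps the three-digit reply code so that a well-behaved client proceeds normally; only the text that would tell a scanner which operating system and FTP daemon it is talking to is removed.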


Related Topics

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic

Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

Setting Policy Map Rules and Actions for Layer 7 HTTP Optimization

Use this procedure to add rules and actions for Layer 7 HTTP optimization policy maps.

Assumptions

An action list has been configured. See Configuring Action Lists, page 8-3 for more information.

A class map has been defined if you are not using the class-default class map. See Configuring Virtual Context Class Maps for more information.

Procedure


Step 1 Select Config > Virtual Contexts > context > Expert > Policy Map. The Policy Map table appears.

Step 2 In the Policy Map table, select the Layer 7 HTTP optimization policy map you want to set rules and actions for, then select the Rule tab. You can select multiple policy maps (hold down the Shift key while selecting entries) and apply common rules and actions to them.

The Rule table appears just below the Policy Map table. If you do not see the Rule tab, click Show Tabs just under the Policy Map table title.

Step 3 In the Rule table, click Add to add a new rule, or select an existing rule, then Edit to modify it. The Rule configuration screen appears.

Step 4 In the Rule Type field, select the type of rule to be used:

Class Map—Indicates that the ACE appliance is to use an existing class map that identifies the rules and corresponding actions.

Match condition—Indicates that the ACE appliance is to use a set of conditions to identify the rules and corresponding actions.

Step 5 For class maps, select the Use Class Default check box to use the class-default class map, or clear the check box to use a previously created class map.

Step 6 If you clear the Use Class Default check box:

a. In the Class Map Name field, select the class map to be used.

b. In the Insert Before field, indicate whether this rule is to precede another rule in this policy map.

N/A—Indicates that this option is not configured.

False—Indicates that this rule is not to precede another rule in this policy map.

True—Indicates that this rule is to precede another rule in this policy map.

c. If you select True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 7 For match conditions:

a. In the Match Condition Name field, enter a name for the match condition for this rule. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

b. In the Match Condition Type field, select the type of match condition to use and configure condition-specific options as described in Table 7-12.

Table 7-12 Layer 7 HTTP Optimization Match Condition Types 

Match Condition Type
Procedure

Cookie

Indicates that an HTTP cookie is to be used to establish a match condition.

1. In the Cookie Name field, enter a unique cookie name. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

2. In the Cookie Value field, enter a unique cookie value expression. Valid entries are unquoted text strings with no spaces and a maximum of 255 alphanumeric characters.

3. In the Secondary field, indicate whether the ACE appliance is to use both the cookie name and the cookie value to satisfy this match condition:

N/A—Indicates that this option is not configured.

False—Indicates that the ACE appliance is to use either the cookie name or the cookie value to satisfy this match condition.

True—Indicates that the ACE appliance is to use both the cookie name and the cookie value to satisfy this match condition.

Header

Indicates that an HTTP header is to be used to establish a match condition.

1. In the Header field, select one of the predefined HTTP headers to be matched, or select HTTP Header to specify a different HTTP header.

2. If you select HTTP Header, in the Header Name field, enter the name of the HTTP header to match. Valid entries are unquoted text strings with no spaces and a maximum of 64 alphanumeric characters.

3. In the Header Value field, enter the header value expression string to compare against the value in the specified field in the HTTP header. Valid entries are text strings with a maximum of 255 alphanumeric characters. The ACE appliance supports regular expressions for matching. To include spaces in the string, enclose the entire string in quotes. All headers in the header map must be matched. See Table 7-13 for a list of the supported characters that you can use in regular expressions.

Http-url

Indicates that a portion of an HTTP URL is to be used to establish a match condition.

1. In the URL Expr field, enter a URL or a portion of a URL to match. Valid entries are URL strings from 1 to 255 alphanumeric characters and include only the portion of the URL following www.hostname.domain. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

2. In the Method field, enter the HTTP method to match. Valid entries are method names entered as unquoted text strings with no spaces and a maximum of 64 alphanumeric characters. You can enter either one of the standard HTTP 1.1 method names (OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT) or a text string that must be matched exactly (for example, CORVETTE).


Step 8 In the Insert Before field, specify whether this rule is to precede another rule in this policy map:

N/A—Indicates that this attribute is not set.

False—Indicates that this rule is not to precede another rule in the policy map.

True—Indicates that this rule is to precede another rule in the policy map.

Step 9 If you set Insert Before to True, the Insert Before Policy Rule field appears. Select the rule that you want the current rule to precede.

Step 10 Click:

Deploy Now to deploy this configuration on the ACE appliance. The Action table appears below the Rule table. To define actions for this rule, continue with Step 11.

Cancel to exit this procedure without saving your entries and to return to the Rule table.

Next to save your entries and to configure another rule.


Note If you selected the Insert Before option in Step 8 and specified True, perform the following steps to refresh the Rule tab before adding an action for this rule:

1. Click the Rule tab to refresh the Rule table.

2. In the Rule table, select the newly added rule.

When the screen refreshes, an empty action list appears.


Step 11 To add an action for this rule, click Add in the Action table, or select an existing action, then click Edit to modify it. The Action configuration screen appears.

Step 12 In the Id field, either accept the automatically incremented entry or assign a unique identifier for this action.

Step 13 In the Action Type field, select Action-list to indicate that an action list is to be employed when the match criteria are met.

Step 14 In the Action List field, select the action list to apply to this policy map and rule.

Step 15 In the Optimization Parameter Map field, select the optimization parameter map to apply to this policy map and rule.

Step 16 Click:

Deploy Now to deploy this configuration on the ACE appliance.

Cancel to exit this procedure without saving your entries and to return to the Action table.

Next to save your entries and to configure another action for this rule.

Step 17 Click the Rule tab to refresh the Rule table before adding a new rule.


Related Topics

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic

Setting Policy Map Rules and Actions for Layer 3/Layer 4 Management Traffic

Setting Policy Map Rules and Actions for Layer 7 Server Load-Balancing Traffic

Setting Policy Map Rules and Actions for Layer 7 HTTP Deep Packet Inspection

Special Characters for Matching String Expressions

Table 7-13 identifies the special characters that can be used in matching string expressions.

Table 7-13 Special Characters for Matching String Expressions 

Convention
Description

.

One of any character.

.*

Zero or more of any character.

\.

Period (escaped).

\xhh

Non-printable character.

[charset]

Match any single character from the range.

[^charset]

Do not match any character in the range. All other characters represent themselves.

()

Expression grouping.

expr1 | expr2

OR of expressions.

(expr)*

0 or more of expression.

(expr)+

1 or more of expression.

.\a

Alert (ASCII 7).

.\b

Backspace (ASCII 8).

.\f

Form-feed (ASCII 12).

.\n

New line (ASCII 10).

.\r

Carriage return (ASCII 13).

.\t

Tab (ASCII 9).

.\v

Vertical tab (ASCII 11).

.\0

Null (ASCII 0).

.\\

Backslash.

.\x##

Any ASCII character as specified in two-digit hexadecimal notation.
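The following Python program is an added example, not ACE code, for testing a Header Value, Cookie Value or URL expression written with the Table 7-13 conventions before you deploy it in one of the Layer 7 policy maps above. It translates the expression into a Python regular expression, decoding the table's escapes itself because Python's re reads \b as a word boundary and \0 as an octal escape, and treats every character the table does not list (including ?, {, } and $) as a literal, as the table says. Two assumptions are made: that the expression must cover the whole value (anchored at both ends) and that . matches any character including a newline; confirm both against your appliance.

```python
"""Translate an ACE matching string expression (Table 7-13) to a Python regex.

Added example, not ACE code: use it to test a Header Value or URL expression
offline before deploying the rule. It assumes the expression must cover the
whole value (anchored at both ends) and that '.' matches any character
including a newline, as the table states; confirm both against your appliance.
"""
import re

# Table 7-13 backslash escapes, decoded to the character they stand for.
# Python's re would read \b as a word boundary and \0 as an octal escape,
# so they cannot be passed through unchanged.
CONTROL = {
    "a": "\x07", "b": "\x08", "f": "\x0c", "n": "\n", "r": "\r",
    "t": "\t", "v": "\x0b", "0": "\x00", "\\": "\\", ".": ".",
}


def _escape_at(expr: str, i: int) -> tuple:
    """Decode the escape starting at expr[i]; return (literal character, next index)."""
    nxt = expr[i + 1] if i + 1 < len(expr) else ""
    if nxt == "x" and re.fullmatch(r"[0-9A-Fa-f]{2}", expr[i + 2:i + 4]):
        return chr(int(expr[i + 2:i + 4], 16)), i + 4          # \x## from the table
    if nxt in CONTROL:
        return CONTROL[nxt], i + 2
    raise ValueError(f"unsupported escape {expr[i:i + 2]!r} at offset {i}")


def ace_to_python(expr: str) -> str:
    """Emit a Python pattern with the same meaning as the ACE expression.
    Only the conventions in Table 7-13 are special; everything else,
    including ?, {, } and $, is a literal character."""
    out, i, in_class = [], 0, False
    while i < len(expr):
        c = expr[i]
        if c == "\\":
            lit, i = _escape_at(expr, i)
            out.append(re.escape(lit))
            continue
        if in_class:
            if c == "]" and out[-1] not in ("[", "^"):   # ] right after [ or [^ is literal
                in_class = False
                out.append("]")
            elif c == "-" or (c == "^" and out[-1] == "["):
                out.append(c)                             # range operator / negation
            else:
                out.append(re.escape(c))
        elif c == "[":
            in_class = True
            out.append("[")
        elif c in ".*+()|":
            out.append(c)                                 # same meaning in both dialects
        else:
            out.append(re.escape(c))
        i += 1
    if in_class:
        raise ValueError("unterminated character class")
    return "".join(out)


def matches(expr: str, value: str) -> bool:
    """True when the ACE expression matches the whole header or URL value."""
    return re.fullmatch(ace_to_python(expr), value, re.DOTALL) is not None


if __name__ == "__main__":
    for expr, value in ((r".*\.html", "/latest/whatsnew.html"),
                        (r"(gzip|deflate)", "br"),
                        (r"/a.php?x=1", "/a.php?x=1"),
                        (r"[^\x00-\x1f]+", "clean")):
        print(f"{expr!r} vs {value!r}: {matches(expr, value)}")
```

The point of running expressions through a translator rather than straight into a PCRE engine is the dialect gap: a rule written from PCRE habit, such as a ? meant to make the preceding character optional or a $ meant as an end anchor, matches something different on the appliance, and an inspection rule that matches the wrong thing either blocks legitimate traffic or, worse, silently lets the traffic it was written for through.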


Related Topics

Configuring Traffic Policies

Configuring Virtual Context Class Maps

Configuring Virtual Context Policy Maps

Configuring Load Balancing with Real Servers, page 3-45

Configuring Server Farm Load Balancing, page 3-47

Configuring Load Balancing Using Sticky Groups, page 3-80