Command or Action / Purpose

Step 1
Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
- Enter your password if prompted.

Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: appfw policy-name policy-name
Example: Router(config)# appfw policy-name my_policy
Purpose: Defines an application firewall policy and enters application firewall policy configuration mode.

Step 4
Command: application protocol
Example: Router(cfg-appfw-policy)# application im aol
Purpose: Allows you to configure inspection parameters for a given protocol.
- protocol -- One of the following options:
  - http (HTTP traffic will be inspected)
  - im {aol | yahoo | msn} (Traffic for the specified instant messenger application will be inspected)
This command puts the router in appfw-policy-protocol configuration mode, where "protocol" depends on the protocol specified.

Step 5
Command: audit-trail {on | off}
Example: Router(cfg-appfw-policy-aim)# audit-trail on
Purpose: (Optional) Enables message logging for established or torn-down connections. If this command is not issued, the default value specified via the ip inspect audit-trail command is used.

Step 6
Command: server {permit | deny} {name string | ip-address {ip-address | range ip-address-start ip-address-end}}
Example: Router(cfg-appfw-policy-aim)# server permit name login.cat.aol.com
Purpose: Controls access to instant messenger servers.
Note: The server command helps the instant messenger application engine recognize port-hopping instant messenger traffic and enforce the security policy for that instant messenger application; if this command is not issued, the security policy cannot be enforced when IM applications use port-hopping techniques. To deploy IM traffic enforcement policies effectively, it is recommended that you issue the appropriate server command.

Step 7
Command: timeout seconds
Example: Router(cfg-appfw-policy-aim)# timeout 30
Purpose: (Optional) Specifies the elapsed length of time before an inactive connection is torn down.
- seconds -- Available timeout range: 5 to 43200 (12 hours).
If this command is not issued, the default value specified via the ip inspect tcp idle-time command is used.
Note: Some IM applications continue to send "keepalive-like" packets that effectively prevent the timeout even when the user is idle.

Step 8
Command: service {default | text-chat} action {allow [alarm] | reset [alarm] | alarm}
Example: Router(cfg-appfw-policy-aim)# service default action reset
Purpose: (Optional) Specifies an action when a specific service is detected in the instant messenger traffic.
- If a specific action is not specified for a service, the service default command is performed.
- If the service default command is not specified for an application, the system treats the action as "reset".

Step 9
Command: alert {on | off}
Example: Router(cfg-appfw-policy-aim)# alert on
Purpose: (Optional) Enables message logging when events such as the start of a text chat occur. If this parameter is not configured, the global setting of the ip inspect alert-off command takes effect.

Step 10
Command: exit
Example: Router(cfg-appfw-policy-aim)# exit
Example: Router(cfg-appfw-policy)# exit
Example: Router(config)# exit
Purpose: (Optional) Exits application firewall policy protocol configuration mode, application firewall policy configuration mode, and global configuration mode.

Step 11
Command: show appfw {configuration | dns cache} [policy policy-name]
Example: Router# show appfw dns cache policy abc
Purpose: (Optional) Displays the IP addresses that have been resolved by the DNS server and stored in the DNS cache of the IM traffic policy enforcement component of the Cisco IOS router.
- If you do not indicate a specific policy via the policy policy-name option, IP addresses gathered for all DNS names for all policies are displayed.
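The following session is an added example that walks Steps 1 through 11 for one policy covering all three IM applications; it is not a sample from the original table. The policy name, the 192.0.2.0/24 server addresses (a documentation range) and the yahoo/msn prompt strings are assumptions, the last two inferred from Step 4's statement that the prompt depends on the protocol.

```cisco
! Added example (not from the original table). Policy name and server
! addresses are constructed; the aim/ymsgr/msnmsgr prompts are assumed.
Router> enable
Router# configure terminal
Router(config)# appfw policy-name im_policy
!
! AOL: name-based server entry (Step 6), so the IM engine can follow
! port-hopping traffic; text chat allowed but logged, anything else reset.
Router(cfg-appfw-policy)# application im aol
Router(cfg-appfw-policy-aim)# audit-trail on
Router(cfg-appfw-policy-aim)# alert on
Router(cfg-appfw-policy-aim)# timeout 30
Router(cfg-appfw-policy-aim)# server permit name login.cat.aol.com
Router(cfg-appfw-policy-aim)# service text-chat action allow alarm
Router(cfg-appfw-policy-aim)# service default action reset alarm
Router(cfg-appfw-policy-aim)# exit
!
! Yahoo!: address-range server entry (constructed addresses). No explicit
! "service default" is given, so unmatched services are reset (Step 8).
Router(cfg-appfw-policy)# application im yahoo
Router(cfg-appfw-policy-ymsgr)# server permit ip-address range 192.0.2.10 192.0.2.20
Router(cfg-appfw-policy-ymsgr)# service text-chat action allow
Router(cfg-appfw-policy-ymsgr)# exit
!
! MSN: deny the (constructed) server address and reset every service,
! with an alarm so the attempt shows up in the logs.
Router(cfg-appfw-policy)# application im msn
Router(cfg-appfw-policy-msnmsgr)# server deny ip-address 192.0.2.30
Router(cfg-appfw-policy-msnmsgr)# service default action reset alarm
Router(cfg-appfw-policy-msnmsgr)# exit
Router(cfg-appfw-policy)# exit
Router(config)# exit
!
! Step 11: confirm which addresses the name-based entry resolved to.
Router# show appfw dns cache policy im_policy
```

If the cache shows no entries for login.cat.aol.com, the name-based server entry is not yet protecting against port hopping; check that the router can resolve DNS names before relying on the policy.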