Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.8
Configuring Application Protocol Inspection on the Virtual Firewall


This module describes how to configure application protocol inspection for the VFW application. Application protocol inspection provides functionality for several protocols that carry Layer 3 and Layer 4 information in the application payload, require some form of deep packet inspection of the HTTP protocol, or require FTP request command filtering.

Feature History for Configuring Application Protocol Inspection on the VFW Application

Release 3.5.0: This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.

Release 3.6.0: No modification.

Release 3.7.0: No modification.

Release 3.8.0: LDAP, SIP, and SCCP (skinny) protocol inspection were added.


Contents

Information About Application Protocol Inspection

How to Configure Application Protocol Inspection

How to Configure a Parameter Map for Use in a Layer 3 and Layer 4 Policy Map

Configuration Examples for Application Protocol Inspection

Additional References

Information About Application Protocol Inspection

Certain applications require special handling of the data portion of a packet as the packets pass through the VFW application. Application protocol inspection helps to verify the protocol behavior and identify unwanted or malicious traffic passing through the VFW application. Based on the specifications of the traffic policy, the VFW application accepts or rejects the packets to ensure the secure use of applications and services.

This section includes the following topics on application protocol inspection:

Performing Application Protocol Inspection

Application Inspection Protocol Overview

Performing Application Protocol Inspection

You can configure the VFW application to perform application protocol inspection, sometimes referred to as application protocol fixup, for applications that:

Embed IP addressing information in the data packet, including the data payload.

Open secondary channels on dynamically assigned ports.

You may require that the VFW application perform application inspection of Domain Name System (DNS), FTP, HTTP, Internet Control Message Protocol (ICMP), Internet Locator Service (ILS), Real-Time Streaming Protocol (RTSP), Skinny Client Control Protocol (SCCP), and Session Initiation Protocol (SIP) as a first step before passing the packets to the destination server. For HTTP, the VFW application performs deep packet inspection to statefully monitor the HTTP protocol and permits or denies traffic based on user-defined traffic policies. HTTP deep packet inspection focuses mainly on HTTP attributes such as the HTTP header, URL, and payload. For FTP, the VFW application performs FTP command inspection for FTP sessions, allowing you to restrict specific commands.

Application inspection helps you identify the location of embedded IP addressing information in the TCP or UDP flow. This inspection allows the VFW application to translate embedded IP addresses and to update any checksum or other fields that are affected by the translation.

The need to translate IP addresses embedded in the payload of protocols is especially important for NAT (explicitly configured by the user).

Application inspection also monitors TCP or UDP sessions to determine the port numbers for secondary channels. Some protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application protocol inspection function monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the session.

Table 9 describes the application inspection protocols supported by the VFW application, the default TCP or UDP protocol and port, and whether the protocol is compatible with Network Address Translation (NAT) and Port Address Translation (PAT).

Table 9 Application Inspection Support

Columns: Application Protocol; Protocol; Port; NAT/PAT Support; Enabled by Default; Standards (see note 1); Comments/Limitations

DNS
  Protocol: UDP
  Port: Source Any, Destination 53
  NAT/PAT Support: NAT
  Enabled by Default: No
  Standards: RFC 1123
  Comments/Limitations: Inspects DNS packets destined to port 53. You can specify the maximum length of the DNS packet to be inspected. See the "DNS Inspection" section for background information.

FTP
  Protocol: TCP
  Port: Source Any, Destination 21
  NAT/PAT Support: Both
  Enabled by Default: No
  Standards: RFC 959
  Comments/Limitations: Inspects FTP packets, translates the address and port embedded in the payload, and opens up a secondary channel for data. See the "FTP Inspection" section for background information.

FTP strict
  Protocol: TCP
  Port: Source Any, Destination 21
  NAT/PAT Support: Both
  Enabled by Default: No
  Standards: RFC 959
  Comments/Limitations: The inspect ftp strict command allows the VFW application to track each FTP command and response sequence, and prevents an FTP client from determining valid usernames that are supported on an FTP server. See the "FTP Inspection" section for background information.

HTTP
  Protocol: TCP
  Port: Source Any, Destination 80
  NAT/PAT Support: Both
  Enabled by Default: No
  Standards: RFC 2616
  Comments/Limitations: Inspects HTTP packets. See the "HTTP Deep Packet Inspection" section for background information.

ICMP
  Protocol: ICMP
  Port: Source N/A, Destination N/A
  NAT/PAT Support: Both
  Enabled by Default: No
  Comments/Limitations: See the "ICMP Inspection" section for background information.

ICMP error
  Protocol: ICMP
  Port: Source N/A, Destination N/A
  NAT/PAT Support: NAT
  Enabled by Default: No
  Comments/Limitations: The error keyword supports NAT of ICMP error messages. When you enable ICMP error inspection, the VFW application creates translation sessions for intermediate hops that send ICMP error messages, based on the NAT configuration. The VFW application overwrites the packet with the translated IP addresses. See the "ICMP Inspection" section for background information.

ILS
  Protocol: TCP
  Port: Source Any, Destination 389
  NAT/PAT Support: NAT
  Enabled by Default: No
  Standards: RFC 2251 (LDAPv3); includes support for RFC 1777 (LDAPv2)
  Comments/Limitations: Referral requests and responses are not supported. Users in multiple directories are not unified. Single users having multiple identities in multiple directories cannot be recognized by NAT.

RTSP
  Protocol: TCP
  Port: Source Any, Destination 554
  NAT/PAT Support: NAT
  Enabled by Default: No
  Standards: RFC 2326, RFC 2327, RFC 1889
  Comments/Limitations: Inspects RTSP packets and translates the payload according to NAT rules. The VFW application opens up the secondary channels for audio and video. Not all the RTSP methods (packet types) specified in the RFC are supported. See the "RTSP Inspection" section for background information.

SCCP
  Protocol: TCP
  Port: Source Any, Destination 2000
  NAT/PAT Support: NAT
  Enabled by Default: No
  Comments/Limitations: The VFW application does not support PAT with SCCP.

SIP
  Protocol: TCP and UDP
  Port: Source Any, Destination 5060
  NAT/PAT Support: NAT
  Enabled by Default: No
  Standards: RFC 2543, RFC 3261, RFC 3265, RFC 3428
  Comments/Limitations: The VFW application does not support PAT with SIP.

Note 1: The VFW application is in compliance with these standards, but it does not enforce compliance on packets being inspected. For example, FTP commands are supposed to be in a particular order, but the VFW application does not enforce the order.


You configure rules for application protocol inspection through the use of class maps, policy maps, and service policies. The following items summarize the role of each function in configuring application protocol inspection:

Layer 7 Class map—Provides the Layer 7 network traffic classification to identify HTTP deep protocol inspection attributes (such as HTTP header and URL), FTP request commands and Session Initiation Protocol (SIP) message attributes.

Layer 7 Policy Map—Configures the applicable HTTP deep packet inspection, SIP message inspection, or FTP request command actions executed on the network traffic that match the classifications defined in the Layer 7 class map. Also configures Skinny Client Control Protocol (SCCP) inspection.

Layer 3 and Layer 4 Class map—Classifies network traffic passing through the VFW application for application inspection and matches traffic associated with the specified inspect commands in a policy map.

Layer 3 and Layer 4 Policy map—Enables HTTP, DNS, FTP, ICMP, RTSP, SIP, and SCCP protocol inspection and FTP command inspection for a traffic classification that matches the criteria listed in the class map.

Service policy—Activates the policy map and attaches the traffic policy to an interface or globally on all interfaces.

The flow chart shown in Figure 14 provides a basic overview of the process required to configure class maps and policy maps to perform application protocol inspection. The flow chart also illustrates how the VFW application associates the various components of the class map and policy map configuration with each other.

Figure 14 Application Protocol Inspection Configuration Flow Diagram

Application Inspection Protocol Overview

This section provides an overview on the following application inspection protocols supported by the VFW application:

HTTP Deep Packet Inspection

DNS Inspection

FTP Inspection

ICMP Inspection

ILS Inspection

RTSP Inspection

SCCP Inspection

SIP Inspection

HTTP Deep Packet Inspection

The VFW application performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a special case of application inspection where the VFW application examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the main focus of the application inspection process is on HTTP attributes such as HTTP header, URL, and to a limited extent, the payload. User-defined regular expressions can also be used to detect "signatures" in the payload.

You define policies to permit or deny the traffic, or to send a TCP reset message to the client or server to close the connection.

The security features covered by HTTP application inspection include:

RFC compliance monitoring and RFC method filtering

Content, URL, and HTTP header length checks

Transfer-encoding methods

Content type verification and filtering

Port 80 misuse

DNS Inspection

Domain Name System (DNS) inspection performs the following tasks:

Monitors the message exchange to ensure that the ID of the DNS response matches the ID of the DNS query.

Allows one DNS response for each DNS query in a UDP connection. The VFW application removes the DNS session associated with the DNS query as soon as the DNS reply is forwarded.

Translates the DNS A-record based on the NAT configuration. Only forward lookups are translated; the VFW application does not handle PTR records.


Note: The DNS rewrite function is not applicable for PAT because multiple PAT rules are applicable for each A-record. The use of multiple PAT rules makes it difficult for the VFW application to properly choose the correct PAT rule.


Performs a maximum DNS packet length check to verify that the maximum length of a DNS reply is no greater than the value specified in the inspect dns command.


Note: If you enter the inspect dns command without specifying the maximum-length option, the VFW application does not check the DNS packet size.


Performs a number of security checks, including:

Verification that the maximum label length is no greater than 63 bytes

Verification that the maximum domain name length is no greater than 255 bytes

Check for the existence of compression loops

A single connection is created for multiple DNS sessions, as long as the DNS sessions are between the same two hosts, and the sessions have the same 5-tuple (source and destination IP address, source and destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the security appliance within a limited period of time and there is no resource buildup. However, if you enter the show connection command, you see the idle timer of a DNS connection being reset by a new DNS session. This reset action is due to the nature of the shared DNS connection and is intended by design.
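The DNS checks listed above (label length, domain name length, compression loops, maximum packet length, and query/response ID matching) as an added Python example; this is not code from this guide or from the VFW implementation, and the DNS messages it parses are constructed samples rather than captured traffic.

```python
import struct

MAX_LABEL_LEN = 63    # RFC 1035 label limit enforced by DNS inspection
MAX_NAME_LEN = 255    # RFC 1035 wire-format domain name limit
HEADER_LEN = 12

class DnsInspectError(Exception):
    """Raised when a message fails one of the inspection checks."""

def read_name(msg, offset):
    """Decode the domain name at offset; return (name, offset after it).
    Enforces the 63-byte label and 255-byte name limits and refuses a
    compression pointer that leads back to an offset already entered."""
    labels, wire_len, pos, resume = [], 0, offset, None
    visited = {offset}                   # offsets already entered
    while True:
        if pos >= len(msg):
            raise DnsInspectError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:        # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise DnsInspectError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target in visited:
                raise DnsInspectError("compression loop via offset %d" % target)
            visited.add(target)
            if resume is None:           # parsing resumes after the first pointer
                resume = pos + 2
            pos = target
            continue
        # Any non-pointer length octet above 63 is an over-long label or a
        # reserved label type; both are rejected by the label-length check.
        if length > MAX_LABEL_LEN:
            raise DnsInspectError("label length %d exceeds %d" % (length, MAX_LABEL_LEN))
        wire_len += length + 1           # length octet plus label octets
        if wire_len > MAX_NAME_LEN:
            raise DnsInspectError("name exceeds %d bytes" % MAX_NAME_LEN)
        if length == 0:                  # root label terminates the name
            return ".".join(labels), (resume if resume is not None else pos + 1)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise DnsInspectError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length

def inspect_dns(msg, max_length=None):
    """Apply the packet-length, header and name checks; return a summary."""
    if max_length is not None and len(msg) > max_length:
        raise DnsInspectError("packet of %d bytes exceeds maximum %d" % (len(msg), max_length))
    if len(msg) < HEADER_LEN:
        raise DnsInspectError("message shorter than DNS header")
    ident, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    pos, questions, answers = HEADER_LEN, [], []
    for _ in range(qdcount):
        name, pos = read_name(msg, pos)
        if pos + 4 > len(msg):
            raise DnsInspectError("truncated question")
        questions.append(name)
        pos += 4                          # QTYPE, QCLASS
    for _ in range(ancount):
        name, pos = read_name(msg, pos)  # answer names normally use pointers
        if pos + 10 > len(msg):
            raise DnsInspectError("truncated resource record")
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlength             # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if pos > len(msg):
            raise DnsInspectError("RDATA runs past end of message")
        answers.append(name)
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def violation(msg, max_length=None):
    """Reason a message would be dropped, or None if it passes every check."""
    try:
        inspect_dns(msg, max_length)
        return None
    except DnsInspectError as exc:
        return str(exc)

def reply_matches_query(query, reply):
    """ID-match check: a response passes only if its ID equals the query ID."""
    q, r = inspect_dns(query), inspect_dns(reply)
    return (not q["is_response"]) and r["is_response"] and q["id"] == r["id"]

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def header(ident, flags, qdcount, ancount):
    return struct.pack("!HHHHHH", ident, flags, qdcount, ancount, 0, 0)

# Constructed sample messages (not captured traffic).
QUESTION = encode_name("www.example.com") + b"\x00\x01\x00\x01"
QUERY = header(0x1234, 0x0100, 1, 0) + QUESTION
REPLY = (header(0x1234, 0x8180, 1, 1) + QUESTION
         + b"\xc0\x0c"                   # pointer back to the question name
         + b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes([192, 0, 2, 10]))
SPOOFED = header(0x4321, 0x8180, 1, 0) + QUESTION        # transaction ID mismatch
LOOPED = header(0x1234, 0x0100, 1, 0) + b"\x03www\xc0\x10" + b"\x00\x01\x00\x01"
LONG_LABEL = header(0x1234, 0x0100, 1, 0) + bytes([64]) + b"a" * 64 + b"\x00\x00\x01\x00\x01"
LONG_NAME = header(0x1234, 0x0100, 1, 0) + (bytes([63]) + b"a" * 63) * 4 + b"\x00\x00\x01\x00\x01"
```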

FTP Inspection

File Transfer Protocol (FTP) inspection inspects FTP sessions for address translation in a message, dynamic opening of ports, and stateful tracking of request and response messages. Each specified FTP command must be acknowledged before the VFW application allows a new command. Command filtering allows you to restrict specific commands. When the VFW application denies a command, it closes the connection.

The FTP command inspection process, as performed by the VFW application:

Prepares a dynamic secondary data connection. The channels are allocated in response to a file upload, a file download, or a directory listing event and must be pre-negotiated. The port is negotiated through the PORT or PASV commands.

Tracks the FTP command-response sequence. If you specify the strict keyword with the inspect ftp command in a Layer 3 and Layer 4 policy map, the VFW application tracks each FTP command and response sequence for the anomalous activity outlined below. The strict keyword is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and Layer 4 policy map) to deny certain FTP commands or to mask the server reply to the SYST command.


Note: The use of the strict option may affect FTP clients that do not comply with the RFC standards.


Truncated command—Checks the number of commas in the PORT and PASV reply command against a fixed value of five. If the value is not five, the VFW application assumes that the PORT command is truncated and issues a warning message and closes the TCP connection.

Incorrect command—Checks the FTP command to verify if it ends with <CR><LF> characters, as required by RFC 959. If the FTP command does not end with those characters, the VFW application closes the connection.

Size of RETR and STOR commands—Checks the size of the RETR and STOR commands against a fixed constant of 256. If the size is greater, the VFW application logs an error message and closes the connection.

Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT command is sent from the server, the VFW application denies the TCP connection.

Reply spoofing—Verifies that the PASV reply command (227) is always sent from the server. If a PASV reply command is sent from the client, the VFW application denies the TCP connection. This denial prevents a security hole when the user executes "227 xxxxx a1, a2, a3, a4, p1, p2."

Invalid port negotiation—Checks the negotiated dynamic port value to verify that it is greater than 1024 (port numbers in the range from 2 to 1024 are reserved for well-known connections). If the negotiated port falls in this range, the VFW application closes the TCP connection.

Command pipelining—Checks the number of characters present after the port numbers in the PORT and PASV reply command against a constant value of 8. If the number of characters is greater than 8, the VFW application closes the TCP connection.

Translates embedded IP addresses in conjunction with NAT. FTP command inspection translates the IP address within the application payload. Refer to RFC 959 for background details.
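The strict-mode checks listed above (CRLF termination, truncated PORT/PASV, RETR/STOR size, command and reply spoofing, port range, command pipelining) plus the one-command-at-a-time rule, as an added Python example; it is not code from this guide or from the VFW implementation, and the control-channel exchange it runs is constructed.

```python
import re

MAX_TRANSFER_CMD_LEN = 256      # RETR/STOR size limit
MAX_TRAILING_CHARS = 8          # characters allowed after the port numbers
LOWEST_DYNAMIC_PORT = 1025      # negotiated port must be greater than 1024
ADDR_SPEC = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(.*)$")

def check_port_spec(text, what):
    """Truncation, port-range and pipelining checks on h1,h2,h3,h4,p1,p2."""
    if text.count(",") != 5:
        return "truncated %s: expected 5 commas, found %d" % (what, text.count(","))
    m = ADDR_SPEC.search(text)
    if m is None:
        return "malformed %s address specification" % what
    port = int(m.group(5)) * 256 + int(m.group(6))
    if port < LOWEST_DYNAMIC_PORT:
        return "invalid port negotiation: %d is not greater than 1024" % port
    if len(m.group(7)) > MAX_TRAILING_CHARS:
        return "command pipelining: %d characters after port numbers" % len(m.group(7))
    return None

def negotiated_port(text):
    m = ADDR_SPEC.search(text)
    return int(m.group(5)) * 256 + int(m.group(6))

def strict_check(line, from_client):
    """Return None if one control-channel line passes the strict checks, else the reason."""
    if not line.endswith(b"\r\n"):
        return "incorrect command: not terminated by CRLF"
    text = line[:-2].decode("ascii", "replace")
    verb = text.split(" ", 1)[0].upper()
    if from_client:
        if verb == "227":
            return "reply spoofing: PASV reply sent by client"
        if verb in ("RETR", "STOR") and len(text) > MAX_TRANSFER_CMD_LEN:
            return "oversized %s command (%d bytes)" % (verb, len(text))
        if verb == "PORT":
            return check_port_spec(text, "PORT command")
    else:
        if verb == "PORT":
            return "command spoofing: PORT command sent by server"
        if verb == "227":
            return check_port_spec(text, "PASV reply")
    return None

class FtpStrictSession:
    """Tracks the command/reply sequence of one FTP control connection."""
    def __init__(self):
        self.awaiting_reply = False
        self.data_ports = []            # ports a data-channel pinhole would be opened for

    def feed(self, line, from_client):
        reason = strict_check(line, from_client)
        if reason is not None:
            return ("close", reason)
        text = line[:-2].decode("ascii", "replace")
        verb = text.split(" ", 1)[0].upper()
        if from_client:
            if self.awaiting_reply:     # previous command not yet acknowledged
                return ("close", "new command before previous command was acknowledged")
            self.awaiting_reply = True
            if verb == "PORT":
                self.data_ports.append(negotiated_port(text))
        else:
            if re.match(r"\d{3} ", text):   # final reply line "NNN text"
                self.awaiting_reply = False
            if verb == "227":
                self.data_ports.append(negotiated_port(text))
        return ("allow", None)

def run_exchange(exchange):
    """Feed (from_client, line) pairs; return (verdict per line, negotiated data ports)."""
    session = FtpStrictSession()
    verdicts = [session.feed(line, from_client) for from_client, line in exchange]
    return verdicts, session.data_ports

# Constructed control-channel exchange (not captured traffic).
GOOD_EXCHANGE = [
    (False, b"220 ftp.example.test ready\r\n"),
    (True,  b"USER alice\r\n"),
    (False, b"331 Password required\r\n"),
    (True,  b"PASS secret\r\n"),
    (False, b"230 Logged in\r\n"),
    (True,  b"PORT 192,0,2,10,4,1\r\n"),       # client data port 4*256+1 = 1025
    (False, b"200 PORT command successful\r\n"),
    (True,  b"PASV\r\n"),
    (False, b"227 Entering Passive Mode (192,0,2,1,19,137).\r\n"),  # 19*256+137 = 5001
]
PIPELINED = GOOD_EXCHANGE[:2] + [(True, b"PASS secret\r\n")]   # second command before 331
```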

ICMP Inspection

Internet Control Message Protocol (ICMP) inspection allows ICMP traffic to have a "session" so it can be inspected similarly to TCP and UDP traffic. Without using ICMP inspection, we recommend that you do not allow ICMP traffic to pass through the VFW application in an ACL. Without performing stateful inspection, ICMP can be used to attack your network. ICMP inspection ensures that there is only one response for each request, and that the sequence number is correct.

For stateful ICMP, state information, as maintained for TCP or UDP flows, is maintained for ICMP instead of performing only the ACL and NAT functions. The maintenance of ICMP state information is required to resolve the following problems:

ICMP reply messages without request messages

Unsolicited ICMP error message

Unknown ICMP types

ICMP error messages are generated by intermediate nodes situated on the network path to a destination whenever a packet sent to that destination cannot be forwarded. ICMP error messages may also be generated by endpoint nodes, as in the case of port unreachable errors. These error messages carry the original packet for which the error is generated in the data part of the message. They also contain the addresses of the intermediate node or endpoint node in the outer header and the destination in the inner header. ICMP error fixup handles address translation of node address and destination address to global addresses using NAT configuration.

ICMP error fixup is user-configurable, and if not enabled, intermediate node or endpoint node addresses are translated in the same way as the destination address of the embedded packet. As a result, error messages appear as if originating from the destination and the node addresses or the route to the destination is not revealed.

ICMP inspection performs the following tasks for ICMP request or reply messages:

Creates a bidirectional session or connection record. The lookup key in the forward direction is the source IP address, destination IP address, protocol, ICMP type, ICMP identifier, and interface.

Verifies that the connection record contains a sequence number window specifying the list of sequence numbers of outstanding requests for which replies are pending.

Ensures that the connection record has a timeout, so that inactive connection records can be reused for other flows and the inside network is protected against fraudulent ICMP reply packets.

Allows reply packets only if a valid connection record exists and prevents the reply packets from passing through an ACL again if the connection record (or the state information) exists.

Creates a connection record for the transit ICMP request or reply packets, and also for those packets addressed to or from the VFW application.

ICMP error message inspection performs the following tasks:

Extracts the embedded IP header in the ICMP error message and checks for the presence of a connection record corresponding to the embedded packet for which the error message has been generated.

Performs an ACL check on the ICMP error message regardless of the existence of a session for the embedded packet. The ICMP error message itself is stateless and requires access control.

Allocates NAT translation entries (xlate) for intermediate nodes or endpoint nodes to perform NAT of a local IP address to a global IP address in any ICMP error message.

Updates the checksum in the outer and inner headers.

ILS Inspection

Internet Locator Service (ILS) is used by Microsoft NetMeeting to help users find other users. ILS interfaces with the Lightweight Directory Access Protocol (LDAP) to provide directory services. The VFW application ILS inspection feature provides NAT support for NetMeeting, Site Server, and Active Directory products that use LDAP to exchange directory information with an ILS server. The VFW application does not support PAT for ILS because the LDAP database stores only IP addresses and not ports.

ILS/LDAP follows the client/server model and uses a single TCP connection for each session. Depending on the client actions, several sessions may be required. During the connection setup, the client sends a BIND protocol data unit (PDU) to the server. After the client receives the BIND RESPONSE from the server, other messages (for example, ADD, DEL, SEARCH, or MODIFY) can be exchanged to perform operations on the ILS Directory.

The ADD REQUEST and SEARCH REQUEST PDUs may contain addresses of NetMeeting peers. NetMeeting version 2.x and 3.x provide ILS support.

Because ILS traffic occurs only on the secondary UDP channel, the VFW application disconnects the TCP connection after the TCP inactivity interval has elapsed. By default, the TCP inactivity timeout is 60 minutes, but you can adjust it using a connection parameter map. For information about configuring a connection parameter map, see "Configuring TCP/IP Normalization and IP Reassembly Parameters on the Virtual Firewall".

The VFW application performs the following ILS inspection operations:

Decodes the LDAP REQUEST/RESPONSE PDUs, using the Basic Encoding Rules (BER) decoder functions

Parses the LDAP packet

Extracts IP addresses

Translates IP addresses as necessary

Encodes the PDU with translated addresses using BER encode functions

Copies the newly encoded PDU back to the TCP packet

Performs an incremental TCP checksum and sequence number adjustment

The following restrictions apply to the ILS inspection feature:

Referral requests and responses are not supported.

Users in multiple directories are not unified.

Single users having multiple identities in multiple directories cannot be recognized by NAT.

RTSP Inspection

Real Time Streaming Protocol (RTSP) is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. RTSP applications use the well-known port 554 with TCP and UDP as the control channel. The VFW application only supports TCP in conformity with RFC 2326.

The TCP control channel negotiates the data channels used to transmit audio and video traffic, depending on the transport mode that is configured on the client. The supported data transport modes are rtp/avp, rtp/avp/udp, x-real-rdt, x-real-rdt/udp, and x-pn-tng/udp. Data transport types rtp/avp/tcp and x-real-rdt/tcp use the control channel to stream data. RTSP inspection is not required in this case to open a pinhole for the data channel.

The VFW application parses SETUP response messages with a status code of 200.

Because RFC 2326 does not require that the client and server ports be contained in the SETUP response message, the VFW application must keep track of state and remember the client ports in the SETUP message. QuickTime places the client ports in the SETUP message; the server responds with only the server ports.

During RTSP inspection, the VFW application does not:

Inspect RTSP messages passing through UDP ports.

Support RealNetworks multicast mode (x-real-rdt/mcast).

Support the ability to recognize HTTP cloaking where RTSP messages are hidden in HTTP messages.

Perform NAT on RTSP messages because the embedded IP addresses are contained in the Session Description Protocol (SDP) files as part of HTTP or RTSP messages.

The following additional restrictions apply to RTSP inspection as performed by the VFW application:

With Cisco IP/TV, the number of translations the VFW application performs on the SDP part of the message is proportional to the number of program listings in the Content Manager. (Each program listing can have at least six embedded IP addresses.)

When using RealPlayer, you must properly configure transport mode. For the VFW application, add an ACL classification from the server to the client. For RealPlayer, change the transport mode by clicking Tools>Preferences>Connection>Network Transport>RTSP Settings.

If you use TCP mode on the RealPlayer, check the Attempt to use TCP for all content check box. It is not necessary to configure RTSP application inspection on the VFW application.

If you use UDP mode on the RealPlayer, check the Attempt to use UDP for all content check box. Configure RTSP application inspection on the VFW application.

SCCP Inspection

Skinny Client Control Protocol (SCCP) is used in VoIP networks, for example, with Cisco IP phones and Cisco CallManager. The VFW application supports all versions of the SCCP protocol through version 3.3.2.

SCCP inspection provides the following operations:

Supports NAT for embedded IP addresses and ports.

Dynamically opens secure ports.

Drops messages with an SCCP prefix length that is less than the message ID length (configurable).

Supports video.

Validates message ID length (configurable maximum).

Ensures that only registered clients can make calls. This feature is configurable and is disabled by default.

SIP Inspection

Session Initiation Protocol (SIP) is used for call-handling sessions, especially two-party conferences. SIP works with SDP for call signaling.

SIP inspection provides the following operations:

Translates the SIP text-based messages, recalculates the content length for the SDP portion of the message, and recalculates the packet length and checksum.

Dynamically opens media connections for ports specified in the SDP portion of the SIP message as addresses and ports on which the endpoint should listen.

Opens RTP and RTCP connections between the two endpoints using media addresses and ports that are maintained in a SIP inspection database with CALL_ID, FROM, and TO indices from the SIP header. These indices identify the call, the source, and the destination.

Performs RFC 3261 compliance checks, including checking the Request Message to ensure that it is one of the predefined methods—OPTIONS, INVITE, REGISTER, ACK, CANCEL, BYE—and validates their syntax.

Checks whether a SIP message is compliant with the following RFC extensions:

RFC 2976 (INFO)

RFC 3262 (PRACK)

RFC 3265 (SUBSCRIBE/NOTIFY)

RFC 3311 (UPDATE)

RFC 3428 (MESSAGE)

RFC 3515 and RFC 3892 (REFER)

Enforces the mandatory header fields (From, To, Call-Id, CSeq, Via, Max-Forwards) presence and validity.

Enforces forbidden header fields.

Checks URI in Header fields against a permit or deny list of callers or callees. If the user is not entitled to talk to any host on the protected network, the SIP VFW application module generates a SIP message (Response 603 Decline).

Checks the Via field to deny messages from specific SIP proxy servers.

Checks the validity of each header parameter in the context of each message following the syntax rules specified in RFC 3261.

Removes the optional User-Agent and Server header fields to hide the endpoint software version.

Checks the Max-Forwards header field. If the Max-Forwards value reaches 0 before the request reaches its destination, the VFW application rejects the request with a 483 (Too Many Hops) error response.

Validates SIP URIs and URIs present in the SIP header fields.

Handles unknown SIP methods. Because SIP is an evolving protocol, which includes many extensions, some of the new methods may not be recognized by the VFW application. (Only the methods defined by RFC 3261 and the extensions listed above are supported.) You can configure how the VFW application handles "unknown" SIP methods.

Permits or denies third-party registrations or deregistrations and specifies which users are allowed to perform these functions. If this policy is enabled, REGISTER messages, with mismatched To and From headers and with From values that do not match any of the privileged user IDs, are dropped.

Protects against buffer overflows as follows:

Enforces the Content-Length and the Content-Type (user-configurable) values.

Allows you to configure the maximum size of a SIP message body. When a request or response SIP message passes through the VFW application module, the message is checked to ensure that it meets the size constraints. If it does not, the action configured for this policy by the user is executed.

Cross-checks the Content-Length header field value with the actual message size.

Allows you to select whether a subset of Content-types is permitted through the VFW application module. You can specify the Content-type string in the form of a regular expression, for example, Application/SDP, text/html. The default behavior is to allow all types.

Enforces SIP or SIPS URI length (user-configurable).

Enables or disables Instant Messenger (IM):

Allows you to disable IM over SIP, which causes the VFW application to drop all messages belonging to IM as specified by SIMPLE RFC extensions. An appropriate warning message is displayed to call out the exact methods that this feature drops.

You can specify a list of users (in the form of a regex) that are not allowed to use IM through the VFW application module.

Allows you to configure which SIP methods the VFW application supports. You can also specify whether additional SIP methods (that are not part of the RFCs or RFC extensions that the VFW application is compliant with) should be denied. The VFW application maintains the list of invalid methods as a regex table.

Enables you to hide or remove risky header fields (for example, Alert-Info and Call-Info) that, if provided by a malicious caller, may cause the callee to display inappropriate, offensive, dangerous, or illegal content.

Allows you to enable IP address privacy. If both the caller and the callee are on the inside network and on the same subnet, and the proxy is on the outside network, there is a possibility that the two parties may try to contact each other by bypassing the proxy. If enabled, this feature prevents such direct contact, because the embedded addresses in the message from the proxy to the callee are not fixed. Therefore, the callee cannot learn the real IP address of the caller.
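Several of the SIP checks described above (method allow-list with configurable handling of unknown methods, mandatory header presence, Max-Forwards reaching 0 answered with 483, Content-Length cross-check and maximum body size, removal of User-Agent/Server and of Alert-Info/Call-Info) as an added Python example; this is not code from this guide or from the VFW implementation, and the INVITE it inspects is a constructed sample.

```python
RFC3261_METHODS = {"OPTIONS", "INVITE", "REGISTER", "ACK", "CANCEL", "BYE"}
EXTENSION_METHODS = {"INFO", "PRACK", "SUBSCRIBE", "NOTIFY", "UPDATE", "MESSAGE", "REFER"}
KNOWN_METHODS = RFC3261_METHODS | EXTENSION_METHODS
MANDATORY_HEADERS = ("from", "to", "call-id", "cseq", "via", "max-forwards")
VERSION_HEADERS = {"user-agent", "server"}     # removed to hide software versions
RISKY_HEADERS = {"alert-info", "call-info"}     # removed as risky content

def parse_sip(raw):
    """Split a SIP message into (start line, [(lower name, value, raw line)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF separator between headers and body")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip(), line))
    return lines[0], headers, body

def first_header(headers, name):
    for lower, value, _ in headers:
        if lower == name:
            return value
    return None

def inspect_sip_request(raw, allow_unknown_methods=False, max_body_size=None):
    """Return (verdict, reason, sanitized message or None) for one SIP request."""
    try:
        start, headers, body = parse_sip(raw)
    except ValueError as exc:
        return ("drop", str(exc), None)
    parts = start.split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return ("drop", "malformed request line", None)
    method = parts[0]
    if method not in KNOWN_METHODS and not allow_unknown_methods:
        return ("drop", "unknown method %s" % method, None)
    missing = [h for h in MANDATORY_HEADERS if first_header(headers, h) is None]
    if missing:
        return ("drop", "missing mandatory header(s): %s" % ", ".join(missing), None)
    max_forwards = first_header(headers, "max-forwards")
    if not max_forwards.isdigit():
        return ("drop", "non-numeric Max-Forwards", None)
    if int(max_forwards) == 0:
        return ("reject", "483 Too Many Hops", None)
    content_length = first_header(headers, "content-length")
    if content_length is None or not content_length.isdigit():
        return ("drop", "Content-Length missing or non-numeric", None)
    if int(content_length) != len(body):
        return ("drop", "Content-Length %s does not match body of %d bytes"
                % (content_length, len(body)), None)
    if max_body_size is not None and len(body) > max_body_size:
        return ("drop", "body of %d bytes exceeds maximum %d" % (len(body), max_body_size), None)
    # Forward the message with version-revealing and risky headers removed.
    kept = [line for lower, _, line in headers if lower not in VERSION_HEADERS | RISKY_HEADERS]
    sanitized = "\r\n".join([start] + kept).encode() + b"\r\n\r\n" + body
    return ("allow", None, sanitized)

def build_request(method, headers, body=b"", content_length=None):
    """Build a constructed request; Content-Length defaults to the real body size."""
    length = len(body) if content_length is None else content_length
    lines = ["%s sip:bob@example.test SIP/2.0" % method] + headers + ["Content-Length: %d" % length]
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body

# Constructed sample INVITE (not captured traffic).
BASE_HEADERS = [
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776",
    "Max-Forwards: 70",
    "From: <sip:alice@example.test>;tag=1928",
    "To: <sip:bob@example.test>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "User-Agent: ExamplePhone/1.0",                  # stripped: software version
    "Alert-Info: <http://example.test/ring.wav>",    # stripped: risky header
]
SDP_BODY = (b"v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
            b"m=audio 49170 RTP/AVP 0\r\n")
INVITE = build_request("INVITE", BASE_HEADERS, SDP_BODY)
```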

How to Configure Application Protocol Inspection

The following tasks detail the procedures required to configure application protocol inspection on the VFW application:

Configuring a Layer 7 HTTP Deep Inspection Policy

Configuring a Layer 7 FTP Command Inspection Policy

Configuring a Layer 7 SIP Inspection Policy

Configuring a Layer 7 SCCP Inspection Policy

Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy

Applying a Traffic Policy to an Interface

Displaying Application Protocol Inspection Statistics and Service Policy Information

Configuring a Layer 7 HTTP Deep Inspection Policy

This task describes how to create a Layer 7 class map and policy map to be used for HTTP deep packet inspection by the VFW application. The VFW application performs a stateful deep packet inspection of the HTTP protocol and permits or restricts traffic based on the actions in your configured policy maps. The following security features are included as part of HTTP deep packet inspection as performed by the VFW application:

Regular expression matching on name in an HTTP header, URL name, or content expressions in an HTTP entity body

Content, URL, and HTTP header length checks

MIME-type message inspection

Transfer-encoding methods

Content type verification and filtering

Port 80 misuse by tunneling protocols

RFC compliance monitoring and RFC method filtering


Note You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in:

Match statements in Layer 7 class maps

Inline match statements in Layer 7 policy maps

Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists


To configure a Layer 7 HTTP deep inspection policy, you must perform each of the following tasks:

Creating a Layer 7 HTTP Deep Inspection Class Map

Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map

Configuring a Layer 3 and Layer 4 Traffic Policy for Layer 7 HTTP Deep Packet Inspection

Applying a Traffic Policy to an Interface

Creating a Layer 7 HTTP Deep Inspection Class Map

This task describes how to create a Layer 7 HTTP deep inspection class map.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. changeto context_name

2. configure

3. class-map type http inspect [match-all | match-any] map_name

4. [line_number] match content expression

5. [line_number] match content length operator bytes

6. [line_number] match header {header_name | header_field} header-value expression

7. [line_number] match header length {request | response} operator bytes

8. [line_number] match header mime-type mime_type

9. [line_number] match port-misuse application_category

10. [line_number] match request-method {ext | rfc} method

11. [line_number] match transfer-encoding coding_types

12. [line_number] match url expression

13. [line_number] match url length operator bytes

14. exit

15. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

changeto context_name

Example:

firewall/Admin# changeto C1

firewall/C1#

Logs into the correct context. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context.

Note The rest of the examples in this task use the Admin context. For details on creating contexts, see Configuring Virtualization on the Virtual Firewall.

Step 2 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 3 

class-map type http inspect [match-all | match-any] map_name

Example:
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)#

Creates a Layer 7 class map that is used for the deep packet inspection of HTTP traffic. If you do not specify match-all or match-any, traffic must match all the match criteria to be classified as part of the traffic class.

Note Include one or more of the match commands listed in Step 4 through Step 13 as part of the Layer 7 HTTP deep packet inspection class map.

Step 4 

[line_number] match content expression

Example:
firewall/Admin(config-cmap-http-insp)# match content .*newp2psig

(Optional) Use the match content command to configure the class map to define HTTP application inspection decisions based on content expressions contained within the HTTP content. The expression argument specifies the content contained within the HTTP entity-body. The range is from 1 to 255 alphanumeric characters. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 5 

[line_number] match content length operator bytes

Example:
firewall/Admin(config-cmap-http-insp)# match content length eq 1000

(Optional) Use the match content length command to configure the class map to define application inspection decisions in the HTTP content up to the configured maximum content parse length. Allowable operators are as follows:

lt—Less than

gt—Greater than

eq—Equal to

neq—Not equal to

range—An inclusive range of size values

The bytes argument represents the content parse length in an HTTP message received by the VFW application. Valid entries are from 1 to 65535 bytes.

Step 6 

[line_number] match header {header_name | header_field} header-value expression

Example:
firewall/Admin(config-cmap-http-insp)# match header Host header-value .mycompanyexample.com

(Optional) Use the match header command to configure the class map to define application inspection decisions based on the name and value in an HTTP header.

header_name—Specifies the name of the HTTP header to match (for example, www.example1.com). Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters. Alternatively, you can enter a text string with spaces, provided that you enclose the entire string in quotation marks (").

header_field—Specifies a standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and entity-header fields. Table 10 lists the supported HTTP/1.1 header fields.

header-value expression—Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. The VFW application supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, provided that the spaces are escaped or quoted. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 7 

[line_number] match header length {request | response} operator bytes

Example:
firewall/Admin(config-cmap-http-insp)# match header length request eq 256

(Optional) Limits the HTTP traffic allowed through the VFW application based on the length of the entity body in the HTTP message.

request—Specifies the size of the HTTP header request message that can be received by the VFW application.

response—Specifies the size of the HTTP header response message sent by the VFW application.

Allowable operators are as follows:

lt—Less than

gt—Greater than

eq—Equal to

neq—Not equal to

range—An inclusive range of size values

The bytes argument represents the size of the entity-body in an HTTP message received by the VFW application. Valid entries are from 1 to 65535 bytes.

Step 8 

[line_number] match header mime-type mime_type

Example:
firewall/Admin(config-cmap-http-insp)# match header mime-type audio\midi
firewall/Admin(config-cmap-http-insp)# match header mime-type audio\mpeg

(Optional) Specifies a subset of the Multipurpose Internet Mail Extension (MIME)-type messages to be permitted or denied by the VFW application. The mime_type argument specifies the MIME type to be permitted through the VFW application. By default all mime-types are allowed. Table 12 lists all supported MIME types.

Step 9 

[line_number] match port-misuse application_category

Example:
firewall/Admin(config-cmap-http-insp)# match port-misuse p2p

(Optional) Configures the class map to define application inspection compliance decisions that restrict certain HTTP traffic from passing through the VFW application. The application_category argument specifies the restricted HTTP application category for the class map. The possible values for application_category include:

im—Instant messaging application category. The VFW application checks for the Yahoo Messenger instant messaging application.

p2p—Peer-to-peer application category. The applications checked include Kazaa and Gnutella.

tunneling—Tunneling application category. The applications checked include: HTTPort/HTTHost, GNU Httptunnel, and Firethru.

Step 10 

[line_number] match request-method {ext | rfc} method

Example:
firewall/Admin(config-cmap-http-insp)# match request-method rfc connect
firewall/Admin(config-cmap-http-insp)# match request-method rfc get
firewall/Admin(config-cmap-http-insp)# match request-method rfc head
firewall/Admin(config-cmap-http-insp)# match request-method ext index

(Optional) Configures the class map to define application inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods.

ext method—Specifies an HTTP extension method. If the HTTP request message does not contain one of the RFC 2616 HTTP request methods, the VFW application verifies that it is an extension method. The VFW application supports the inspection of the following HTTP request extension methods: copy, edit, getattr, getattrname, getprops, index, lock, mkdir, move, revadd, revlabel, revlog, revnum, save, setattr, startrev, stoprev, unedit, and unlock.

rfc method—Specifies an RFC 2616 HTTP request method that you want to perform an RFC compliance check on. The VFW application supports the inspection of the following RFC 2616 HTTP request methods: connect, delete, get, head, options, post, put, and trace.

Step 11 

[line_number] match transfer-encoding coding_types

Example:
firewall/Admin(config-cmap-http-insp)# match transfer-encoding chunked

(Optional) Configures the class map to define application inspection decisions that limit the HTTP transfer-encoding types that can pass through the VFW application. The coding_types argument specifies the HTTP transfer-encoding type for the class map. Possible values include:

chunked—Message body is transferred as a series of chunks.

compress—The encoding format produced by the common UNIX file compression program "compress". This format is an adaptive Lempel-Ziv-Welch coding (LZW).

deflate—The .zlib format defined in RFC 1950 in combination with the deflate compression mechanism described in RFC 1951.

gzip—An encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952. This format is a Lempel-Ziv coding (LZ77) with a 32-bit CRC.

identity—The default (identity) encoding, which does not require the use of transformation.

Step 12 

[line_number] match url expression

Example:
firewall/Admin(config-cmap-http-insp)# match url .*.gif
firewall/Admin(config-cmap-http-insp)# match url .*.html

(Optional) Configures the class map to define application inspection decisions based on URL name. The expression argument specifies the URL, or portion of a URL, to match and can be from 1 to 255 characters. Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The VFW application supports the use of regular expressions for matching. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 13 

[line_number] match url length operator bytes

Example:
firewall/Admin(config-cmap-http-insp)# match url length eq 10000

(Optional) Limits the HTTP traffic allowed through the VFW application by specifying the maximum length of a URL in a request message that can be received by the VFW application. Allowable operators are as follows:

lt—Less than

gt—Greater than

eq—Equal to

neq—Not equal to

range—An inclusive range of size values

The bytes argument represents the size of the URL received by the VFW application. Valid entries are from 1 to 65535 bytes.

Step 14 

exit

Example:

firewall/Admin(config-cmap-http-insp)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Step 15 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Table 10 lists the supported HTTP/1.1 header fields.

Table 10 HTTP/1.1 Header Fields 

Field Name
Description

Accept

A semicolon-separated list of representation schemes (content type metainformation values) that will be accepted in the response to the request.

Accept-Charset

The character sets that are acceptable for the response. This field allows clients capable of understanding more comprehensive or special-purpose character sets to signal that capability to a server that can represent documents in those character sets.

Accept-Encoding

Restricts the content encoding that a user will accept from the server.

Accept-Language

The ISO code for the language in which the document is written. The language code is an ISO 3316 language code with an optional ISO639 country code to specify a national variant.

Authorization

Specifies that the user agent wants to authenticate itself with a server, usually after receiving a 401 response.

Cache-Control

Directives that must be obeyed by all caching mechanisms along the request/response chain. The directives specify behavior intended to prevent caches from adversely interfering with the request or response.

Connection

Allows the sender to specify connection options.

Content-MD5

An MD5 digest of the entity-body that provides an end-to-end integrity check. Only a client or an origin server can generate this header field.

Expect

Used by a client to inform the server about what behaviors the client requires.

From

Contains the e-mail address of the person that controls the requesting user agent.

Host

The Internet host and port number of the resource being requested, as obtained from the original URL given by the user or referring resource. The Host field value must represent the naming authority of the origin server or gateway given by the original URL.

If-Match

Used with a method to make it conditional. A client that has one or more entities previously obtained from the resource can verify that one of those entities is current by including a list of their associated entity tags in the If-Match header field. The purpose of this feature is to allow efficient updates of cached information with a minimum amount of transaction overhead. It is also used, on updating requests, to prevent inadvertent modification of the wrong version of a resource. As a special case, the value "*" matches any current entity of the resource.

Pragma

Pragma directives understood by servers to whom the directives are relevant. The syntax is the same as for other multiple-value fields in HTTP, for example, the accept field, a comma-separated list of entries, for which the optional parameters are separated by semicolons.

Referer

The address (URL) of the resource from which the URL in the request was obtained.

Transfer-Encoding

Indicates what (if any) type of transformation has been applied to the message body to safely transfer it between the sender and the recipient.

User-Agent

Information about the user agent, for example a software program originating the request. This information is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations.

Via

Used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses.


Table 11 provides a list of the supported characters that you can use in regular expressions.


Note When matching data strings, note that the period (.) and question mark (?) characters do not have a literal meaning in regular expressions. Use brackets ([]) to match these symbols (for example, enter www[.]xyz[.]com instead of www.xyz.com). You can also use a backslash (\) to escape a dot (.) or a question mark (?).


Table 11 Special Characters for Matching String Expressions 

Convention
Description

.

One of any character.

.*

Zero or more of any character.

\.

Period (escaped).

[charset]

Match any single character from the range.

[^charset]

Do not match any character in the range. All other characters represent themselves.

()

Expression grouping.

(expr1 | expr2)

OR of expressions.

(expr)*

0 or more of expression.

(expr)+

1 or more of expression.

expr{m,n}

Repeat the expression between m and n times, where m and n have a range of 1 to 255.

expr{m}

Match the expression exactly m times. The range for m is from 1 to 255.

expr{m,}

Match the expression m or more times. The range for m is from 1 to 255.

\a

Alert (ASCII 7).

\b

Backspace (ASCII 8).

\f

Form-feed (ASCII 12).

\n

New line (ASCII 10).

\r

Carriage return (ASCII 13).

\t

Tab (ASCII 9).

\v

Vertical tab (ASCII 11).

\0

Null (ASCII 0).

\\

Backslash.

\x##

Any ASCII character as specified in two-digit hexadecimal notation.


Table 12 lists the supported MIME types.

Table 12 Supported MIME Types

application\msexcel

application\mspowerpoint

application\msword

application\octet-stream

application\pdf

application\postscript

application\x-gzip

application\x-java-archive

application\x-java-vm

application\x-messenger

application\zip

audio\*

audio\basic

audio\midi

audio\mpeg

image\x-portable-bitmap

image\x-portable-greymap

image\x-xpm

text\*

text\css

text\html

text\plain

text\richtext

text\sgml

text\xmcd

text\xml

video\*

video\flc

video\mpeg

video\quicktime

video\sgi

video\x-fli

audio\x-adpcm

audio\x-aiff

audio\x-ogg

audio\x-wav

image\*

image\gif

image\jpeg

image\png

image\tiff

image\x-3ds

image\x-bitmap

image\x-niff


Example

The following example illustrates how to specify HTTP_INSPECT_L7CLASS as the name of a class map and identify that at least one command in the Layer 7 HTTP application inspection class map must be satisfied for the VFW application to indicate a match:

firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-http-insp)# match header length request eq 200
firewall/Admin(config-cmap-http-insp)# match header Host header-value .*mycompanyexample.com
firewall/Admin(config-cmap-http-insp)# match url length eq 10000
firewall/Admin(config-cmap-http-insp)# match url .*.gif

What to Do Next

After configuring a Layer 7 HTTP deep inspection class map, you need to configure a Layer 7 HTTP deep packet inspection policy map as described in the "Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map" section.

Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map

This task describes how to configure a Layer 7 HTTP deep inspection policy map. The Layer 7 policy map configures the applicable HTTP deep packet inspection actions executed on the network traffic that matches the classifications defined in a class map, as described in the "Creating a Layer 7 HTTP Deep Inspection Class Map" section. You then associate the completed Layer 7 HTTP deep packet inspection policy with a Layer 3 and Layer 4 policy map, and activate the operation on an interface (see the "Configuring a Layer 3 and Layer 4 Traffic Policy for Layer 7 HTTP Deep Packet Inspection" section and the "Applying a Traffic Policy to an Interface" section for more information).

Prerequisites

You must have configured a Layer 7 HTTP inspection class map as described in the "Creating a Layer 7 HTTP Deep Inspection Class Map" section.

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. policy-map type inspect http all-match map_name

3. class map_name

4. permit
or
reset

5. end

6. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

policy-map type inspect http all-match map_name

Example:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY

Creates and configures a Layer 7 policy map that enables the deep packet inspection of the HTTP protocol.

Step 3 

class map_name

Example:
firewall/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS

Associates a class map defined in the "Creating a Layer 7 HTTP Deep Inspection Class Map" section with the Layer 7 policy map, and enters policy map class configuration mode.

It is possible to include a single inline match criterion in the policy map without specifying a traffic class, using an applicable Layer 7 match command. The inline Layer 7 policy map match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map. Refer to the "Configuration Tip: Including Inline Match Statements in a Layer 7 HTTP Deep Packet Inspection Policy Map" section for more information.

Step 4 

permit
or
reset

Example:
firewall/Admin(config-pmap-ins-http-c)# permit

Specifies to permit or deny the traffic defined by the class. If reset is used, a TCP reset message is sent to the client or server to close the connection.

By default, HTTP inspection allows traffic which does not match any of the configured Layer 7 HTTP deep packet inspection matches. You can modify this behavior by including the class class-default command with the reset action to deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches configured in the Layer 7 HTTP deep packet inspection policy map are hit, the class-default action will be taken by the VFW application. For example, you can include a class map to allow the HTTP GET method and use the class class-default command to block all the other requests.

Note By default, all matches are applied to both HTTP request and response messages, but the class class-default command is only applied to HTTP requests.

Step 5 

end

Example:

firewall/Admin(config-pmap-ins-http-c)# end

firewall/Admin#

Exits configuration mode.

Step 6 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Configuration Tip: Including Inline Match Statements in a Layer 7 HTTP Deep Packet Inspection Policy Map

To include a single inline match criterion in the policy map without specifying a traffic class, enter an applicable Layer 7 match command. The inline Layer 7 policy map match commands function the same as a Layer 7 class map with match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.

The HTTP deep packet inspection policy map inline match commands include the following:

match name content expression [offset number]

match name content length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}

match name content-type-verification

match name header {header_name | header_field} header-value expression

match name header length {request | response} {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}

match name header mime-type mime_type

match name port-misuse application_category

match name request-method {ext method | rfc method}

match name strict-http

match name transfer-encoding coding_types

match name url expression

match name url length {eq bytes | gt bytes | lt bytes | range bytes1 bytes2}

The match content-type-verification and match strict-http commands are available only as inline match commands under the Layer 7 policy-map type inspect http command. Because these two Layer 7 HTTP deep inspection match criteria cannot be combined with other match criteria, they appear as inline match commands for a policy map.

These two match commands perform the following HTTP deep inspection functions:

match content-type-verification—Verifies the content MIME-type messages with the header MIME-type. This inline match command limits the MIME-types in HTTP messages allowed through the VFW application. It verifies that the header MIME-type value is in the internal list of supported MIME-types and the header MIME-type matches the actual content in the data or entity body portion of the message. If they do not match, the VFW application performs the specified Layer 7 policy map action: permit or reset.


Note The MIME-type HTTP inspection process requires a search up to the configured maximum content parse length of the HTTP message, which may degrade performance of the VFW application.


match strict-http—Enforces that the internal compliance checks verify that a message is compliant with the HTTP RFC standard, RFC 2616. If the HTTP message is not compliant, the VFW application performs the specified Layer 7 policy map action: permit or reset.

For example, to add an inline match command to a Layer 7 HTTP deep inspection policy map, enter:

firewall/Admin(config-pmap-ins-http)# match L7httpinspect port-misuse p2p
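The class-map and policy-map procedures above map onto a small evaluation model. The following Python is an added example, not Cisco code: it parses a constructed HTTP request, applies match criteria like those in Steps 4 through 13 of the class-map task under match-all or match-any, and lets a policy map with permit, reset and class-default decide the outcome. The sample requests, the class name HTTP_GET_TO_SITE, the whole-field regex matching and the all-match evaluation order are assumptions.

```python
import re
from dataclasses import dataclass
# Method sets from Step 10 of the class-map task.
RFC_METHODS = {"connect", "delete", "get", "head", "options", "post", "put", "trace"}
EXT_METHODS = {"copy", "edit", "getattr", "getattrname", "getprops", "index", "lock",
               "mkdir", "move", "revadd", "revlabel", "revlog", "revnum", "save",
               "setattr", "startrev", "stoprev", "unedit", "unlock"}
# Constructed sample requests (not captures from the page).
SAMPLE_GET = (b"GET /latest/whatsnew.html HTTP/1.1\r\nHost: www.mycompanyexample.com\r\n"
              b"User-Agent: demo/1.0\r\n\r\n")
SAMPLE_P2P = (b"POST /upload HTTP/1.1\r\nHost: www.mycompanyexample.com\r\n"
              b"Content-Length: 12\r\n\r\nabcnewp2psig")
SAMPLE_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: www-mycompanyexample.com\r\n\r\n"

@dataclass
class HttpRequest:
    method: str      # lower-cased request method
    url: str         # request-target, the part after www.hostname.domain
    headers: dict    # lower-cased header name -> value
    header_len: int  # bytes of request line plus headers, including the closing CRLFCRLF
    body: bytes      # entity body

def parse_request(raw: bytes) -> HttpRequest:
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method.lower(), url, headers, len(head) + len(sep), body)

def length_ok(op: str, value: int, low: int, high: int = 0) -> bool:
    """The lt/gt/eq/neq/range operators of the 'match ... length' commands."""
    ops = {"lt": value < low, "gt": value > low, "eq": value == low,
           "neq": value != low, "range": low <= value <= high}
    return ops[op]

# One predicate builder per class-map match command. Assumption: an expression must
# match the whole field, which is why the page's own examples lead with '.*'.
def match_url(expr):
    return lambda r: re.fullmatch(expr, r.url) is not None

def match_url_length(op, *bounds):
    return lambda r: length_ok(op, len(r.url), *bounds)

def match_header_length_request(op, *bounds):
    return lambda r: length_ok(op, r.header_len, *bounds)

def match_header(name, expr):
    key = name.lower()
    return lambda r: key in r.headers and re.fullmatch(expr, r.headers[key]) is not None

def match_content(expr):
    return lambda r: re.fullmatch(expr.encode("latin-1"), r.body) is not None

def match_request_method(kind, method):
    if method not in (RFC_METHODS if kind == "rfc" else EXT_METHODS):
        raise ValueError(f"{method} is not a supported {kind} method")
    return lambda r: r.method == method

@dataclass
class ClassMap:
    name: str
    mode: str      # "match-all" (the default) or "match-any"
    matches: list

    def hits(self, r: HttpRequest) -> bool:
        results = [m(r) for m in self.matches]
        return any(results) if self.mode == "match-any" else all(results)

@dataclass
class PolicyMap:
    name: str
    classes: list                  # [(ClassMap, "permit" | "reset"), ...]
    class_default: str = "permit"  # unmatched traffic is permitted unless overridden

    def decide(self, r: HttpRequest) -> str:
        # Assumption for all-match: every class is evaluated; a reset from any hit wins.
        actions = [action for cmap, action in self.classes if cmap.hits(r)]
        if not actions:
            return self.class_default
        return "reset" if "reset" in actions else "permit"

def build_policy() -> PolicyMap:
    block = ClassMap("HTTP_INSPECT_L7CLASS", "match-any", [
        match_content(".*newp2psig"),             # P2P signature in the entity body
        match_url_length("gt", 2048),
        match_header_length_request("gt", 4096),
    ])
    allow_get = ClassMap("HTTP_GET_TO_SITE", "match-all", [
        match_request_method("rfc", "get"),
        match_header("Host", "www[.]mycompanyexample[.]com"),  # [.] as the Table 11 note advises
    ])
    return PolicyMap("HTTP_INSPECT_L7POLICY",
                     [(block, "reset"), (allow_get, "permit")], class_default="reset")

def inspect_request(raw: bytes) -> str:
    return build_policy().decide(parse_request(raw))
```

The lookalike Host value shows why the Table 11 note matters: with an unescaped dot in the expression, www-mycompanyexample.com would be accepted as a match.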

What to Do Next

You must configure a Layer 3 and Layer 4 policy map and associate it with the Layer 7 HTTP deep packet inspection policy map that you created in this task. See "Configuring a Layer 3 and Layer 4 Traffic Policy for Layer 7 HTTP Deep Packet Inspection" section.

Configuring a Layer 3 and Layer 4 Traffic Policy for Layer 7 HTTP Deep Packet Inspection

After you create a Layer 7 HTTP deep packet inspection policy, you must associate it with a Layer 3 and Layer 4 policy map. This task describes briefly how to create a Layer 3 and Layer 4 policy map and associate it with the Layer 7 HTTP deep packet inspection policy map. For more information regarding Layer 3 and Layer 4 class maps and policy maps, refer to the "Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy" section.

Prerequisites

You must have configured a Layer 7 HTTP deep packet inspection policy. Refer to the "Creating a Layer 7 HTTP Deep Inspection Class Map" section and the "Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map" section.

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. class-map [match-all | match-any] map_name

3. [line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

4. exit

5. policy-map multi-match map_name

6. class map_name

7. inspect http [policy policy_map | url-logging]

8. end

9. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

class-map [match-all | match-any] map_name

Example:
firewall/Admin(config)# class-map match-all HTTP_INSPECT_L4CLASS

Creates a Layer 3 and Layer 4 class map to classify network traffic passing through the VFW application for HTTP deep packet inspection. If you do not specify match-all or match-any, traffic must match all the match criteria to be classified as part of the traffic class.

Step 3 

[line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

Example:
firewall/Admin(config-cmap)# match port tcp eq 80

Specifies a match command as part of the Layer 3 and Layer 4 class map. Refer to "Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy" section for a list of available match commands.

Note For HTTP protocol inspection, the class map must have TCP as the configured protocol and a specific port or range of ports.

Step 4 

exit

Example:

firewall/Admin(config-cmap)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Step 5 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY

Creates a Layer 3 and Layer 4 policy map and associates the Layer 7 HTTP deep packet inspection policy map to activate the operation. Specify the actions you want to apply to the Layer 3 and Layer 4 user-defined class map and, if appropriate, to the default class map.

Step 6 

class map_name

Example:
firewall/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS

Associates the class map defined in Step 2 with the Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 7 

inspect http [policy policy_map | url-logging]

Example:
firewall/Admin(config-pmap-c)# inspect http policy HTTP_INSPECT_L7POLICY

Associates the HTTP deep packet inspection policy map with the Layer 3 and Layer 4 class map being defined. For example, the HTTP deep packet inspection policy map created in "Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map" section is associated with the Layer 3 and Layer 4 class map.

Step 8 

end

Example:

firewall/Admin(config-pmap-c)# end

firewall/Admin#

Exits configuration mode.

Step 9 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

What to Do Next

You must attach the Layer 3 and Layer 4 traffic policy that you created in this task to an interface. See "Applying a Traffic Policy to an Interface" section.

Applying a Traffic Policy to an Interface

After you have created the Layer 3 and Layer 4 traffic policy, you must attach it to a single interface or globally to all interfaces. This task describes how to attach the traffic policy to an interface.

Prerequisites

You must have created a Layer 3 and Layer 4 traffic policy as described in "Configuring a Layer 3 and Layer 4 Traffic Policy for Layer 7 HTTP Deep Packet Inspection" section.

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. interface interface_name

3. service-policy input policy_name

4. end

5. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

interface interface_name

Example:
firewall/Admin(config)# interface i1

Enters interface configuration mode for a firewall interface.

Step 3 

service-policy input policy_name

Example:
firewall/Admin(config-if)# service-policy input HTTP_INSPECT_L4POLICY

Attaches the Layer 3 and Layer 4 traffic policy to an interface.

Step 4 

end

Example:

firewall/Admin(config-if)# end

firewall/Admin#

Exits configuration mode.

Step 5 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Configuring a Layer 7 FTP Command Inspection Policy

This section describes how to create a Layer 7 class map and policy map to be used for FTP command inspection by the VFW application, a security feature that prevents web browsers from sending embedded commands to the VFW application in FTP requests. Each FTP command must be acknowledged before the VFW application allows a new command. FTP inspection allows traffic by default and restricts traffic that fails the security checks. Command filtering allows you to restrict specific commands through the VFW application. When the VFW application denies a command, it closes the connection.

This task describes how to perform the following main procedures:

Create a Layer 7 class map for the inspection of FTP request commands

Create and configure a Layer 7 policy map that enables FTP command inspection

Create a Layer 3 and Layer 4 class map to classify network traffic for FTP command inspection

Create a Layer 3 and Layer 4 policy map and associates the Layer 7 FTP command inspection policy map

Attach the Layer 3 and Layer 4 traffic policy to an interface


Note You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, SIP, and SCCP. You configure regexes in:

Match statements in Layer 7 class maps

Inline match statements in Layer 7 policy maps

Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists


Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

Create a Layer 7 class map for the inspection of FTP request commands

1. configure

2. class-map type ftp inspect match-any map_name

3. [line_number] match request-method ftp_commands

4. exit

Create and configure a Layer 7 policy map that enables FTP command inspection

5. policy-map type inspect ftp first-match map_name

6. [line_number] match name request-method {appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou | syst}

7. class map_name

8. deny
or
mask-reply

9. exit

Create a Layer 3 and Layer 4 class map to classify network traffic for FTP command inspection

10. class-map match-all map_name

11. [line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

12. exit

Create a Layer 3 and Layer 4 policy map and associate the Layer 7 FTP command inspection policy map

13. policy-map multi-match map_name

14. class map_name

15. inspect ftp [strict policy policy_map]

16. exit

17. exit

Attach the Layer 3 and Layer 4 traffic policy to an interface

18. interface interface_name

19. service-policy input policy_name

20. end

21. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

class-map type ftp inspect match-any map_name

Example:
firewall/Admin(config)# class-map type ftp 
inspect match-any FTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-ftp-insp)# 

Creates a Layer 7 class map that is used for the inspection of FTP request commands.

Step 3 

[line_number] match request-method ftp_commands

Example:
firewall/Admin(config-cmap-ftp-insp)# match request-method mkd

Configures the Layer 7 class map to define FTP request command inspection decisions through the VFW application. The match request-method command identifies the FTP commands that you want filtered by the VFW application. Possible ftp_commands include appe, cdup, dele, get, help, mkd, put, rmd, rnfr, rnto, site, stou, and syst.

Step 4 

exit

Example:

firewall/Admin(config-cmap-ftp-insp)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Step 5 

policy-map type inspect ftp first-match map_name

Example:
firewall/Admin(config)# policy-map type 
inspect ftp first-match FTP_INSPECT_L7POLICY

Creates and configures a Layer 7 policy map that enables FTP command inspection.

first-match—Specifies that the VFW application executes only the action specified against the first-matching classification.

map_name—Specifies the name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Step 6 

[line_number] match name request-method {appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou | syst}

Example:
firewall/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkd

Includes a single inline match criterion in the policy map without specifying a traffic class. The inline Layer 7 policy map match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.

Note This command replaces the class-map definition and the class command in Step 7; you still enter the action in Step 8.

Step 7 

class map_name

Example:
firewall/Admin(config-pmap-ftp-ins)# class 
FTP_INSPECT_L7CLASS

Associates a class map defined in Step 2 with the Layer 7 policy map, and enters policy map class configuration mode for you to define the actions you want to apply.

Note When a class map is used, the inline match command in Step 6 is not required.

Step 8 

deny
or
mask-reply

Example:
firewall/Admin(config-pmap-ftp-ins-c)# deny

The deny command denies the FTP request commands that match the single inline match command or the class map, and does so by resetting the FTP session.

The mask-reply command masks the system reply to the FTP SYST command by filtering sensitive information from the command output. This is applicable only to the FTP SYST command and its associated reply.

Step 9 

exit

Example:

firewall/Admin(config-pmap-ftp-ins-c)# exit

firewall/Admin(config-pmap-ftp-ins)#

Exits policy map class configuration mode. Enter exit again to return to global configuration mode before Step 10.

Step 10 

class-map match-all map_name

Example:
firewall/Admin(config)# class-map match-all 
FTP_INSPECT_L4CLASS

firewall/Admin(config-cmap)#

Creates a Layer 3 and Layer 4 class map to classify network traffic passing through the VFW application for FTP command inspection.

Step 11 

[line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

Example:
firewall/Admin(config-cmap)# match port tcp eq 
21

Specifies a match command as part of the Layer 3 and Layer 4 class map. Include one or more match commands as required. Refer to "Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy" section for a list of available match commands.

Note For FTP protocol inspection, the class map must have TCP as the configured protocol and a specific port or range of ports.

Step 12 

exit

Example:

firewall/Admin(config-cmap)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Step 13 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match 
FTP_STRICT_INSPECT_L4POLICY

Creates a Layer 3 and Layer 4 policy map. The Layer 7 FTP command inspection policy map is associated with it in Step 15, which activates the inspection.

Step 14 

class map_name

Example:
firewall/Admin(config-pmap)# class 
FTP_INSPECT_L4CLASS

Associates the Layer 3 and Layer 4 class map defined in Step 10 with this Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 15 

inspect ftp [strict policy policy_map]

Example:
firewall/Admin(config-pmap-c)# inspect ftp strict policy FTP_INSPECT_L7POLICY

Specifies to examine the FTP protocol to verify the protocol behavior and identify unwanted or malicious traffic passing through the VFW application.

Step 16 

exit

Example:

firewall/Admin(config-pmap-c)# exit

firewall/Admin(config-pmap)#

Exits policy map class configuration mode.

Step 17 

exit

Example:

firewall/Admin(config-pmap)# exit

firewall/Admin(config)#

Exits policy map configuration mode.

Step 18 

interface interface_name

Example:
firewall/Admin(config)# interface i1

Enters interface configuration mode for the firewall interface on which the FTP traffic arrives.

Step 19 

service-policy input policy_name

Example:
firewall/Admin(config-if)# service-policy input FTP_STRICT_INSPECT_L4POLICY

Attaches the Layer 3 and Layer 4 traffic policy to the firewall interface and specifies the direction in which the policy is applied.

Step 20 

end

Example:

firewall/Admin(config-if)# end

firewall/Admin#

Exits configuration mode and returns to EXEC mode.

Step 21 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.
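The procedure above, collected into one configuration listing. This is an added example, not a listing from the original guide. It uses the names from the detailed steps and adds a second Layer 7 class map (FTP_SYST_L7CLASS, an assumed name) so that the deny action and the mask-reply action each have their own class; the set of denied commands, port 21, and the interface name i1 are assumptions for illustration. The Layer 3 and Layer 4 class map names TCP and one specific port, which is what the strict error checks described later in this chapter require. Lines beginning with ! are annotations, not commands.

```text
! Layer 7 class maps: which FTP request commands to act on
class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
  match request-method dele
  match request-method mkd
  match request-method rmd
  match request-method site
class-map type ftp inspect match-any FTP_SYST_L7CLASS
  match request-method syst

! Layer 7 policy map (first-match): the first class that matches decides.
! Commands in FTP_INSPECT_L7CLASS reset the FTP session; SYST is allowed,
! but its reply is masked so the server does not reveal its platform.
policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
  class FTP_INSPECT_L7CLASS
    deny
  class FTP_SYST_L7CLASS
    mask-reply

! Layer 3 and Layer 4 class map: TCP plus a specific port, never "any"
class-map match-all FTP_INSPECT_L4CLASS
  match port tcp eq 21

! Layer 3 and Layer 4 policy map: strict FTP inspection with the Layer 7 policy
policy-map multi-match FTP_STRICT_INSPECT_L4POLICY
  class FTP_INSPECT_L4CLASS
    inspect ftp strict policy FTP_INSPECT_L7POLICY

! Attach inbound on the interface that receives the FTP client traffic
interface i1
  service-policy input FTP_STRICT_INSPECT_L4POLICY
```

Because a denied command closes the connection rather than returning an FTP error reply, test with a client that issues DELE or MKD explicitly and confirm that the session is reset; a SYST request should still succeed but return a masked reply.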

Configuring a Layer 7 SIP Inspection Policy

This section describes how to configure Layer 7 SIP inspection class maps and policy maps. The VFW application uses class maps to filter SIP traffic based on a variety of parameters such as the called party, the calling party, content type, SIP URI, and so on. The VFW application uses policy maps to permit or deny that traffic, depending on the actions that you specify.


Note You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, SIP, and SCCP. You configure regexes in the following:

Match statements in Layer 7 class maps

Inline match statements in Layer 7 policy maps

Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists


Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

Create a Layer 7 SIP inspection class map

1. configure

2. class-map type sip inspect [match-all | match-any] map_name

3. [line_number] match called-party expression

4. [line_number] match calling-party expression

5. [line_number] match content {length gt number | type sdp}

6. [line_number] match im-subscriber expression

7. [line_number] match message-path expression

8. [line_number] match third-party-registration expression

9. [line_number] match request-method method_name

10. [line_number] match uri {sip | tel} length gt value

11. exit

Create and configure a Layer 7 SIP policy map

12. policy-map type inspect sip all-match map_name

13. [line_number] match name {called-party expression | calling-party expression | content {length gt number | type sdp} | im-subscriber expression | message-path expression | request-method method_name | third-party-registration expression | uri {sip | tel} length gt value}
or

14. class map_name

15. drop
or
permit
or
reset

16. exit

Create a Layer 3 and Layer 4 class map to classify network traffic for command inspection

17. class-map match-all map_name

18. [line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

19. exit

Create a Layer 3 and Layer 4 policy map and associate the Layer 7 SIP inspection policy map

20. policy-map multi-match map_name

21. class map_name

22. inspect sip [sec-param param_map | policy policy_map]

23. exit

Attach the Layer 3 and Layer 4 traffic policy to an interface

24. interface interface_name

25. service-policy input policy_name

26. end

27. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

class-map type sip inspect [match-all | match-any] map_name

Example:
firewall/Admin(config)# class-map type sip 
inspect match-any SIP_INSPECT_L7CLASS
firewall/Admin(config-cmap-sip-insp)# 

Creates a Layer 7 SIP inspection class map. Options are as follows:

match-all—(Default) Specifies that network traffic needs to satisfy all the match criteria (implicit AND) to match the Layer 7 SIP inspection class map. The match-all keyword is applicable only for match statements of different SIP inspection types. For example, specifying a match-all condition for SIP URI, SIP header, and SIP content statements in the same class map is valid. However, specifying a match-all condition for multiple SIP headers with the same names or multiple URLs in the same class map is invalid.

match-any—Specifies that network traffic needs to satisfy only one of the match criteria (implicit OR) to match the Layer 7 SIP inspection class map. The match-any keyword is applicable only for match statements of the same Layer 7 SIP inspection type. For example, the VFW application allows you to specify a match-any condition for SIP URI, SIP header, and SIP content statements in the same class map and allows you to specify a match-any condition for multiple URLs, multiple SIP headers, or multiple SIP content statements in the same class map, as long as the statements are logical. For example, you could not have two match uri sip length statements in the same class map, but you could have one match uri sip length and one match uri tel length statement in one class map.

map_name—Name assigned to the class map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Note Include one or more of the match commands listed in Step 3 through Step 10 as part of the Layer 7 SIP inspection class map.

Step 3 

[line_number] match called-party expression

Example:
firewall/Admin(config-cmap-sip-insp)# match 
called-party sip:some-user@somenetwork.com 

(Optional) Filters SIP traffic based on the called party (callee or destination) as specified in the URI of the SIP To header. The range of the expression argument is from 1 to 255 alphanumeric characters. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 4 

[line_number] match calling-party expression

Example:
firewall/Admin(config-cmap-sip-insp)# match 
calling-party 
sip:this-user@thisnetwork.com;tag=745g8

(Optional) Filters SIP traffic based on the calling party (caller or source) as specified in the URI of the SIP From header. The range of the expression argument is from 1 to 255 alphanumeric characters. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 5 

[line_number] match content {length gt number | type sdp}

Example:
firewall/Admin(config-cmap-sip-insp)# match 
content length gt 200

(Optional) Configures SIP content checks based on the content length or the content type. By default, the VFW application allows all content types. Options are as follows:

length gt number—Specifies a maximum allowable size for the SIP message body length. The number argument is an integer from 0 to 65534 bytes. If the message body length is greater than the configured value, the VFW application performs the action that you configure in the policy map.

type sdp—Specifies that the traffic must be of type Session Description Protocol (SDP) to match the class map.

Step 6 

[line_number] match im-subscriber expression

Example:
firewall/Admin(config-cmap-sip-insp)# match 
im-subscriber John_Q_Public 

(Optional) Filters SIP traffic based on the IM subscriber. The range of the expression argument is from 1 to 255 alphanumeric characters. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 7 

[line_number] match message-path expression

Example:
firewall/Admin(config-cmap-sip-insp)# match 
message-path 192.168.12.3:5060

(Optional) Filters messages coming from or transiting through certain SIP proxy servers. The VFW application maintains a list of unauthorized SIP proxy IP addresses or URIs in the form of regular expressions. The VFW application checks this list against the VIA header field in each SIP packet. The default action is to drop SIP packets with VIA fields that match the regex list.

The range of the expression argument is from 1 to 255 alphanumeric characters. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 8 

[line_number] match third-party-registration expression

Example:
firewall/Admin(config-cmap-sip-insp)# match 
third-party-registration USER1 

(Optional) Filters SIP traffic based on third-party registrations or deregistrations. The expression argument specifies a privileged user that is authorized for third-party registrations. The range of the expression argument is from 1 to 255 alphanumeric characters. See Table 11 for a list of the supported characters that you can use in regular expressions.

Step 9 

[line_number] match request-method method_name

Example:
firewall/Admin(config-cmap-sip-insp)# match 
request-method invite 

(Optional) Filters SIP traffic based on the request method. The method_name argument specifies the supported SIP method using one of the following keywords:

ack

bye

cancel

info

invite

message

notify

options

prack

refer

register

subscribe

unknown

update

Note Use the unknown keyword to permit or deny unknown or unsupported SIP methods.

Step 10 

[line_number] match uri {sip | tel} length gt value

Example:
firewall/Admin(config-cmap-sip-insp)# match 
uri sip length gt 100 

(Optional) Filters SIP traffic based on URIs. The keywords, arguments, and options are as follows:

sip—Specifies that the VFW application validates the length of a SIP URI.

tel— Specifies that the VFW application validates the length of a Tel URI.

length—Specifies the length of the SIP or Tel URI.

gt—Greater than operator.

value—Maximum value for the length of the SIP URI or Tel URI in bytes. Enter an integer from 0 to 254 bytes.

Step 11 

exit

Example:

firewall/Admin(config-cmap-sip-insp)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Step 12 

policy-map type inspect sip all-match map_name

Example:
firewall/Admin(config)# policy-map type 
inspect sip all-match SIP_INSPECT_L7POLICY

Creates and configures a Layer 7 SIP policy map.

all-match—Specifies the policy map that initiates the inspection of the SIP protocol packets by the VFW application. The VFW application attempts to match all specified conditions against the matching classification and executes the actions of all matching classes until it encounters a deny for a match request.

map_name—Name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Step 13 

[line_number] match name {called-party expression | calling-party expression | content {length gt number | type sdp} | im-subscriber expression | message-path expression | request-method method_name | third-party-registration expression | uri {sip | tel} length gt value}

Example:
firewall/Admin(config-pmap-sip-ins)# match 
SIP_REQUEST_MATCH request-method invite

Includes a single inline match criterion in the policy map without specifying a traffic class. The inline Layer 7 policy map match commands function the same as the Layer 7 class map match commands. However, when you use an inline match command, you can specify an action for only a single match statement in the Layer 7 policy map.

Note This command replaces the class-map definition and the class command in Step 14; you still enter the action in Step 15.

Step 14 

class map_name

Example:
firewall/Admin(config-pmap-sip-ins)# class 
SIP_INSPECT_L7CLASS

Associates the Layer 7 SIP inspection class map defined in Step 2 with the Layer 7 SIP inspection policy map and enters policy map class configuration mode for you to define the actions you want to apply.

Note When a class map is used, the inline match command in Step 13 is not required.

Step 15 

drop
or
permit
or
reset

Example:
firewall/Admin(config-pmap-sip-ins-c)# drop

Specifies the action to take if the specified SIP traffic matches the classification. By default, the VFW application allows all SIP packets to pass.

drop—Drops the SIP packet that matches the class map or the single inline match command.

permit—(Default) Allows SIP traffic that matches the class map or the single inline match command to pass through the VFW application.

reset—Denies SIP traffic that matches the class map or the single inline match command and resets the connection using the TCP RESET message.

Step 16 

exit

Example:

firewall/Admin(config-pmap-sip-ins-c)# exit

firewall/Admin(config-pmap-sip-ins)#

Exits policy map class configuration mode. Enter exit again to return to global configuration mode before Step 17.

Step 17 

class-map match-all map_name

Example:
firewall/Admin(config)# class-map match-all 
SIP_INSPECT_L4CLASS

firewall/Admin(config-cmap)#

Creates a Layer 3 and Layer 4 class map to classify network traffic passing through the VFW application for SIP inspection.

Step 18 

[line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

Example:
firewall/Admin(config-cmap)# match port tcp eq 
124

Specifies a match command as part of the Layer 3 and Layer 4 class map. Include one or more match commands as required. Refer to "Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy" section for a list of available match commands.

Note For SIP protocol inspection, the class map must have TCP or UDP as the configured protocol and a specific port or range of ports.

Step 19 

exit

Example:

firewall/Admin(config-cmap)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Step 20 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match 
SIP_STRICT_INSPECT_L4POLICY

Creates a Layer 3 and Layer 4 policy map. The Layer 7 SIP inspection policy map is associated with it in Step 22, which activates the inspection.

Step 21 

class map_name

Example:
firewall/Admin(config-pmap)# class 
SIP_INSPECT_L4CLASS

Associates the Layer 3 and Layer 4 class map defined in Step 17 with this Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 22 

inspect sip [sec-param param_map | policy policy_map]

Example:
firewall/Admin(config-pmap-c)# inspect sip policy SIP_INSPECT_L7POLICY

Enables Session Initiation Protocol (SIP) inspection. SIP is used for call handling sessions and instant messaging. The VFW application inspects signaling messages for media connection addresses, media ports, and embryonic connections. The VFW application also performs Network Address Translations (NATs) on IP addresses that are embedded in the user-data portion of the packet.

sec-param param_map—(Optional) Specifies the name of a previously created SIP parameter map that defines parameters for SIP inspection. See the "Configuring a SIP Parameter Map" section.

policy policy_map—(Optional) Specifies the name of a previously created Layer 7 SIP application inspection policy map to implement packet inspection of Layer 7 SIP application traffic by the VFW application. The inspection checks are based on configured parameters in an existing Layer 7 policy map and internal RFC compliance checks performed by the VFW application. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Step 23 

exit

Example:

firewall/Admin(config-pmap-c)# exit

firewall/Admin(config-pmap)#

Exits policy map class configuration mode. Enter exit again to return to global configuration mode before Step 24.

Step 24 

interface interface_name

Example:
firewall/Admin(config)# interface int1

Enters interface configuration mode for an interface.

Step 25 

service-policy input policy_name

Example:
firewall/Admin(config-if)# service-policy input SIP_STRICT_INSPECT_L4POLICY

Attaches the Layer 3 and Layer 4 traffic policy to the firewall interface and specifies the direction in which the policy is applied.

Step 26 

end

Example:

firewall/Admin(config-if)# end

firewall/Admin#

Exits configuration mode and returns to EXEC mode.

Step 27 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.
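The SIP procedure above, collected into one configuration listing. This is an added example, not a listing from the original guide. Names follow the detailed steps; the second Layer 7 class map (SIP_BAD_PROXY_L7CLASS), the size thresholds, the proxy address, the interface name int1, and the use of port 5060 (the standard SIP signalling port) are assumptions for illustration. Both classes use drop rather than reset because the Layer 3 and Layer 4 class map also admits UDP, and reset is defined in terms of a TCP RESET. Lines beginning with ! are annotations, not commands.

```text
! Layer 7 SIP class map: messages that exceed size limits or carry a
! method the firewall does not understand (match-any: any one is enough)
class-map type sip inspect match-any SIP_INSPECT_L7CLASS
  match content length gt 2000
  match uri sip length gt 200
  match request-method unknown

! Layer 7 SIP class map: messages relayed through an unauthorized proxy,
! matched against the Via header (address and port are assumed values)
class-map type sip inspect match-any SIP_BAD_PROXY_L7CLASS
  match message-path 192.168.12.3:5060

! Layer 7 SIP policy map (all-match): the actions of every matching
! class run, not only the first one
policy-map type inspect sip all-match SIP_INSPECT_L7POLICY
  class SIP_INSPECT_L7CLASS
    drop
  class SIP_BAD_PROXY_L7CLASS
    drop

! Layer 3 and Layer 4 class map: SIP signalling on TCP or UDP port 5060
! (match-any, because both lines are match port statements of one type)
class-map match-any SIP_INSPECT_L4CLASS
  match port tcp eq 5060
  match port udp eq 5060

! Layer 3 and Layer 4 policy map: SIP inspection with the Layer 7 policy
policy-map multi-match SIP_STRICT_INSPECT_L4POLICY
  class SIP_INSPECT_L4CLASS
    inspect sip policy SIP_INSPECT_L7POLICY

! Attach inbound on the interface facing the SIP user agents
interface int1
  service-policy input SIP_STRICT_INSPECT_L4POLICY
```

Note that inspect sip without a policy still performs the internal RFC compliance checks and the NAT of embedded addresses; the Layer 7 policy only adds the classification and actions shown here.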

Configuring a Layer 7 SCCP Inspection Policy

This section describes how to configure a Layer 7 SCCP inspection policy map. Throughout the CLI, SCCP is referred to as "skinny." A Layer 7 class map is not required for this feature. The VFW application uses the SCCP inspection policy to filter traffic based on the message ID and to perform user-configurable actions on that traffic.


Note You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, SIP, and SCCP. You configure regexes in the following:

Match statements in Layer 7 class maps

Inline match statements in Layer 7 policy maps

Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists


Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. policy-map type inspect skinny map_name

3. [line_number] match name message-id {number | range number1 number2} [insert-before map_name]

4. reset

5. exit

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

policy-map type inspect skinny map_name

Example:
firewall/Admin(config)# policy-map type 
inspect skinny SCCP_INSPECT_L7POLICY

Creates and configures a Layer 7 SCCP policy map.

map_name—Specifies the name assigned to the policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

Step 3 

[line_number] match name message-id {number | range number1 number2} [insert-before map_name]

Example:
firewall/Admin(config-pmap-ins-skinny)# match 
SCCP_MESSAGE message-id 4321

Includes a single inline match criteria in the policy map without specifying a traffic class.

name—Name assigned to the inline match command. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

number—Numerical identifier of the SCCP message. Enter an integer from 0 to 65535.

range {number1 number2}—Specifies a range of SCCP message IDs. Enter an integer from 0 to 65535 for the lower limits and the upper limits of the range. The upper limit must be greater than or equal to the lower limit.

insert-before map_name—(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.

Step 4 

reset

Example:
firewall/Admin(config-pmap-ins-skinny-m)# 
reset

(Optional) Explicitly drops SCCP traffic matched by the inline match statement. By default, the VFW application allows all SCCP packets to pass.

Step 5 

exit

Example:

firewall/Admin(config-pmap-ins-skinny-m)# exit

firewall/Admin(config-pmap-ins-skinny)#

Exits policy map class match configuration mode.

Step 6 

exit

Example:

firewall/Admin(config-pmap-ins-skinny)# exit

firewall/Admin(config)#

Exits policy map configuration mode.

What to Do Next

You must configure a Layer 3 and Layer 4 policy map and associate it with the Layer 7 SCCP packet inspection policy map that you created in this task. See "Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy" section.


Note For skinny protocol inspection, the class map must have TCP as the configured protocol and a specific port or range of ports.
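Because the SCCP procedure stops at the Layer 7 policy map, the whole chain follows as an added example, not a listing from the original guide: the Layer 7 skinny policy map, the Layer 3 and Layer 4 class map and policy map that the What to Do Next section requires, and the interface attachment. The message IDs, the second inline match entry (ordering several inline entries is what insert-before is for), TCP port 2000 (the conventional SCCP port), and the names SCCP_INSPECT_L4CLASS, SCCP_INSPECT_L4POLICY, and i1 are assumptions for illustration. Lines beginning with ! are annotations, not commands.

```text
! Layer 7 SCCP (skinny) policy map: inline matches on message ID, no class map.
! Traffic that matches neither entry passes, which is the default.
policy-map type inspect skinny SCCP_INSPECT_L7POLICY
  match SCCP_MESSAGE message-id 4321
    reset
  match SCCP_MESSAGE_RANGE message-id range 4000 4100
    reset

! Layer 3 and Layer 4 class map: TCP plus a specific port, as skinny
! inspection requires
class-map match-all SCCP_INSPECT_L4CLASS
  match port tcp eq 2000

! Layer 3 and Layer 4 policy map: skinny inspection with the Layer 7 policy
policy-map multi-match SCCP_INSPECT_L4POLICY
  class SCCP_INSPECT_L4CLASS
    inspect skinny policy SCCP_INSPECT_L7POLICY

! Attach inbound on the interface facing the IP phones
interface i1
  service-policy input SCCP_INSPECT_L4POLICY
```

The inline match name plus the policy map name must stay within the 64-character limit described in Step 3; here SCCP_MESSAGE_RANGE (18 characters) plus SCCP_INSPECT_L7POLICY (21 characters) is well inside it.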


Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy

This section describes how to create a Layer 3 and Layer 4 class map and policy map to classify network traffic passing through the VFW application to perform an applicable application protocol inspection traffic policy. The Layer 3 and Layer 4 traffic policy defines the Layer 3 and Layer 4 HTTP deep packet inspection, FTP command inspection, or application protocol inspection policy actions. Application inspection involves the examination of protocols such as DNS, FTP, HTTP, ICMP, ILS, RTSP, SCCP, and SIP to verify the protocol behavior and identify unwanted or malicious traffic passing through the VFW application.

Limitations on Application Protocol Inspection Due to Strict Error Checks

Because the Cisco IOS XR Software Release 3.8.0 VFW application software has strict error checks for application protocol inspection configurations, be sure that your inspection configurations meet the guidelines in this section. The error-checking process in the software denies misconfigurations in inspection classifications (class maps) and displays appropriate error messages. If such misconfigurations exist in your startup-configuration file or running-configuration file before you load the software, the standby VFW application in a redundant configuration may boot up to the STANDBY_COLD state. For information about redundancy states, see Configuring High Availability on the Virtual Firewall.

If the class map for the inspection traffic is generic (match ... any or class-default is configured) so that noninspection traffic is also matched, the VFW application displays an error message and does not accept the inspection configuration. For example:

firewall/Admin(config)# class-map match-all TCP_ANY
firewall/Admin(config-cmap)# match port tcp any
firewall/Admin(config-cmap)# exit
firewall/Admin(config)# policy-map multi-match FTP_POLICY
firewall/Admin(config-pmap)# class TCP_ANY
firewall/Admin(config-pmap-c)# inspect ftp
Error: This class doesn't have tcp protocol and a specific port

The following examples show some of the generic class-map match statements and an ACL that are not allowed in inspection configurations:

match port tcp any

match port udp any

match port tcp range 0 65535

match port udp range 0 65535

match virtual-address 192.168.12.15 255.255.255.0 any

match virtual-address 192.168.12.15 255.255.255.0 tcp any

access-list acl1 line 10 extended permit ip any any

For application protocol inspection, the class map must have a specific protocol (related to the inspection type) configured and a specific port or range of port numbers.

For HTTP, FTP, RTSP, Skinny, and ILS protocol inspection, the class map must have TCP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

firewall/Admin(config)# class-map match-all L4_CLASS
firewall/Admin(config-cmap)# match port tcp eq www

For SIP protocol inspection, the class map must have TCP or UDP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

firewall/Admin(config)# class-map match-all L4_CLASS
firewall/Admin(config-cmap)# match port tcp eq 124

or

firewall/Admin(config-cmap)# match port udp eq 135

For DNS inspection, the class map must have UDP as the configured protocol and a specific port or range of ports. For example, enter the following commands:

firewall/Admin(config)# class-map match-all L4_CLASS
firewall/Admin(config-cmap)# match port udp eq domain

For ICMP protocol inspection, the class map must have ICMP as the configured protocol. For example, enter the following commands:

firewall/Admin(config)# access-list ACL1 extended permit icmp 192.168.12.15 255.255.255.0 192.168.16.25 255.255.255.0 echo
firewall/Admin(config)# class-map match-all L4_CLASS
firewall/Admin(config-cmap)# match access-list ACL1

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. class-map [match-all | match-any] map_name

3. [line_number] match access-list identifier

4. [line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

5. exit

6. policy-map multi-match map_name

7. class map_name

8. inspect dns [maximum-length bytes]
or
inspect ftp [strict policy policy_map | sec-param param_map]
or
inspect http [policy policy_map | url-logging]
or
inspect icmp [error]
or
inspect ils
or
inspect rtsp [policy policy_map | sec-param param_map]
or
inspect skinny [policy policy_map | sec-param param_map]
or
inspect sip [policy policy_map | sec-param param_map]

9. exit

10. exit

11. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

class-map [match-all | match-any] map_name

Example:
firewall/Admin(config)# class-map match-all DNS_INSPECT_L4CLASS
firewall/Admin(config-cmap)#

Creates a Layer 3 and Layer 4 class map to classify network traffic passing through the VFW application for DNS, FTP, HTTP, ICMP, and RTSP application protocol inspection.

match-all (default)—Specifies that all the criteria listed in the class map must match. This is typically used to match commands of different types.

match-any—Specifies that only one match criterion from the class map is required to match. This is typically used to match commands of the same type.

Step 3 

[line_number] match access-list identifier

Example:
firewall/Admin(config-cmap)# match access-list INBOUND_ACL1

(Optional) Configures the class map to filter Layer 3 and Layer 4 network traffic on a per-flow basis by using a predefined access control list. When a packet matches an entry in an access list, and if it is a permit entry, the VFW application allows the matching traffic. If it is a deny entry, the VFW application blocks the matching traffic. Refer to "Configuring Security Access Control Lists on the Virtual Firewall" for details about creating access control lists.

Step 4 

[line_number] match port {tcp | udp} {any | eq port_number | range port1 port2}

Example:
firewall/Admin(config-cmap)# match port udp eq domain

Specifies a TCP or UDP port number or port range as the Layer 3 and Layer 4 network traffic matching criteria. Keywords and arguments are:

tcp | udp —Specifies the protocol, TCP or UDP.

any—Wildcard value for the TCP or UDP port number. With any used in place of either the eq or range values, packets from any incoming port match.

eq port_number—Specifies that the TCP or UDP port number must match the specified value. Enter an integer from 0 to 65535. A value of 0 instructs the VFW application to include all ports. Alternatively, you can enter the name of a well-known TCP port as listed in Table 13 or a well-known UDP port as listed in Table 14.

range port1 port2—Specifies a port range to use for the TCP or UDP port. Valid port ranges are 0 to 65535. A value of 0 instructs the VFW application to match all ports.

Step 5 

exit

Example:

firewall/Admin(config-cmap)# exit

firewall/Admin(config)#

Exits class map configuration mode.

Step 6 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match DNS_INSPECT_L4POLICY

Creates and configures a Layer 3 and Layer 4 policy map.

Step 7 

class map_name

Example:
firewall/Admin(config-pmap)# class DNS_INSPECT_L4CLASS

Associates a class map defined in Step 2 with the Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 8 

inspect dns [maximum-length bytes]

or

inspect ftp [strict policy policy_map]

or

inspect http [policy policy_map | url-logging]

or

inspect icmp [error]

or

inspect ils

or

inspect rtsp

or

inspect skinny policy_map

or

inspect sip [sec-param param_map | policy policy_map]

Example:
firewall/Admin(config-pmap-c)# inspect dns maximum-length 1000

Specifies to examine DNS, FTP, HTTP, ICMP, ILS, RTSP, SCCP, or SIP protocols to verify the protocol behavior and identify unwanted or malicious traffic passing through the VFW application.

Refer to the "Configuration Tips: Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions" section for more information.

Step 9 

exit

Example:

firewall/Admin(config-pmap-c)# exit

firewall/Admin(config-pmap)#

Exits policy map class configuration mode.

Step 10 

exit

Example:

firewall/Admin(config-pmap)# exit

firewall/Admin(config)#

Exits policy map configuration mode.

Step 11 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Table 13 lists the well-known TCP port numbers and key words.

Table 13 Well-Known TCP Ports and Keywords

Port       Port Number   Description
domain     53            Specifies Domain Name System
ftp        21            Specifies File Transfer Protocol
ftp-data   20            Specifies File Transfer Protocol Data
http       80            Specifies Hyper Text Transfer Protocol
https      443           Specifies HTTP over SSL protocol
irc        194           Specifies Internet Relay Chat protocol
matip-a    350           Specifies Matip Type A protocol
nntp       119           Specifies Network News Transport Protocol
pop2       109           Specifies Post Office Protocol v2
pop3       110           Specifies Post Office Protocol v3
rtsp       554           Specifies Real Time Stream Control Protocol
smtp       25            Specifies Simple Mail Transfer Protocol
telnet     23            Specifies Telnet protocol
www        80            Specifies World Wide Web

Table 14 lists the well-known UDP port numbers and key words.

Table 14 Well-Known UDP Port Numbers and Keywords

Keyword        Port Number   Description
domain         53            Domain Name System
wsp            9200          Connectionless Wireless Session Protocol (WSP)
wsp-wtls       9202          Secure Connectionless WSP
wsp-wtp        9201          Connection-based WSP
wsp-wtp-wtls   9203          Secure Connection-based WSP


Configuration Tips: Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions

Use the inspect command in policy map class configuration mode to define the Layer 3 and Layer 4 HTTP deep packet inspection, FTP command inspection, or application protocol inspection policy actions. Application inspection involves the examination of protocols such as DNS, FTP, HTTP, ICMP, ILS, RTSP, SCCP, and SIP to verify the protocol behavior and identify unwanted or malicious traffic passing through the VFW application.

If you intend to perform Layer 7 application inspection of network traffic, first create a Layer 7 policy as described below:

To perform the deep packet inspection of Layer 7 HTTP application traffic by the VFW application, first create a Layer 7 policy using the policy-map type inspect http command (see the "Configuring a Layer 7 HTTP Deep Packet Inspection Policy Map" section). You nest the Layer 7 HTTP inspection policy using the Layer 3 and Layer 4 inspect http command.

To perform the request inspection of FTP commands, first create a Layer 7 policy using the policy-map type inspect ftp command (see the "Configuring a Layer 7 FTP Command Inspection Policy" section). You nest the Layer 7 FTP inspection policy using the Layer 3 and Layer 4 inspect ftp command.

You associate the Layer 7 policy map within the appropriate Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be applied to an interface or applied globally to all interfaces in the same context; a Layer 7 policy map cannot be directly applied on an interface.


Note If you do not specify a Layer 7 HTTP or FTP policy map, the VFW application performs a general set of Layer 3 and Layer 4 HTTP or FTP protocol fixup actions. For example, the VFW application performs strict HTTP.
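
The classification model that Steps 2 through 8 and the tips above describe, as an added Python illustration that is not code from this guide or the VFW: Flow, ClassMap and PolicyMap are hypothetical names, the port keywords come from Table 13 and Table 14, and treating every matching class as contributing its inspect action is an assumption about multi-match behaviour.

```python
"""Model of how a flow is classified by a Layer 3 and Layer 4 class map and
picks up an inspect action from a multi-match policy map, as the procedure
and tips above describe.  Added illustration in Python, not VFW code; Flow,
ClassMap and PolicyMap are hypothetical names."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# Port keywords from Table 13 (TCP) and Table 14 (UDP) on this page.
TCP_PORT_KEYWORDS = {"domain": 53, "ftp": 21, "ftp-data": 20, "http": 80,
                     "https": 443, "irc": 194, "matip-a": 350, "nntp": 119,
                     "pop2": 109, "pop3": 110, "rtsp": 554, "smtp": 25,
                     "telnet": 23, "www": 80}
UDP_PORT_KEYWORDS = {"domain": 53, "wsp": 9200, "wsp-wtls": 9202,
                     "wsp-wtp": 9201, "wsp-wtp-wtls": 9203}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


def resolve_port(proto: str, port: Union[int, str]) -> int:
    """Accept an integer 0-65535 or a well-known keyword for the protocol."""
    if isinstance(port, int):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return port
    table = TCP_PORT_KEYWORDS if proto == "tcp" else UDP_PORT_KEYWORDS
    if port not in table:
        raise ValueError(f"unknown {proto} port keyword: {port!r}")
    return table[port]


@dataclass
class MatchPort:
    """match port {tcp | udp} {any | eq port_number | range port1 port2}"""
    proto: str
    any_port: bool = False
    eq: Optional[Union[int, str]] = None
    rng: Optional[Tuple[int, int]] = None

    def matches(self, flow: Flow) -> bool:
        if flow.proto != self.proto:
            return False
        if self.any_port:
            return True
        if self.eq is not None:
            port = resolve_port(self.proto, self.eq)
            # "A value of 0 instructs the VFW application to include all ports."
            return port == 0 or flow.dport == port
        lo, hi = self.rng
        return lo <= flow.dport <= hi


@dataclass
class ClassMap:
    name: str
    match_all: bool = True          # match-all is the default
    criteria: List[MatchPort] = field(default_factory=list)

    def matches(self, flow: Flow) -> bool:
        results = [c.matches(flow) for c in self.criteria]
        if not results:
            return False
        return all(results) if self.match_all else any(results)


@dataclass
class PolicyMap:
    """policy-map multi-match: each class is paired with its inspect action,
    and every class that matches contributes its action (an assumption)."""
    name: str
    classes: List[Tuple[ClassMap, str]] = field(default_factory=list)

    def inspect_actions(self, flow: Flow) -> List[Tuple[str, str]]:
        return [(cm.name, act) for cm, act in self.classes if cm.matches(flow)]


def build_example_policy() -> PolicyMap:
    """The class maps shown on this page, wired into one policy map."""
    http_cls = ClassMap("HTTP_INSPECT_L4CLASS", True, [MatchPort("tcp", eq=80)])
    dns_cls = ClassMap("L4_DNS-INSPECT_CLASS", False, [MatchPort("udp", eq="domain")])
    # match-any: either the TCP or the UDP port is enough for SIP.
    sip_cls = ClassMap("SIP_INSPECT_L4CLASS", False,
                       [MatchPort("tcp", eq=124), MatchPort("udp", eq=135)])
    # The same two criteria under match-all can never both hold for one flow,
    # which is why match-all is meant for criteria of different types.
    dead_cls = ClassMap("NEVER_MATCHES", True,
                        [MatchPort("tcp", eq=124), MatchPort("udp", eq=135)])
    return PolicyMap("APP_INSPECT_L4POLICY", [
        (http_cls, "inspect http policy HTTP_INSPECT_L7POLICY"),
        (dns_cls, "inspect dns maximum-length 1000"),
        (sip_cls, "inspect sip"),
        (dead_cls, "inspect sip"),
    ])
```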


Applying a Traffic Policy to an Interface

After you have created a traffic policy, you must attach it to a single interface or globally to all interfaces. This task describes how to attach the traffic policy to an interface.

Prerequisites

You must have created a Layer 3 and Layer 4 traffic policy as described in "Configuring a Layer 3 and Layer 4 Application Protocol Inspection Traffic Policy" section.

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. interface interface_name

3. service-policy input policy_name

4. end

5. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

interface interface_name

Example:
firewall/Admin(config)# interface i1

Enters interface configuration mode for a firewall interface.

Step 3 

service-policy input policy_name

Example:
firewall/Admin(config-if)# service-policy input HTTP_INSPECT_L4POLICY

Attaches the Layer 3 and Layer 4 traffic policy to an interface.

Step 4 

end

Example:

firewall/Admin(config-if)# end

firewall/Admin#

Exits configuration mode.

Step 5 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Displaying Application Protocol Inspection Statistics and Service Policy Information

This task illustrates how to use the show commands that display application protocol inspection statistics and service policy configuration information. There is no particular order to the steps in this procedure.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. show stats inspect [ftp | http | rtsp]

2. clear stats inspect [ftp | http | rtsp]

3. show service-policy name

4. clear service-policy name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

show stats inspect [ftp | http | rtsp]

Example:
firewall/Admin# show stats inspect http

(Optional) Displays the specified protocol inspection statistics.

Step 2 

clear stats inspect [ftp | http | rtsp]

Example:

firewall/Admin# clear stats inspect http

(Optional) Clears the specified protocol inspection statistics.

Step 3 

show service-policy name

Example:

firewall/Admin# show service-policy HTTP_INSPECT_L4POLICY

(Optional) Displays service policy statistics. The statistics that appear in the output are dependent on the configuration of the associated Layer 3 and Layer 4 policy map. The following information is displayed:

Interface to which the policy is applied

Class map associated with the policy

Status of any load-balancing operations

Note The VFW application updates the counters that the show service-policy command displays after the applicable connections are closed.

Step 4 

clear service-policy name

Example:

firewall/Admin# clear service-policy HTTP_INSPECT_L4POLICY

(Optional) Clears the service policy statistics.

Examples

The following example illustrates sample output from the show stats inspect http command.

firewall/Admin# show stats inspect http
+------------------------------------------+
+--------- HTTP Inspect statistics --------+
+------------------------------------------+
 Total request/response   : 0
 Total allow decisions    : 0
 Total drop decisions     : 0
 Total logging decisions  : 0

The following example displays service policy statistics for the HTTP_INSPECT_L4POLICY policy map:

firewall/Admin# show service-policy HTTP_INSPECT_L4POLICY
Status     : ACTIVE
Description: HTTP protocol deep inspection of incoming traffic
-----------------------------------------
Interface: management ctx1
  service-policy: HTTP_INSPECT_L4POLICY
    class: HTTP_INSPECT_L4CLASS
      inspect http:
        curr conns       : 0         , hit count        : 0         
        dropped conns    : 0         
        client pkt count : 0         , client byte count: 0                   
        server pkt count : 0         , server byte count: 0                   
        L4 policy stats:
          TotalReq/Resp: 0          TotalAllowed: 0         
          TotalDropped : 0          TotalLogged : 0         
        L7 policy: HTTP_INSPECT_L7POLICY, url logging: disabled
        L7 policy stats: Total number of L7 rules 1
          L7 class/match HTTP_INSPECT_L7CLASS: reset
            TotalInspected     : 0          TotalMatched: 0         
            TotalDroppedOnError: 0          TotalLogged : 0

The following example displays service policy statistics for the FTP_INSPECT_L4POLICY policy map:

firewall/Admin# show service-policy FTP_INSPECT_L4POLICY
Status     : ACTIVE
Description: FTP command inspection of incoming traffic
-----------------------------------------
Context Global Policy:
  service-policy: FTP_INSPECT_L4POLICY
    class: class-default
      inspect ftp:
        strict ftp: ENABLED
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        L7 policy: FTP_INSPECT_L4POLICY
            TotalReplyMasked : 0          TotalDropped: 0

The following example displays service policy statistics for a policy map:

firewall/Admin# show service-policy APP_INSPECT_L4POLICY
Status     : ACTIVE
-----------------------------------------
Context Global Policy:
  service-policy: APP_INSPECT_L4POLICY
    class: APP_INSPECT_L4CLASS
      inspect dns:
        max length: 0
        curr conns       : 0         , hit count        : 0
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
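
A parser for the show service-policy output format shown in the examples above, added here as an illustration and not a Cisco tool; the sample output is constructed from the HTTP example on this page with made-up counter values, and the drop check is the kind of verification an operator scripts after attaching an inspection policy.

```python
"""Parser for the 'show service-policy' output format shown in the examples
above, written here as an added illustration (not a Cisco tool).  It turns the
per-class inspect counters into a dict and flags drop counters, which is the
check an operator would script after attaching an inspection policy."""
import re
from typing import Dict, List, Tuple

# Constructed from the HTTP example on this page; the counter values are made
# up so that the drop check has something to report.
SAMPLE_OUTPUT = """\
Status     : ACTIVE
Description: HTTP protocol deep inspection of incoming traffic
-----------------------------------------
Interface: management ctx1
  service-policy: HTTP_INSPECT_L4POLICY
    class: HTTP_INSPECT_L4CLASS
      inspect http:
        curr conns       : 12        , hit count        : 340
        dropped conns    : 3
        client pkt count : 2100      , client byte count: 501233
        server pkt count : 1980      , server byte count: 7722001
        L4 policy stats:
          TotalReq/Resp: 340        TotalAllowed: 335
          TotalDropped : 5          TotalLogged : 0
        L7 policy: HTTP_INSPECT_L7POLICY, url logging: disabled
        L7 policy stats: Total number of L7 rules 1
          L7 class/match HTTP_INSPECT_L7CLASS: reset
            TotalInspected     : 340        TotalMatched: 5
            TotalDroppedOnError: 2          TotalLogged : 0
"""

CLASS_RE = re.compile(r"^\s*class:\s*(\S+)")
INSPECT_RE = re.compile(r"^\s*inspect\s+(\w+):")
L7_POLICY_RE = re.compile(r"^\s*L7 policy:\s*([^,\s]+)")
# "name : 123" pairs; several may share one line, comma-separated or not.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(\d+)\b")


def parse_service_policy(text: str) -> Dict[str, dict]:
    """Return {class_name: {"inspect": type, "l7_policy": name or None,
    "counters": {name: int}}}.  Counters under 'L7 policy stats' get an
    'L7 ' prefix so that TotalLogged at the two levels stay distinct."""
    classes: Dict[str, dict] = {}
    current = None
    prefix = ""
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(
                m.group(1), {"inspect": None, "l7_policy": None, "counters": {}})
            prefix = ""
            continue
        if current is None:
            continue  # Status/Description/Interface lines before the first class
        m = INSPECT_RE.match(line)
        if m:
            current["inspect"] = m.group(1)
            continue
        m = L7_POLICY_RE.match(line)
        if m:
            current["l7_policy"] = m.group(1)
            continue
        if line.lstrip().startswith("L7 policy stats"):
            prefix = "L7 "
            continue
        for name, value in COUNTER_RE.findall(line):
            current["counters"][prefix + name.strip()] = int(value)
    return classes


def drop_alerts(classes: Dict[str, dict]) -> List[Tuple[str, str, int]]:
    """(class, counter, value) for every non-zero counter whose name says
    'drop'.  The VFW updates these counters after the connections close, so
    a zero reading on a busy box may simply be early."""
    alerts = []
    for cls_name, info in classes.items():
        for counter, value in info["counters"].items():
            if "drop" in counter.lower() and value > 0:
                alerts.append((cls_name, counter, value))
    return alerts


if __name__ == "__main__":
    for cls, counter, value in drop_alerts(parse_service_policy(SAMPLE_OUTPUT)):
        print(f"{cls}: {counter} = {value}")
```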

How to Configure a Parameter Map for Use in a Layer 3 and Layer 4 Policy Map

A parameter map is a means to combine related actions for use in a Layer 3 and Layer 4 deep packet inspection policy map. You reference this parameter map in the appl-parameter command in policy map class configuration mode. This section describes the following tasks:

Configuring a DNS Parameter Map

Configuring an HTTP Parameter Map

Configuring a SCCP Parameter Map

Configuring a SIP Parameter Map

Configuring a DNS Parameter Map

This task describes how to configure a DNS parameter map.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. parameter-map type dns name

3. timeout query seconds

4. exit

5. policy-map multi-match map_name

6. class map_name

7. appl-parameter dns advanced-options name

8. exit

9. exit

10. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

parameter-map type dns name

Example:
firewall/Admin(config)# parameter-map type dns DNS_PARAMMAP
firewall/Admin(config-parammap-dns)#

Configures DNS actions for DNS packet inspection.

Step 3 

timeout query seconds

Example:
firewall/Admin(config-parammap-dns)# timeout query 20

Configures the DNS query timeout. This is the time after which a DNS query hash entry is removed from the hash table when no response is received from the DNS server. Values can be from 2 to 120 seconds. The default is 10 seconds.

Step 4 

exit

Example:

firewall/Admin(config-parammap-dns)# exit

firewall/Admin(config)#

Exits parameter-map configuration mode.

Step 5 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY

Creates and configures a Layer 3 and Layer 4 policy map.

Step 6 

class map_name

Example:
firewall/Admin(config-pmap)# class DNS_INSPECT_L4CLASS

Associates a previously defined class map with the Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 7 

appl-parameter dns advanced-options name

Example:

firewall/Admin(config-pmap-c)# appl-parameter dns advanced-options DNS_PARAMMAP

Associates a DNS parameter map with a Layer 3 and Layer 4 policy map.

Step 8 

exit

Example:

firewall/Admin(config-pmap-c)# exit

firewall/Admin(config-pmap)#

Exits policy map class configuration mode.

Step 9 

exit

Example:

firewall/Admin(config-pmap)# exit

firewall/Admin(config)#

Exits policy map configuration mode.

Step 10 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Configuring an HTTP Parameter Map

This task describes how to configure an HTTP parameter map.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. parameter-map type http name

3. case-insensitive

4. set header-maxparse-length bytes

5. set content-maxparse-length bytes

6. exit

7. policy-map multi-match map_name

8. class map_name

9. appl-parameter http advanced-options name

10. exit

11. exit

12. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

parameter-map type http name

Example:
firewall/Admin(config)# parameter-map type http HTTP_PARAM_MAP1
firewall/Admin(config-parammap-http)#

Configures advanced HTTP behavior for HTTP deep packet inspection.

Step 3 

case-insensitive

Example:
firewall/Admin(config-parammap-http)# case-insensitive

Enables case-insensitive HTTP matching. With case-insensitive matching enabled, uppercase and lowercase letters are considered the same. When case sensitivity is disabled, it applies to:

HTTP header names and values

URL strings

HTTP content inspection

Step 4 

set header-maxparse-length bytes

Example:
firewall/Admin(config-parammap-http)# set header-maxparse-length 8192

Configures the maximum number of bytes to parse in HTTP headers. Enter an integer from 1 to 65535. The default is 2048 bytes.

Step 5 

set content-maxparse-length bytes

Example:
firewall/Admin(config-parammap-http)# set content-maxparse-length 8192

Configures the maximum number of bytes to parse in HTTP content. Enter an integer from 1 to 65535. The default is 4096 bytes.

Step 6 

exit

Example:

firewall/Admin(config-parammap-http)# exit

firewall/Admin(config)#

Exits parameter-map configuration mode.

Step 7 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY

Creates and configures a Layer 3 and Layer 4 policy map.

Step 8 

class map_name

Example:
firewall/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS

Associates a previously defined class map with the Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 9 

appl-parameter http advanced-options name

Example:

firewall/Admin(config-pmap-c)# appl-parameter http advanced-options HTTP_PARAM_MAP1

Associates an HTTP parameter map with a Layer 3 and Layer 4 policy map.

Step 10 

exit

Example:

firewall/Admin(config-pmap-c)# exit

firewall/Admin(config-pmap)#

Exits policy map class configuration mode.

Step 11 

exit

Example:

firewall/Admin(config-pmap)# exit

firewall/Admin(config)#

Exits policy map configuration mode.

Step 12 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Configuring a SCCP Parameter Map

This task describes how to configure a Skinny Client Control Protocol (SCCP) parameter map.

SCCP Inspection Configuration Considerations

Be aware of the following considerations when you configure SCCP inspection on the VFW application:

If the VFW application resides between the Cisco CallManager (CCM) and the IP phones, then explicit security ACLs are required to permit TFTP traffic between the CCM and the phones because the VFW application does not support TFTP fixup.

If the IP address of an internal CCM is configured for NAT or PAT to a different IP address or port, registrations for external Cisco IP phones fail, because the VFW application does not support NAT or PAT of the file content transferred over TFTP. Although the VFW application supports NAT of TFTP messages, it does not open a secure port for TFTP. In addition, the VFW application cannot translate the CCM IP address and port that are embedded in the Cisco IP phone configuration files. The configuration files are transferred using TFTP during phone registration.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. parameter-map type skinny name

3. enforce-registration

4. message-id max number

5. sccp-prefix-len {max number | min number}

6. exit

7. policy-map multi-match map_name

8. class map_name

9. appl-parameter skinny advanced-options name

10. exit

11. exit

12. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

parameter-map type skinny name

Example:
firewall/Admin(config)# parameter-map type skinny SCCP_PARAMMAP
firewall/Admin(config-parammap-skinny)#

Configures a parameter map for SCCP packet inspection.

Step 3 

enforce-registration

Example:
firewall/Admin(config-parammap-skinny)# enforce-registration

Specifies that only skinny clients can make calls.

Step 4 

message-id max number

Example:
firewall/Admin(config-parammap-skinny)# message-id max 3000

Specifies the maximum SCCP StationMessageID that the VFW application allows. The number argument is the largest value for the station message ID in hexadecimal that the VFW application accepts. Enter a hexadecimal value from 0 to 4000. If a packet arrives with a station message ID greater than the maximum configured value or greater than the default value, the VFW application drops the packet and generates a syslog message.

Step 5 

sccp-prefix-len {max number | min number}

Example:
firewall/Admin(config-parammap-skinny)# sccp-prefix-len min 4

Configures the VFW application to check for a specific minimum and maximum prefix length. By default, the VFW application drops SCCP messages that have an SCCP prefix length that is less than the message ID, and there is no check for the maximum prefix length. The number argument is an integer from 4 to 4000 bytes. The default maximum value is 4 bytes.

Step 6 

exit

Example:

firewall/Admin(config-parammap-skinny)# exit

firewall/Admin(config)#

Exits parameter-map configuration mode.

Step 7 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match SCCP_INSPECT_L4POLICY

Creates and configures a Layer 3 and Layer 4 policy map.

Step 8 

class map_name

Example:
firewall/Admin(config-pmap)# class SCCP_INSPECT_L4CLASS

Associates a previously defined class map with the Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 9 

appl-parameter skinny advanced-options name

Example:

firewall/Admin(config-pmap-c)# appl-parameter skinny advanced-options SCCP_PARAMMAP

Associates a skinny parameter map with a Layer 3 and Layer 4 policy map.

Step 10 

exit

Example:

firewall/Admin(config-pmap-c)# exit

firewall/Admin(config-pmap)#

Exits policy map class configuration mode.

Step 11 

exit

Example:

firewall/Admin(config-pmap)# exit

firewall/Admin(config)#

Exits policy map configuration mode.

Step 12 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Configuring a SIP Parameter Map

This task describes how to configure a SIP parameter map.

SIP Inspection Configuration Considerations

Be aware of the following considerations when you configure SIP inspection on the VFW application:

If the IP address in the owner field (o=) is different from the IP address in the connection field (c=) of the Session Description Protocol (SDP) portion of a SIP packet, the VFW application may not translate the IP address correctly. This incorrect IP address translation is caused by a limitation of the SIP protocol, which does not provide a port value in the owner field (o=).

If a remote endpoint attempts to register with a SIP proxy server on a network protected by the VFW application, the registration fails under the following conditions:

PAT is configured on the remote endpoint.

The SIP registration server is on the outside network.

The port value is missing in the contact field of the REGISTER message that the endpoint sends to the proxy server.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. configure

2. parameter-map type sip name

3. timeout sip-media seconds

4. im

5. max-forward-validation {drop | reset}

6. software-version {mask | log}

7. strict-header-validation {drop | log | reset}

8. uri-non-sip {mask | log}

9. exit

10. policy-map multi-match map_name

11. class map_name

12. appl-parameter sip advanced-options name

13. exit

14. exit

15. copy running-config startup-config

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

firewall/Admin# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/Admin(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 2 

parameter-map type sip name

Example:
firewall/Admin(config)# parameter-map type sip SIP_PARAMMAP
firewall/Admin(config-parammap-sip)#

Configures a SIP parameter map.

Step 3 

timeout sip-media seconds

Example:
firewall/Admin(config-parammap-sip)# timeout sip-media 3600

Configures a timeout value for the temporary secure port (pinhole) setup to stream media to a SIP client. Enter an integer from 1 to 65535 seconds. The default is 5 seconds. Be sure to provide a timeout value that is large enough for streaming media applications to finish.

Step 4 

im

Example:
firewall/Admin(config-parammap-sip)# im

Enables instant messaging (IM) over SIP after it has been disabled. By default, IM is enabled.

Step 5 

max-forward-validation {drop | reset}

Example:
firewall/Admin(config-parammap-sip)# max-forward-validation drop

Configures the action that the VFW application takes when the Max-Forwards header field reaches zero before the request reaches its destination.

drop—Specifies that the VFW application drop the SIP message.

reset—Specifies that the VFW application reset the SIP connection.

Step 6 

software-version {mask | log}

Example:
firewall/Admin(config-parammap-sip)# software-version mask

Logs or masks the software version of a user agent (UA) to protect the UA from attacks.

Step 7 

strict-header-validation {drop | log | reset}

Example:
firewall/Admin(config-parammap-sip)# strict-header-validation drop

Enables strict header validation and specifies the action that the VFW application takes if the SIP header does not meet the validation requirements.

drop—Specifies that the VFW application drop the SIP message.

log—Specifies that the VFW application log the header validation event.

reset—Specifies that the VFW application reset the connection.

Step 8 

uri-non-sip {mask | log}

Example:
firewall/Admin(config-parammap-sip)# uri-non-sip mask

Enables detection of non-SIP URIs in SIP messages.

log—Specifies that the VFW application log the non-SIP URI.

mask—Specifies that the VFW application mask the non-SIP URI.

Step 9 

exit

Example:

firewall/Admin(config-parammap-sip)# exit

firewall/Admin(config)#

Exits parameter-map configuration mode.

Step 10 

policy-map multi-match map_name

Example:
firewall/Admin(config)# policy-map multi-match SIP_INSPECT_L4POLICY

Creates and configures a Layer 3 and Layer 4 policy map.

Step 11 

class map_name

Example:
firewall/Admin(config-pmap)# class SIP_INSPECT_L4CLASS

Associates a previously defined class map with the Layer 3 and Layer 4 policy map, and enters policy map class configuration mode.

Step 12 

appl-parameter sip advanced-options name

Example:

firewall/Admin(config-pmap-c)# appl-parameter sip advanced-options SIP_PARAMMAP

Associates a SIP parameter map with a Layer 3 and Layer 4 policy map.

Step 13 

exit

Example:

firewall/Admin(config-pmap-c)# exit

firewall/Admin(config-pmap)#

Exits policy map class configuration mode.

Step 14 

exit

Example:

firewall/Admin(config-pmap)# exit

firewall/Admin(config)#

Exits policy map configuration mode.

Step 15 

copy running-config startup-config

Example:

firewall/Admin# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.
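
What the four parameter-map checks in Steps 5 through 8 do to a SIP request, as an added Python simulation that is not VFW code: it assumes that strict header validation means the mandatory request headers of RFC 3261 section 8.1.1 are present, that masking replaces the header value with '***', and it uses a constructed INVITE that trips every check.

```python
"""Simulation of the SIP parameter-map checks configured above
(max-forward-validation, software-version, strict-header-validation,
uri-non-sip) applied to a constructed SIP request.  Added illustration in
Python, not VFW code.  Assumptions: the strict check requires the mandatory
request headers of RFC 3261 section 8.1.1, and masking substitutes '***'."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MANDATORY_HEADERS = ("Via", "To", "From", "Call-ID", "CSeq", "Max-Forwards")
URI_HEADERS = ("To", "From", "Contact")
URI_RE = re.compile(r"<?([a-z][a-z0-9+.-]*):", re.IGNORECASE)
MASK = "***"
SEVERITY = {"forward": 0, "drop": 1, "reset": 2}


@dataclass
class SipParamMap:
    """One field per parameter-map command on this page; None = not set."""
    max_forward_validation: Optional[str] = None   # "drop" | "reset"
    software_version: Optional[str] = None          # "mask" | "log"
    strict_header_validation: Optional[str] = None  # "drop" | "log" | "reset"
    uri_non_sip: Optional[str] = None               # "mask" | "log"


@dataclass
class Verdict:
    action: str = "forward"                 # "forward" | "drop" | "reset"
    log: List[str] = field(default_factory=list)
    message: str = ""                       # message after any masking


def parse_sip(raw: str):
    """Split a CRLF-delimited SIP message into (start line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def inspect_sip(raw: str, pm: SipParamMap) -> Verdict:
    start, headers, body = parse_sip(raw)
    v = Verdict()
    present = {n.lower() for n, _ in headers}

    def escalate(action: str) -> None:   # reset outranks drop outranks forward
        if SEVERITY[action] > SEVERITY[v.action]:
            v.action = action

    # strict-header-validation: every mandatory header must be present.
    if pm.strict_header_validation:
        missing = [h for h in MANDATORY_HEADERS if h.lower() not in present]
        if missing:
            v.log.append("strict-header-validation: missing " + ",".join(missing))
            if pm.strict_header_validation != "log":
                escalate(pm.strict_header_validation)

    # max-forward-validation: the request's Max-Forwards has reached zero.
    if pm.max_forward_validation:
        for n, val in headers:
            if n.lower() == "max-forwards" and val.isdigit() and int(val) == 0:
                v.log.append("max-forward-validation: Max-Forwards is 0")
                escalate(pm.max_forward_validation)

    out = []
    for n, val in headers:
        # software-version: User-Agent on requests, Server on responses.
        if pm.software_version and n.lower() in ("user-agent", "server"):
            v.log.append(f"software-version: {n}={val}")
            if pm.software_version == "mask":
                val = MASK
        # uri-non-sip: an addressing header whose URI scheme is not sip/sips.
        if pm.uri_non_sip and n in URI_HEADERS:
            m = URI_RE.search(val)
            scheme = m.group(1).lower() if m else None
            if scheme not in (None, "sip", "sips"):
                v.log.append(f"uri-non-sip: {n} uses {scheme}:")
                if pm.uri_non_sip == "mask":
                    val = MASK
        out.append(f"{n}: {val}")
    v.message = "\r\n".join([start, *out]) + "\r\n\r\n" + body
    return v


# Constructed request: hop count exhausted, Via missing, non-SIP Contact URI,
# and a User-Agent that reveals the phone's software version.
SAMPLE_REQUEST = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@host.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Max-Forwards: 0\r\n"
    "Contact: <http://example.com/alice>\r\n"
    "User-Agent: ExamplePhone/1.2.3\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
```

Calling inspect_sip(SAMPLE_REQUEST, SipParamMap("drop", "mask", "drop", "mask")) applies the actions shown in Steps 5 through 8 and returns a drop verdict with the User-Agent and Contact values masked.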

Configuration Examples for Application Protocol Inspection

This section provides the following configuration examples:

Layer 7 HTTP Deep Inspection Policy Configuration: Example

Layer 7 FTP Inspection Policy Configuration: Example

Layer 3 and Layer 4 Application Protocol Inspection for DNS Inspection: Example

Layer 7 HTTP Deep Inspection Policy Configuration: Example

Create a Layer 7 class map that is used for the deep packet inspection of HTTP traffic

firewall/Admin# configure 
firewall/Admin(config)# class-map type http inspect match-any HTTP_INSPECT_L7CLASS 
firewall/Admin(config-cmap-http-insp)# match header length request eq 200 
firewall/Admin(config-cmap-http-insp)# match header Host header-value .*mycompanyexample.com
firewall/Admin(config-cmap-http-insp)# match url length eq 10000 
firewall/Admin(config-cmap-http-insp)# match url .*.gif 

Create and configure a Layer 7 policy map that enables deep packet inspection of the HTTP protocol

firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICY 
firewall/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS 
firewall/Admin(config-pmap-ins-http-c)# permit 
firewall/Admin(config-pmap-ins-http-c)# exit 
firewall/Admin(config-pmap-ins-http)# exit 
firewall/Admin(config)# 

Configure Layer 3 and Layer 4 class map to classify network traffic for HTTP deep packet inspection

firewall/Admin(config)# class-map match-all HTTP_INSPECT_L4CLASS 
firewall/Admin(config-cmap)# description HTTP protocol deep inspection of incoming traffic
firewall/Admin(config-cmap)# match port tcp eq 80
firewall/Admin(config-cmap)# exit
firewall/Admin(config)# 

Create a Layer 3 and Layer 4 policy map and associate the Layer 7 HTTP deep packet inspection policy map

firewall/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICY
firewall/Admin(config-pmap)# class HTTP_INSPECT_L4CLASS
firewall/Admin(config-pmap-c)# inspect http policy HTTP_INSPECT_L7POLICY
firewall/Admin(config-pmap-c)# exit
firewall/Admin(config-pmap)# exit
firewall/Admin(config)# 

Attach the Layer 3 and Layer 4 traffic policy to an interface

firewall/Admin(config)# interface interface_name
firewall/Admin(config-if)# service-policy input HTTP_INSPECT_L4POLICY

Layer 7 FTP Inspection Policy Configuration: Example

Create a Layer 7 class map for the inspection of FTP request commands

firewall/Admin# configure 
firewall/Admin(config)# class-map type ftp inspect match-any FTP_INSPECT_L7CLASS
firewall/Admin(config-cmap-ftp-insp)# match request-method mkdir
firewall/Admin(config-cmap-ftp-insp)# exit
firewall/Admin(config)# 

Create and configure a Layer 7 policy map that enables FTP command inspection

firewall/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
firewall/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
firewall/Admin(config-pmap-ftp-ins-c)# deny
firewall/Admin(config-pmap-ftp-ins-c)# exit
firewall/Admin(config-pmap-ftp-ins)# exit
firewall/Admin(config)#

Create a Layer 3 and Layer 4 class map to classify network traffic passing through the VFW application for FTP command inspection

firewall/Admin(config)# class-map match-all FTP_INSPECT_L4CLASS
firewall/Admin(config-cmap)# description FTP command inspection of incoming traffic
firewall/Admin(config-cmap)# match port tcp eq 21
firewall/Admin(config-cmap)# exit
firewall/Admin(config)# 

Create a Layer 3 and Layer 4 policy map and associate the Layer 7 FTP command inspection policy map

firewall/Admin(config)# policy-map multi-match FTP_STRICT_INSPECT_L4POLICY
firewall/Admin(config-pmap)# class FTP_INSPECT_L4CLASS
firewall/Admin(config-pmap-c)# inspect ftp strict policy FTP_INSPECT_L7POLICY
firewall/Admin(config-pmap-c)# exit
firewall/Admin(config-pmap)# exit
firewall/Admin(config)#

Attach the Layer 3 and Layer 4 traffic policy to an interface

firewall/Admin(config)# interface interface_name
firewall/Admin(config-if)# service-policy input FTP_STRICT_INSPECT_L4POLICY
Layer 3 and Layer 4 Application Protocol Inspection for DNS Inspection: Example

In the following application protocol inspection configuration, the VFW application performs DNS query inspection using a Layer 3 and Layer 4 policy map. DNS requires application inspection so that DNS queries are not subject to the generic UDP handling based on activity timeouts. The VFW application performs the reassembly of DNS packets to verify that the packet length is less than the configured maximum length of a DNS reply.

firewall/Admin(config)# access-list ACL1 line 10 extended permit ip any any

firewall/Admin(config)# class-map match-any L4_DNS-INSPECT_CLASS
firewall/Admin(config-cmap)# description DNS application protocol inspection of incoming traffic
firewall/Admin(config-cmap)# match port udp eq domain
firewall/Admin(config-cmap)# exit
firewall/Admin(config)#

firewall/Admin(config)# policy-map multi-match L4_DNS-INSPECT_POLICY
firewall/Admin(config-pmap)# class L4_DNS-INSPECT_CLASS
firewall/Admin(config-pmap-c)# inspect dns maximum length 1000
firewall/Admin(config-pmap-c)# exit
firewall/Admin(config-pmap)# exit
firewall/Admin(config)#

firewall/Admin(config)# interface INT1
firewall/Admin(config-if)# ip address 192.168.2.1 255.255.255.0
firewall/Admin(config-if)# access-group input ACL1
firewall/Admin(config-if)# service-policy input L4_DNS-INSPECT_POLICY
firewall/Admin(config-if)# no shutdown
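The two behaviours the DNS example relies on, a per-flow state entry that is released by the matching reply rather than by a UDP idle timeout, and a reply length limit taken from the configured maximum length, as an added Python model (not Cisco code and not the VFW implementation). It assumes the UDP payload has already been reassembled, that flow state is keyed by client address and DNS transaction ID, and that a reply with no outstanding query is dropped.

```python
import struct

MAX_DNS_LENGTH = 1000  # the value configured above: inspect dns maximum length 1000


def dns_header(msg: bytes):
    """Return (transaction id, is_response) from the 12-byte DNS header, or None if truncated."""
    if len(msg) < 12:
        return None
    ident, flags = struct.unpack("!HH", msg[:4])
    return ident, bool(flags & 0x8000)   # QR bit set means the message is a reply


class DnsInspector:
    """Model of DNS inspection on one interface: length limit on replies, flow closed by the reply."""

    def __init__(self, max_length: int = MAX_DNS_LENGTH):
        self.max_length = max_length
        self.pending = {}  # (client address, transaction id) -> length of the outstanding query

    def inspect(self, client: str, msg: bytes) -> str:
        """Return 'allow' or 'drop' for one reassembled DNS message in the flow of 'client'."""
        hdr = dns_header(msg)
        if hdr is None:
            return "drop"                     # a message without a full header cannot be inspected
        ident, is_response = hdr
        key = (client, ident)
        if not is_response:
            self.pending[key] = len(msg)      # remember the query until its reply arrives
            return "allow"
        if len(msg) > self.max_length:
            return "drop"                     # reply longer than the configured maximum length
        if key not in self.pending:
            return "drop"                     # assumption: a reply with no outstanding query is dropped
        del self.pending[key]                 # flow state released now, not after a UDP idle timeout
        return "allow"


def make_message(ident: int, is_response: bool, total_len: int) -> bytes:
    """Constructed sample DNS message: a real header followed by zero padding up to total_len bytes."""
    flags = 0x8180 if is_response else 0x0100
    header = struct.pack("!HHHHHH", ident, flags, 1, 1 if is_response else 0, 0, 0)
    return header + b"\x00" * (total_len - 12)


if __name__ == "__main__":
    insp = DnsInspector()
    print(insp.inspect("192.168.2.10", make_message(0x1234, False, 40)))    # allow: query recorded
    print(insp.inspect("192.168.2.10", make_message(0x1234, True, 1500)))   # drop: over 1000 bytes
    print(insp.inspect("192.168.2.10", make_message(0x1234, True, 300)))    # allow: flow closed
```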

Additional References

The following sections provide references related to application protocol inspection.

Related Documents

Related Topic                                   Document Title
----------------------------------------------  ------------------------------------------------------------
Virtual firewall class map command syntax       Class Map Commands on the Virtual Firewall module in
                                                Cisco IOS XR Virtual Firewall Command Reference
Virtual firewall policy map command syntax      Policy Map Commands on the Virtual Firewall module in
                                                Cisco IOS XR Virtual Firewall Command Reference


Standards

Standards                                                             Title
--------------------------------------------------------------------  -----
No new or modified standards are supported by this feature, and
support for existing standards has not been modified by this feature.


MIBs

MIBs                  MIBs Link
--------------------  ----------------------------------------------------------------------
                      To locate and download MIBs using Cisco IOS XR software, use the Cisco
                      MIB Locator found at the following URL and choose a platform under the
                      Cisco Access Products menu:
                      http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

RFCs                                                                  Title
--------------------------------------------------------------------  -----
No new or modified RFCs are supported by this feature, and support
for existing RFCs has not been modified by this feature.


Technical Assistance

Description                                                          Link
-------------------------------------------------------------------  --------------------------------
The Cisco Technical Support website contains thousands of pages of   http://www.cisco.com/techsupport
searchable technical content, including links to products,
technologies, solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access even more
content.