ASDM 5.2 User Guide
Global Objects

Table Of Contents

Global Objects

Using Network Objects and Groups

Network Object Overview

Configuring a Network Object

Configuring a Network Object Group

Using Network Objects and Groups in a Rule

Viewing the Usage of a Network Object or Group

Configuring Service Groups

Service Groups

Add/Edit Service Group

Browse Service Groups

Configuring Class Maps

DNS Class Map

Add/Edit DNS Traffic Class Map

Add/Edit DNS Match Criterion

Manage Regular Expressions

Manage Regular Expression Class Maps

FTP Class Map

Add/Edit FTP Traffic Class Map

Add/Edit FTP Match Criterion

H.323 Class Map

Add/Edit H.323 Traffic Class Map

Add/Edit H.323 Match Criterion

HTTP Class Map

Add/Edit HTTP Traffic Class Map

Add/Edit HTTP Match Criterion

IM Class Map

Add/Edit IM Traffic Class Map

Add/Edit IM Match Criterion

SIP Class Map

Add/Edit SIP Traffic Class Map

Add/Edit SIP Match Criterion

Configuring Inspect Maps

DCERPC Inspect Map

Customize Security Level

DCERPC Inspect Map Basic/Advanced View

DNS Inspect Map

Customize Security Level

DNS Inspect Map Basic View

DNS Inspect Map Advanced View

Add/Edit DNS Inspect

Manage Class Maps

ESMTP Inspect Map

Customize Security Level

MIME File Type Filtering

ESMTP Inspect Map Basic View

ESMTP Inspect Map Advanced View

Add/Edit ESMTP Inspect

FTP Inspect Map

Customize Security Level

File Type Filtering

FTP Inspect Map Basic View

FTP Inspect Map Advanced View

Add/Edit FTP Map

GTP Inspect Map

Customize Security Level

IMSI Prefix Filtering

GTP Inspect Map Basic View

GTP Inspect Map Advanced View

Add/Edit GTP Map

H.323 Inspect Map

Customize Security Level

Phone Number Filtering

H.323 Inspect Map Basic View

H.323 Inspect Map Advanced View

Add/Edit HSI Group

Add/Edit H.323 Map

HTTP Inspect Map

Customize Security Level

URI Filtering

HTTP Inspect Map Basic View

HTTP Inspect Map Advanced View

Add/Edit HTTP Map

Instant Messaging (IM) Inspect Map

Instant Messaging (IM) Inspect Map View

Add/Edit IM Map

IPSec Pass Through Inspect Map

Customize Security Level

IPSec Pass Through Inspect Map Basic View

IPSec Pass Through Inspect Map Advanced View

MGCP Inspect Map

Gateways and Call Agents

MGCP Inspect Map View

Add/Edit MGCP Group

NetBIOS Inspect Map

NetBIOS Inspect Map View

RADIUS Inspect Map

RADIUS Inspect Map Host

RADIUS Inspect Map Other

SCCP (Skinny) Inspect Map

Customize Security Level

Message ID Filtering

SCCP (Skinny) Inspect Map Basic View

SCCP (Skinny) Inspect Map Advanced View

Add/Edit Message ID Filter

SIP Inspect Map

Customize Security Level

SIP Inspect Map Basic View

SIP Inspect Map Advanced View

Add/Edit SIP Inspect

SNMP Inspect Map

Add/Edit SNMP Map

Configuring Regular Expressions

Regular Expressions

Add/Edit Regular Expression

Build Regular Expression

Test Regular Expression

Add/Edit Regular Expression Class Map

TCP Maps

Add/Edit TCP Map

Configuring Time Ranges

Add/Edit Time Range

Add/Edit Periodic Time Range


Global Objects


The Global Objects pane provides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. For example, once you define the hosts and networks that are covered by your security policy, you can select the host or network to which a feature applies, instead of having to redefine it every time. This saves time and ensures consistency and accuracy of your security policy. When you need to add or delete a host or network, you can use the Global Objects pane to change it in a single place.

This chapter includes the following sections:

Using Network Objects and Groups

Configuring Service Groups

Configuring Class Maps

Configuring Inspect Maps

Configuring Regular Expressions

TCP Maps

Configuring Time Ranges

Using Network Objects and Groups

This section describes how to use network objects and groups, and includes the following topics:

Network Object Overview

Configuring a Network Object

Configuring a Network Object Group

Using Network Objects and Groups in a Rule

Viewing the Usage of a Network Object or Group

Network Object Overview

Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or an AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.

You can add network objects manually, or you can let ASDM create objects automatically from the existing configuration, such as access rules and AAA rules. If you edit one of these derived objects, it persists even if you later delete the rule that used it. Otherwise, derived objects reflect the current configuration only after you refresh.

A network object group is a group containing multiple hosts and networks together. A network object group can also contain other network object groups. You can then specify the network object group as the source address or destination address in an access rule.

When you are configuring rules, the ASDM window includes an Addresses side pane at the right that shows available network objects and network object groups; you can add, edit, or delete objects directly in the Addresses pane. You can also drag additional network objects and groups from the Addresses pane to the source or destination of a selected access rule.

Configuring a Network Object

To configure a network object, perform the following steps:


Step 1 In the Configuration > Global Objects > Network Objects/Group pane, click Add > Network Object to add a new object, or choose an object and click Edit.

You can also add or edit network objects from the Addresses side pane in a rules window, or when you are adding a rule.

To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed.

The Add/Edit Network Object dialog box appears.

Step 2 Fill in the following values:

Name—(Optional) The object name. Use characters a to z, A to Z, 0 to 9, a dot, a dash, or an underscore. The name must be 64 characters or less.

IP Address—The IP address, either a host or network address.

Netmask—The subnet mask for the IP address.

Description—(Optional) The description of the network object.

Step 3 Click OK.

You can now use this network object when you create a rule. For an edited object, the change is inherited automatically by any rules using the object.



Note You cannot delete a network object that is in use.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Configuring a Network Object Group

To configure a network object group, perform the following steps:


Step 1 In the Configuration > Global Objects > Network Objects/Group pane, click Add > Network Object Group to add a new object group, or choose an object group and click Edit.

You can also add or edit network object groups from the Addresses side pane in a rules window, or when you are adding a rule.

To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed.

The Add/Edit Network Object Group dialog box appears.

Step 2 In the Group Name field, enter a group name.

Use characters a to z, A to Z, 0 to 9, a dot, a dash, or an underscore. The name must be 64 characters or less.

Step 3 (Optional) In the Description field, enter a description up to 200 characters in length.

Step 4 You can add existing objects or groups to the new group (nested groups are allowed), or you can create a new address to add to the group:

To add an existing network object or group to the new group, double-click the object in the Existing Network Objects/Groups pane.

You can also select the object, and then click Add. The object or group is added to the right-hand Members in Group pane.

To add a new address, fill in the values under the Create New Network Object Member area, and click Add.

The object or group is added to the right-hand Members in Group pane. This address is also added to the network object list.

To remove an object, double-click it in the Members in Group pane, or click Remove.

Step 5 After you add all the member objects, click OK.

You can now use this network object group when you create a rule. For an edited object group, the change is inherited automatically by any rules using the group.



Note You cannot delete a network object group that is in use.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Using Network Objects and Groups in a Rule

When you create a rule, you can enter an IP address manually, or you can browse for a network object or group to use in the rule.

To use a network object or group in a rule, perform the following steps:


Step 1 From the rule dialog box, click the ... browse button next to the source or destination address field.

The Browse Source Address or Browse Destination Address dialog box appears.

Step 2 You can either add a new network object or group, or choose an existing network object or group by double-clicking it.

To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed.

To add a new network object, see the "Configuring a Network Object" section.

To add a new network object group, see the "Configuring a Network Object Group" section.

After you add a new object or double-click an existing object, it appears in the Selected Source/Destination field. For access rules, you can add multiple objects and groups in the field, separated by commas.

Step 3 Click OK.

You return to the rule dialog box.


Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Viewing the Usage of a Network Object or Group

To view what rules use a network object or group, in the Configuration > Global Objects > Network Objects/Group pane, click the magnifying glass Find icon.

The Usages dialog box appears listing all the rules currently using the network object or group. This dialog box also lists any Network Objects/Groups that contain the object.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System
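The object model behind the three procedures above (configuring an object, configuring a nested group, and checking usage before deletion), as an added example in Python that is not ASDM or ASA code: a small store that applies the name rules from Step 2, flattens nested groups to networks, answers the same question as the Usages dialog, and refuses to delete an object or group that is still in use. The object names, addresses and the rule name are constructed for the example, and the `rules` table is a stand-in for the security policy, not the appliance's own data structure.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Name rule stated in the guide: letters, digits, dot, dash, underscore; at most 64 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class ObjectError(ValueError):
    """Raised for invalid names, unknown members, nesting loops and in-use deletions."""


@dataclass
class NetworkObject:
    name: str
    network: ipaddress.IPv4Network  # a host object is simply a /32 network


@dataclass
class NetworkObjectGroup:
    name: str
    members: list = field(default_factory=list)  # names of objects or other groups (nesting allowed)


class ObjectStore:
    """Network objects, groups and the rules that reference them (constructed model)."""

    def __init__(self):
        self.objects, self.groups, self.rules = {}, {}, {}

    def _check_name(self, name):
        if not NAME_RE.match(name):
            raise ObjectError(f"invalid name {name!r}")
        if name in self.objects or name in self.groups:
            raise ObjectError(f"name {name!r} is already used by another object or group")

    def add_object(self, name, address, netmask="255.255.255.255"):
        self._check_name(name)
        # strict=True rejects a network address with host bits set, e.g. 10.1.1.5/24
        self.objects[name] = NetworkObject(name, ipaddress.IPv4Network((address, netmask), strict=True))

    def add_group(self, name, members):
        self._check_name(name)
        for m in members:
            if m != name and m not in self.objects and m not in self.groups:
                raise ObjectError(f"unknown member {m!r}")
        self.groups[name] = NetworkObjectGroup(name, list(members))
        try:
            self.resolve(name)  # reject a group that contains itself, directly or through nesting
        except ObjectError:
            del self.groups[name]
            raise

    def add_rule(self, rule_name, *refs):
        for r in refs:
            if r not in self.objects and r not in self.groups:
                raise ObjectError(f"rule {rule_name!r} references unknown {r!r}")
        self.rules[rule_name] = set(refs)

    def resolve(self, name, _seen=None):
        """Flatten an object or nested group into a sorted list of networks."""
        seen = _seen or set()
        if name in self.objects:
            return [self.objects[name].network]
        if name in seen:
            raise ObjectError(f"nesting loop through {name!r}")
        nets = []
        for m in self.groups[name].members:
            nets.extend(self.resolve(m, seen | {name}))
        return sorted(set(nets), key=lambda n: (int(n.network_address), n.prefixlen))

    def usages(self, name):
        """What the Usages dialog shows: rules using the name, and groups that contain it."""
        return {"rules": sorted(r for r, refs in self.rules.items() if name in refs),
                "groups": sorted(g for g, grp in self.groups.items() if name in grp.members)}

    def delete(self, name):
        """Mirror the guide's note: an object or group that is in use cannot be deleted."""
        used = self.usages(name)
        if used["rules"] or used["groups"]:
            raise ObjectError(f"{name!r} is in use: {used}")
        if name in self.objects:
            del self.objects[name]
        elif name in self.groups:
            del self.groups[name]
        else:
            raise ObjectError(f"no such object or group {name!r}")

    def contains(self, name, ip):
        """True if the address falls inside the flattened object or group."""
        return any(ipaddress.ip_address(ip) in n for n in self.resolve(name))


def build_example():
    """Constructed data: two DMZ hosts, a corporate LAN, a nested group and one rule."""
    s = ObjectStore()
    s.add_object("dmz-web1", "192.0.2.10")
    s.add_object("dmz-web2", "192.0.2.11")
    s.add_object("corp-lan", "10.10.0.0", "255.255.0.0")
    s.add_group("dmz-web", ["dmz-web1", "dmz-web2"])
    s.add_group("all-internal", ["corp-lan", "dmz-web"])  # group of groups
    s.add_rule("permit-web-from-corp", "corp-lan", "dmz-web")
    return s
```

Deleting `dmz-web` fails while the rule or the `all-internal` group references it; once both references are gone the delete goes through, which is the order of operations the Usages dialog is there to help you plan.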


Configuring Service Groups

This section describes how to configure service groups, and includes the following topics:

Service Groups

Add/Edit Service Group

Browse Service Groups

Service Groups

The Service Groups pane lets you associate multiple services into a named group. You can create service groups for each of the following types:

TCP ports

UDP ports

TCP-UDP ports

ICMP types

IP protocols

Multiple service groups can be nested into a "group of groups" and used as a single group.

You can use a service group for most configurations that require you to identify a port, ICMP type, or protocol. When you are configuring NAT or security policy rules, the ASDM window also includes a side pane at the right that shows available service groups and other global objects; you can add, edit, or delete objects directly in the side pane.

Fields

Add—Adds a service group. Choose the type of service groups you want to add from the drop-down list.

Edit—Edits a service group.

Delete—Deletes a service group. When a service group is deleted, it is also removed from every service group that nests it. Do not delete a service group that is used in an access rule; a service group used in an access rule also cannot be made empty.

Find—Filters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.

Filter field—Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed.

Filter—Runs the filter.

Clear—Clears the Filter field.

Type—Lets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all service groups, choose All.

Name—Lists the service group names. Click the plus (+) icon next to the name to expand the service group so you can view the services. Click the minus (-) icon to collapse the service group.

Description—Lists the service group descriptions.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Add/Edit Service Group

The Add/Edit Service Group dialog box lets you assign services to a service group. This dialog box name matches the type of service group you are adding; for example, if you are adding a TCP service group, the name is "Add/Edit TCP Service Group."

Fields

Group Name—Enter the group name, up to 64 characters in length. The name must be unique for all object groups. A service group name cannot share a name with a network object group.

Description—Enter a description of this service group, up to 200 characters in length.

Members Not in Group—Identifies items that can be added to the service group.

Service/Service Group, ICMP Type/ICMP Group, or Protocol/Protocol Group—The title of this table depends on the type of service group you are adding. Choose from already defined service groups, or choose from a list of commonly used port, type, or protocol names.

Name—Lists the already defined service groups and commonly used ports, types, or protocols.

Port #, ICMP #, or Protocol #—The title of this table depends on the type of service group you are adding. Lets you add a new item, either by number or name. For TCP, UDP, and TCP-UDP service groups, you can enter a range of port numbers.

Members in Group—Shows items that are already added to the service group.

Add—Adds the selected item to the service group.

Remove—Removes the selected item from the service group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Browse Service Groups

The Browse Service Groups dialog box lets you choose a service group. This dialog box is used in multiple configuration screens and is named appropriately for your current task. For example, from the Add/Edit Access Rule dialog box, this dialog box is named "Browse Source Port" or "Browse Destination Port."

Fields

Add—Adds a service group.

Edit—Edits the selected service group.

Delete—Deletes the selected service group.

Find—Filters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.

Filter field—Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed.

Filter—Runs the filter.

Clear—Clears the Filter field.

Type—Lets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all types, choose All. Typically, the type of rule you configure can only use one type of service group; for example, you cannot select a UDP service group for a TCP access rule.

Name—Shows the name of the service group. Click the plus (+) icon next to the name of an item to expand it. Click the minus (-) icon to collapse the item.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Configuring Class Maps

An inspection class map matches application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

This section describes how to configure inspection class maps, and includes the following topics:

DNS Class Map

FTP Class Map

H.323 Class Map

HTTP Class Map

IM Class Map

SIP Class Map

DNS Class Map

The DNS Class Map panel lets you configure DNS class maps for DNS inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the DNS class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the DNS class map.

Value—Shows the value to match in the DNS class map.

Description—Shows the description of the class map.

Add—Adds a DNS class map.

Edit—Edits a DNS class map.

Delete—Deletes a DNS class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Add/Edit DNS Traffic Class Map

The Add/Edit DNS Traffic Class Map dialog box lets you define a DNS class map.

Fields

Name—Enter the name of the DNS class map, up to 40 characters in length.

Description—Enter the description of the DNS class map.

Add—Adds a match condition to the DNS class map.

Edit—Edits a match condition in the DNS class map.

Delete—Deletes a match condition from the DNS class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Add/Edit DNS Match Criterion

The Add/Edit DNS Match Criterion dialog box lets you define the match criterion and value for the DNS class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of DNS traffic to match.

Header Flag—Match a DNS flag in the header.

Type—Match a DNS query or resource record type.

Class—Match a DNS query or resource record class.

Question—Match a DNS question.

Resource Record—Match a DNS resource record.

Domain Name—Match a domain name from a DNS query or resource record.

Header Flag Criterion Values—Specifies the value details for the DNS header flag match.

Match Option—Specifies either an exact match or match all bits (bit mask match).

Match Value—Specifies to match either the header flag name or the header flag value.

Header Flag Name—Lets you select one or more header flag names to match: the AA (authoritative answer), QR (query/response), RA (recursion available), RD (recursion desired), and TC (truncation) flag bits.

Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match.

Type Criterion Values—Specifies the value details for the DNS type match.

DNS Type Field Name—Lists the DNS types to select.

A—IPv4 address

NS—Authoritative name server

CNAME—Canonical name

SOA—Start of a zone of authority

TSIG—Transaction signature

IXFR—Incremental (zone) transfer

AXFR—Full (zone) transfer

DNS Type Field Value—Specifies to match either a DNS type field value or a DNS type field range.

Value—Lets you enter an arbitrary value between 0 and 65535 to match.

Range—Lets you enter a range match; both values must be between 0 and 65535.

Class Criterion Values—Specifies the value details for the DNS class match.

DNS Class Field Name—Specifies to match on the well-known DNS class name, internet (IN).

DNS Class Field Value—Specifies to match either a DNS class field value or a DNS class field range.

Value—Lets you enter an arbitrary value between 0 and 65535 to match.

Range—Lets you enter a range match; both values must be between 0 and 65535.

Question Criterion Values—Specifies to match on the DNS question section.

Resource Record Criterion Values—Specifies to match on the DNS resource record section.

Resource Record—Lists the sections to match.

Additional—DNS additional resource record

Answer—DNS answer resource record

Authority—DNS authority resource record

Domain Name Criterion Values—Specifies to match on the DNS domain name.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Manage Regular Expressions

The Manage Regular Expressions dialog box lets you configure Regular Expressions for use in pattern matching. Regular expressions that start with "_default" are default regular expressions and cannot be modified or deleted.

Fields

Name—Shows the regular expression names.

Value—Shows the regular expression definitions.

Add—Adds a regular expression.

Edit—Edits a regular expression.

Delete—Deletes a regular expression.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Manage Regular Expression Class Maps

The Manage Regular Expression Class Maps dialog box lets you configure regular expression class maps. See Regular Expressions for more information.

Fields

Name—Shows the regular expression class map name.

Match Conditions—Shows the match type and regular expressions in the class map.

Match Type—Shows the match type, which for regular expression class maps is always a positive match (shown by the icon with the equal sign (=)). Inspection class maps also allow negative matches, shown by the icon with the red circle. If more than one regular expression is in the class map, each match type icon appears with "OR" next to it, indicating that this class map is a "match any" class map: traffic matches the class map if any one of its regular expressions matches.

Regular Expression—Lists the regular expressions included in each class map.

Description—Shows the description of the class map.

Add—Adds a regular expression class map.

Edit—Edits a regular expression class map.

Delete—Deletes a regular expression class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System
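How the DNS match criteria (Add/Edit DNS Match Criterion) and a match-any regular expression class map combine inside one inspection class map, as an added example in Python that is not ASDM or appliance code: it decodes the question section of a DNS message, implements the Header Flag criterion in both exact and bit-mask form, the Type criterion as a single value or a range, the Domain Name criterion against a list of regular expressions treated as a match-any class, and No Match as negation. The sample queries, the class map and the internal-domain regexes are constructed; Python's `re` engine stands in for the appliance's, and treating "exact" as a comparison of the whole 16-bit flags word is this example's reading, not something the guide states.

```python
import re
import struct

# Bit positions of the DNS header flags in the 16-bit flags word (RFC 1035, section 4.1.1).
DNS_FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}

# Numeric values of the well-known DNS types the dialog lists by name.
DNS_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TSIG": 250, "IXFR": 251, "AXFR": 252}


def parse_dns(packet):
    """Return (flags, questions) from a DNS message; only the question section is decoded."""
    _ident, flags, qdcount = struct.unpack("!HHH", packet[:6])
    off, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            n = packet[off]
            off += 1
            if n == 0:
                break
            if n & 0xC0:
                raise ValueError("compression pointers are not expected in a question name")
            labels.append(packet[off:off + n].decode("ascii"))
            off += n
        qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        questions.append((".".join(labels), qtype, qclass))
    return flags, questions


def build_query(name, qtype, flags=DNS_FLAGS["RD"], ident=0x1234):
    """Constructed sample input: a single-question DNS query, class IN."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


# Each criterion is a function of (flags, questions) that returns True on a match.

def header_flag(names, exact=False):
    """Match Option: exact compares the whole flags word (assumption); otherwise every named bit must be set."""
    value = sum(DNS_FLAGS[n] for n in names)
    return lambda msg: msg[0] == value if exact else (msg[0] & value) == value


def dns_type(lo, hi=None):
    """Type criterion: a well-known name or numeric value, or an inclusive range of values."""
    lo = DNS_TYPES.get(lo, lo)
    hi = lo if hi is None else DNS_TYPES.get(hi, hi)
    return lambda msg: any(lo <= qt <= hi for _, qt, _ in msg[1])


def domain_name(regexes):
    """Domain Name criterion against a regular expression class map, which is always match-any."""
    pats = [re.compile(r) for r in regexes]  # Python re stands in for the appliance's regex engine
    return lambda msg: any(p.search(qname) for qname, _, _ in msg[1] for p in pats)


def no_match(criterion):
    """Match Type = No Match: traffic that matches the criterion is excluded from the class."""
    return lambda msg: not criterion(msg)


def class_map(criteria, match_all=True):
    """Combine criteria the way an inspection class map does: match-all or match-any."""
    return lambda msg: (all if match_all else any)(c(msg) for c in criteria)


# Hypothetical class map: zone-transfer requests for names outside the internal domains.
INTERNAL_DOMAINS = [r"\.example\.com$", r"\.corp\.example\.net$"]  # constructed regex class map
ZONE_XFER_OUTSIDE = class_map([
    dns_type("IXFR", "AXFR"),              # type range 251..252
    header_flag(["RD"]),                   # bit-mask match: RD set, other bits ignored
    no_match(domain_name(INTERNAL_DOMAINS)),
])


def classify(packet, cm=ZONE_XFER_OUTSIDE):
    """True when the packet falls into the class map."""
    return cm(parse_dns(packet))
```

The bit-mask form is the one to use when other flags may vary (a recursive query from a resolver that also sets RA, for instance); the exact form only fires on one precise combination of bits, which is usually narrower than intended.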


FTP Class Map

The FTP Class Map panel lets you configure FTP class maps for FTP inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the FTP class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the FTP class map.

Value—Shows the value to match in the FTP class map.

Description—Shows the description of the class map.

Add—Adds an FTP class map.

Edit—Edits an FTP class map.

Delete—Deletes an FTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Add/Edit FTP Traffic Class Map

The Add/Edit FTP Traffic Class Map dialog box lets you define an FTP class map.

Fields

Name—Enter the name of the FTP class map, up to 40 characters in length.

Description—Enter the description of the FTP class map.

Add—Adds an FTP class map.

Edit—Edits an FTP class map.

Delete—Deletes an FTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Add/Edit FTP Match Criterion

The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of FTP traffic to match.

Request-Command—Match an FTP request command.

File Name—Match a filename for FTP transfer.

File Type—Match a file type for FTP transfer.

Server—Match an FTP server.

User Name—Match an FTP user.

Request-Command Criterion Values—Specifies the value details for the FTP request command match.

Request Command—Lets you select one or more request commands to match.

APPE—Append to a file.

CDUP—Change to the parent of the current directory.

DELE—Delete a file at the server site.

GET—FTP client command for the retr (retrieve a file) command.

HELP—Help information from the server.

MKD—Create a directory.

PUT—FTP client command for the stor (store a file) command.

RMD—Remove a directory.

RNFR—Rename from.

RNTO—Rename to.

SITE—Specify a server specific command.

STOU—Store a file with a unique name.

File Name Criterion Values—Specifies to match on the FTP transfer filename.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

File Type Criterion Values—Specifies to match on the FTP transfer file type.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Server Criterion Values—Specifies to match on the FTP server.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

User Name Criterion Values—Specifies to match on the FTP user.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


H.323 Class Map

The H.323 Class Map panel lets you configure H.323 class maps for H.323 inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the H.323 class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the H.323 class map.

Value—Shows the value to match in the H.323 class map.

Description—Shows the description of the class map.

Add—Adds an H.323 class map.

Edit—Edits an H.323 class map.

Delete—Deletes an H.323 class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Add/Edit H.323 Traffic Class Map

The Add/Edit H.323 Traffic Class Map dialog box lets you define an H.323 class map.

Fields

Name—Enter the name of the H.323 class map, up to 40 characters in length.

Description—Enter the description of the H.323 class map.

Add—Adds an H.323 class map.

Edit—Edits an H.323 class map.

Delete—Deletes an H.323 class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


Add/Edit H.323 Match Criterion

The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.323 class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of H.323 traffic to match.

Called Party—Match the called party.

Calling Party—Match the calling party.

Media Type—Match the media type.

Called Party Criterion Values—Specifies to match on the H.323 called party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Calling Party Criterion Values—Specifies to match on the H.323 calling party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Media Type Criterion Values—Specifies which media type to match.

Audio—Match audio type.

Video—Match video type.

Data—Match data type.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode              Security Context
Routed    Transparent      Single    Multiple
                                     Context    System


HTTP Class Map

The HTTP Class Map panel lets you configure HTTP class maps for HTTP inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the HTTP class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the HTTP class map.

Value—Shows the value to match in the HTTP class map.

Description—Shows the description of the class map.

Add—Adds an HTTP class map.

Edit—Edits an HTTP class map.

Delete—Deletes an HTTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit HTTP Traffic Class Map

The Add/Edit HTTP Traffic Class Map dialog box lets you define an HTTP class map.

Fields

Name—Enter the name of the HTTP class map, up to 40 characters in length.

Description—Enter the description of the HTTP class map.

Add—Adds an HTTP class map.

Edit—Edits an HTTP class map.

Delete—Deletes an HTTP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit HTTP Match Criterion

The Add/Edit HTTP Match Criterion dialog box lets you define the match criterion and value for the HTTP class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of HTTP traffic to match.

Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.

Request Arguments—Applies the regular expression match to the arguments of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified.

Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.

Request Body—Applies the regular expression match to the body of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Count—Enter the maximum number of header fields.

Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.

Request Header Field—Applies the regular expression match to the header of the request.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers.

Greater Than Count—Enter the maximum number of headers.

Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified.

Greater Than Length—Enter a header length value in bytes.

Request Header non-ASCII—Matches non-ASCII characters in the header of the request.

Request Method—Applies the regular expression match to the method of the request.

Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.

Regular Expression—Specifies to match on a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified.

Greater Than Length—Enter a URI length value in bytes.

Request URI—Applies the regular expression match to the URI of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Body—Applies the regular expression match to the body of the response.

ActiveX—Specifies to match on ActiveX.

Java Applet—Specifies to match on a Java Applet.

Regular Expression—Specifies to match on a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified.

Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.

Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Count—Enter the maximum number of header fields.

Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.

Response Header Field—Applies the regular expression match to the header of the response.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers.

Greater Than Count—Enter the maximum number of headers.

Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified.

Greater Than Length—Enter a header length value in bytes.

Response Header non-ASCII—Matches non-ASCII characters in the header of the response.

Response Status Line—Applies the regular expression match to the status line.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
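The criteria above are easier to reason about when you can run them against a request and response. The following is an added example, not code from the ASDM guide or the security appliance: a small Python evaluator for a handful of the HTTP match criteria described in this dialog (request method, URI length, header field count, header field regular expression, non-ASCII header, and request/response content type mismatch), including the Match / No Match choice. The class and function names, the match-all semantics, and the sample traffic are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str]      # header names stored lower-case
    body: bytes = b""


@dataclass
class HttpResponse:
    status_line: str
    headers: Dict[str, str]
    body: bytes = b""


Test = Callable[[HttpRequest, Optional[HttpResponse]], bool]


@dataclass
class Criterion:
    """One row of the dialog: a criterion plus the Match / No Match choice."""
    name: str
    test: Test
    no_match: bool = False       # "No Match" excludes traffic that hits the criterion

    def evaluate(self, req: HttpRequest, resp: Optional[HttpResponse] = None) -> bool:
        hit = self.test(req, resp)
        return (not hit) if self.no_match else hit


# Criterion builders named after the dialog entries they model (assumed names).
def request_method_in(methods: List[str]) -> Test:
    allowed = {m.lower() for m in methods}
    return lambda req, _resp: req.method.lower() in allowed

def request_uri_length_gt(n: int) -> Test:
    return lambda req, _resp: len(req.uri.encode()) > n

def request_header_field_count_gt(n: int) -> Test:
    return lambda req, _resp: len(req.headers) > n

def request_header_field_regex(name: str, pattern: str) -> Test:
    rx = re.compile(pattern)
    return lambda req, _resp: rx.search(req.headers.get(name.lower(), "")) is not None

def request_header_non_ascii() -> Test:
    return lambda req, _resp: any(ord(ch) > 127
                                  for k, v in req.headers.items() for ch in k + v)

def content_type_mismatch() -> Test:
    """Request/Response Content Type Mismatch: the response Content-Type must be
    one of the MIME types listed in the request's Accept field."""
    def test(req: HttpRequest, resp: Optional[HttpResponse]) -> bool:
        if resp is None:
            return False
        accept = [a.split(";")[0].strip().lower()
                  for a in req.headers.get("accept", "*/*").split(",")]
        ctype = resp.headers.get("content-type", "").split(";")[0].strip().lower()
        for a in accept:
            if a == "*/*" or a == ctype:
                return False
            if a.endswith("/*") and ctype.startswith(a[:-1]):
                return False
        return True
    return test


@dataclass
class HttpClassMap:
    name: str
    criteria: List[Criterion] = field(default_factory=list)

    def matches(self, req: HttpRequest, resp: Optional[HttpResponse] = None) -> bool:
        # Match-all semantics are assumed here: every criterion row must be satisfied.
        return all(c.evaluate(req, resp) for c in self.criteria)


# Constructed sample traffic (not captured from any real system).
SAMPLE_REQUEST = HttpRequest(
    method="GET", uri="/index.html",
    headers={"host": "www.example.com", "accept": "text/html", "user-agent": "sample"})
SAMPLE_RESPONSE = HttpResponse(
    status_line="HTTP/1.1 200 OK", headers={"content-type": "application/octet-stream"})

# Two class maps built from criteria that appear in the dialog.
WEBDAV_MAP = HttpClassMap("webdav-methods", [
    Criterion("Request Method", request_method_in(
        ["propfind", "proppatch", "mkcol", "copy", "move", "lock", "unlock"]))])
MISMATCH_MAP = HttpClassMap("content-type-mismatch", [
    Criterion("Request/Response Content Type Mismatch", content_type_mismatch())])
```

Length and count criteria measure encoded bytes here, which is how the dialog's "in bytes" values read; a header that matches only through a multi-byte character is therefore counted the same way the non-ASCII criterion sees it.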

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


IM Class Map

The IM Class Map panel lets you configure IM class maps for IM inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the IM class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the IM class map.

Value—Shows the value to match in the IM class map.

Description—Shows the description of the class map.

Add—Adds an IM class map.

Edit—Edits an IM class map.

Delete—Deletes an IM class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit IM Traffic Class Map

The Add/Edit IM Traffic Class Map dialog box lets you define an IM class map.

Fields

Name—Enter the name of the IM class map, up to 40 characters in length.

Description—Enter the description of the IM class map.

Add—Adds an IM class map.

Edit—Edits an IM class map.

Delete—Deletes an IM class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit IM Match Criterion

The Add/Edit IM Match Criterion dialog box lets you define the match criterion and value for the IM class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of IM traffic to match.

Protocol—Match IM protocols.

Service—Match IM services.

Version—Match IM file transfer service version.

Client Login Name—Match client login name from IM service.

Client Peer Login Name—Match client peer login name from IM service.

Source IP Address—Match source IP address.

Destination IP Address—Match destination IP address.

Filename—Match filename from IM file transfer service.

Protocol Criterion Values—Specifies which IM protocols to match.

Yahoo! Messenger—Specifies to match Yahoo! Messenger instant messages.

MSN Messenger—Specifies to match MSN Messenger instant messages.

Service Criterion Values—Specifies which IM services to match.

Chat—Specifies to match IM message chat service.

Conference—Specifies to match IM conference service.

File Transfer—Specifies to match IM file transfer service.

Games—Specifies to match IM gaming service.

Voice Chat—Specifies to match IM voice chat service (not available for Yahoo IM).

Web Cam—Specifies to match IM webcam service.

Version Criterion Values—Specifies to match the version from the IM file transfer service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Client Login Name Criterion Values—Specifies to match the client login name from the IM service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Client Peer Login Name Criterion Values—Specifies to match the client peer login name from the IM service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Source IP Address Criterion Values—Specifies to match the source IP address of the IM service.

IP Address—Enter the source IP address of the IM service.

IP Mask—Mask of the source IP address.

Destination IP Address Criterion Values—Specifies to match the destination IP address of the IM service.

IP Address—Enter the destination IP address of the IM service.

IP Mask—Mask of the destination IP address.

Filename Criterion Values—Specifies to match the filename from the IM file transfer service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


SIP Class Map

The SIP Class Map panel lets you configure SIP class maps for SIP inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.

Fields

Name—Shows the SIP class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the SIP class map.

Value—Shows the value to match in the SIP class map.

Description—Shows the description of the class map.

Add—Adds a SIP class map.

Edit—Edits a SIP class map.

Delete—Deletes a SIP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit SIP Traffic Class Map

The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map.

Fields

Name—Enter the name of the SIP class map, up to 40 characters in length.

Description—Enter the description of the SIP class map.

Add—Adds a SIP class map.

Edit—Edits a SIP class map.

Delete—Deletes a SIP class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit SIP Match Criterion

The Add/Edit SIP Match Criterion dialog box lets you define the match criterion and value for the SIP class map.

Fields

Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of SIP traffic to match.

Called Party—Match the called party as specified in the To header.

Calling Party—Match the calling party as specified in the From header.

Content Length—Match the Content Length header, between 0 and 65536.

Content Type—Match the Content Type header.

IM Subscriber—Match the SIP IM subscriber.

Message Path—Match the SIP Via header.

Request Method—Match the SIP request method.

Third-Party Registration—Match the requester of a third-party registration.

URI Length—Match a URI in the SIP headers, between 0 and 65536.

Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Calling Party Criterion Values—Specifies to match the calling party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Content Length Criterion Values—Specifies to match a SIP content header of a length greater than specified.

Greater Than Length—Enter a header length value in bytes.

Content Type Criterion Values—Specifies to match a SIP content header type.

SDP—Match an SDP SIP content header type.

Regular Expression—Match a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Method Criterion Values—Specifies to match a SIP request method.

Request Method—Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.

Third-Party Registration Criterion Values—Specifies to match the requester of a third-party registration. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

URI Length Criterion Values—Specifies to match a URI of a selected type and greater than the specified length in the SIP headers.

URI Type—Specifies to match either SIP URI or TEL URI.

Greater Than Length—Length in bytes.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Configuring Inspect Maps

This section describes how to configure inspect maps, and includes the following topics:

DCERPC Inspect Map

DNS Inspect Map

ESMTP Inspect Map

FTP Inspect Map

GTP Inspect Map

H.323 Inspect Map

HTTP Inspect Map

Instant Messaging (IM) Inspect Map

IPSec Pass Through Inspect Map

MGCP Inspect Map

NetBIOS Inspect Map

RADIUS Inspect Map

SCCP (Skinny) Inspect Map

SIP Inspect Map

SNMP Inspect Map

The algorithm the security appliance uses for stateful application inspection ensures the security of applications and services. Some applications require special handling, and specific application inspection engines are provided for this purpose. Applications that require special application inspection engines are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports.

Application inspection engines work with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation.

Each application inspection engine also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection engine monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.

In addition, stateful application inspection audits the validity of the commands and responses within the protocol being inspected. The security appliance helps to prevent attacks by verifying that traffic conforms to the RFC specifications for each protocol that is inspected.

The Inspect Maps feature lets you create inspect maps for specific protocol inspection engines. You use an inspect map to store the configuration for a protocol inspection engine. You then enable the configuration settings in the inspect map by associating the map with a specific type of traffic using a global security policy or a security policy for a specific interface.

Use the Service Policy Rules tab on the Security Policy pane to apply the inspect map to traffic matching the criteria specified in the service policy. A service policy can apply to a specific interface or to all the interfaces on the security appliance.

DCERPC

The DCERPC inspection lets you create, view, and manage DCERPC inspect maps. You can use a DCERPC map to inspect DCERPC messages between a client and endpoint mapper, and to apply NAT for the secondary connection, if needed. DCERPC is a specification for a remote procedure call mechanism.

DNS

The DNS inspection lets you create, view, and manage DNS inspect maps. You can use a DNS map to have more control over DNS messages and to protect against DNS spoofing and cache poisoning. DNS is used to resolve information about domain names, including IP addresses and mail servers.

ESMTP

The ESMTP inspection lets you create, view, and manage ESMTP inspect maps. You can use an ESMTP map for application security and protocol conformance to protect against attacks, to block senders and receivers, and to block mail relay. Extended SMTP defines protocol extensions to the SMTP standard.

FTP

The FTP inspection lets you create, view, and manage FTP inspect maps. FTP is a common protocol used for transferring files over a TCP/IP network, such as the Internet. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server.

GTP

The GTP inspection lets you create, view, and manage GTP inspect maps. GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.

H.323

The H.323 inspection lets you create, view, and manage H.323 inspect maps. You can use an H.323 map to inspect RAS, H.225, and H.245 VoIP protocols, and for state tracking and filtering.

HTTP

The HTTP inspection lets you create, view, and manage HTTP inspect maps. HTTP is the protocol used for communication between World Wide Web clients and servers. You can use an HTTP map to enforce RFC compliance and HTTP payload content type. You can also block specific HTTP methods and prevent the use of certain tunneled applications that use HTTP as the transport.

IM

The IM inspection lets you create, view, and manage IM inspect maps. You can use an IM map to control the network usage and stop leakage of confidential data and other network threats from IM applications.

IPSec Pass Through

The IPSec Pass Through inspection lets you create, view, and manage IPSec Pass Through inspect maps. You can use an IPSec Pass Through map to permit certain flows without using an access list.

MGCP

The MGCP inspection lets you create, view, and manage MGCP inspect maps. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.

NetBIOS

The NetBIOS inspection lets you create, view, and manage NetBIOS inspect maps. You can use a NetBIOS map to enforce NetBIOS protocol conformance including field count and length consistency, and message checks.

RADIUS Accounting

The RADIUS Accounting inspection lets you create, view, and manage RADIUS Accounting inspect maps. You can use a RADIUS map to protect against an overbilling attack.

SCCP (Skinny)

The SCCP (Skinny) inspection lets you create, view, and manage SCCP (Skinny) inspect maps. You can use an SCCP map to perform protocol conformance checks and basic state tracking.

SIP

The SIP inspection lets you create, view, and manage SIP inspect maps. You can use a SIP map for application security and protocol conformance to protect against SIP-based attacks. SIP is a protocol widely used for internet conferencing, telephony, presence, events notification, and instant messaging.

SNMP

The SNMP inspection lets you create, view, and manage SNMP inspect maps. SNMP is a protocol used for communication between network management devices and network management stations. You can use an SNMP map to block a specific SNMP version, including SNMP v1, 2, 2c and 3.


DCERPC Inspect Map

The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection.

DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.

This typically involves a client querying a server called the Endpoint Mapper (EPM), listening on a well-known port number, for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.

DCERPC inspect maps inspect native TCP communication between the EPM and client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Since a client may attempt multiple connections to the server port returned by the EPM, multiple uses of a pinhole are allowed, with user-configurable timeouts.
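To make the pinhole behaviour described above concrete, here is an added example, not code from the ASDM guide or the security appliance: a toy Python model of the bookkeeping a DCERPC inspection engine performs, covering the well-known EPM port 135, NAT of the server address embedded in an EPM reply, a pinhole that may be used by several client connections, and the hh:mm:ss pinhole timeout with the 0:0:1 to 1193:0:0 range from the Customize Security Level dialog. The class names, the timeout being measured from the EPM response rather than from idle time, and the sample addresses are assumptions made for this example; the EPM reply is represented by its already-decoded fields, not as a real DCERPC PDU.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EPM_TCP_PORT = 135   # well-known endpoint mapper port given on the page


def parse_timeout(hms: str) -> int:
    """Convert an hh:mm:ss value such as 00:02:00 to seconds, enforcing the
    0:0:1 to 1193:0:0 range documented for the pinhole timeout."""
    h, m, s = (int(x) for x in hms.split(":"))
    secs = h * 3600 + m * 60 + s
    if not 1 <= secs <= 1193 * 3600:
        raise ValueError(f"pinhole timeout {hms} outside 0:0:1 to 1193:0:0")
    return secs


@dataclass
class Pinhole:
    expires_at: float
    uses: int = 0


class DcerpcPinholeTable:
    """Assumed model: a pinhole is opened when the EPM answers a client lookup
    and stays open, for any number of connections, until the timeout elapses,
    measured here from the EPM response (whether the appliance counts idle
    time instead is not stated on the page)."""

    def __init__(self, pinhole_timeout: str, nat: Optional[Dict[str, str]] = None):
        self.timeout = parse_timeout(pinhole_timeout)
        self.nat = nat or {}          # inside address -> translated address
        self.holes: Dict[Tuple[str, str, int], Pinhole] = {}

    def on_epm_response(self, client_ip: str, epm_port: int,
                        embedded_ip: str, embedded_port: int, now: float) -> Optional[str]:
        """Handle the server address and port embedded in an EPM map or lookup
        reply. Returns the address the client should see, or None when the
        reply did not come from the EPM port and so is not inspected."""
        if epm_port != EPM_TCP_PORT:
            return None
        visible_ip = self.nat.get(embedded_ip, embedded_ip)   # NAT the embedded address
        self.holes[(client_ip, visible_ip, embedded_port)] = Pinhole(now + self.timeout)
        return visible_ip

    def allow_secondary(self, client_ip: str, server_ip: str,
                        server_port: int, now: float) -> bool:
        """Decide whether a new client connection to server_ip:server_port may pass."""
        self.expire(now)
        hole = self.holes.get((client_ip, server_ip, server_port))
        if hole is None:
            return False
        hole.uses += 1               # multiple uses of one pinhole are allowed
        return True

    def expire(self, now: float) -> int:
        """Drop pinholes whose timeout has elapsed; returns how many were removed."""
        stale = [k for k, h in self.holes.items() if h.expires_at <= now]
        for k in stale:
            del self.holes[k]
        return len(stale)
```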

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (high, medium, or low).

Low

Pinhole timeout: 00:02:00

Endpoint mapper service: not enforced

Endpoint mapper service lookup: enabled

Endpoint mapper service lookup timeout: 00:05:00

Medium—Default.

Pinhole timeout: 00:01:00

Endpoint mapper service: not enforced

Endpoint mapper service lookup: disabled

High

Pinhole timeout: 00:01:00

Endpoint mapper service: enforced

Endpoint mapper service lookup: disabled

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Medium.

DCERPC Inspect Maps—Table that lists the defined DCERPC inspect maps. The defined inspect maps are also listed in the DCERPC area of the Inspect Maps tree.

Add—Adds the new DCERPC inspect map to the defined list in the DCERPC Inspect Maps table and to the DCERPC area of the Inspect Maps tree. To configure the new DCERPC map, select the DCERPC entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the DCERPC Inspect Maps table and from the DCERPC area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured DCERPC application inspection maps.

Fields

Settings—Specifies the pinhole timeout and endpoint mapper security settings.

Pinhole Timeout—Sets the pinhole timeout. Since a client may use the server information returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.

Enforce endpoint-mapper service—Enforces endpoint mapper service during binding.

Enforce endpoint-mapper service lookup—Enables the lookup operation of the endpoint mapper service. If disabled, the pinhole timeout is used.

Service Lookup Timeout—Sets the timeout for pinholes from lookup operation.

Reset to Predefined Security Level—Resets the security level settings to the predefined levels of high, medium, or low.

Reset To—Resets the security level to high, medium, or low.

Reset—Resets all security settings to the default. The default pinhole timeout is one minute. The default endpoint mapper settings are none.
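The pinhole behaviour described above (EPM response opens a pinhole to the dynamic endpoint; several secondary connections may reuse it until the pinhole or service lookup timeout expires), modelled in Python as an added example that is not ASDM or ASA code. The preset values are the ones listed for Low/Medium/High in this section; server addresses, ports and timestamps are constructed, and endpoint-mapper service enforcement is not modelled.

```python
from dataclasses import dataclass

MAX_TIMEOUT_SECS = 1193 * 3600   # upper end of the documented range 0:0:1 .. 1193:0:0


def parse_timeout(text):
    """Parse an hh:mm:ss timeout as entered in ASDM and enforce the documented range."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    total = hours * 3600 + minutes * 60 + seconds
    if not 1 <= total <= MAX_TIMEOUT_SECS:
        raise ValueError(f"timeout {text!r} outside 0:0:1 .. 1193:0:0")
    return total


# Pinhole and lookup settings of the Low/Medium/High presets listed in this section.
PRESETS = {
    "low":    {"pinhole": "0:2:0", "lookup_enabled": True,  "lookup": "0:5:0"},
    "medium": {"pinhole": "0:1:0", "lookup_enabled": False, "lookup": None},
    "high":   {"pinhole": "0:1:0", "lookup_enabled": False, "lookup": None},
}


@dataclass
class Pinhole:
    server: str
    port: int
    expires: float     # absolute time after which the pinhole is gone
    uses: int = 0      # secondary connections that reused it


class DcerpcPinholes:
    """Tracks the pinholes opened from EPM responses for secondary connections."""

    def __init__(self, level="medium", pinhole=None, lookup_enabled=None, lookup=None):
        preset = PRESETS[level]
        self.pinhole_timeout = parse_timeout(pinhole or preset["pinhole"])
        self.lookup_enabled = (preset["lookup_enabled"] if lookup_enabled is None
                               else lookup_enabled)
        lookup_text = lookup or preset["lookup"]
        # 'Service Lookup Timeout' applies only when lookup is enabled; otherwise the
        # pinhole timeout is used, as the Customize Security Level fields state.
        self.lookup_timeout = (parse_timeout(lookup_text)
                               if self.lookup_enabled and lookup_text
                               else self.pinhole_timeout)
        self.table = {}   # (server, port) -> Pinhole

    def on_epm_response(self, server, port, now, from_lookup=False):
        """The EPM reply (map or lookup operation) carried the dynamic endpoint:
        open a pinhole to it with the applicable timeout."""
        ttl = self.lookup_timeout if from_lookup else self.pinhole_timeout
        self.table[(server, port)] = Pinhole(server, port, now + ttl)

    def secondary_connection(self, server, port, now):
        """A client connects to the returned endpoint. Allowed while the pinhole is
        live; several connections may reuse the same pinhole before it expires."""
        hole = self.table.get((server, port))
        if hole is None or now >= hole.expires:
            self.table.pop((server, port), None)   # expired or never opened
            return False
        hole.uses += 1
        return True
```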

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


DCERPC Inspect Map Basic/Advanced View

The DCERPC map pane lets you configure basic and advanced settings for previously configured DCERPC application inspection maps.

Fields

Name—Shows the name of the previously configured DCERPC map.

Description—Enter the description of the DCERPC map, up to 200 characters in length.

Basic View—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure security settings.

Default Level—Sets the security level back to the default level of Medium.

Advanced View—Lets you configure the security settings.

Pinhole Timeout—Sets the pinhole timeout. Since a client may use the server information returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.

Enforce endpoint-mapper service—Enforces endpoint mapper service during binding.

Enforce endpoint-mapper service lookup—Enables the lookup operation of the endpoint mapper service. If disabled, the pinhole timeout is used.

Service Lookup Timeout—Sets the timeout for pinholes from lookup operation.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


DNS Inspect Map

The DNS pane lets you view previously configured DNS application inspection maps. A DNS map lets you change the default configuration values used for DNS application inspection.

DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. User-configurable rules allow certain DNS types to be allowed, dropped, and/or logged, while others are blocked. Zone transfers can be restricted between servers with this function, for example.

The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS ID randomization can be enabled to avoid spoofing and cache poisoning of servers that either do not support randomization or use a weak pseudo-random number generator. Limiting the domain names that can be queried protects the public server further.

A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable check that enforces that a Transaction Signature (TSIG) is attached to all DNS messages is also supported.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (high, medium, or low).

Low—Default.

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: disabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: disabled

TSIG resource record: not enforced

Medium

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: enabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: enabled

TSIG resource record: not enforced

High

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: enabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: enabled

TSIG resource record: enforced

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

DNS Inspect Maps—Table that lists the defined DNS inspect maps. The defined inspect maps are also listed in the DNS area of the Inspect Maps tree.

Add—Adds the new DNS inspect map to the defined list in the DNS Inspect Maps table and to the DNS area of the Inspect Maps tree. To configure the new DNS map, select the DNS entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the DNS Inspect Maps table and from the DNS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured DNS application inspection maps.

Fields

Settings—Specifies DNS security settings and actions.

Enable DNS guard function—As part of protocol conformance, this option performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.

Enable NAT rewrite function—As part of protocol conformance, this option enables IP address translation in the A record of the DNS response.

Enable protocol enforcement—As part of protocol conformance, this option enables DNS message format check, including domain name, label length, compression, and looped pointer check.

Randomize the DNS identifier for DNS query—As part of protocol conformance, this option randomizes the DNS identifier in the DNS query message.

Drop packets that exceed specified maximum length—As part of filtering, this option drops packets that exceed maximum length in bytes.

Maximum Packet Length—Enter maximum packet length in bytes.

Enable Logging when DNS ID mismatch rate exceeds specified rate—Reports excessive instances of DNS identifier mismatches.

Mismatch Instance Threshold—Enter the maximum number of mismatch instances before a system message log is sent.

Time Interval—Enter the time period to monitor (in seconds).

Enforce TSIG resource record to be present in DNS message—As part of protocol conformance, this option requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:

Drop packet—Drops the packet (logging can be either enabled or disabled).

Log—Enables logging.

Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.

Reset to—Specifies high, medium, or low security setting.

Reset—Reset settings to selected level.
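The DNS Guard check (one response per query, matched on the header identification field), the ID mismatch rate logging with its threshold and time interval, the maximum message length drop, and the header-flag match and mask actions described in this section, modelled in Python as an added example that is not ASDM or ASA code. The flag bit positions follow RFC 1035; the threshold, interval, timestamps and packets are constructed for the example, and the exact-match versus match-all-bits semantics is an assumption of this model.

```python
import struct

# DNS header flag bits (RFC 1035 layout of the 16-bit flags word, network order).
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
KNOWN_FLAGS = 0x8000 | 0x0400 | 0x0200 | 0x0100 | 0x0080


def build_message(ident, flags, body=b""):
    """Constructed sample: 12-byte DNS header (id, flags, qd=1, an=ns=ar=0) plus body."""
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + body


def parse_header(pkt):
    """Return (identification, flags) from a raw DNS message."""
    if len(pkt) < 12:
        raise ValueError("DNS header shorter than 12 bytes")
    ident, flags = struct.unpack("!HH", pkt[:4])
    return ident, flags


def header_flag_match(flags, names, match_all_bits=False):
    """Header Flag criterion. Assumed semantics for this example: an exact match means
    the named bits, and only those, are set among the known flag bits; 'match all bits'
    is a bit-mask test that ignores any other bits."""
    mask = 0
    for name in names:
        mask |= FLAG_BITS[name]
    if match_all_bits:
        return (flags & mask) == mask
    return (flags & KNOWN_FLAGS) == mask


def mask_flags(pkt, names):
    """Primary action 'Mask': clear the named flag bits (for example RD and RA on a
    public server that only serves its own zone) and return the rewritten message."""
    ident, flags = parse_header(pkt)
    for name in names:
        flags &= ~FLAG_BITS[name] & 0xFFFF
    return struct.pack("!HH", ident, flags) + pkt[4:]


class DnsGuard:
    """Stateful model of DNS Guard plus the mismatch-rate and message-length checks."""

    def __init__(self, max_length=512, mismatch_threshold=30, interval=3):
        self.max_length = max_length                  # 'Maximum Packet Length' (bytes)
        self.mismatch_threshold = mismatch_threshold  # 'Mismatch Instance Threshold'
        self.interval = interval                      # 'Time Interval' (seconds)
        self.pending = set()   # query IDs that may still receive exactly one response
        self.mismatches = []   # timestamps of recent response-ID mismatches
        self.logs = []         # emitted mismatch-rate log messages

    def inspect(self, pkt, from_client, now):
        """Return 'allow' or 'drop' for one message and update the state."""
        if len(pkt) > self.max_length:
            return "drop"                    # 'Drop packets that exceed specified maximum length'
        ident, flags = parse_header(pkt)
        is_response = bool(flags & FLAG_BITS["QR"])
        if from_client and not is_response:
            self.pending.add(ident)          # remember the outstanding query ID
            return "allow"
        if not from_client and is_response:
            if ident in self.pending:
                self.pending.discard(ident)  # DNS Guard: one response per query
                return "allow"
            self._record_mismatch(now)       # unsolicited or duplicate response
            return "drop"
        return "drop"                        # QR bit disagrees with the direction

    def _record_mismatch(self, now):
        """Keep mismatches inside the sliding interval; log once the threshold is reached."""
        self.mismatches = [t for t in self.mismatches if now - t < self.interval]
        self.mismatches.append(now)
        if len(self.mismatches) >= self.mismatch_threshold:
            self.logs.append(f"DNS ID mismatch rate exceeded: {len(self.mismatches)} "
                             f"in {self.interval}s (t={now})")
            self.mismatches.clear()
```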

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


DNS Inspect Map Basic View

The DNS Inspect Map Basic View pane shows the configured settings for the DNS inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured DNS map.

Description—Enter the description of the DNS map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


DNS Inspect Map Advanced View

The DNS Inspect Map Advanced View pane lets you configure the inspect map settings.

Fields

Name—Shows the name of the previously configured DNS map.

Description—Enter the description of the DNS map, up to 200 characters in length.

Protocol Conformance—Tab that lets you configure the protocol conformance settings for DNS.

Enable DNS guard function—Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.

Enable NAT re-write function—Enables IP address translation in the A record of the DNS response.

Enable protocol enforcement—Enables DNS message format check, including domain name, label length, compression, and looped pointer check.

Randomize the DNS identifier for DNS query—Randomizes the DNS identifier in the DNS query message.

Enforce TSIG resource record to be present in DNS message—Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:

Drop packet—Drops the packet (logging can be either enabled or disabled).

Log—Enables logging.

Filtering—Tab that lets you configure the filtering settings for DNS.

Global Settings—Applies settings globally.

Drop packets that exceed specified maximum length (global)—Drops packets that exceed maximum length in bytes.

Maximum Packet Length—Enter maximum packet length in bytes.

Server Settings—Applies settings on the server only.

Drop packets that exceed specified maximum length—Drops packets that exceed maximum length in bytes.

Maximum Packet Length—Enter maximum packet length in bytes.

Drop packets sent to server that exceed length indicated by the RR—Drops packets sent to the server that exceed the length indicated by the Resource Record.

Client Settings—Applies settings on the client only.

Drop packets that exceed specified maximum length—Drops packets that exceed maximum length in bytes.

Maximum Packet Length—Enter maximum packet length in bytes.

Drop packets sent to client that exceed length indicated by the RR—Drops packets sent to the client that exceed the length indicated by the Resource Record.

Mismatch Rate—Tab that lets you configure the ID mismatch rate for DNS.

Enable Logging when DNS ID mismatch rate exceeds specified rate—Reports excessive instances of DNS identifier mismatches.

Mismatch Instance Threshold—Enter the maximum number of mismatch instances before a system message log is sent.

Time Interval—Enter the time period to monitor (in seconds).

Inspections—Tab that shows you the DNS inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the DNS inspection.

Value—Shows the value to match in the DNS inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add DNS Inspect dialog box to add a DNS inspection.

Edit—Opens the Edit DNS Inspect dialog box to edit a DNS inspection.

Delete—Deletes a DNS inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit DNS Inspect

The Add/Edit DNS Inspect dialog box lets you define the match criterion and value for the DNS inspect map.

Fields

Single Match—Specifies that the DNS inspect has only one match statement.

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of DNS traffic to match.

Header Flag—Match a DNS flag in the header.

Type—Match a DNS query or resource record type.

Class—Match a DNS query or resource record class.

Question—Match a DNS question.

Resource Record—Match a DNS resource record.

Domain Name—Match a domain name from a DNS query or resource record.

Header Flag Criterion Values—Specifies the value details for DNS header flag match.

Match Option—Specifies either an exact match or match all bits (bit mask match).

Match Value—Specifies to match either the header flag name or the header flag value.

Header Flag Name—Lets you select one or more header flag names to match, including the AA (authoritative answer), QR (query), RA (recursion available), RD (recursion desired), and TC (truncation) flag bits.

Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match.

Type Criterion Values—Specifies the value details for DNS type match.

DNS Type Field Name—Lists the DNS types to select.

A—IPv4 address

NS—Authoritative name server

CNAME—Canonical name

SOA—Start of a zone of authority

TSIG—Transaction signature

IXFR—Incremental (zone) transfer

AXFR—Full (zone) transfer

DNS Type Field Value—Specifies to match either a DNS type field value or a DNS type field range.

Value—Lets you enter an arbitrary value between 0 and 65535 to match.

Range—Lets you enter a range match. Both values must be between 0 and 65535.

Class Criterion Values—Specifies the value details for DNS class match.

DNS Class Field Name—Specifies matching on the Internet DNS class field name.

DNS Class Field Value—Specifies to match either a DNS class field value or a DNS class field range.

Value—Lets you enter an arbitrary value between 0 and 65535 to match.

Range—Lets you enter a range match. Both values must be between 0 and 65535.

Question Criterion Values—Specifies to match on the DNS question section.

Resource Record Criterion Values—Specifies to match on the DNS resource record section.

Resource Record—Lists the sections to match.

Additional—DNS additional resource record

Answer—DNS answer resource record

Authority—DNS authority resource record

Domain Name Criterion Values—Specifies to match on DNS domain name.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Multiple Matches—Specifies multiple matches for the DNS inspection.

DNS Traffic Class—Specifies the DNS traffic class match.

Manage—Opens the Manage DNS Class Maps dialog box to add, edit, or delete DNS Class Maps.

Actions—Primary action and log settings.

Primary Action—Mask, drop packet, drop connection, none.

Log—Enable or disable.

Enforce TSIG—Do not enforce, drop packet, log, drop packet and log.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Manage Class Maps

The Manage Class Map dialog box lets you configure class maps for inspection.

An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, Instant Messaging (IM), and SIP.

Fields

Name—Shows the class map name.

Match Conditions—Shows the type, match criterion, and value in the class map.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the class map.

Value—Shows the value to match in the class map.

Description—Shows the description of the class map.

Add—Adds match conditions for the class map.

Edit—Edits match conditions for the class map.

Delete—Deletes match conditions for the class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


ESMTP Inspect Map

The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection.

Since ESMTP traffic can be a main source of attack through spam, phishing, malformed messages, buffer overflows, and buffer underflows, detailed packet inspection and control of ESMTP traffic are supported. Application security and protocol conformance enforce the sanity of the ESMTP message, detect several attacks, block senders and receivers, and block mail relay.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (high, medium, or low).

Low—Default.

Log if command line length is greater than 512

Log if command recipient count is greater than 100

Log if body line length is greater than 1000

Log if sender address length is greater than 320

Log if MIME file name length is greater than 255

Medium

Obfuscate Server Banner

Drop Connections if command line length is greater than 512

Drop Connections if command recipient count is greater than 100

Drop Connections if body line length is greater than 1000

Drop Connections if sender address length is greater than 320

Drop Connections if MIME file name length is greater than 255

High

Obfuscate Server Banner

Drop Connections if command line length is greater than 512

Drop Connections if command recipient count is greater than 100

Drop Connections if body line length is greater than 1000

Drop Connections and log if sender address length is greater than 320

Drop Connections and log if MIME file name length is greater than 255

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.

ESMTP Inspect Maps—Table that lists the defined ESMTP inspect maps. The defined inspect maps are also listed in the ESMTP area of the Inspect Maps tree.

Add—Adds the new ESMTP inspect map to the defined list in the ESMTP Inspect Maps table and to the ESMTP area of the Inspect Maps tree. To configure the new ESMTP map, select the ESMTP entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the ESMTP Inspect Maps table and from the ESMTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured ESMTP application inspection maps.

Fields

Settings—Specifies ESMTP security settings and actions.

Mask server banner—Enforces banner obfuscation.

Configure Mail Relay—Enables ESMTP mail relay.

Domain Name—Specifies a local domain.

Action—Drop connection or log.

Log—Enable or disable.

Check for command line length—Enables command line length matching at specified length.

Minimum Length—Shows the minimum length configured.

Action—Reset, drop connection, log.

Log—Enable or disable.

Check for command recipient count—Enables command recipient count matching at specified count.

Minimum Count—Shows the minimum count configured.

Action—Reset, drop connection, log.

Log—Enable or disable.

Check for body line length—Enables body line length matching at specified length.

Minimum Length—Shows the minimum length configured.

Action—Reset, drop connection, log.

Log—Enable or disable.

Check for sender address length—Enables sender address length matching at specified length.

Minimum Length—Shows the minimum length configured.

Action—Reset, drop connection, log.

Log—Enable or disable.

Check for MIME file name length—Enables MIME file name length matching at specified length.

Minimum Length—Shows the minimum length configured.

Action—Reset, drop connection, log.

Log—Enable or disable.

Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.

Reset to—Specifies high, medium, or low security setting.

Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


MIME File Type Filtering

The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.

Fields

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add MIME File Type Filter dialog box to add a MIME file type filter.

Edit—Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter.

Delete—Deletes a MIME file type filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


ESMTP Inspect Map Basic View

The ESMTP Inspect Map Basic View pane shows the configured settings for the ESMTP inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured ESMTP map.

Description—Enter the description of the ESMTP map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


ESMTP Inspect Map Advanced View

The ESMTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured ESMTP map.

Description—Enter the description of the ESMTP map, up to 200 characters in length.

Parameters—Tab that lets you configure the parameters for the ESMTP inspect map.

Mask server banner—Enforces banner obfuscation.

Encrypted Packet Inspection—Configures encrypted traffic inspection options.

Disable Inspection for encrypted traffic (over TLS) on an ESMTP Session—Disables encrypted traffic inspection.

Enable Logging for encrypted traffic—Enables logging if encrypted traffic inspection is disabled.

Filtering—Tab that lets you configure the parameters for the ESMTP inspect map.

Configure Mail Relay—Enables ESMTP mail relay.

Domain Name—Specifies a local domain.

Action—Drop connection or log.

Log—Enable or disable.

Check for special characters PIPE ('|'), backquote ('`'), NUL in sender or recipient address—Checks sender and recipient addresses for the pipe, backquote, and NUL characters.

Action—Drop connection or log.

Log—Enable or disable.

Inspections—Tab that shows you the ESMTP inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the ESMTP inspection.

Value—Shows the value to match in the ESMTP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection.

Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection.

Delete—Deletes an ESMTP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.
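The length and count checks of the preset ESMTP security levels, their per-level actions (Low logs, Medium drops the connection, High also logs the sender-address and MIME file name checks), and the Filtering tab's special-character check on addresses, modelled in Python as an added example that is not ASDM or ASA code. The sample session is constructed; banner masking, mail relay and TLS options are not modelled, and applying the level's default action to the special-character check is an assumption of this example.

```python
from dataclasses import dataclass

# Thresholds listed for the preset security levels in this section.
LIMITS = {"command-line-length": 512, "command-recipient-count": 100,
          "body-line-length": 1000, "sender-address-length": 320,
          "mime-filename-length": 255}

# (action, log) per level and check, following the Low/Medium/High descriptions.
# Using the level default for the special-character check is an assumption here.
LEVEL_ACTIONS = {
    "low": {"default": ("log", True)},
    "medium": {"default": ("drop-connection", False)},
    "high": {"default": ("drop-connection", False),
             "sender-address-length": ("drop-connection", True),
             "mime-filename-length": ("drop-connection", True)},
}

SPECIAL_CHARS = ("|", "`", "\x00")   # PIPE, backquote, NUL in sender/recipient address


@dataclass
class Finding:
    check: str
    detail: str
    action: str
    log: bool


def action_for(level, check):
    table = LEVEL_ACTIONS[level]
    return table.get(check, table["default"])


def angle_addr(line):
    """Extract the address between '<' and '>' in a MAIL FROM / RCPT TO line, or None."""
    start, end = line.find("<"), line.rfind(">")
    return line[start + 1:end] if 0 <= start < end else None


def inspect_session(lines, level="medium"):
    """Walk the client side of an ESMTP session (command lines, then DATA body lines
    ended by '.') and return the findings in order. Inspection stops at the first
    finding whose action is drop-connection, since the connection would be gone."""
    findings, rcpt_count, in_data = [], 0, False

    def flag(check, detail):
        action, log = action_for(level, check)
        findings.append(Finding(check, detail, action, log))
        return action == "drop-connection"

    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
                continue
            if len(line) > LIMITS["body-line-length"]:
                if flag("body-line-length", f"{len(line)} bytes"):
                    break
            lower = line.lower()
            idx = lower.find('filename="')   # MIME file name in Content-Disposition
            if lower.startswith("content-disposition:") and idx >= 0:
                name = line[idx + len('filename="'):].split('"', 1)[0]
                if len(name) > LIMITS["mime-filename-length"]:
                    if flag("mime-filename-length", f"{len(name)} bytes"):
                        break
            continue
        if len(line) > LIMITS["command-line-length"]:
            if flag("command-line-length", f"{len(line)} bytes"):
                break
        verb = line.split(" ", 1)[0].upper()
        if verb in ("MAIL", "RCPT"):
            addr = angle_addr(line)
            if addr is not None:
                if any(c in addr for c in SPECIAL_CHARS):
                    if flag("special-characters", addr):
                        break
                if verb == "MAIL" and len(addr) > LIMITS["sender-address-length"]:
                    if flag("sender-address-length", f"{len(addr)} bytes"):
                        break
            if verb == "RCPT":
                rcpt_count += 1
                if rcpt_count > LIMITS["command-recipient-count"]:
                    if flag("command-recipient-count", str(rcpt_count)):
                        break
        elif verb == "DATA":
            in_data = True
    return findings


# Constructed sample session (client lines only); not captured traffic.
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "RCPT TO:<bob|pipe@example.net>",
    "DATA",
    'Content-Disposition: attachment; filename="' + "A" * 300 + '.pdf"',
    "x" * 1200,
    ".",
    "QUIT",
]
```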

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit ESMTP Inspect

The Add/Edit ESMTP Inspect dialog box lets you define the match criterion and value for the ESMTP inspect map.

Fields

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of ESMTP traffic to match.

Body Length—Match body length at specified length in bytes.

Body Line Length—Match body line length at specified length in bytes.

Commands—Match commands exchanged in the ESMTP protocol.

Command Recipient Count—Match command recipient count greater than number specified.

Command Line Length—Match command line length greater than length specified in bytes.

EHLO Reply Parameters—Match an ESMTP ehlo reply parameter.

Header Length—Match header length at length specified in bytes.

Header To Fields Count—Match header To fields count greater than number specified.

Invalid Recipients Count—Match invalid recipients count greater than number specified.

MIME File Type—Match MIME file type.

MIME Filename Length—Match MIME filename length.

MIME Encoding—Match MIME encoding.

Sender Address—Match sender email address.

Sender Address Length—Match sender email address length.

Body Length Criterion Values—Specifies the value details for body length match.

Greater Than Length—Body length in bytes.

Action—Reset, drop connection, log.

Log—Enable or disable.

Body Line Length Criterion Values—Specifies the value details for body line length match.

Greater Than Length—Body line length in bytes.

Action—Reset, drop connection, log.

Log—Enable or disable.

Commands Criterion Values—Specifies the value details for command match.

Available Commands Table:

AUTH

DATA

EHLO

ETRN

HELO

HELP

MAIL

NOOP

QUIT

RCPT

RSET

SAML

SOML

VRFY

Add—Adds the selected command from the Available Commands table to the Selected Commands table.

Remove—Removes the selected command from the Selected Commands table.

Primary Action—Mask, Reset, Drop Connection, None, Limit Rate (pps).

Log—Enable or disable.

Rate Limit—Do not limit rate, Limit Rate (pps).

Command Recipient Count Criterion Values—Specifies the value details for command recipient count match.

Greater Than Count—Specify command recipient count.

Action—Reset, drop connection, log.

Log—Enable or disable.

Command Line Length Criterion Values—Specifies the value details for command line length.

Greater Than Length—Command line length in bytes.

Action—Reset, drop connection, log.

Log—Enable or disable.

EHLO Reply Parameters Criterion Values—Specifies the value details for EHLO reply parameters match.

Available Parameters Table:

8bitmime

auth

binarymime

checkpoint

dsn

ecode

etrn

others

pipelining

size

vrfy

Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table.

Remove—Removes the selected parameter from the Selected Parameters table.

Action—Reset, Drop Connection, Mask, Log.

Log—Enable or disable.

Header Length Criterion Values—Specifies the value details for header length match.

Greater Than Length—Header length in bytes.

Action—Reset, Drop Connection, Mask, Log.

Log—Enable or disable.

Header To Fields Count Criterion Values—Specifies the value details for header To fields count match.

Greater Than Count—Specify header To fields count.

Action—Reset, drop connection, log.

Log—Enable or disable.

Invalid Recipients Count Criterion Values—Specifies the value details for invalid recipients count match.

Greater Than Count—Specify invalid recipients count.

Action—Reset, drop connection, log.

Log—Enable or disable.

MIME File Type Criterion Values—Specifies the value details for MIME file type match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Action—Reset, drop connection, log.

Log—Enable or disable.

MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match.

Greater Than Length—MIME filename length in bytes.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

MIME Encoding Criterion Values—Specifies the value details for MIME encoding match.

Available Encodings table

7bit

8bit

base64

binary

others

quoted-printable

Add—Adds the selected encoding from the Available Encodings table to the Selected Encodings table.

Remove—Removes the selected encoding from the Selected Encodings table.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

Sender Address Criterion Values—Specifies the value details for sender address match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

Sender Address Length Criterion Values—Specifies the value details for sender address length match.

Greater Than Length—Sender address length in bytes.

Action—Reset, Drop Connection, Log.

Log—Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


FTP Inspect Map

The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection.

FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance checks include packet length checks, delimiter and packet format checks, command terminator checks, and command validation.

Blocking FTP based on user values is also supported, so an FTP site can post files for download while restricting access to certain users. You can block FTP connections based on file type, server name, and other attributes. System message logs are generated if an FTP connection is denied after inspection.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (medium or low).

Low

Mask Banner Disabled

Mask Reply Disabled

Medium—Default.

Mask Banner Enabled

Mask Reply Enabled

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Medium.

File Type Filtering—Opens the File Type Filtering dialog box to configure file type filters.

FTP Inspect Maps—Table that lists the defined FTP inspect maps. The defined inspect maps are also listed in the FTP area of the Inspect Maps tree.

Add—Adds the new FTP inspect map to the defined list in the FTP Inspect Maps table and to the FTP area of the Inspect Maps tree. To configure the new FTP map, select the FTP entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the FTP Inspect Maps table and from the FTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured FTP application inspection maps.

Fields

Settings—Specifies FTP security settings and actions.

Mask greeting banner from the server—Masks the greeting banner from the FTP server to prevent the client from discovering server information.

Mask reply to SYST command—Masks the reply to the SYST command to prevent the client from discovering server information.

Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is medium.

Reset to—Specifies high, medium, or low security setting.

Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


File Type Filtering

The File Type Filtering dialog box lets you configure the settings for a file type filter.

Fields

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add File Type Filter dialog box to add a file type filter.

Edit—Opens the Edit File Type Filter dialog box to edit a file type filter.

Delete—Deletes a file type filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


FTP Inspect Map Basic View

The FTP Inspect Map Basic View pane shows the configured settings for the FTP inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured FTP map.

Description—Enter the description of the FTP map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

File Type Filtering—Opens the File Type Filtering dialog box to configure file type filters.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


FTP Inspect Map Advanced View

The FTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured FTP map.

Description—Enter the description of the FTP map, up to 200 characters in length.

Parameters—Tab that lets you configure the parameters for the FTP inspect map.

Mask greeting banner from the server—Masks the greeting banner from the FTP server to prevent the client from discovering server information.

Mask reply to SYST command—Masks the reply to the SYST command to prevent the client from discovering server information.

Inspections—Tab that shows you the FTP inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the FTP inspection.

Value—Shows the value to match in the FTP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add FTP Inspect dialog box to add an FTP inspection.

Edit—Opens the Edit FTP Inspect dialog box to edit an FTP inspection.

Delete—Deletes an FTP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Add/Edit FTP Map

The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.

Fields

Single Match—Specifies that the FTP inspect has only one match statement.

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of FTP traffic to match.

Request Command—Match an FTP request command.

File Name—Match a filename for FTP transfer.

File Type—Match a file type for FTP transfer.

Server—Match an FTP server.

User Name—Match an FTP user.

Request Command Criterion Values—Specifies the value details for FTP request command match.

Request Command:

APPE—Command that appends to a file.

CDUP—Command that changes to the parent directory of the current working directory.

DELE—Command that deletes a file.

GET—Command that gets a file.

HELP—Command that provides help information.

MKD—Command that creates a directory.

PUT—Command that sends a file.

RMD—Command that deletes a directory.

RNFR—Command that specifies rename-from filename.

RNTO—Command that specifies rename-to filename.

SITE—Commands that are specific to the server system. Usually used for remote administration.

STOU—Command that stores a file using a unique filename.

File Name Criterion Values—Specifies the value details for FTP filename match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

File Type Criterion Values—Specifies the value details for FTP file type match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Server Criterion Values—Specifies the value details for FTP server match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

User Name Criterion Values—Specifies the value details for FTP user name match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Multiple Matches—Specifies multiple matches for the FTP inspection.

FTP Traffic Class—Specifies the FTP traffic class match.

Manage—Opens the Manage FTP Class Maps dialog box to add, edit, or delete FTP Class Maps.

Action—Reset.

Log—Enable or disable.
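The fields above describe single-match rules but not how they are evaluated against a live control channel. The following model, added here as an example and not code from Cisco or ASDM, applies an ordered list of FTP inspect rules (criterion, value, Match or No Match, action, log) to a constructed FTP transcript. Rule and session names, the `FILE_COMMANDS` set, the policy and the transcript are all assumptions made for the illustration; the mapping of the dialog's GET/PUT to the wire verbs RETR/STOR is stated in the comments.

```python
import re
from dataclasses import dataclass

# Request commands as the Add/Edit FTP Inspect dialog names them. The
# dialog's GET and PUT correspond to the wire verbs RETR and STOR; commands
# in this example are supplied in dialog form. Only these carry a filename.
FILE_COMMANDS = {"APPE", "DELE", "GET", "PUT", "RNFR", "RNTO", "STOU"}

@dataclass
class Rule:
    criterion: str         # request_command | file_name | file_type | server | user_name
    value: str             # a request command name, or a regular expression
    match: bool = True     # False models the "No Match" match type
    action: str = "reset"  # the only action the FTP dialog offers
    log: bool = True

@dataclass
class Session:
    server: str            # name of the server this control connection reaches
    user: str = ""         # filled in once a USER command has been seen

def criterion_value(rule, cmd, arg, sess):
    """String the rule's criterion is tested against, or None when the
    command carries no such value (then neither Match nor No Match fires)."""
    if rule.criterion == "request_command":
        return cmd
    if rule.criterion == "file_name":
        return arg if cmd in FILE_COMMANDS else None
    if rule.criterion == "file_type":
        # file type is modelled as the extension of the transferred file
        if cmd in FILE_COMMANDS and "." in arg:
            return arg.rsplit(".", 1)[1].lower()
        return None
    if rule.criterion == "server":
        return sess.server
    if rule.criterion == "user_name":
        return sess.user or None
    raise ValueError(f"unknown criterion {rule.criterion}")

def evaluate(rules, cmd, arg, sess):
    """First rule that fires decides (rules are ordered like the entries in
    the Inspections tab); otherwise the command is permitted."""
    for rule in rules:
        val = criterion_value(rule, cmd, arg, sess)
        if val is None:
            continue
        if rule.criterion == "request_command":
            hit = val == rule.value.upper()
        else:
            hit = re.search(rule.value, val) is not None
        if hit == rule.match:      # Match wants a hit, No Match wants a miss
            return rule.action, rule.log
    return "permit", False

def inspect_session(rules, sess, transcript):
    """Run a control-channel transcript through the rules; returns one
    (command, decision, logged) tuple per line."""
    decisions = []
    for line in transcript:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            sess.user = arg        # later user_name rules see this account
        action, log = evaluate(rules, cmd, arg, sess)
        decisions.append((cmd, action, log))
    return decisions

# Constructed policy (names illustrative): only two named accounts may log
# in (a No Match rule), remote administration and deletion are reset, and
# executables may not be transferred in either direction.
RULES = [
    Rule("user_name", r"^(alice|bob)$", match=False),
    Rule("request_command", "SITE"),
    Rule("request_command", "DELE"),
    Rule("file_type", r"^(exe|dll|scr)$"),
]

# Constructed transcript (not captured traffic), in dialog command names.
TRANSCRIPT = [
    "USER alice", "PASS hunter2", "GET report.pdf", "GET setup.exe",
    "DELE old.txt", "SITE CHMOD 600 notes.txt", "PUT notes.txt", "GET README",
]

if __name__ == "__main__":
    for entry in inspect_session(RULES, Session(server="ftp.example.com"), TRANSCRIPT):
        print(entry)
    print(inspect_session(RULES, Session(server="ftp.example.com"), ["USER mallory"]))
```

Two behaviours worth noting: a No Match rule on the user name fires on the USER command of any account outside the allowed set, and a command with no value for a criterion (GET of a file without an extension under a file_type rule) is skipped rather than treated as a miss, so it cannot accidentally trigger a No Match rule.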

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


GTP Inspect Map

The GTP pane lets you view previously configured GTP application inspection maps. A GTP map lets you change the default configuration values used for GTP application inspection.

GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.


Note: GTP inspection is not available without a special license.


Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Low only.

Do not permit errors

Maximum number of tunnels: 500

GSN timeout: 00:30:00

PDP-Context timeout: 00:30:00

Request timeout: 00:01:00

Signaling timeout: 00:30:00

Tunnel timeout: 01:00:00

T3-response timeout: 00:00:20

Drop and log unknown message IDs

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default.

IMSI Prefix Filtering—Opens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters.

GTP Inspect Maps—Table that lists the defined GTP inspect maps. The defined inspect maps are also listed in the GTP area of the Inspect Maps tree.

Add—Adds the new GTP inspect map to the defined list in the GTP Inspect Maps table and to the GTP area of the Inspect Maps tree. To configure the new GTP map, select the GTP entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the GTP Inspect Maps table and from the GTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured GTP application inspection maps.

Fields

Permit Errors—Lets packets that are invalid, or that encountered an error during inspection, be sent through the security appliance instead of being dropped. By default, all invalid packets and packets that failed during parsing are dropped.

Drop and Log unknown message IDs—Drops and logs all messages whose message ID is unknown.

Maximum Number of Requests—Sets the maximum number of GTP requests that are queued waiting for a response. The default request queue size is 200; the permitted range is 1 to 9999999.

Maximum Number of Tunnels—Sets the global limit on the number of GTP tunnels allowed. The default tunnel limit is 500; the permitted range is 1 to 9999999.

Timeouts—Each timeout is entered as hh:mm:ss, where hh specifies hours, mm minutes, and ss seconds. A value of 0 means never tear down.

GSN timeout—Maximum period of inactivity before a GSN is removed. The default is 30 minutes.

PDP-Context timeout—Maximum period of inactivity before receiving the PDP Context for a GTP session. The default is 30 minutes.

Request Queue—Maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute.

Signaling—Maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes.

Tunnel—Maximum period of inactivity for the GTP tunnel. The default is 1 hour.

Request timeout—Specifies the GTP Request idle timeout.

T3-Response timeout—Specifies the maximum wait time for a response before removing the connection.

Reset to—Specifies the low security setting, the only level available for GTP.

Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)



IMSI Prefix Filtering

The IMSI Prefix tab lets you define the IMSI prefix to allow within GTP requests.

Fields

Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries are padded with leading zeros to make a three-digit value.

Mobile Network Code—Defines the two or three-digit value identifying the network code.

Add—Add the specified country code and network code to the IMSI Prefix table.

Delete—Deletes the specified country code and network code from the IMSI Prefix table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


GTP Inspect Map Basic View

The GTP Inspect Map Basic View pane shows the configured settings for the GTP inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured GTP map.

Description—Enter the description of the GTP map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

IMSI Prefix Filtering—Opens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


GTP Inspect Map Advanced View

The GTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured GTP map.

Description—Enter the description of the GTP map, up to 200 characters in length.

Permit Parameters—Tab that lets you configure the permit parameters for the GTP inspect map.

Object Groups to Add

From object group—Specify an object group or use the browse button to open the Add Network Object Group dialog box.

To object group—Specify an object group or use the browse button to open the Add Network Object Group dialog box.

Add—Add the specified country code and network code to the IMSI Prefix table.

Delete—Deletes the specified country code and network code from the IMSI Prefix table.

Permit Errors—Lets packets that are invalid, or that encountered an error during inspection, be sent through the security appliance instead of being dropped. By default, all invalid packets and packets that failed during parsing are dropped.

General Parameters—Tab that lets you configure the general parameters for the GTP inspect map.

Maximum Number of Requests—Sets the maximum number of GTP requests that are queued waiting for a response. The default request queue size is 200; the permitted range is 1 to 9999999.

Maximum Number of Tunnels—Sets the global limit on the number of GTP tunnels allowed. The default tunnel limit is 500; the permitted range is 1 to 9999999.

Timeouts—Each timeout is entered as hh:mm:ss, where hh specifies hours, mm minutes, and ss seconds. A value of 0 means never tear down.

GSN timeout—Maximum period of inactivity before a GSN is removed. The default is 30 minutes.

PDP-Context timeout—Maximum period of inactivity before receiving the PDP Context for a GTP session. The default is 30 minutes.

Request Queue—Maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute.

Signaling—Maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes.

Tunnel—Maximum period of inactivity for the GTP tunnel. The default is 1 hour.

Request timeout—Specifies the GTP Request idle timeout.

T3-Response timeout—Specifies the maximum wait time for a response before removing the connection.

IMSI Prefix Filtering—Tab that lets you configure the IMSI prefix filtering for the GTP inspect map.

Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries are padded with leading zeros to make a three-digit value.

Mobile Network Code—Defines the two or three-digit value identifying the network code.

Add—Add the specified country code and network code to the IMSI Prefix table.

Delete—Deletes the specified country code and network code from the IMSI Prefix table.

Inspections—Tab that lets you configure the GTP inspect maps.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the GTP inspection.

Value—Shows the value to match in the GTP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add GTP Inspect dialog box to add a GTP inspection.

Edit—Opens the Edit GTP Inspect dialog box to edit a GTP inspection.

Delete—Deletes a GTP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Add/Edit GTP Map

The Add/Edit GTP Inspect dialog box lets you define the match criterion and value for the GTP inspect map.

Fields

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of GTP traffic to match.

Access Point Name—Match on access point name.

Message ID—Match on the message ID.

Message Length—Match on the message length.

Version—Match on the version.

Access Point Name Criterion Values—Specifies an access point name to be matched. By default, all messages with valid APNs are inspected, and any APN is allowed.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Action—Drop.

Log—Enable or disable.

Message ID Criterion Values—Specifies the numeric identifier for the message that you want to match. The valid range is 1 to 255. By default, all valid message IDs are allowed.

Value—Specifies whether value is an exact match or a range.

Equals—Enter a value.

Range—Enter a range of values.

Action—Drop packet or limit rate (pps).

Log—Enable or disable.

Message Length Criterion Values—Lets you change the default for the maximum message length for the UDP payload that is allowed.

Minimum value—Specifies the minimum number of bytes in the UDP payload. The range is from 1 to 65536.

Maximum value—Specifies the maximum number of bytes in the UDP payload. The range is from 1 to 65536.

Action—Drop packet.

Log—Enable or disable.

Version Criterion Values—Specifies the GTP version for messages that you want to match. The valid range is 0-255. Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses port 3386, while Version 1 uses port 2123. By default all GTP versions are allowed.

Value—Specifies whether value is an exact match or a range.

Equals—Enter a value.

Range—Enter a range of values.

Action—Drop packet.

Log—Enable or disable.
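The Message ID, Message Length and Version criteria above, the hh:mm:ss timeout format used throughout the GTP map fields, and the MCC/MNC rules of the IMSI Prefix Filtering dialog are brought together in the following example, added here and not code from Cisco or ASDM. It reads the version and message type from the first bytes of a GTP header, applies range criteria with Match/No Match semantics in list order, converts a timeout string to seconds, and checks an IMSI against an allow list of zero-padded MCC+MNC prefixes. The packets, the policy and the treatment of an empty prefix list as "filter disabled" are constructed assumptions for the illustration.

```python
import struct
from dataclasses import dataclass

# Value ranges the Add/Edit GTP Inspect dialog states for each criterion.
RANGES = {"message_id": (1, 255), "version": (0, 255), "message_length": (1, 65536)}

@dataclass
class Criterion:
    name: str              # message_id | message_length | version
    low: int               # Equals is modelled as low == high
    high: int
    match: bool = True     # False models the "No Match" match type
    action: str = "drop"

    def __post_init__(self):
        lo, hi = RANGES[self.name]
        if not lo <= self.low <= self.high <= hi:
            raise ValueError(f"{self.name} values must lie within {lo}-{hi}")

def parse_gtp_header(payload: bytes):
    """(version, message_id, length) from the first four bytes of the UDP
    payload: the version is the top three bits of the flags byte, byte 1 is
    the message type (the dialog's Message ID), bytes 2-3 the length field."""
    if len(payload) < 4:
        raise ValueError("truncated GTP header")
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    return flags >> 5, msg_type, length

def inspect_packet(criteria, payload: bytes) -> str:
    """Apply criteria in order; the first one that fires decides, otherwise
    the packet is permitted (all message IDs and versions allowed by default)."""
    version, msg_id, _ = parse_gtp_header(payload)
    values = {"message_id": msg_id, "version": version, "message_length": len(payload)}
    for c in criteria:
        in_range = c.low <= values[c.name] <= c.high
        if in_range == c.match:    # Match wants in range, No Match wants out of range
            return c.action
    return "permit"

# Constructed policy: accept only GTP versions 0 and 1 (No Match on 0-1),
# drop payloads outside a plausible size, and drop message type 255, which
# carries user data (T-PDU/G-PDU) rather than signaling.
GTP_CRITERIA = [
    Criterion("version", 0, 1, match=False),
    Criterion("message_length", 8, 1500, match=False),
    Criterion("message_id", 255, 255),
]

def parse_timeout(text: str):
    """hh:mm:ss from the Timeouts fields, returned as seconds; a value of 0
    (or 00:00:00) means never tear down and is returned as None."""
    parts = [int(p) for p in text.split(":")]
    if len(parts) == 1:
        parts = [0, 0, parts[0]]
    if len(parts) != 3:
        raise ValueError(f"bad timeout {text!r}")
    h, m, s = parts
    total = h * 3600 + m * 60 + s
    return None if total == 0 else total

def normalize_prefix(mcc: str, mnc: str) -> str:
    """IMSI prefix as the IMSI Prefix Filtering dialog builds it: a non-zero
    MCC padded with leading zeros to three digits plus a two- or three-digit MNC."""
    if not (mcc.isdigit() and 1 <= len(mcc) <= 3 and int(mcc) != 0):
        raise ValueError("MCC must be a non-zero value of up to three digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be two or three digits")
    return mcc.zfill(3) + mnc

def imsi_allowed(imsi: str, prefixes) -> bool:
    """True if the IMSI starts with a configured MCC+MNC prefix. An empty
    prefix list is treated as 'filter disabled' (an assumption of this model)."""
    return not prefixes or any(imsi.startswith(p) for p in prefixes)

# Constructed packets standing in for captured traffic. Flags byte 0x32 is
# version 1 with PT and S set; 0x52 has version bits 010 (a bogus version 2).
def _v1(msg_type: int, body: bytes) -> bytes:
    return bytes([0x32, msg_type]) + struct.pack("!HI", len(body), 1) + body

SAMPLE_PACKETS = {
    "create_pdp_v1": _v1(16, bytes(52)),   # Create PDP Context Request (type 16)
    "gpdu_v1": _v1(255, bytes(40)),        # type 255, user data on the signaling port
    "bad_version": bytes([0x52, 1]) + struct.pack("!HI", 4, 0) + bytes(4),
    "runt": bytes([0x32, 1, 0, 0]),        # header cut off after four bytes
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, inspect_packet(GTP_CRITERIA, pkt))
    print(imsi_allowed("310410123456789", [normalize_prefix("310", "410")]))
```

The `Criterion` constructor refuses values outside the ranges the dialog documents, so a message ID of 0 or a length of 70000 is rejected at configuration time rather than silently never matching.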

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


H.323 Inspect Map

The H.323 pane lets you view previously configured H.323 application inspection maps. An H.323 map lets you change the default configuration values used for H.323 application inspection.

H.323 inspection supports RAS, H.225, and H.245, and its functionality translates all embedded IP addresses and ports. It performs state tracking and filtering and can do a cascade of inspect function activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, protocol state tracking, H.323 call duration enforcement, and audio/video control.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (low, medium, or high).

Low—Default.

State Checking h225 Disabled

State Checking ras Disabled

Call Party Number Disabled

Call duration Limit Disabled

RTP conformance not enforced

Medium

State Checking h225 Enabled

State Checking ras Enabled

Call Party Number Disabled

Call duration Limit Disabled

RTP conformance enforced

Limit payload to audio or video, based on the signaling exchange: no

High

State Checking h225 Enabled

State Checking ras Enabled

Call Party Number Enabled

Call duration Limit 1:00:00

RTP conformance enforced

Limit payload to audio or video, based on the signaling exchange: yes

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Medium.

Phone Number Filtering—Opens the Phone Number Filtering dialog box to configure phone number filters.

H.323 Inspect Maps—Table that lists the defined H.323 inspect maps. The defined inspect maps are also listed in the H.323 area of the Inspect Maps tree.

Add—Adds the new H.323 inspect map to the defined list in the H.323 Inspect Maps table and to the H.323 area of the Inspect Maps tree. To configure the new H.323 map, select the H.323 entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the H.323 Inspect Maps table and from the H.323 area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured H.323 application inspection maps.

Fields

Settings—Specifies H.323 security settings and actions.

Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.

Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.

Enforce call duration limit—Enforces the absolute limit on a call.

Call Duration Limit—Time limit for the call (hh:mm:ss).

Enforce presence of calling and called party numbers—Enforces sending call party numbers during call setup.

Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio or video based on the signaling exchange.

Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.

Reset to—Specifies high, medium, or low security setting.

Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Phone Number Filtering

The Phone Number Filtering dialog box lets you configure the settings for a phone number filter.

Fields

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add Phone Number Filter dialog box to add a phone number filter.

Edit—Opens the Edit Phone Number Filter dialog box to edit a phone number filter.

Delete—Deletes a phone number filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


H.323 Inspect Map Basic View

The H.323 Inspect Map Basic View pane shows the configured settings for the H.323 inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured H.323 map.

Description—Enter the description of the H.323 map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

Phone Number Filtering—Opens the Phone Number Filtering dialog box which lets you configure the settings for a phone number filter.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


H.323 Inspect Map Advanced View

The H.323 Inspect Map Advanced View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured H.323 map.

Description—Enter the description of the H.323 map, up to 200 characters in length.

State Checking—Tab that lets you configure state checking parameters for the H.323 inspect map.

Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.

Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.

Call Attributes—Tab that lets you configure call attributes parameters for the H.323 inspect map.

Enforce call duration limit—Enforces the absolute limit on a call.

Call Duration Limit—Time limit for the call (hh:mm:ss).

Enforce presence of calling and called party numbers—Enforces sending call party numbers during call setup.

Tunneling and Protocol Conformance—Tab that lets you configure tunneling and protocol conformance parameters for the H.323 inspect map.

Check for H.245 tunneling—Allows H.245 tunneling.

Action—Drop connection or log.

Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio or video based on the signaling exchange.

HSI Group Parameters—Tab that lets you configure an HSI group.

HSI Group ID—Shows the HSI Group ID.

IP Address—Shows the HSI Group IP address.

Endpoints—Shows the HSI Group endpoints.

Add—Opens the Add HSI Group dialog box to add an HSI group.

Edit—Opens the Edit HSI Group dialog box to edit an HSI group.

Delete—Deletes an HSI group.

Inspections—Tab that shows you the H.323 inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the H.323 inspection.

Value—Shows the value to match in the H.323 inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add H.323 Inspect dialog box to add an H.323 inspection.

Edit—Opens the Edit H.323 Inspect dialog box to edit an H.323 inspection.

Delete—Deletes an H.323 inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Add/Edit HSI Group

The Add/Edit HSI Group dialog box lets you configure HSI Groups.

Fields

Group ID—Enter the HSI group ID.

IP Address—Enter the HSI IP address.

Endpoints—Lets you configure the IP address and interface of the endpoints.

IP Address—Enter an endpoint IP address.

Interface—Specifies an endpoint interface.

Add—Adds the HSI group defined.

Delete—Deletes the selected HSI group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple (Context, System)


Add/Edit H.323 Map

The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.323 inspect map.

Fields

Single Match—Specifies that the H.323 inspect has only one match statement.

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of H.323 traffic to match.

Called Party—Match the called party.

Calling Party—Match the calling party.

Media Type—Match the media type.

Called Party Criterion Values—Specifies to match on the H.323 called party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Calling Party Criterion Values—Specifies to match on the H.323 calling party.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Media Type Criterion Values—Specifies which media type to match.

Audio—Match audio type.

Video—Match video type.

Data—Match data type.

Multiple Matches—Specifies multiple matches for the H.323 inspection.

H323 Traffic Class—Specifies the H.323 traffic class match.

Manage—Opens the Manage H323 Class Maps dialog box to add, edit, or delete H.323 Class Maps.

Action—Drop packet, drop connection, or reset.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


HTTP Inspect Map

The HTTP pane lets you view previously configured HTTP application inspection maps. An HTTP map lets you change the default configuration values used for HTTP application inspection.

HTTP application inspection scans HTTP headers and body, and performs various checks on the data. These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols from traversing the security appliance.

HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP requests and responses, preventing malicious content from reaching the web server. Size limiting of various elements in HTTP request and response headers, URL blocking, and HTTP server header type spoofing are also supported.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (low, medium, or high).

Low—Default.

Protocol violation action: Drop connection

Drop connections for unsafe methods: Disabled

Drop connections for requests with non-ASCII headers: Disabled

URI filtering: Not configured

Advanced inspections: Not configured

Medium

Protocol violation action: Drop connection

Drop connections for unsafe methods: Allow only GET, HEAD, and POST

Drop connections for requests with non-ASCII headers: Disabled

URI filtering: Not configured

Advanced inspections: Not configured

High

Protocol violation action: Drop connection and log

Drop connections for unsafe methods: Allow only GET and HEAD

Drop connections for requests with non-ASCII headers: Enabled

URI filtering: Not configured

Advanced inspections: Not configured

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Medium.

URI Filtering—Opens the URI Filtering dialog box to configure URI filters.

HTTP Inspect Maps—Table that lists the defined HTTP inspect maps. The defined inspect maps are also listed in the HTTP area of the Inspect Maps tree.

Add—Adds the new HTTP inspect map to the defined list in the HTTP Inspect Maps table and to the HTTP area of the Inspect Maps tree. To configure the new HTTP map, select the HTTP entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the HTTP Inspect Maps table and from the HTTP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured HTTP application inspection maps.

Fields

Settings—Specifies HTTP security settings and actions.

Check for protocol violations—Checks for HTTP protocol violations.

Action—Drop Connection, Reset, Log.

Log—Enable or disable.

Drop connections for unsafe methods—Checks for unsafe methods and drops the connection.

Allow Only—Select the set of permitted methods: either GET and HEAD, or GET, HEAD, and POST.

Drop connections for requests with non-ASCII headers—Checks for non-ASCII characters in the message header.

Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.

Reset to—Specifies high, medium, or low security setting.

Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


URI Filtering

The URI Filtering dialog box lets you configure the settings for a URI filter.

Fields

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add URI Filtering dialog box to add a URI filter.

Edit—Opens the Edit URI Filtering dialog box to edit a URI filter.

Delete—Deletes a URI filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


HTTP Inspect Map Basic View

The HTTP Inspect Map Basic View pane shows the configured settings for the HTTP inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured HTTP map.

Description—Enter the description of the HTTP map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

URI Filtering—Opens the URI Filtering dialog box, which lets you configure the settings for a URI filter.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


HTTP Inspect Map Advanced View

The HTTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured HTTP map.

Description—Enter the description of the HTTP map, up to 200 characters in length.

Parameters—Tab that lets you configure the parameters for the HTTP inspect map.

Check for protocol violations—Checks for HTTP protocol violations.

Action—Drop Connection, Reset, Log.

Log—Enable or disable.

Spoof server string—Replaces the server HTTP header value with the specified string.

Spoof String—Enter a string to substitute for the server header field. Maximum is 82 characters.

Body Match Maximum—The maximum number of characters in the body of an HTTP message that should be searched in a body match. Default is 200 bytes. A large number will have a significant impact on performance.

Inspections—Tab that shows the HTTP inspection configuration and lets you add or edit inspections.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the HTTP inspection.

Value—Shows the value to match in the HTTP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add HTTP Inspect dialog box to add an HTTP inspection.

Edit—Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection.

Delete—Deletes an HTTP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit HTTP Map

The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map.

Fields

Single Match—Specifies that the HTTP inspect has only one match statement.

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of HTTP traffic to match.

Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.

Request Arguments—Applies the regular expression match to the arguments of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified.

Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.

Request Body—Applies the regular expression match to the body of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Count—Enter the maximum number of header fields.

Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.

Request Header Field—Applies the regular expression match to the header of the request.

Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers.

Greater Than Count—Enter the maximum number of headers.

Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified.

Greater Than Length—Enter a header length value in bytes.

Request Header non-ASCII—Matches non-ASCII characters in the header of the request.

Request Method—Applies the regular expression match to the method of the request.

Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.

Regular Expression—Specifies to match on a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified.

Greater Than Length—Enter a URI length value in bytes.

Request URI—Applies the regular expression match to the URI of the request.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Body—Applies the regex match to the body of the response.

ActiveX—Specifies to match on ActiveX.

Java Applet—Specifies to match on a Java Applet.

Regular Expression—Specifies to match on a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified.

Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.

Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Count—Enter the maximum number of header fields.

Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Greater Than Length—Enter a field length value in bytes that response field lengths will be matched against.

Response Header Field—Applies the regular expression match to the header of the response.

Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers.

Greater Than Count—Enter the maximum number of headers.

Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified.

Greater Than Length—Enter a header length value in bytes.

Response Header non-ASCII—Matches non-ASCII characters in the header of the response.

Response Status Line—Applies the regular expression match to the status line.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Multiple Matches—Specifies multiple matches for the HTTP inspection.

HTTP Traffic Class—Specifies the HTTP traffic class match.

Manage—Opens the Manage HTTP Class Maps dialog box to add, edit, or delete HTTP Class Maps.

Action—Drop connection, reset, or log.

Log—Enable or disable.
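The Low, Medium, and High settings listed under Security Level for the HTTP inspect map, together with the Request/Response Content Type Mismatch criterion above, as an added example that is not Cisco's or ASDM's code: a small Python emulation of those checks run over constructed requests, so the effect of each predefined level can be seen offline. The request parser, the verdict strings, and the wildcard handling in the Accept comparison are this example's assumptions, not settings taken from the page.

```python
"""Emulation of the ASDM HTTP inspect map security levels (Low/Medium/High).

Added example, not Cisco code. It mirrors the per-level settings listed on the
page: protocol-violation action, unsafe-method policy and the non-ASCII header
check. Verdict strings and the parser are this example's own conventions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class HttpLevel:
    name: str
    violation_action: str                  # verdict on a protocol violation
    allowed_methods: Optional[frozenset]   # None means no method restriction
    drop_non_ascii_headers: bool


# The three predefined levels exactly as the page lists them.
LEVELS = {
    "low": HttpLevel("low", "drop-connection", None, False),
    "medium": HttpLevel("medium", "drop-connection",
                        frozenset({"GET", "HEAD", "POST"}), False),
    "high": HttpLevel("high", "drop-connection log",
                      frozenset({"GET", "HEAD"}), True),
}


class ProtocolViolation(Exception):
    """Raised for anything that is not a well-formed HTTP/1.x request head."""


def parse_request(raw: bytes):
    """Split a raw request into (method, target, version, headers, body).

    Header names and values are kept as bytes so the non-ASCII check below
    can look at the wire octets rather than a decoded string.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ProtocolViolation("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip():
            raise ProtocolViolation("malformed header line")
        headers.append((name, value.strip()))
    method = parts[0].decode("ascii", errors="replace")
    return method, parts[1], parts[2], headers, body


def inspect_request(raw: bytes, level_name: str) -> str:
    """Return the verdict the given level would produce for one request:
    'allow', 'drop-connection' or 'drop-connection log'."""
    level = LEVELS[level_name]
    try:
        method, _target, _version, headers, _body = parse_request(raw)
    except ProtocolViolation:
        return level.violation_action
    # "Drop connections for unsafe methods": anything outside the allow list.
    if level.allowed_methods is not None and method not in level.allowed_methods:
        return "drop-connection"
    # "Drop connections for requests with non-ASCII headers" (High only).
    if level.drop_non_ascii_headers:
        for name, value in headers:
            if any(octet > 0x7F for octet in name + value):
                return "drop-connection"
    return "allow"


def content_type_mismatch(accept: str, response_content_type: str) -> bool:
    """True when the response Content-Type matches none of the MIME types in
    the request Accept header (the page's Request/Response Content Type
    Mismatch criterion). Parameters such as ;q= and ;charset= are ignored and
    text/* or */* wildcards are honoured; that wildcard treatment is this
    example's assumption, not something the page states."""
    media = response_content_type.split(";")[0].strip().lower()
    resp_type, resp_sub = media.split("/", 1)
    for item in accept.split(","):
        accepted = item.split(";")[0].strip().lower()
        if "/" not in accepted:
            continue
        acc_type, acc_sub = accepted.split("/", 1)
        if acc_type in ("*", resp_type) and acc_sub in ("*", resp_sub):
            return False
    return True


# Constructed sample requests, not captured traffic.
GET_REQ = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
POST_REQ = b"POST /upload HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n"
PUT_REQ = b"PUT /file HTTP/1.1\r\nHost: example.com\r\n\r\n"
NON_ASCII_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Note: caf\xc3\xa9\r\n\r\n"
BAD_REQ = b"GET /\r\nHost: example.com\r\n\r\n"   # request line lacks a version


def verdict_table(raw: bytes) -> dict:
    """Verdict of every predefined level for one request."""
    return {name: inspect_request(raw, name) for name in LEVELS}


if __name__ == "__main__":
    samples = [("GET", GET_REQ), ("POST", POST_REQ), ("PUT", PUT_REQ),
               ("non-ASCII header", NON_ASCII_REQ), ("malformed", BAD_REQ)]
    for label, req in samples:
        print(f"{label:18} {verdict_table(req)}")
```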

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Instant Messaging (IM) Inspect Map

The IM pane lets you view previously configured Instant Messaging (IM) application inspection maps. An Instant Messaging (IM) map lets you change the default configuration values used for Instant Messaging (IM) application inspection.

Instant Messaging (IM) application inspection provides detailed access control over network usage. It also helps stop leakage of confidential data and the propagation of network threats. The inspection applies a regular expression database search for the patterns of the Instant Messaging (IM) protocols to be filtered. A syslog message is generated if the flow is not recognized.

The scope can be limited by using an access list to specify the traffic streams to be inspected. For UDP messages, a corresponding UDP port number is also configurable. Inspection of Yahoo! Messenger and MSN Messenger instant messages is supported.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

IM Inspect Maps—Table that lists the defined IM inspect maps. The defined inspect maps are also listed in the IM area of the Inspect Maps tree.

Add—Adds the new IM inspect map to the defined list in the IM Inspect Maps table and to the IM area of the Inspect Maps tree. To configure the new IM map, select the IM entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the IM Inspect Maps table and from the IM area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Instant Messaging (IM) Inspect Map View

The IM Inspect Map View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured IM map.

Description—Enter the description of the IM map, up to 200 characters in length.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the IM inspection.

Value—Shows the value to match in the IM inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add IM Inspect dialog box to add an IM inspection.

Edit—Opens the Edit IM Inspect dialog box to edit an IM inspection.

Delete—Deletes an IM inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Add/Edit IM Map

The Add/Edit IM Inspect dialog box lets you define the match criterion and value for the IM inspect map.

Fields

Single Match—Specifies that the IM inspect has only one match statement.

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.

Criterion—Specifies which criterion of IM traffic to match.

Protocol—Match IM protocols.

Service—Match IM services.

Source IP Address—Match source IP address.

Destination IP Address—Match destination IP address.

Version—Match IM file transfer service version.

Client Login Name—Match client login name from IM service.

Client Peer Login Name—Match client peer login name from IM service.

Filename—Match filename from IM file transfer service.

Protocol Criterion Values—Specifies which IM protocols to match.

Yahoo! Messenger—Specifies to match Yahoo! Messenger instant messages.

MSN Messenger—Specifies to match MSN Messenger instant messages.

Service Criterion Values—Specifies which IM services to match.

Chat—Specifies to match IM message chat service.

Conference—Specifies to match IM conference service.

File Transfer—Specifies to match IM file transfer service.

Games—Specifies to match IM gaming service.

Voice Chat—Specifies to match IM voice chat service (not available for Yahoo IM).

Web Cam—Specifies to match IM webcam service.

Source IP Address Criterion Values—Specifies to match the source IP address of the IM service.

IP Address—Enter the source IP address of the IM service.

IP Mask—Mask of the source IP address.

Destination IP Address Criterion Values—Specifies to match the destination IP address of the IM service.

IP Address—Enter the destination IP address of the IM service.

IP Mask—Mask of the destination IP address.

Version Criterion Values—Specifies to match the version from the IM file transfer service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Client Login Name Criterion Values—Specifies to match the client login name from the IM service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Client Peer Login Name Criterion Values—Specifies to match the client peer login name from the IM service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Filename Criterion Values—Specifies to match the filename from the IM file transfer service. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Multiple Matches—Specifies multiple matches for the IM inspection.

IM Traffic Class—Specifies the IM traffic class match.

Manage—Opens the Manage IM Class Maps dialog box to add, edit, or delete IM Class Maps.

Action—Drop connection, reset, or log.

Log—Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


IPSec Pass Through Inspect Map

The IPSec Pass Through pane lets you view previously configured IPSec Pass Through application inspection maps. An IPSec Pass Through map lets you change the default configuration values used for IPSec Pass Through application inspection. You can use an IPSec Pass Through map to permit certain flows without using an access list.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (high or low).

Low—Default.

Maximum ESP flows per client: Unlimited.

ESP idle timeout: 00:10:00.

Maximum AH flows per client: Unlimited.

AH idle timeout: 00:10:00.

High

Maximum ESP flows per client: 10.

ESP idle timeout: 00:00:30.

Maximum AH flows per client: 10.

AH idle timeout: 00:00:30.

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

IPSec Pass Through Inspect Maps—Table that lists the defined IPSec Pass Through inspect maps. The defined inspect maps are also listed in the IPSec Pass Through area of the Inspect Maps tree.

Add—Adds the new IPSec Pass Through inspect map to the defined list in the IPSec Pass Through Inspect Maps table and to the IPSec Pass Through area of the Inspect Maps tree. To configure the new IPSec Pass Through map, select the IPSec Pass Through entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the IPSec Pass Through Inspect Maps table and from the IPSec Pass Through area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured IPSec Pass Through application inspection maps.

Fields

Settings—Specifies IPSec Pass Through security settings and actions.

Limit ESP flows per client—Limits ESP flows per client.

Maximum—Specify maximum limit.

Apply ESP idle timeout—Applies ESP idle timeout.

Timeout—Specify timeout.

Limit AH flows per client—Limits AH flows per client.

Maximum—Specify maximum limit.

Apply AH idle timeout—Applies AH idle timeout.

Timeout—Specify timeout.

Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.

Reset to—Specifies high, medium, or low security setting.

Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


IPSec Pass Through Inspect Map Basic View

The IPSec Pass Through Inspect Map Basic View pane lets you configure basic settings for the inspect map.

Fields

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (high or low).

Low—Default.

Maximum ESP flows per client: Unlimited.

ESP idle timeout: 00:10:00.

Maximum AH flows per client: Unlimited.

AH idle timeout: 00:10:00.

High

Maximum ESP flows per client: 10.

ESP idle timeout: 00:00:30.

Maximum AH flows per client: 10.

AH idle timeout: 00:00:30.

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


IPSec Pass Through Inspect Map Advanced View

The IPSec Pass Through Inspect Map Advanced View pane lets you configure advanced settings for the inspect map.

Fields

Name—Shows the name of the previously configured IPSec Pass Through map.

Description—Enter the description of the IPSec Pass Through map, up to 200 characters in length.

Limit ESP flows per client—Limits ESP flows per client.

Maximum—Specify maximum limit.

Apply ESP idle timeout—Applies ESP idle timeout.

Timeout—Specify timeout.

Limit AH flows per client—Limits AH flows per client.

Maximum—Specify maximum limit.

Apply AH idle timeout—Applies AH idle timeout.

Timeout—Specify timeout.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode: Routed, Transparent
Security Context: Single, Multiple (Context, System)


MGCP Inspect Map

The MGCP pane lets you view previously configured MGCP application inspection maps. An MGCP map lets you change the default configuration values used for MGCP application inspection. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Command Queue Size—Specifies the maximum number of commands to queue. The valid range is from 1 to 2147483647.

Gateways and Call Agents—Opens the Gateways and Call Agents dialog box, in which you configure the groups of gateways and call agents for the map.

MGCP Inspect Maps—Table that lists the defined MGCP inspect maps. The defined inspect maps are also listed in the MGCP area of the Inspect Maps tree.

Add—Adds the new MGCP inspect map to the defined list in the MGCP Inspect Maps table and to the MGCP area of the Inspect Maps tree. To configure the new MGCP map, select the MGCP entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the MGCP Inspect Maps table and from the MGCP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Gateways and Call Agents

The Gateways and Call Agents dialog box lets you configure groups of gateways and call agents for the map.

Fields

Group ID—Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. A gateway IP address can be associated with only one group ID; you cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647.

Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.

Call Agents—Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.

Add—Displays the Add MGCP Group dialog box, which you can use to define a new group of gateways and call agents.

Edit—Displays the Edit MGCP Group dialog box, which you can use to modify the group selected in the Gateways and Call Agents table.

Delete—Deletes the group selected in the Gateways and Call Agents table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


MGCP Inspect Map View

The MGCP Inspect Map View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured MGCP map.

Description—Enter the description of the MGCP map, up to 200 characters in length.

Command Queue—Tab that lets you specify the permitted queue size for MGCP commands.

Command Queue Size—Specifies the maximum number of commands to queue. The valid range is from 1 to 2147483647.

Gateways and Call Agents—Tab that lets you configure groups of gateways and call agents for this map.

Group ID—Identifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. A gateway IP address can be associated with only one group ID; you cannot use the same gateway with different group IDs. The valid range is from 0 to 2147483647.

Gateways—Identifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.

Call Agents—Identifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.

Add—Displays the Add MGCP Group dialog box, which you can use to define a new MGCP group of gateways and call agents.

Edit—Displays the Edit MGCP dialog box, which you can use to modify the MGCP group selected in the Gateways and Call Agents table.

Delete—Deletes the MGCP group selected in the Gateways and Call Agents table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit MGCP Group

The Add/Edit MGCP Group dialog box lets you define the configuration of an MGCP group that will be used when MGCP application inspection is enabled.

Fields

Group ID—Specifies the ID of the call agent group. A call agent group associates one or more call agents with one or more MGCP media gateways. The valid range is from 0 to 2147483647.

Gateways area

Gateway to Be Added—Specifies the IP address of the media gateway that is controlled by the associated call agent. A media gateway is typically a network element that provides conversion between the audio signals carried on telephone circuits and data packets carried over the Internet or over other packet networks. Normally, a gateway sends commands to the default MGCP port for call agents, 2727.

Add—Adds the specified IP address to the IP address table.

Delete—Deletes the selected IP address from the IP address table.

IP Address—Lists the IP addresses of the gateways in the call agent group.

Call Agents

Call Agent to Be Added—Specifies the IP address of a call agent that controls the MGCP media gateways in the call agent group. Normally, a call agent sends commands to the default MGCP port for gateways, 2427.

Add—Adds the specified IP address to the IP address table.

Delete—Deletes the selected IP address from the IP address table.

IP Address—Lists the IP addresses of the call agents in the call agent group.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


NetBIOS Inspect Map

The NetBIOS pane lets you view previously configured NetBIOS application inspection maps. A NetBIOS map lets you change the default configuration values used for NetBIOS application inspection.

NetBIOS application inspection performs NAT for the embedded IP address in the NetBIOS name service packets and NetBIOS datagram services packets. It also enforces protocol conformance, checking the various count and length fields for consistency.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Check for protocol violations—Checks for protocol violations and executes specified action.

Action—Drop packet or log.

Log—Enable or disable.

NetBIOS Inspect Maps—Table that lists the defined NetBIOS inspect maps. The defined inspect maps are also listed in the NetBIOS area of the Inspect Maps tree.

Add—Adds the new NetBIOS inspect map to the defined list in the NetBIOS Inspect Maps table and to the NetBIOS area of the Inspect Maps tree. To configure the new NetBIOS map, select the NetBIOS entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the NetBIOS Inspect Maps table and from the NetBIOS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


NetBIOS Inspect Map View

The NetBIOS Inspect Map View pane lets you configure the settings for the inspect map.

Fields

Name—Shows the name of the previously configured NetBIOS map.

Description—Enter the description of the NetBIOS map, up to 200 characters in length.

Check for protocol violations—Checks for protocol violations and executes specified action.

Action—Drop packet or log.

Log—Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System
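The description above says the NetBIOS inspection rewrites the IP address embedded in name service packets and checks the count and length fields for consistency. The following added example, which is not ASA code and not part of this guide, shows both on a constructed NetBIOS name-query response laid out as in RFC 1002: it walks the header counts against the actual records, rejects a packet whose counts or RDLENGTH disagree with its length, and rewrites the NB address inside the answer according to a translation table. The encode_name helper, the sample response and the nat mapping are constructed for the example.

```python
"""NetBIOS name-service (NBNS) conformance check and embedded-address rewrite,
illustrating the NetBIOS inspect map. Added example, not ASA code."""
import struct

NBNS_HDR = struct.Struct("!HHHHHH")   # TID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
RR_FIXED = struct.Struct("!HHIH")     # TYPE, CLASS, TTL, RDLENGTH
NB_TYPE = 0x0020                      # NB resource record: NB_FLAGS + NB_ADDRESS pairs


class NetBIOSViolation(Exception):
    pass


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad the name to 15 characters,
    append the suffix byte, then split every byte into two nibbles + 'A'."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return bytes([32]) + enc + b"\x00"


def build_response(name: str, addresses, tid: int = 0x1234) -> bytes:
    """Constructed positive name-query response with one NB answer record."""
    rdata = b"".join(struct.pack("!H4s", 0x0000, bytes(map(int, a.split("."))))
                     for a in addresses)
    rr = encode_name(name) + RR_FIXED.pack(NB_TYPE, 1, 300000, len(rdata)) + rdata
    return NBNS_HDR.pack(tid, 0x8500, 0, 1, 0, 0) + rr


def parse_name(pkt: bytes, off: int) -> int:
    """Skip an encoded name (labels or a compression pointer); return new offset."""
    while True:
        if off >= len(pkt):
            raise NetBIOSViolation("name runs past end of packet")
        n = pkt[off]
        off += 1
        if n == 0:
            return off
        if n & 0xC0 == 0xC0:          # compression pointer occupies two bytes
            return off + 1
        if off + n > len(pkt):
            raise NetBIOSViolation("label length exceeds packet")
        off += n


def inspect_nbns(pkt: bytes, nat: dict) -> bytes:
    """Validate counts and lengths, rewrite embedded NB addresses per nat
    (inside -> outside), and return the new packet. Raises on non-conformance."""
    if len(pkt) < NBNS_HDR.size:
        raise NetBIOSViolation("short header")
    _tid, _flags, qd, an, ns, ar = NBNS_HDR.unpack_from(pkt)
    out = bytearray(pkt)
    off = NBNS_HDR.size
    for _ in range(qd):                            # question: name, type, class
        off = parse_name(pkt, off) + 4
    for _ in range(an + ns + ar):                  # resource records
        off = parse_name(pkt, off)
        if off + RR_FIXED.size > len(pkt):
            raise NetBIOSViolation("truncated resource record")
        rtype, _rclass, _ttl, rdlen = RR_FIXED.unpack_from(pkt, off)
        off += RR_FIXED.size
        if off + rdlen > len(pkt):
            raise NetBIOSViolation("RDLENGTH exceeds packet")
        if rtype == NB_TYPE:
            if rdlen % 6:
                raise NetBIOSViolation("NB RDATA is not a multiple of 6 bytes")
            for i in range(off + 2, off + rdlen, 6):   # skip 2-byte NB_FLAGS
                ip = ".".join(map(str, pkt[i:i + 4]))
                if ip in nat:
                    out[i:i + 4] = bytes(map(int, nat[ip].split(".")))
        off += rdlen
    if off != len(pkt):
        raise NetBIOSViolation("count fields disagree with packet length")
    return bytes(out)


def check(pkt: bytes, nat: dict) -> str:
    """Convenience wrapper returning 'pass' or the violation text."""
    try:
        inspect_nbns(pkt, nat)
        return "pass"
    except NetBIOSViolation as e:
        return str(e)


if __name__ == "__main__":
    sample = build_response("FILESRV", ["192.168.1.10"])
    print(inspect_nbns(sample, {"192.168.1.10": "203.0.113.10"}).hex())
```

A response whose ANCOUNT claims records that are not present, or that carries trailing bytes after the last record, is rejected rather than forwarded, which is the "Check for protocol violations" behaviour the pane controls.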


RADIUS Inspect Map

The RADIUS pane lets you view previously configured RADIUS application inspection maps. A RADIUS map lets you change the default configuration values used for RADIUS application inspection. You can use a RADIUS map to protect against an overbilling attack.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

RADIUS Inspect Maps—Table that lists the defined RADIUS inspect maps. The defined inspect maps are also listed in the RADIUS area of the Inspect Maps tree.

Add—Adds the new RADIUS inspect map to the defined list in the RADIUS Inspect Maps table and to the RADIUS area of the Inspect Maps tree. To configure the new RADIUS map, select the RADIUS entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the RADIUS Inspect Maps table and from the RADIUS area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


RADIUS Inspect Map Host

The RADIUS Inspect Map Host Parameters pane lets you configure the host parameter settings for the inspect map.

Fields

Name—Shows the name of the previously configured RADIUS accounting map.

Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.

Host Parameters—Lets you configure host parameters.

Host IP Address—Specify the IP address of the host that is sending the RADIUS messages.

Key (optional)—Specify the shared secret used to validate the RADIUS messages sent by this host.

Add—Adds the host entry to the Host table.

Delete—Deletes the host entry from the Host table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


RADIUS Inspect Map Other

The RADIUS Inspect Map Other Parameters pane lets you configure additional parameter settings for the inspect map.

Fields

Name—Shows the name of the previously configured RADIUS accounting map.

Description—Enter the description of the RADIUS accounting map, up to 200 characters in length.

Other Parameters—Lets you configure additional parameters.

Attribute Number—Specify the attribute number to validate when an Accounting Start is received.

Add—Adds the entry to the Attribute table.

Delete—Deletes the entry from the Attribute table.

Send response to the originator of the RADIUS message—Sends a message back to the host from which the RADIUS message was sent.

Enforce timeout—Enables the timeout for users.

Users Timeout—Timeout for the users in the database (hh:mm:ss).

Enable detection of GPRS accounting—Enables detection of GPRS accounting. This option is only available when GTP/GPRS license is enabled.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System
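The RADIUS map panes list hosts, an attribute to validate at Accounting Start, and a users timeout, but not how they fit together. The following added example, which is not ASA code and not part of this guide, models the accounting tracking those settings drive: Accounting-Requests from hosts outside the configured list are ignored, an Accounting Start records the subscriber under its Framed-IP-Address together with the attribute chosen for validation, an Accounting Stop is accepted only if that attribute matches the Start (the point at which a firewall would clear the subscriber's connections, so the address cannot be handed to the next subscriber while the old session's traffic is still flowing and being billed), and idle entries are removed after the users timeout. Validating Acct-Session-Id (attribute 44) by default, the sample_request builder and the hosts used are this example's assumptions.

```python
"""RADIUS accounting tracking with attribute validation, illustrating the
RADIUS inspect map's overbilling protection. Added example, not ASA code."""
import struct
from typing import Dict, Iterable, List, Tuple

ACCT_REQUEST = 4
ATTR_FRAMED_IP = 8
ATTR_ACCT_STATUS = 40
ATTR_ACCT_SESSION_ID = 44
STATUS_START, STATUS_STOP = 1, 2


def build_acct(ident: int, attrs: Iterable[Tuple[int, bytes]]) -> bytes:
    """Constructed Accounting-Request: code, id, length, 16-byte authenticator
    (zeroed here), then type/length/value attributes."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body)) + b"\x00" * 16 + body


def sample_request(status: int, session_id: bytes, framed_ip: str = "10.0.0.7") -> bytes:
    """Constructed request carrying the attributes this example tracks."""
    return build_acct(1, [
        (ATTR_ACCT_STATUS, struct.pack("!I", status)),
        (ATTR_FRAMED_IP, bytes(int(o) for o in framed_ip.split("."))),
        (ATTR_ACCT_SESSION_ID, session_id),
    ])


def parse_attrs(pkt: bytes) -> Dict[int, bytes]:
    """Parse the attribute list; raise ValueError on a malformed packet."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack_from("!BBH", pkt)
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = pkt[off], pkt[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[off + 2:off + l]
        off += l
    return attrs


class AccountingState:
    """Active subscribers keyed by Framed-IP-Address, as the inspect map's
    Host Parameters and Other Parameters would drive them."""

    def __init__(self, hosts: Iterable[str], validate=(ATTR_ACCT_SESSION_ID,),
                 user_timeout: int = 3600):
        self.hosts = set(hosts)               # hosts allowed to send accounting
        self.validate = tuple(validate)       # attributes that must match at Stop
        self.user_timeout = user_timeout      # seconds (Users Timeout)
        self.users: Dict[str, Tuple[dict, float]] = {}

    def handle(self, src_host: str, pkt: bytes, now: float) -> str:
        """Return start | stop | mismatch | ignored | malformed and update state."""
        if src_host not in self.hosts:
            return "ignored"
        try:
            a = parse_attrs(pkt)
        except ValueError:
            return "malformed"
        if len(a.get(ATTR_ACCT_STATUS, b"")) != 4 or len(a.get(ATTR_FRAMED_IP, b"")) != 4:
            return "ignored"
        status = struct.unpack("!I", a[ATTR_ACCT_STATUS])[0]
        ip = ".".join(map(str, a[ATTR_FRAMED_IP]))
        keyed = {t: a.get(t) for t in self.validate}
        if status == STATUS_START:
            self.users[ip] = (keyed, now)
            return "start"
        if status == STATUS_STOP:
            known = self.users.get(ip)
            if known is None or known[0] != keyed:
                return "mismatch"          # a forged Stop cannot end someone's session
            del self.users[ip]             # firewall would now clear connections from ip
            return "stop"
        return "ignored"

    def expire(self, now: float) -> List[str]:
        """Enforce the users timeout; return the addresses removed."""
        stale = [ip for ip, (_, seen) in self.users.items()
                 if now - seen >= self.user_timeout]
        for ip in stale:
            del self.users[ip]
        return stale


if __name__ == "__main__":
    st = AccountingState(hosts={"192.0.2.10"})
    print(st.handle("192.0.2.10", sample_request(STATUS_START, b"sess-1"), 0))
    print(st.handle("192.0.2.10", sample_request(STATUS_STOP, b"sess-X"), 1))
```

The Key field of the Host Parameters pane (message validation with the shared secret) is deliberately left out; without it, the host list is the only thing standing between an attacker and a forged Accounting Stop, which is why the attribute validation matters.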


SCCP (Skinny) Inspect Map

The SCCP (Skinny) pane lets you view previously configured SCCP (Skinny) application inspection maps. An SCCP (Skinny) map lets you change the default configuration values used for SCCP (Skinny) application inspection.

Skinny application inspection performs translation of embedded IP address and port numbers within the packet data, and dynamic opening of pinholes. It also performs additional protocol conformance checks and basic state tracking.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (low, medium, or high).

Low—Default.

Registration: Not enforced.

Maximum message ID: 0x181.

Minimum prefix length: 4.

Media timeout: 00:05:00.

Signaling timeout: 01:00:00.

RTP conformance: Not enforced.

Medium

Registration: Not enforced.

Maximum message ID: 0x141.

Minimum prefix length: 4.

Media timeout: 00:01:00.

Signaling timeout: 00:05:00.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: No.

High

Registration: Enforced.

Maximum message ID: 0x141.

Minimum prefix length: 4.

Maximum prefix length: 65536.

Media timeout: 00:01:00.

Signaling timeout: 00:05:00.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: Yes.

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

Message ID Filtering—Opens the Message ID Filtering dialog box for configuring message ID filters.

SCCP (Skinny) Inspect Maps—Table that lists the defined SCCP (Skinny) inspect maps. The defined inspect maps are also listed in the SCCP (Skinny) area of the Inspect Maps tree.

Add—Adds the new SCCP (Skinny) inspect map to the defined list in the SCCP (Skinny) Inspect Maps table and to the SCCP (Skinny) area of the Inspect Maps tree. To configure the new SCCP (Skinny) map, select the SCCP (Skinny) entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the SCCP (Skinny) Inspect Maps table and from the SCCP (Skinny) area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured SCCP (Skinny) application inspection maps.

Fields

Settings—Specifies SCCP (Skinny) security settings and actions.

Enforce endpoint registration—Enforce that Skinny endpoints are registered before placing or receiving calls.

Maximum Message ID—Specify value of maximum SCCP message ID allowed (0x0 to 0xffff).

SCCP Prefix Length—Specifies prefix length value in Skinny messages (4 to 4,294,967,295).

Minimum Prefix Length—Specify minimum value of SCCP prefix length allowed.

Maximum Prefix Length—Specify maximum value of SCCP prefix length allowed.

Enable media timeout—Enables media timeout.

Media Timeout—Specify timeout value for media connections (0:0:01 to 1993:0:0).

Enable signaling timeout—Enables signaling timeout.

Signaling Timeout—Specify timeout value for signaling connections (0:0:01 to 1993:0:0).

Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio/video based on the signaling exchange.

Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.

Reset to—Specifies high, medium, or low security setting.

Reset—Reset settings to selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Message ID Filtering

The Message ID Filtering dialog box lets you configure the settings for a message ID filter.

Fields

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add Message ID Filtering dialog box to add a message ID filter.

Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter.

Delete—Deletes a message ID filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


SCCP (Skinny) Inspect Map Basic View

The SCCP (Skinny) Inspect Map Basic View pane shows the configured settings for the SCCP (Skinny) inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured SCCP (Skinny) map.

Description—Enter the description of the SCCP (Skinny) map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

Message ID Filtering—Opens the Message ID Filtering dialog box for configuring message ID filters.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


SCCP (Skinny) Inspect Map Advanced View

The SCCP (Skinny) Inspect Map Advanced View pane lets you configure the inspect map settings.

Fields

Name—Shows the name of the previously configured SCCP (Skinny) map.

Description—Enter the description of the SCCP (Skinny) map, up to 200 characters in length.

Parameters—Tab that lets you configure the parameter settings for SCCP (Skinny).

Enforce endpoint registration—Enforce that Skinny endpoints are registered before placing or receiving calls.

Maximum Message ID—Specify value of maximum SCCP message ID allowed.

SCCP Prefix Length—Specifies prefix length value in Skinny messages.

Minimum Prefix Length—Specify minimum value of SCCP prefix length allowed.

Maximum Prefix Length—Specify maximum value of SCCP prefix length allowed.

Media Timeout—Specify timeout value for media connections.

Signaling Timeout—Specify timeout value for signaling connections.

RTP Conformance—Tab that lets you configure the RTP conformance settings for SCCP (Skinny).

Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio/video based on the signaling exchange.

Message ID Filtering—Tab that lets you configure the message ID filtering settings for SCCP (Skinny).

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the inspection.

Value—Shows the value to match in the inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add Message ID Filtering dialog box to add a message ID filter.

Edit—Opens the Edit Message ID Filtering dialog box to edit a message ID filter.

Delete—Deletes a message ID filter.

Move Up—Moves an entry up in the list.

Move Down—Moves an entry down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit Message ID Filter

The Add Message ID Filter dialog box lets you configure message ID filters.

Fields

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected for message ID 0x100, then every SCCP message except one with ID 0x100 satisfies the filter, and a message with ID 0x100 is excluded from the match.

Criterion—Specifies which criterion of SCCP (Skinny) traffic to match.

Message ID—Match specified message ID.

Message ID—Specify the SCCP message ID to match.

Message ID Range—Match specified message ID range.

Lower Message ID—Specify the lower bound of the SCCP message ID range to match.

Upper Message ID—Specify the upper bound of the SCCP message ID range to match.

Action—Drop packet.

Log—Enable or disable.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System
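The Customize Security Level dialog and the Add/Edit Message ID Filter dialog above set bounds on the SCCP prefix length and message ID and an ordered list of match/no-match filters. The following added example, which is not ASA code and not part of this guide, applies those settings to constructed Skinny messages. It assumes the common SCCP framing: a 4-byte little-endian length field counting the message ID and payload (taken here to be the "prefix length" the map bounds), a 4-byte reserved/version field, and a 4-byte little-endian message ID; the ordering rule (first filter that hits wins) mirrors the Move Up/Move Down controls. Registration enforcement and the timeouts need call state and are not modelled.

```python
"""SCCP (Skinny) header sanity checks and message ID filtering, modelled on
the SCCP inspect map. Added example, not ASA code."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed framing: length (LE), reserved/header version, message id (LE).
SCCP_HDR = struct.Struct("<III")


@dataclass
class MessageIdFilter:
    lo: int                 # a single ID when lo == hi
    hi: int
    match: bool = True      # False is the dialog's "No Match": hit outside the range
    log: bool = True

    def hits(self, msg_id: int) -> bool:
        inside = self.lo <= msg_id <= self.hi
        return inside if self.match else not inside


@dataclass
class SkinnyMap:
    max_message_id: int = 0x181            # Low default from the pane
    min_prefix_len: int = 4
    max_prefix_len: Optional[int] = None   # None: not enforced
    filters: List[MessageIdFilter] = field(default_factory=list)


LOW = SkinnyMap()
HIGH = SkinnyMap(max_message_id=0x141, max_prefix_len=65536)


def inspect_sccp(data: bytes, policy: SkinnyMap) -> Tuple[str, str]:
    """Return ('pass' | 'drop', reason) for one Skinny message."""
    if len(data) < SCCP_HDR.size:
        return "drop", "truncated header"
    length, _reserved, msg_id = SCCP_HDR.unpack_from(data)
    if length < policy.min_prefix_len:
        return "drop", "prefix length below minimum"
    if policy.max_prefix_len is not None and length > policy.max_prefix_len:
        return "drop", "prefix length above maximum"
    if length != len(data) - 8:            # length covers everything after the reserved field
        return "drop", "length field disagrees with payload"
    if msg_id > policy.max_message_id:
        return "drop", "message id above maximum"
    for f in policy.filters:               # ordered list; first hit wins
        if f.hits(msg_id):
            return "drop", "message id 0x%x matched filter 0x%x-0x%x" % (msg_id, f.lo, f.hi)
    return "pass", "ok"


def sccp(msg_id: int, payload: bytes = b"") -> bytes:
    """Construct a minimal Skinny message (length = 4 for the ID + payload)."""
    return SCCP_HDR.pack(4 + len(payload), 0, msg_id) + payload


if __name__ == "__main__":
    blocked = SkinnyMap(filters=[MessageIdFilter(0x0100, 0x011F)])
    for mid in (0x0001, 0x0105, 0x0150):
        print(hex(mid), inspect_sccp(sccp(mid), HIGH), inspect_sccp(sccp(mid), blocked))
```

Note the difference between the Maximum Message ID setting and a filter: the former is a single ceiling (High lowers it from 0x181 to 0x141), while filters can carve out individual IDs or ranges anywhere below that ceiling, or, with No Match, allow only a range and drop everything else.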


SIP Inspect Map

The SIP pane lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection.

SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats.

SIP application inspection provides address translation in message header and body, dynamic opening of ports and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.

Fields

Name—Enter the name of the inspect map, up to 40 characters in length.

Description—Enter the description of the inspect map, up to 200 characters in length.

Security Level—Select the security level (low, medium, or high).

Low—Default.

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Permitted.

Hide server's and endpoint's IP addresses: Disabled.

Mask software version and non-SIP URIs: Disabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Not enforced.

SIP conformance: Do not perform state checking and header validation.

Medium

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Permitted.

Hide server's and endpoint's IP addresses: Disabled.

Mask software version and non-SIP URIs: Disabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: No

SIP conformance: Drop packets that fail state checking.

High

SIP instant messaging (IM) extensions: Enabled.

Non-SIP traffic on SIP port: Denied.

Hide server's and endpoint's IP addresses: Disabled.

Mask software version and non-SIP URIs: Enabled.

Ensure that the number of hops to destination is greater than 0: Enabled.

RTP conformance: Enforced.

Limit payload to audio or video, based on the signaling exchange: Yes

SIP conformance: Drop packets that fail state checking and packets that fail header validation.

Customize—Opens the Customize Security Level dialog box for additional settings.

Default Level—Sets the security level back to the default level of Low.

SIP Inspect Maps—Table that lists the defined SIP inspect maps. The defined inspect maps are also listed in the SIP area of the Inspect Maps tree.

Add—Adds the new SIP inspect map to the defined list in the SIP Inspect Maps table and to the SIP area of the Inspect Maps tree. To configure the new SIP map, select the SIP entry in Inspect Maps tree.

Delete—Deletes the application inspection map selected in the SIP Inspect Maps table and from the SIP area of the Inspect Maps tree.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Customize Security Level

The Customize Security Level dialog box lets you configure the security settings for previously configured SIP application inspection maps.

Fields

Settings—Lets you configure additional SIP settings, including RTP and SIP conformance.

Enable SIP instant messaging (IM) extensions—Enables Instant Messaging extensions. Default is enabled.

Permit non-SIP traffic on SIP port—Permits non-SIP traffic on SIP port. Permitted by default.

Hide server's and endpoint's IP addresses—Enables IP address privacy. Disabled by default.

Mask software version and non-SIP URIs—Masks the software version carried in the User-Agent and Server headers and inspects non-SIP URIs in the Alert-Info and Call-Info headers.

Ensure that number of hops to destination is greater than 0—Enables a check on the Max-Forwards header; a request whose Max-Forwards value is zero can go no farther and is treated as a violation.

RTP Conformance

Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces payload type to be audio/video based on the signaling exchange.

SIP Conformance

Do not perform state checking and header validation—Disables SIP state checking and header validation.

Drop packets that fail state checking—Drops packets that fail state checking.

Drop connections that fail state checking and packets that fail header validation—Drops connections that fail state checking and packets that fail header validation of SIP messages.

Reset to Predefined Security Level—Resets the security level settings to the predefined levels of high, medium, or low.

Reset To—Resets the security level to high, medium, or low.

Reset—Resets the settings to the selected level.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


SIP Inspect Map Basic View

The SIP Inspect Map Basic View pane shows the configured settings for the SIP inspect map. The Advanced View lets you configure the settings.

Fields

Name—Shows the name of the previously configured SIP map.

Description—Enter the description of the SIP map, up to 200 characters in length.

Security Level—Shows the current security settings.

Customize—Opens the Customize Security Level dialog box to configure the security settings.

Default Level—Sets the security level back to the default.

Advanced View—Lets you configure the security settings.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


SIP Inspect Map Advanced View

The SIP Inspect Map Advanced View pane lets you configure the inspect map settings.

Fields

Name—Shows the name of the previously configured SIP map.

Description—Enter the description of the SIP map, up to 200 characters in length.

Filtering—Tab that lets you configure the filtering settings for SIP.

Enable SIP instant messaging (IM) extensions—Enables Instant Messaging extensions. Default is enabled.

Permit non-SIP traffic on SIP port—Permits non-SIP traffic on SIP port. Permitted by default.

IP Address Privacy—Tab that lets you configure the IP address privacy settings for SIP.

Hide server's and endpoint's IP addresses—Enables IP address privacy. Disabled by default.

Hop Count—Tab that lets you configure the hop count settings for SIP.

Ensure that number of hops to destination is greater than 0—Enables a check on the Max-Forwards header; a request whose Max-Forwards value is zero can go no farther and is treated as a violation.

Action—Drop packet, Drop Connection, Reset, Log.

Log—Enable or Disable.

RTP Conformance—Tab that lets you configure the RTP conformance settings for SIP.

Check RTP packets for protocol conformance—Checks RTP/RTCP packets flowing on the pinholes for protocol conformance.

Limit payload to audio or video, based on the signaling exchange—Enforces payload type to be audio/video based on the signaling exchange.

SIP Conformance—Tab that lets you configure the SIP conformance settings for SIP.

Enable state transition checking—Enables SIP state checking.

Action—Drop packet, Drop Connection, Reset, Log.

Log—Enable or Disable.

Enable strict validation of header fields—Enables validation of SIP header fields.

Action—Drop packet, Drop Connection, Reset, Log.

Log—Enable or Disable.

Field Masking—Tab that lets you configure the field masking settings for SIP.

Inspect non-SIP URIs—Enables non-SIP URI inspection in Alert-Info and Call-Info headers.

Action—Mask or Log.

Log—Enable or Disable.

Inspect server's and endpoint's software version—Inspects SIP endpoint software version in User-Agent and Server headers.

Action—Mask or Log.

Log—Enable or Disable.

Inspections—Tab that shows you the SIP inspection configuration and lets you add or edit.

Match Type—Shows the match type, which can be a positive or negative match.

Criterion—Shows the criterion of the SIP inspection.

Value—Shows the value to match in the SIP inspection.

Action—Shows the action if the match condition is met.

Log—Shows the log state.

Add—Opens the Add SIP Inspect dialog box to add a SIP inspection.

Edit—Opens the Edit SIP Inspect dialog box to edit a SIP inspection.

Delete—Deletes a SIP inspection.

Move Up—Moves an inspection up in the list.

Move Down—Moves an inspection down in the list.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Add/Edit SIP Inspect

The Add/Edit SIP Inspect dialog box lets you define the match criterion and value for the SIP inspect map.

Fields

Single Match—Specifies that the SIP inspect has only one match statement.

Match Type—Specifies whether traffic should match or not match the values.

For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the match and all other traffic matches.

Criterion—Specifies which criterion of SIP traffic to match.

Called Party—Match a called party as specified in the To header.

Calling Party—Match a calling party as specified in the From header.

Content Length—Match a content length header.

Content Type—Match a content type header.

IM Subscriber—Match a SIP IM subscriber.

Message Path—Match a SIP Via header.

Request Method—Match a SIP request method.

Third-Party Registration—Match the requester of a third-party registration.

URI Length—Match a URI in the SIP headers.

Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Calling Party Criterion Values—Specifies to match the calling party. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Content Length Criterion Values—Specifies to match a SIP content header of a length greater than specified.

Greater Than Length—Enter a header length value in bytes.

Content Type Criterion Values—Specifies to match a SIP content header type.

SDP—Match an SDP SIP content header type.

Regular Expression—Match a regular expression.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

Request Method Criterion Values—Specifies to match a SIP request method.

Request Method—Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.

Third-Party Registration Criterion Values—Matches the requester of a third-party registration, that is, a REGISTER request whose From URI differs from its To URI (one user registering on behalf of another). Applies the regular expression match to the requester.

Regular Expression—Lists the defined regular expressions to match.

Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.

Regular Expression Class—Lists the defined regular expression classes to match.

Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.

URI Length Criterion Values—Matches a URI in the SIP headers that is longer than the specified length.

URI type—Specifies whether to match SIP URIs or TEL URIs.

Greater Than Length—Length in bytes. URIs longer than this value match.

Multiple Matches—Specifies multiple matches for the SIP inspection.

SIP Traffic Class—Specifies the SIP traffic class match.

Manage—Opens the Manage SIP Class Maps dialog box to add, edit, or delete SIP Class Maps.

Actions—Primary action and log settings.

Action—Drop packet, drop connection, reset, log. Note: Limit rate (pps) action is available for request methods invite and register.

Log—Enable or disable.
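The criteria above name pieces of a SIP request (method, Via path, content type and length, URI length, third-party registration). The following is an added example, not code from the ASDM guide or the ASA inspection engine: it parses a SIP request and evaluates each criterion the way this example reads it (calling party is the From header, message path is the Via headers, a third-party registration is a REGISTER whose From URI differs from its To URI). The two messages are constructed for the example.

```python
"""Evaluate SIP match criteria against a SIP request (added example)."""
import re

METHODS = {"ack", "bye", "cancel", "info", "invite", "message", "notify", "options",
           "prack", "refer", "register", "subscribe", "update"}
# A URI inside angle brackets, or a bare one; the bare form stops at ';' so that
# header parameters such as ";tag=" are not counted as part of the URI.
URI_RE = re.compile(r"<([^>]+)>|((?:sips?|tel):[^;\s,]+)", re.IGNORECASE)

# Constructed sample messages (not captured traffic).
SAMPLE_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK776\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK123\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: " + str(len(SAMPLE_BODY)) + "\r\n\r\n"
) + SAMPLE_BODY
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK456\r\n"
    "From: Mallory <sip:mallory@example.com>;tag=77\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: b12c3\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_sip(raw):
    """Split a request into method, Request-URI, headers (lower-cased names) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, request_uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "request_uri": request_uri, "headers": headers, "body": body}


def _first_uri(field):
    m = URI_RE.search(field)
    return (m.group(1) or m.group(2)) if m else None


def request_method(msg):
    """Request Method criterion: one of the listed methods, else 'unknown'."""
    m = msg["method"].lower()
    return m if m in METHODS else "unknown"


def content_length_gt(msg, length):
    """Content Length criterion: declared Content-Length greater than 'length' bytes."""
    return int(msg["headers"].get("content-length", ["0"])[0]) > length


def content_type_is_sdp(msg):
    """Content Type criterion, SDP option."""
    ctype = msg["headers"].get("content-type", [""])[0]
    return ctype.split(";")[0].strip().lower() == "application/sdp"


def message_path_matches(msg, pattern):
    """Message Path criterion: regular expression applied to every Via header."""
    return any(re.search(pattern, via) for via in msg["headers"].get("via", []))


def calling_party_matches(msg, pattern):
    """Calling Party criterion: regular expression applied to the From header."""
    return any(re.search(pattern, v) for v in msg["headers"].get("from", []))


def uri_length_gt(msg, uri_type, length):
    """URI Length criterion over the Request-URI and From/To/Contact headers."""
    prefixes = ("sip:", "sips:") if uri_type == "sip" else ("tel:",)
    fields = [msg["request_uri"]]
    for name in ("from", "to", "contact"):
        fields.extend(msg["headers"].get(name, []))
    found = [m.group(1) or m.group(2) for f in fields for m in URI_RE.finditer(f)]
    return any(u.lower().startswith(prefixes) and len(u) > length for u in found)


def third_party_registrant(msg):
    """Return the From URI of a REGISTER whose From differs from To, else None."""
    if request_method(msg) != "register":
        return None
    frm = _first_uri(msg["headers"].get("from", [""])[0])
    to = _first_uri(msg["headers"].get("to", [""])[0])
    return frm if frm and frm != to else None
```

Run the criteria over `parse_sip(SAMPLE_INVITE)` and `parse_sip(SAMPLE_REGISTER)` to see which would fire; the regular-expression criteria take the same patterns you would define under Configuring Regular Expressions.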

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


SNMP Inspect Map

The SNMP pane lets you view previously configured SNMP application inspection maps. An SNMP map lets you change the default configuration values used for SNMP application inspection.

Fields

Map Name—Lists previously configured application inspection maps. Check a map and click Edit to view or change an existing map.

Disallowed SNMP Versions—Identifies the SNMP versions that have been disallowed for a specific SNMP application inspection map.

Add—Displays the Add SNMP dialog box, which you can use to define a new application inspection map.

Edit—Displays the Edit SNMP dialog box, which you can use to modify the application inspection map selected in the application inspection map table.

Delete—Deletes the application inspection map selected in the application inspection map table.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit SNMP Map

The Add/Edit SNMP Map dialog box lets you create a new SNMP map for controlling SNMP application inspection.

Fields

SNMP Map Name—Defines the name of the application inspection map.

SNMP version 1—Check to disallow SNMP version 1. Packets that use a disallowed version are dropped by SNMP inspection.

SNMP version 2 (party based)—Check to disallow SNMP version 2 (the obsolete party-based version).

SNMP version 2c (community based)—Check to disallow SNMP version 2c.

SNMP version 3—Check to disallow SNMP version 3.

Versions 1 and 2c authenticate with a cleartext community string. Where the managed hosts support version 3, a common policy is to disallow versions 1, 2, and 2c and leave only version 3 permitted.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Configuring Regular Expressions

This section describes how to configure regular expressions, and includes the following topics:

Regular Expressions

Add/Edit Regular Expression

Build Regular Expression

Test Regular Expression

Add/Edit Regular Expression Class Map

Regular Expressions

Some class maps (see Configuring Class Maps) and inspect maps (see Configuring Inspect Maps) can specify regular expressions to match text inside a packet. Create the regular expressions, either singly or grouped in a regular expression class map, before you configure the class map or inspect map that references them.

A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match body text inside an HTTP packet.

Fields

Regular Expressions—Shows the regular expressions

Name—Shows the regular expression names.

Value—Shows the regular expression definitions.

Add—Adds a regular expression.

Edit—Edits a regular expression.

Delete—Deletes a regular expression.

Regular Expression Classes—Shows the regular expression class maps.

Name—Shows the regular expression class map name.

Match Conditions—Shows the match type and regular expressions in the class map.

Match Type—Shows the match type. For regular expressions the match type is always positive (shown by the icon with the equal sign (=)); inspection class maps also allow negative matches (shown by the icon with the red circle). If the class map contains more than one regular expression, each match type icon appears with "OR" next to it, indicating a "match any" class map: traffic matches the class map if any one of its regular expressions matches.

Regular Expression—Lists the regular expressions included in each class map.

Description—Shows the description of the class map.

Add—Adds a regular expression class map.

Edit—Edits a regular expression class map.

Delete—Deletes a regular expression class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit Regular Expression

The Add/Edit Regular Expression dialog box lets you define and test a regular expression.

Fields

Name—Enter the name of the regular expression, up to 40 characters in length.

Value—Enter the regular expression, up to 100 characters in length. You can enter the text manually, using the metacharacters in Table 6-1, or you can click Build to use the Build Regular Expression dialog box.

Table 6-1 lists the metacharacters that have special meanings.

Table 6-1 regex Metacharacters

. (Dot)—Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.

(exp) (Subexpression)—A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.

| (Alternation)—Matches either expression it separates. For example, dog|cat matches dog or cat.

? (Question mark)—A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose. Note: When you enter the expression at the CLI, you must type Ctrl+V before the question mark, or else the help function is invoked.

* (Asterisk)—A quantifier that indicates that there are 0, 1, or any number of the previous expression. For example, lo*se matches lse, lose, loose, and so on.

+ (Plus)—A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.

{x} (Repeat quantifier)—Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.

{x,} (Minimum repeat quantifier)—Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, and so on.

[abc] (Character class)—Matches any character in the brackets. For example, [abc] matches a, b, or c.

[^abc] (Negated character class)—Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter.

[a-c] (Character range class)—Matches any character in the range. [a-z] matches any lowercase letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z]. The dash (-) character is literal only if it is the last or the first character within the brackets: [abc-] or [-abc].

"" (Quotation marks)—Preserves trailing or leading spaces in the string. For example, " test" preserves the leading space when it looks for a match.

^ (Caret)—Specifies the beginning of a line.

\ (Escape character)—When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.

char (Character)—When the character is not a metacharacter, matches the literal character.

\r (Carriage return)—Matches a carriage return (0x0d).

\n (Newline)—Matches a new line (0x0a).

\t (Tab)—Matches a tab (0x09).

\f (Formfeed)—Matches a form feed (0x0c).

\xNN (Escaped hexadecimal number)—Matches an ASCII character using hexadecimal (exactly two digits). For example, \x20 represents a space.

\NNN (Escaped octal number)—Matches an ASCII character as octal (exactly three digits). For example, \040 represents a space.


Build—Helps you build a regular expression using the Build Regular Expression dialog box.

Test—Tests a regular expression against some sample text.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Build Regular Expression

The Build Regular Expression dialog box lets you construct a regular expression out of characters and metacharacters. Fields that insert metacharacters include the metacharacter in parentheses in the field name.

Fields

Build Snippet—This area lets you build text snippets of regular text or lets you insert a metacharacter into the Regular Expression field.

Starts at the beginning of the line (^)—Indicates that the snippet should start at the beginning of a line, using the caret (^) metacharacter. Be sure to insert any snippet with this option at the beginning of the regular expression.

Specify Character String—Enter a text string manually.

Character String—Enter a text string.

Escape Special Characters—If you entered any metacharacters in your text string that you want to be used literally, check this box to add the backslash (\) escape character before them. For example, if you enter "example.com", this option converts it to "example\.com".

Ignore Case—If you want to match upper and lower case characters, this check box automatically adds text to match both upper and lower case. For example, entering "cats" is converted to "[cC][aA][tT][sS]".

Specify Character—Lets you specify a metacharacter to insert in the regular expression.

Negate the character—Specifies not to match the character you identify.

Any character (.)—Inserts the period (.) metacharacter to match any character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.

Character set—Inserts a character set. Text can match any character in the set. Sets include:

[0-9A-Za-z]

[0-9]

[A-Z]

[a-z]

[aeiou]

[\n\f\r\t] (which matches a new line, form feed, carriage return, or a tab)

For example, if you specify [0-9A-Za-z], then this snippet will match any character from A to Z (upper or lower case) or any digit 0 through 9.

Special character—Inserts a character that requires an escape, including \, ?, *, +, |, ., [, (, or ^. The escape character is the backslash (\), which is automatically entered when you choose this option.

Whitespace character—Whitespace characters include \n (new line), \f (form feed), \r (carriage return), or \t (tab).

Three digit octal number—Matches an ASCII character as octal (exactly three digits). For example, the character \040 represents a space. The backslash (\) is entered automatically.

Two digit hexadecimal number—Matches an ASCII character using hexadecimal (exactly two digits). The backslash (\) is entered automatically.

Specified character—Enter any single character.

Snippet Preview—Display only. Shows the snippet as it will be entered in the regular expression.

Append Snippet—Adds the snippet to the end of the regular expression.

Append Snippet as Alternate—Adds the snippet to the end of the regular expression separated by a pipe (|), which matches either expression it separates. For example, dog|cat matches dog or cat.

Insert Snippet at Cursor—Inserts the snippet at the cursor.

Regular Expression—This area includes regular expression text that you can enter manually and build with snippets. You can then select text in the Regular Expression field and apply a quantifier to the selection.

Selection Occurrences—Select text in the Regular Expression field, click one of the following options, and then click Apply to Selection. For example, if the regular expression is "test me", and you select "me" and apply One or more times, then the regular expression changes to "test (me)+".

Zero or one times (?)—A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.

One or more times (+)—A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.

Any number of times (*)—A quantifier that indicates that there are 0, 1 or any number of the previous expression. For example, lo*se matches lse, lose, loose, etc.

At least—Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc.

Exactly—Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.

Apply to Selection—Applies the quantifier to the selection.

Test—Tests a regular expression against some sample text.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Test Regular Expression

The Test Regular Expression dialog box lets you test input text against a regular expression to make sure it matches as you intended.

Fields

Regular Expression—Enter the regular expression you want to test. By default, the regular expression you entered in the Add/Edit Regular Expression or Build Regular Expression dialog box is input into this field. If you change the regular expression during your testing and click OK, the changes are inherited by the Add/Edit Regular Expression or Build Regular Expression dialog boxes. Click Cancel to dismiss your changes.

Test String—Enter a text string that you expect to match the regular expression.

Test—Tests the Test String against the Regular Expression.

Test Result—Display only. Shows if the test succeeded or failed.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit Regular Expression Class Map

The Add/Edit Regular Expression Class Map dialog box groups regular expressions together. A regular expression class map can be used by inspection class maps and inspection policy maps.

Fields

Name—Enter a name for the class map, up to 40 characters in length. The name "class-default" is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map.

Description—Enter a description, up to 200 characters in length.

Available Regular Expressions—Lists the regular expressions that are not yet assigned to the class map.

Edit—Edits the selected regular expression.

New—Creates a new regular expression.

Add—Adds the selected regular expression to the class map.

Remove—Removes the selected regular expression from the class map.

Configured Match Conditions—Shows the regular expressions in this class map, along with the match type.

Match Type—Shows the match type. For regular expressions the match type is always positive (shown by the icon with the equal sign (=)); inspection class maps also allow negative matches (shown by the icon with the red circle). If the class map contains more than one regular expression, each match type icon appears with "OR" next to it, indicating a "match any" class map: traffic matches the class map if any one of its regular expressions matches.

Regular Expression—Lists the regular expression names in this class map.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


TCP Maps

Use the TCP Maps option to create a reusable component that defines the TCP normalization settings for different traffic flows. After creating a TCP map, you can associate these TCP normalization settings with traffic of a specific type using a security policy. You use the Service Policy Rules option on the Security Policy pane to define the traffic criteria and to associate the service policy rule with a specific interface or to apply it to all the interfaces on the security appliance.

Fields

Map Name—Lists the name of each TCP map. The name is used to apply the map in a service policy.

Urgent Flag—Lists whether the URG pointer is cleared or allowed through the security appliance.

Window Variation—Lists whether a connection that has changed its window size unexpectedly is allowed or dropped.

Exceed MSS—Lists whether packets that exceed MSS set by peer are allowed or dropped.

Check Retransmission—Lists whether the retransmit data check is enabled or disabled.

Past-window Sequence Data—Lists whether packets with past-window sequence numbers are dropped, that is, packets whose sequence number is greater than the right edge of the TCP receive window. This action is only allowed if the Queue Limit is set to 0 (disabled).

SYN Data—Lists whether SYN packets with data are allowed or dropped.

SYNACK Data—Lists whether SYN-ACK packets with data are allowed or dropped.

Invalid Ack—Lists whether packets with an invalid ACK are allowed or dropped.

TTL Evasion Protection—Lists whether the TTL evasion protection offered by the security appliance is enabled or disabled.

Verify Checksum—Lists whether checksum verification is enabled or disabled.

Reserved Bits—Lists the status of the reserved flags policy.

TCP Options—Lists the behavior of packets with TCP option value configured. The default action is to clear the options and allow the packets.

Selective Ack—Lists whether the selective-ack TCP option is allowed or cleared.

Time Stamp—Lists whether the TCP timestamp option is allowed or cleared.

Window Scale—Lists whether the window scale option is allowed or cleared.

Range—Lists the configured TCP option ranges, which must fall within 6-7 and 9-255. The lower bound must be less than or equal to the upper bound. Option kinds 0 through 5 and 8 (end of option list, no-operation, maximum segment size, window scale, SACK-permitted, SACK, and timestamps) are handled by the settings above, which is why the configurable ranges exclude them.

Queue Size—Lists the maximum number of out-of-order packets that can be queued for a TCP connection. Default is 0.

Queue Timeout—Lists the out-of-order packet buffer timeout. The default is 4 seconds.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit TCP Map

The Add/Edit TCP Maps dialog box lets you define the class of traffic and customize the TCP inspection with TCP maps. Apply the TCP map using policy map and activate TCP inspection using service policy.

Fields

TCP Map Name—Specifies a TCP map name.

Queue Limit—Sets the maximum number of out-of-order packets that can be buffered and put in order for a TCP connection, between 1 and 250 packets. The default is 0, which means this setting is disabled and the default system queue limit is used depending on the type of traffic:

Connections for application inspection, IPS, and TCP check-retransmission have a queue limit of 3 packets. If the security appliance receives a TCP packet with a different window size, then the queue limit is dynamically changed to match the advertised setting.

For other TCP connections, out-of-order packets are passed through untouched.

If you set the Queue Limit to 1 or above, then the number of out-of-order packets allowed for all TCP traffic matches this setting. For application inspection, IPS, and TCP check-retransmission traffic, any advertised settings are ignored. For other TCP traffic, out-of-order packets are now buffered and put in order instead of passed through untouched.

Timeout—Sets the maximum amount of time that out-of-order packets can remain in the buffer, between 1 and 20 seconds; if they are not put in order and passed on within the timeout period, then they are dropped. The default is 4 seconds. You cannot change the timeout for any traffic if the Queue Limit is set to 0; you need to set the limit to be 1 or above for the timeout to take effect.

Clear Urgent Flag—Clears the URG pointer through the security appliance.

Drop Connection on Window Variation—Drops a connection that has changed its window size unexpectedly.

Drop Packets that Exceed Maximum Segment Size—Drops packets that exceed MSS set by peer.

Check if transmitted data is the same as original—Enables the retransmit data check, which compares retransmitted segments with the data originally sent; inconsistent retransmissions are dropped.

Drop Packets which have past-window sequence—Drops packets that have past-window sequence numbers, that is, packets whose sequence number is greater than the right edge of the TCP receive window. This action is only allowed if the Queue Limit is set to 0 (disabled).

Drop SYN packets with data—Drops SYN packets with data.

Drop SYNACK packets with data—Drops SYNACK packets with data.

Drop packets with invalid ACK—Drops packets whose ACK number is invalid. An ACK is invalid in the following cases:

While the connection is in the SYN-ACK-received state, the ACK number of a received TCP packet is not exactly equal to the sequence number of the next TCP packet to be sent.

At any time, the ACK number of a received TCP packet is greater than the sequence number of the next TCP packet to be sent (the peer acknowledges data that has not been sent).


Note TCP packets with an invalid ACK are automatically allowed for WAAS connections.


Enable TTL Evasion Protection—Enables or disables the TTL evasion protection offered by the security appliance.

Verify TCP Checksum—Enables checksum verification.

Reserved Bits—Sets the reserved flags policy in the security appliance.

Clear and allow

Allow only

Drop

TCP Options—Configures the behavior of packets with a TCP option value configured.

Clear Selective Ack—Clears the selective-ack TCP options.

Clear TCP Timestamp—Clears the TCP timestamp option.

Clear Window Scale—Clears the window scale option.

Range—Sets the action for a range of TCP option numbers.

Range—Valid TCP options ranges should fall within 6-7 and 9-255. The lower bound should be less than or equal to the upper bound.

Action—Allow or Drop.
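The TCP Options settings in the TCP Maps table and in this dialog decide, per option kind, whether an option is left alone, cleared, or causes the packet to be dropped. The following is an added example, not code from the ASDM guide or the ASA's normalizer: it parses the options field of a constructed TCP SYN and applies Clear Selective Ack, Clear TCP Timestamp, Clear Window Scale, and allow/drop ranges over kinds 6-7 and 9-255, with "clear and allow" as the default for kinds that no setting covers. Kind numbers are the IANA TCP option kinds (0 EOL, 1 NOP, 2 MSS, 3 window scale, 4 SACK-permitted, 5 SACK, 8 timestamps). Two things are this example's choices, not statements about the appliance: a cleared option is overwritten with NOPs so the header length and option alignment do not change, and the TCP checksum is left untouched (recomputing it needs the pseudo-header, which a bare header does not carry).

```python
"""Apply a TCP map's option policy to a TCP header (added example)."""
import struct

EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
NAMED_KINDS = {EOL, NOP, MSS, WSCALE, SACK_PERM, SACK, TIMESTAMP}


def valid_range(low, high):
    """Ranges must lie within 6-7 or 9-255, with low <= high."""
    return 6 <= low <= high <= 7 or 9 <= low <= high <= 255


def parse_options(opts):
    """Return [(kind, raw_bytes, offset), ...]; EOL ends the list."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            out.append((EOL, opts[i:i + 1], i))
            break
        if kind == NOP:
            out.append((NOP, opts[i:i + 1], i))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header at offset %d" % i)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        out.append((kind, opts[i:i + length], i))
        i += length
    return out


class TcpMap:
    def __init__(self, clear_sack=False, clear_timestamp=False,
                 clear_window_scale=False, ranges=()):
        # ranges: iterable of (low, high, "allow" | "drop")
        for low, high, action in ranges:
            if not valid_range(low, high):
                raise ValueError("range %d-%d must lie within 6-7 or 9-255" % (low, high))
            if action not in ("allow", "drop"):
                raise ValueError("action must be allow or drop")
        self.clear = set()
        if clear_sack:
            self.clear |= {SACK_PERM, SACK}
        if clear_timestamp:
            self.clear.add(TIMESTAMP)
        if clear_window_scale:
            self.clear.add(WSCALE)
        self.ranges = list(ranges)

    def action_for(self, kind):
        if kind in self.clear:
            return "clear"
        if kind in NAMED_KINDS:
            return "allow"
        for low, high, action in self.ranges:
            if low <= kind <= high:
                return action
        return "clear"  # default: clear the option and allow the packet

    def normalize(self, tcp_header):
        """Return (verdict, header): verdict is 'allow' or 'drop'."""
        data_offset = (tcp_header[12] >> 4) * 4
        if data_offset < 20 or data_offset > len(tcp_header):
            raise ValueError("bad data offset")
        opts = bytearray(tcp_header[20:data_offset])
        for kind, raw, off in parse_options(bytes(opts)):
            action = self.action_for(kind)
            if action == "drop":
                return "drop", tcp_header
            if action == "clear":
                opts[off:off + len(raw)] = bytes([NOP]) * len(raw)
        return "allow", tcp_header[:20] + bytes(opts) + tcp_header[data_offset:]


def build_syn(options):
    """Constructed SYN (ports 40000 -> 80) carrying 'options', padded with EOL."""
    options = options + b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4
    head = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, data_offset << 4,
                       0x02, 65535, 0, 0)
    return head + options


def option_kinds(tcp_header):
    """Kinds present in the header, in order (handy for checking a verdict)."""
    return [k for k, _, _ in parse_options(tcp_header[20:(tcp_header[12] >> 4) * 4])]


# Constructed options: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7.
SAMPLE_OPTIONS = (bytes([MSS, 4]) + struct.pack("!H", 1460)
                  + bytes([SACK_PERM, 2])
                  + bytes([TIMESTAMP, 10]) + struct.pack("!II", 1, 0)
                  + bytes([NOP])
                  + bytes([WSCALE, 3, 7]))
```

With `TcpMap(clear_sack=True, clear_timestamp=True)` the sample SYN is allowed but leaves with only MSS and window scale intact; an unlisted kind such as 30 is cleared unless a 9-255 range allows it, and a kind in a "drop" range causes the whole packet to be dropped.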

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Configuring Time Ranges

Use the Time Ranges option to create a reusable component that defines starting and ending times that can be applied to various security features. Once you have defined a time range, you can select the time range and apply it to different options that require scheduling.

The time range feature lets you define a time range that you can attach to traffic rules, or an action. For example, you can attach an access list to a time range to restrict access to the security appliance.

A time range consists of a start time, an end time, and optional periodic entries.


Note Creating a time range does not restrict access to the device. This pane defines the time range only.


Fields

Name—Specifies the name of the time range.

Start Time—Specifies when the time range begins.

End Time—Specifies when the time range ends.

Periodic Entries—Lists the periodic (daily or weekly) entries that further restrict when the range is active, within the start and end times specified.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit Time Range

The Add/Edit Time Range pane lets you define specific times and dates that you can attach to an action. For example, you can attach an access list to a time range to restrict access to the security appliance. The time range relies on the system clock of the security appliance; however, the feature works best with NTP synchronization.


Note Creating a time range does not restrict access to the device. This pane defines the time range only.


Fields

Time Range Name—Specifies the name of the time range. The name cannot contain a space or quotation mark, and must begin with a letter or number.

Start now/Started—Specifies either that the time range begins immediately or that it has already begun. The button label changes based on the Add/Edit state of the time range configuration. If you are adding a new time range, the button displays "Start Now." If you are editing a time range for which a fixed start time has already been defined, the button displays "Start Now." When editing a time range for which there is no fixed start time, the button displays "Started."

Start at—Specifies when the time range begins.

Month—Specifies the month, in the range of January through December.

Day—Specifies the day, in the range of 01 through 31.

Year—Specifies the year, in the range of 1993 through 2035.

Hour—Specifies the hour, in the range of 00 through 23.

Minute—Specifies the minute, in the range of 00 through 59.

Never end—Specifies that there is no end to the time range.

End at (inclusive)—Specifies when the time range ends. The end time specified is inclusive. For example, if you specified that the time range expire at 11:30, the time range is active through 11:30 and 59 seconds. In this case, the time range expires when 11:31 begins.

Month—Specifies the month, in the range of January through December.

Day—Specifies the day, in the range of 01 through 31.

Year—Specifies the year, in the range of 1993 through 2035.

Hour—Specifies the hour, in the range of 00 through 23.

Minute—Specifies the minute, in the range of 00 through 59.

Periodic Time Ranges—Configures daily or weekly time ranges.

Add—Adds a periodic time range.

Edit—Edits the selected periodic time range.

Delete—Deletes the selected periodic time range.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System


Add/Edit Periodic Time Range

The Add/Edit Periodic Time Range pane lets you refine time ranges further by configuring them on a daily or weekly basis.


Note Creating a time range does not restrict access to the device. This pane defines the time range only.


Fields

Days of the week

Every day—Specifies every day of the week.

Weekdays—Specifies Monday through Friday.

Weekends—Specifies Saturday and Sunday.

On these days of the week—Lets you choose specific days of the week.

Daily Start Time—Specifies the hour and the minute that the time range begins.

Daily End Time (inclusive)—Specifies the hour and the minute that the time range ends. The end time specified is inclusive.

Weekly Interval

From—Lists the day of the week, Monday through Sunday.

Through—Lists the day of the week, Monday through Sunday.

Hour—Lists the hour, in the range of 00 through 23.

Minute—Lists the minute, in the range of 00 through 59.
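The Add/Edit Time Range and Add/Edit Periodic Time Range panes above describe when a range is active: an absolute window whose End at is inclusive to the end of the minute (11:30 means through 11:30:59), daily entries for sets of weekdays, and a weekly interval from one day and time through another. The following is an added example, not code from the ASDM guide or the ASA, that evaluates those rules for a given instant. It reads the text as follows, which you should confirm against the appliance before depending on it: a range is active when the instant lies inside the absolute window and, if any periodic entries exist, inside at least one of them; a weekly interval whose end precedes its start wraps past Sunday. As the note says, the evaluator only decides active or inactive; nothing is restricted until a rule references the range.

```python
"""Evaluate a time range with periodic entries (added example)."""
from datetime import datetime

# datetime.weekday(): Monday = 0 ... Sunday = 6, matching the pane's day list.
WEEKDAYS = (0, 1, 2, 3, 4)
WEEKENDS = (5, 6)
EVERY_DAY = tuple(range(7))


def minute_end(dt):
    """'End at' is inclusive: 11:30 means active through 11:30:59."""
    return dt.replace(second=59, microsecond=999999)


class Daily:
    """Daily Start Time to Daily End Time (inclusive) on the given days."""

    def __init__(self, days, start_hm, end_hm):
        self.days = set(days)
        self.start = tuple(start_hm)  # (hour, minute)
        self.end = tuple(end_hm)

    def active(self, now):
        if now.weekday() not in self.days:
            return False
        return self.start <= (now.hour, now.minute) <= self.end


class Weekly:
    """Weekly Interval: From (day, hour, minute) Through (day, hour, minute)."""

    def __init__(self, start, end):
        self.start = tuple(start)
        self.end = tuple(end)

    def active(self, now):
        key = (now.weekday(), now.hour, now.minute)
        if self.start <= self.end:
            return self.start <= key <= self.end
        return key >= self.start or key <= self.end  # interval wraps past Sunday


class TimeRange:
    def __init__(self, start=None, end=None, periodic=()):
        self.start = start                              # None: "Start now"
        self.end = minute_end(end) if end else None     # None: "Never end"
        self.periodic = list(periodic)

    def active(self, now):
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now > self.end:
            return False
        if not self.periodic:
            return True
        return any(p.active(now) for p in self.periodic)


# Constructed ranges for illustration.
JAN_2024 = TimeRange(start=datetime(2024, 1, 1, 0, 0), end=datetime(2024, 1, 31, 11, 30))
BUSINESS_HOURS = TimeRange(periodic=[Daily(WEEKDAYS, (9, 0), (17, 0))])
WEEKEND_MAINTENANCE = TimeRange(periodic=[Weekly((4, 22, 0), (0, 6, 0))])  # Fri 22:00 .. Mon 06:00
```

The same evaluator can be run against the appliance's clock to predict when a rule bound to the range will take effect; because the range relies on the system clock, keep the appliance NTP-synchronized, as the Add/Edit Time Range description advises.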

Modes

The following table shows the modes in which this feature is available:

Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context   System