User Guide for Cisco Security Manager 4.0.1
Managing Firewall Inspection Rules

Table Of Contents

Managing Firewall Inspection Rules

Understanding Inspection Rules

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules

Inspection Rules Page

Add or Edit Inspect/Application FW Rule Wizard

Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page

Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes

Configure DNS Dialog Box

Configure SMTP Dialog Box

Configure ESMTP Dialog Box

Configure Fragments Dialog Box

Configure IMAP or POP3 Dialog Boxes

Configure RPC Dialog Box

Custom Protocol Dialog Box

Configure Dialog Box

Configuring Protocols and Maps for Inspection

Configuring Class Maps for Inspection Policies

Configuring DCE/RPC Maps

Configuring DNS Maps

DNS Map Protocol Conformance Tab

DNS Map Filtering Tab

DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Configuring ESMTP Maps

ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Configuring FTP Maps

FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Configuring GTP Maps

Add and Edit Country Network Codes Dialog Boxes

Add and Edit Permit Response Dialog Boxes

GTP Map Timeouts Dialog Box

GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Configuring H.323 Maps

Add or Edit HSI Group Dialog Boxes

Add or Edit HSI Endpoint IP Address Dialog Boxes

H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices

HTTP Map General Tab

HTTP Map Entity Length Tab

HTTP Map RFC Request Method Tab

HTTP Map Extension Request Method Tab

HTTP Map Port Misuse Tab

HTTP Map Transfer Encoding Tab

Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices

HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices

IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

Configuring IM Maps for IOS Devices

Configuring IP Options Maps

Configuring IPsec Pass Through Maps

Configuring NetBIOS Maps

Configuring SIP Maps

SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Configuring Skinny Maps

Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Configuring SNMP Maps

Configuring Regular Expression Groups

Configuring Regular Expressions for Inspection Maps

Metacharacters Used to Build Regular Expressions

Configuring Settings for Inspection Rules for IOS Devices


Managing Firewall Inspection Rules


Inspection rules configure protocol inspection on a device. Inspection opens temporary holes in your access rules to allow return traffic for connections initiated within your trusted network. When traffic is inspected, the device also applies protocol-aware checks to the inspected protocols and drops malformed packets.

The device commands generated for inspection rules vary based on device type. For ASA, PIX 7.0+, and FWSM 3.x+ devices, inspection is expressed with access-list, class-map, and policy-map commands (with an inspect statement for each protocol inside the policy map). For FWSM 2.x and PIX 6.3 devices, fixup protocol commands are used. For IOS devices, ip inspect commands are used.

The following topics will help you work with inspection rules:

Understanding Inspection Rules

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules

Inspection Rules Page

Configuring Protocols and Maps for Inspection

Configuring Settings for Inspection Rules for IOS Devices

The following topics can help you with general rule table usage:

Adding and Removing Rules, page 12-8

Editing Rules, page 12-9

Enabling and Disabling Rules, page 12-17

Moving Rules and the Importance of Rule Order, page 12-16

Understanding Inspection Rules

Inspection rules configure stateful application inspection; on IOS devices this is Context-Based Access Control (CBAC). Inspection examines traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when inspected traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered inspection when exiting through the firewall.

Inspection rules are applied after your access rules, so any traffic that you deny in the access rule is not inspected. The traffic must be allowed by the access rules at both the input and output interfaces to be inspected. Whereas access rules allow you to control connections at layer 3 (network, IP) or 4 (transport, TCP or UDP protocol), you can use inspection rules to control traffic using application-layer protocol session information.

For all protocols, when you inspect the protocol, the device provides the following functions:

Automatically opens a return path for the traffic (reversing the source and destination addresses), so that you do not need to create an access rule to allow the return traffic. Each connection is considered a session, and the device maintains session state information and allows return traffic only for valid sessions. Protocols that use TCP contain explicit session information, whereas for UDP applications, the device models the equivalent of a session based on the source and destination addresses and the closeness in time of a sequence of UDP packets.

These temporary access lists are created dynamically and are removed at the end of a session.

Tracks sequence numbers in all TCP packets and drops those packets with sequence numbers that are not within expected ranges.

Uses time-out and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. When a session is dropped, or reset, the device informs both the source and destination of the session to reset the connection, freeing up resources and helping to mitigate potential Denial of Service (DoS) attacks.

The following topics provide more information about inspection:

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Protocols and Maps for Inspection

Configuring Inspection Rules

Configuring Settings for Inspection Rules for IOS Devices

Choosing the Interfaces for Inspection Rules

Configure inspection on devices that protect internal networks. Use it with TCP, UDP, or more specific protocols. Inspect these applications if you want the application's traffic to be permitted through the device only when the traffic session is initiated from a particular side of the device (usually from the protected internal network).


Tip For IOS devices, you need to configure inspection explicitly, and you can identify the direction of traffic to be inspected. For ASA, PIX, and FWSM devices, you cannot identify the direction, and you need to configure inspection only if you do not want the inspection defaults. In the remaining discussion, statements concerning direction apply only to IOS devices. For ASA, PIX, and FWSM, simply configure inspection on the identified interface.


In many cases, you will configure inspection in one direction only at a single interface, which causes traffic to be permitted back into the internal network only if the traffic is part of a permissible (valid, existing) session. This is a typical configuration for protecting your internal networks from traffic that originates on the Internet.

You can also configure inspection in two directions at one or more interfaces. Configure inspection in two directions when the networks on both sides of the firewall should be protected, such as with extranet or intranet configurations, and to protect against DoS attacks. For example, if the device is situated between two partner companies' networks, you might want to restrict traffic in one direction for certain applications, and restrict traffic in the opposite direction for other applications. If you are protecting a web server in the DMZ zone, you might want to configure deep inspection on HTTP traffic to identify and reset connections that have undesirable characteristics.

You might want to configure your inspection rules on the outbound interfaces of your network, those that connect to the Internet or another uncontrolled network, while allowing unfiltered connections within the trusted network. Thus, your devices use resources for inspection only on sessions that travel over unsecured and therefore potentially dangerous networks.

Related Topics

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Protocols and Maps for Inspection

Configuring Inspection Rules

Selecting Which Protocols To Inspect

You can generically inspect TCP and UDP, which covers all applications that use these protocols. However, you can also inspect more specific protocols. In some cases, inspecting a specific protocol provides better service than generic TCP/UDP inspection. TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet.

For example:

Some protocols allow you to configure deep inspection. Deep inspection allows you to configure more specific rules for a traffic stream. For example, you can drop HTTP connections where the content type of the request and response do not match. For information on deep inspection and your configuration options, see Configuring Protocols and Maps for Inspection.

Protocols that negotiate return channels, such as FTP, should be specifically inspected. If you use simple generic TCP inspection of FTP traffic, the negotiated channels are not opened, and the connection will fail. If you want to allow FTP, ensure that you create a specific inspection rule for it.

Multimedia protocols also negotiate return channels and should be specifically inspected. These include H.323, RTSP (Real Time Streaming Protocol), and other application-specific protocols. Some applications also use a generic TCP channel, so you might also need to configure generic TCP inspection. Any generic TCP inspection rule should appear below a more specific inspection rule in the table (that is, any rule that specifies TCP or UDP should appear at the end of the inspection rule table).

Related Topics

Choosing the Interfaces for Inspection Rules

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules

Understanding Access Rule Requirements for Inspection Rules

Access rules are applied before inspection rules. Therefore, you must ensure that your access rules do not prohibit traffic that you want inspected. Use the following guidelines:

Permit inspected traffic to leave the network through the firewall.

All access rules that evaluate traffic leaving the protected network should permit traffic that will be inspected. For example, if Telnet will be inspected, then Telnet traffic should be permitted on all access rules that apply to traffic leaving the network.

Deny inspected return traffic entering the network through the firewall.

For temporary openings to be created in an access list, the access list should deny inspected return traffic because the inspection engine will open up temporary holes in the access lists for this traffic. (You want traffic to be normally blocked when it enters your network.)

Permit or deny traffic that cannot be inspected, or that you do not want to inspect, as required by your network.

For example, if you do not want to inspect ICMP traffic, but you want to allow some ICMP traffic, configure your access rules to allow the traffic in both directions. Consider permitting at least these ICMP message types: echo reply (for ping commands), time-exceeded (for traceroute), packet-too-big (for path MTU discovery), traceroute (for traceroute), and unreachable (to notify that a host cannot be found).

Add an access rule entry denying any network traffic from a source address matching an address on the protected network.

This is known as anti-spoofing protection because it prevents traffic from an unprotected network from assuming the identity of a device on the protected network.

Add an entry denying broadcast messages with a source address of 255.255.255.255.

This entry helps to prevent broadcast attacks.
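The guidelines above, together with the protocol-ordering advice in Selecting Which Protocols To Inspect and the session mechanics described in Understanding Inspection Rules, correspond to the following IOS CBAC configuration. This is an added illustration, not output generated by Security Manager: the interface names, the addresses (10.1.1.0/24 inside, the RFC 5737 range 203.0.113.0/24 on the outside link), and the ACL and inspection-set names are constructed for the example, and Security Manager generates its own names when it deploys the policy. Lines beginning with ! are explanatory comments.

```cisco
! Constructed example topology: 10.1.1.0/24 is the protected inside network
! behind GigabitEthernet0/0; GigabitEthernet0/1 faces the Internet.

! Inspection set "FW": protocol-specific engines first, generic TCP/UDP last.
! FTP must be inspected specifically so its negotiated data channel is opened;
! plain "tcp" inspection would let the control connection succeed and the
! data transfer fail.
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW tcp
ip inspect name FW udp

! Requirement 1: permit the traffic that will be inspected to leave the
! protected network.
ip access-list extended INSIDE_IN
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit udp 10.1.1.0 0.0.0.255 any eq domain
 permit icmp 10.1.1.0 0.0.0.255 any
 deny   ip any any log

! Requirement 2: deny inspected return traffic entering the network; CBAC
! inserts temporary entries in this list for valid sessions.
! Requirements 3 to 5: permit the uninspected ICMP you still need, block
! spoofed inside sources, and block broadcast-sourced packets.
ip access-list extended OUTSIDE_IN
 remark anti-spoofing: an inside source address cannot arrive from outside
 deny   ip 10.1.1.0 0.0.0.255 any log
 remark broadcast attack protection
 deny   ip host 255.255.255.255 any log
 remark ICMP that is not inspected but is needed for ping, traceroute and PMTUD
 permit icmp any 10.1.1.0 0.0.0.255 echo-reply
 permit icmp any 10.1.1.0 0.0.0.255 time-exceeded
 permit icmp any 10.1.1.0 0.0.0.255 packet-too-big
 permit icmp any 10.1.1.0 0.0.0.255 traceroute
 permit icmp any 10.1.1.0 0.0.0.255 unreachable
 remark everything else is denied until inspection opens a hole for it
 deny   ip any any log

interface GigabitEthernet0/0
 description inside (protected)
 ip address 10.1.1.1 255.255.255.0
 ip access-group INSIDE_IN in

interface GigabitEthernet0/1
 description outside (Internet)
 ip address 203.0.113.2 255.255.255.252
 ip access-group OUTSIDE_IN in
 ip inspect FW out
```

The single ip inspect FW out on the outside interface is the one-direction deployment described in Choosing the Interfaces for Inspection Rules: inspection is triggered by sessions leaving through GigabitEthernet0/1, and the temporary entries it creates are evaluated ahead of the static entries of OUTSIDE_IN on that same interface. On the router, show ip inspect sessions lists the sessions currently holding a hole open, which is the quickest way to confirm that return traffic is being admitted by inspection rather than by an over-permissive access list entry.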

Related Topics

Understanding Access Rules, page 14-1

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Configuring Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Inspecting packets at the application layer, and maintaining TCP and UDP session information, provides a device with the ability to detect and prevent certain types of network attacks such as SYN-flooding. A SYN-flood attack occurs when a network attacker floods a server with a barrage of requests for connection and does not complete the connection. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests. Network attacks that deny access to a network device are called denial-of-service (DoS) attacks.

Inspection helps to protect against DoS attacks in other ways. Inspection looks at packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets. You can also configure inspection to drop half-open connections, which require firewall processing and memory resources to maintain. Additionally, inspection can detect unusually high rates of new connections and issue alert messages.

For IOS devices, you can configure several inspection setting parameters to fine-tune your defenses against SYN flooding and half-open connections. Configure the Firewall > Settings > Inspection policy. For details about each setting, see Configuring Settings for Inspection Rules for IOS Devices.

Inspection can also help by protecting against certain DoS attacks involving fragmented IP packets. Even though the firewall prevents an attacker from making actual connections to a given host, the attacker can disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets. To fine-tune fragment inspection, configure an inspection rule for the fragment protocol and configure the maximum number of fragments you want to allow and a time-out value.
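The thresholds described in this topic are set in the IOS inspection settings policy; the commands below show what a tightened set of them looks like on the router. This is an added example and not Security Manager output: the values are illustrative starting points rather than recommendations for any particular network (the settings policy and the IOS documentation give the defaults and ranges), and the inspection-set name FW is assumed. Lines beginning with ! are explanatory comments.

```cisco
! Aggregate half-open session limits. Above the high mark CBAC deletes
! half-open sessions to make room for new ones and keeps doing so until the
! count falls to the low mark.
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300
! The same control applied to the rate of new half-open sessions per minute.
ip inspect one-minute high 400
ip inspect one-minute low 300
! Per-destination TCP limit. With block-time 0, each new SYN beyond the limit
! causes the oldest half-open session to that host to be dropped; a non-zero
! block-time (in minutes) instead refuses all new connections to the host for
! that period, which an attacker can turn into a DoS against the host itself.
ip inspect tcp max-incomplete host 40 block-time 0
! Give up on a TCP session that does not complete the handshake in 20 seconds.
ip inspect tcp synwait-time 20
! Idle timers that release state for silent sessions.
ip inspect tcp idle-time 1800
ip inspect udp idle-time 30
ip inspect dns-timeout 5
! Emit a syslog message for every session created or deleted, so what the
! thresholds dropped is visible afterwards.
ip inspect audit-trail
! Fragment inspection on the FW inspection set: keep state for at most 256
! in-progress datagrams and discard a datagram's state if it is not completely
! reassembled within 1 second, so a stream of non-initial fragments cannot
! exhaust the table or reach the host behind the router.
ip inspect name FW fragment maximum 256 timeout 1
```

On the router, show ip inspect config prints the active thresholds and show ip inspect statistics shows the current half-open counts against them; watch the one-minute counters during normal peak load before lowering the high and low marks, because a mark set below legitimate connection rates causes the router to tear down good sessions.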

Related Topics

Understanding Inspection Rules

Selecting Which Protocols To Inspect

Configuring Protocols and Maps for Inspection

Configuring Inspection Rules

Configuring Inspection Rules

Inspection rule policies identify the traffic that will be inspected on an interface. Inspection tracks permitted sessions and opens temporary holes in your access rules to allow return traffic.

Inspection rules are processed after access rules, so any traffic dropped by an access rule is not inspected. See the following topics for more information about things you should consider when creating inspection rules:

Understanding Inspection Rules

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Protocols and Maps for Inspection

Understanding Map Objects, page 6-60

Before You Begin

You might have a set of inspection rules that you want to apply to all devices. To do this, you can create a shared rule and inherit its rules to each device's inspection rules policy. For more information, see Creating a New Shared Policy, page 5-50 and Inheriting or Uninheriting Rules, page 5-42.


Step 1 Do one of the following to open the Inspection Rules Page:

(Device view) Select Firewall > Inspection Rules from the Policy selector.

(Policy view) Select Firewall > Inspection Rules from the Policy Type selector. Select an existing policy or create a new one.

Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and select Add Row. This opens the Add or Edit Inspect/Application FW Rule Wizard.


Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select an existing row and edit either the entire row or specific cells. For more information, see Editing Rules, page 12-9.


Step 3 Select whether to apply the rule to all interfaces on the device or to only the interfaces you specify.

If you elect to specify interfaces, enter the interface name or interface role, or click Select to select it from a list. For IOS devices, you can also select the direction in which the rule applies: In (traffic entering the interface) or Out (traffic leaving the interface). Use the In direction for all other device types.

Step 4 Select the criteria you want to use for matching traffic. This determines what gets inspected based on this rule.

Default Protocol Ports—Select this option if the protocol you are inspecting uses the default ports on your network.

If you want to constrain the inspection based on the source or destination address, also select Limit inspection between source and destination IP addresses (available only for ASA, PIX 7.x+, and FWSM 3.x+ devices). When you click Next, you are prompted for the source and destination addresses. You can specify any for source or destination if you are interested only in configuring the other value.

Custom Destination Ports—Select this option if you want to associate additional non-default TCP or UDP ports with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic. When you click Next, you are prompted for the port or port range.

Destination Address and Port (IOS devices only)—Select this option if you want to associate additional non-default TCP or UDP ports with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.10. When you click Next, you are prompted for the destination address and the port information.

Source and Destination Address and Port (PIX 7.x+, ASA, FWSM 3.x+)—Select this option for the same reason you would select Destination Address and Port for IOS devices, although you have the additional option of identifying the source of the traffic. When you click Next, you are prompted for the source and destination addresses and the service port information.


Note For FWSM 2.x and PIX 6.3(x), you can select only Default Protocol Ports or Custom Destination Ports.


Step 5 Click Next. If you selected anything other than Default Protocol Ports, fill in the required addressing and port information explained above and click Next. See Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page.

Step 6 On the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select the protocol you want to inspect from the list. Ensure that the Device Type field indicates that inspection is supported for that protocol on the devices to which you are assigning the rule. (If you assign a rule to an unsupported device type, the rule is ignored but you will get a validation warning).

If the protocol you select allows additional configuration, the Configure button becomes active. Click it to view and select your options. For more information, see Configuring Protocols and Maps for Inspection.

For IOS devices only:

If you selected Custom Destination Ports or Destination Address and Port as the traffic match, you can select custom protocol as the protocol name and click Configure to assign a name to the configuration.

You can configure additional alert, audit, and time-out settings that override those set in the inspection settings policy. You can also specify whether to inspect router generated traffic for a limited number of protocols. For more information about inspection settings, see Configuring Settings for Inspection Rules for IOS Devices.

Step 7 Click Finish to save the rule.

Step 8 If you did not select the right row before adding the rule, select the new rule and use the up and down arrow buttons to position the rule appropriately. For more information, see Moving Rules and the Importance of Rule Order, page 12-16.
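The following ASA configuration shows what two rules created with this wizard look like on the device: one global rule using Default Protocol Ports, and one Source and Destination Address and Port rule that treats TCP/8080 as HTTP (the Step 4 example) and contains a Deny row. It is an added example, not Security Manager output: the class-map, policy-map and access-list names, the interface name inside, the client network 10.1.1.0/24 and the hypothetical scanner host 10.1.1.50 are assumptions, and Security Manager generates its own object names when it deploys the policy. Lines beginning with ! are explanatory comments.

```cisco
! Rule 1: Apply the Rule to "All Interfaces", Match Traffic By "Default
! Protocol Ports", no address limit. This becomes the global service policy:
! each listed protocol is inspected on its default port(s) on every interface.
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
  inspect ftp
  inspect http
service-policy global_policy global

! Rule 2: interface "inside", Match Traffic By "Source and Destination
! Address and Port": inspect TCP/8080 from 10.1.1.0/24 to the server
! 192.168.1.10 as HTTP. A Deny row for the scanner host 10.1.1.50 becomes a
! deny ACE, which excludes that traffic from the class (it is not blocked
! here; the access rules decide whether it passes).
access-list INSIDE_INSPECT_HTTP_8080 extended deny tcp host 10.1.1.50 host 192.168.1.10 eq 8080
access-list INSIDE_INSPECT_HTTP_8080 extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 8080
class-map INSIDE_HTTP_8080
 match access-list INSIDE_INSPECT_HTTP_8080
policy-map inside_policy
 class INSIDE_HTTP_8080
  inspect http
service-policy inside_policy interface inside
```

An ASA allows one global service policy and one service policy per interface, so every global inspection rule is folded into the same global policy map and every rule for a given interface into that interface's policy map. Because match default-inspection-traffic matches HTTP only on TCP/80, traffic to port 8080 is inspected only because of the second rule. On PIX 6.3 and FWSM 2.x the equivalent of a Custom Destination Ports rule is the single command fixup protocol http 8080, with no source or destination limit available, which is why the wizard offers only the two simpler match methods for those platforms. On the ASA, show service-policy inspect http displays the per-class packet counters and is the quickest check that traffic is hitting the intended class.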


Inspection Rules Page

Use the Inspection Rules page to configure inspection rules for device interfaces. Inspection examines traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions.

Inspection rules are processed after your access rules. Thus, any traffic denied by an access rule is never inspected.

Read the following topics before you configure inspection rules:

Understanding Inspection Rules

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules


Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration, disabled rules are removed from the device. For more information, see Enabling and Disabling Rules, page 12-17.


Navigation Path

To access the Inspection Rules page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from the Policy selector.

(Policy view) Select Firewall > Inspection Rules from the Policy Type selector. Create a new policy or select an existing one.

(Map view) Right-click a device and select Edit Firewall Policies > Inspection Rules.

Related Topics

Adding and Removing Rules, page 12-8

Editing Rules, page 12-9

Enabling and Disabling Rules, page 12-17

Moving Rules and the Importance of Rule Order, page 12-16

Using Sections to Organize Rules Tables, page 12-17

Using Rules Tables, page 12-7

Filtering Tables, page 1-33

Field Reference

Table 15-1 Inspection Rules Page 

Element
Description

No.

The ordered rule number.

Permit

Whether a rule identifies traffic that should be inspected based on the conditions set:

Permit—Identifies traffic that will be inspected. Shown as a green check mark.

Deny—Exempts the traffic from inspection. Your access rules will determine if the traffic is allowed or blocked. Shown as a red circle with slash.

Source

Destination

The source and destination addresses for the rule. The "any" address does not restrict the rule to specific hosts, networks, or interfaces. These addresses are IP addresses for hosts or networks, network/host objects, interfaces, or interface roles. Multiple entries are displayed as separate subfields within the table cell. See:

Understanding Network/Host Objects, page 6-62

Understanding Interface Role Objects, page 6-55

Traffic Match

The type of matching used in the rule:

default-inspection—The rule inspects traffic on the protocol's default ports.

TCP,UDP/port number—The rule inspects traffic based on a custom port number.

Service—The rule inspects traffic based on a service specification or service object. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 6-69.

Interface

The interfaces or interface roles to which the rule is assigned. Global indicates that the rule is assigned to all interfaces. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 6-55.

Dir.

(IOS devices only)

The direction of the traffic to which this rule applies:

In—Packets entering the interface.

Out—Packets exiting the interface.

Inspected Protocol

The protocol to be inspected and possibly some configuration settings for the protocol.

Time Range

The time range policy object assigned to the rule. This object defines the time window within which inspection occurs.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Description

The description of the rule, if any.

Tools button

Click this button to select tools that you can use with this type of policy. You can select from the following tools:

Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 12-24

Find and Replace button (binoculars icon)

Click this button to search for various types of items within the table and to optionally replace them. See Finding and Replacing Items in Rules Tables, page 12-13.

Up Row and Down Row buttons (arrow icons)

Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 12-16.

Add Row button

Click this button to add a rule to the table after the selected row using the Add or Edit Inspect/Application FW Rule Wizard. If you do not select a row, the rule is added at the end of the local scope. For more information about adding rules, see Adding and Removing Rules, page 12-8.

Edit Row button

Click this button to edit the selected rule. You can also edit individual cells. For more information, see Editing Rules, page 12-9.

Delete Row button

Click this button to delete the selected rule.


Add or Edit Inspect/Application FW Rule Wizard

Use the Add or Edit Inspect/Application FW Rule wizard to add and edit inspection rules. The wizard steps you through the process of configuring an inspection rule based on your selection in the Match Traffic By group on this page.

Read the following topics before you configure inspection rules:

Understanding Inspection Rules

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules

Navigation Path

From the Inspection Rules Page, click the Add Row button or select a row and click the Edit Row button.

Related Topics

Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page

Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes

Understanding Interface Role Objects, page 6-55

Editing Rules, page 12-9

Field Reference

Table 15-2 Add and Edit Inspect/Application FW Rule Wizard Step 1, Choose Traffic Match Method 

Element
Description

Enable Rule

Whether to enable the rule, which means the rule becomes active when you deploy the configuration to the device. Disabled rules are shown overlaid with hash marks in the rule table. For more information, see Enabling and Disabling Rules, page 12-17.

Apply the Rule to

The interface to which the rule applies:

All Interfaces—Apply the rule to all interfaces. The rule becomes a global rule on ASA, PIX, and FWSM devices. For IOS devices, the rule is configured for each interface in the In direction.

Interface (PIX 7.x+, ASA, FWSM 3.x+, IOS)—Apply the rule only to those interfaces identified in the Interfaces field. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.

For IOS devices only, you can select the direction of the traffic to which this rule applies, either traffic entering an interface (In) or exiting it (Out). For other devices, leave In as the direction.

Match Traffic By

How you want to identify the traffic to inspect. If you select something other than Default Protocol Ports (by itself), you are prompted for the other port or address information when you click Next.

Default Protocol Ports

Limit inspection between source and destination IP addresses (PIX 7.x+, ASA, FWSM 3.x+)

Inspect traffic based on the default ports assigned to a protocol.

You can also select Limit inspection between source and destination IP addresses to configure the inspection to occur only between a specified source and destination. Do not select this option if you want to inspect a protocol without applying any constraints to the inspected traffic.

Custom Destination Ports

Inspect traffic based on specified non-default TCP or UDP destination ports. Select this option if you want to associate additional TCP or UDP traffic with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic.

Destination Address and Port (IOS)

Inspect traffic on IOS devices based on destination IP address and port. Select this option if you want to associate additional non-default TCP or UDP ports with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.10.

Source and Destination Address and Port (PIX 7.x+, ASA, FWSM 3.x+)

Inspect traffic on PIX 7.x+, ASA, and FWSM 3.x+ devices based on source and destination IP addresses and services. Select this option for the same reason you would select Destination Address and Port for IOS devices, although you have the additional option of identifying the source of the traffic.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Description

An optional description of the rule (up to 1024 characters).


Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page

Use the Add or Edit Inspect/Application FW Rule wizard's address or port specification page to identify the IP addresses, ports, or services required by your inspection rule. The content of this page differs depending on your selection in the Match Traffic By group on the first page of the wizard (see Add or Edit Inspect/Application FW Rule Wizard). This page does not appear if you select Default Protocol Ports only.

The reference table below indicates the match criteria to which each field applies.

You select the protocol to inspect when you click Next from this page (see Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes).

Navigation Path

From the Add or Edit Inspect/Application FW Rule Wizard, select something other than Default Protocol Ports in the Match Traffic By group and click Next.

Related Topics

Understanding Inspection Rules

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules

Understanding Interface Role Objects, page 6-55

Editing Rules, page 12-9

Field Reference

Table 15-3 Add and Edit Inspect/Application FW Rule Wizard Step 2, Specify Address and Port Page 

Element
Description

Action

(Available for Limit inspection between source and destination IP addresses and Source and Destination Address and Port matching.)

Whether you are identifying traffic that should be inspected based on the conditions set. Typically, you want to create Permit rules.

Permit—Identifies traffic that will be inspected.

Deny—Exempts the traffic from inspection. Your access rules will determine if the traffic is allowed or blocked.

Sources

Destinations

(Available for Limit inspection between source and destination IP addresses and Source and Destination Address and Port matching. For Destination Address and Port, only the Destinations field is available.)

The source or destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 6-68.

Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

Host IP address, for example, 10.10.10.100.

Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 6-63).

Interface role object, except when configuring Destination Address and Port matching. Click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 6-55.

If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Service

(Available for Source and Destination Address and Port matching.)

The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.

You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 6-69.

Time Range

(Available for Limit inspection between source and destination IP addresses and Source and Destination Address and Port matching.)

The name of a time range policy object that defines the times when this rule applies. The time is based on the system clock of the device. The feature works best if you use NTP to configure the system clock.

Enter the name or click Select to select the object. If the object that you want is not listed, click the Create button to create it.

Protocol

(Available for Custom Destination Ports and Destination Address and Port matching.)

The protocol for the ports you are specifying, either TCP, UDP, or both TCP/UDP.

When configuring Custom Destination Ports for an IOS device, you must select TCP/UDP.

Ports

(Available for Custom Destination Ports and Destination Address and Port matching.)

The port used by the traffic you want to inspect. Values are 1-65535.

Single—Specify one port number only.

Range—Specify a range of ports, for example, 10000-11000.

When configuring custom ports, be aware that port ranges might not be supported on all platforms or OS versions. Any conflicts are identified during policy validation, not while you are editing this rule.

Tip If you specify a port or port range that conflicts with a pre-defined port mapping, the device does not allow the port to be remapped.

Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes

Use the Add or Edit Inspect/Application FW Rule wizard's inspected protocol page, or the Edit Inspected Protocol dialog box, to configure the protocol inspected by an inspection rule.

Navigation Path

Do one of the following:

From the Add or Edit Inspect/Application FW Rule Wizard, click Next until you reach this page.

To access the Edit Inspected Protocols dialog box, right-click the Inspected Protocol cell in an inspection rule and select Edit Inspected Protocol. If you select multiple rows, your changes replace the inspected protocol defined for all selected rules.

Related Topics

Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page

Understanding Inspection Rules

Choosing the Interfaces for Inspection Rules

Selecting Which Protocols To Inspect

Understanding Access Rule Requirements for Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules

Editing Rules, page 12-9

Filtering Tables, page 1-33

Field Reference

Table 15-4 Inspected Protocols Dialog Box 

Element
Description

Protocols table

Lists the protocols that you can inspect. You can select one protocol per rule. The list includes information on the device operating systems that allow inspection of the protocol: do not select protocols that are not supported by the device type on which you will use the inspection rule policy.

Tip For IOS devices, if you selected Custom Destination Ports or Destination Address and Port for the match type on the first page of the wizard, you can select custom protocol and click Configure to give your protocol a name. For other device types, select the protocol that you associate with the ports previously specified.

The group column provides additional information on the use of some of the protocols.

The option column displays configured options for the selected protocol, if any.

Selected Protocol

Configure button

Displays the protocol you selected. If the protocol allows additional configuration, the Configure button becomes active; click it to see your options, and click the Help button in the dialog box that is opened for information about the options. For more information about protocols that allow configuration, see Configuring Protocols and Maps for Inspection.

Rule Settings (IOS)

Additional settings for the rule if it is used on devices running Cisco IOS software. If you select Use Default Inspection settings, the IOS defaults, or the settings defined in the inspection settings policy (see Configuring Settings for Inspection Rules for IOS Devices), are used. These are the settings you can enable or disable:

Alert—Whether to generate stateful packet inspection alert messages on the console.

Audit—Whether audit trail messages are logged to the syslog server or router.

Timeout—Whether to configure the length of time, in seconds, for which a session is managed while there is no activity. If you select Specify Timeout, enter the timeout value; the range is 5-43200 seconds.

Inspect Router Generated Traffic—Whether to inspect traffic that is generated by the device itself. This option is available for a limited number of the protocols.


Configure DNS Dialog Box

Use the Configure DNS dialog box to configure settings for DNS inspection on PIX 7.0+, ASA, FWSM, and IOS devices.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select DNS in the protocols table, and click Configure.

Field Reference

Table 15-5 Configure DNS Dialog Box 

Element
Description

Maximum DNS Packet Length

The maximum DNS packet length. Values are 512 to 65535.

DNS Map

The DNS policy map object that defines traffic match conditions and actions, protocol conformance policies, and filter settings. Enter the object name, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Enable Dynamic Filter Snooping

Whether to allow the security appliance to snoop DNS packets in order to build a database of DNS lookup information. This information is used by botnet traffic filtering to match DNS names to IP addresses.

If you configure a botnet traffic filtering rules policy, select this option. Otherwise, do not select the option. For more information, see Botnet Traffic Filter Rules Page, page 17-9.


Configure SMTP Dialog Box

Use the SMTP dialog box to edit settings for Simple Mail Transfer Protocol (SMTP) inspection. SMTP is used to transfer email between servers and clients on the Internet.

SMTP inspection drops any packets with illegal commands. You can configure a maximum data length for packets. Enter a length in the range 0-4294967295.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select SMTP in the protocols table, and click Configure.

Configure ESMTP Dialog Box

Use the Configure ESMTP dialog box to edit settings for Extended Simple Mail Transfer Protocol (ESMTP) inspection. You can configure these settings based on platform:

IOS devices—You can configure a maximum data length for packets. Enter a length in the range 0-4294967295.

ASA/PIX 7.x+ devices—You can specify an ESMTP policy map object to define deep inspection parameters. Enter the name of the object or click Select to select it from a list or to create a new object.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select ESMTP in the protocols table, and click Configure.

Configure Fragments Dialog Box

Use the Configure Fragments dialog box to edit settings for fragment inspection on IOS devices.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select fragment in the protocols table, and click Configure.

Field Reference

Table 15-6 Configure Fragments Dialog Box 

Element
Description

Maximum Fragments

The maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. Values are 0-10000 state entries. The default is 256.

Note Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

Timeout (sec)

The number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. Values are 1-1000. The default timeout value is one second.


Configure IMAP or POP3 Dialog Boxes

Use the Configure IMAP or POP3 dialog boxes to edit settings for Internet Message Access Protocol (IMAP) or Post Office Protocol 3 (POP3) inspection on IOS devices.

IMAP is a method for accessing electronic mail or bulletin board messages that are kept on a mail server that may be shared. It permits a client email program to access remote messages as though they were local.

POP3 is used to receive email that is stored on a mail server. Unlike IMAP, POP retrieves mail only from a remote host.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select IMAP or POP3, and click Configure.

Field Reference

Table 15-7 Configure IMAP or POP3 Dialog Boxes 

Element
Description

Reset Connection on Invalid IMAP/POP3 packet

Whether to reset, or drop, the connection between the client and server if an invalid packet is encountered. The client will have to repeat the validation process to reconnect to the server.

Enforce Secure Authentication

Whether to require that the client use a secure login to the server, that is, so that passwords are not sent in clear text.


Configure RPC Dialog Box

Use the RPC dialog box to edit settings for RPC inspection on IOS devices. RPC inspection blocks traffic for all RPC programs except for those you specify. To allow more than one RPC program, create a rule for each program number you want to allow.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select RPC in the protocols table, and click Configure.

Field Reference

Table 15-8 Configure RPC Dialog Box 

Element
Description

Program Number

The program number to permit. Values are 1-4294967295.

Wait Time

The number of minutes to keep a hole in the firewall open to allow subsequent connections from the same source address to the same destination address and port. Values are 0-35791 minutes. The default is 0.


Custom Protocol Dialog Box

Use the Custom Protocol dialog box to assign a name to the protocol and port specification you made on the Add or Edit Inspect/Application FW Rule Wizard Specify Address and Port Page for IOS devices.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select custom protocol in the protocols table, and click Configure.

Configure Dialog Box

Use the Configure dialog box to select a policy map object for HTTP or IM inspection. The maps used for these types of inspection differ depending on the operating system version used on the device. Select the desired version and then click Select to select the desired policy map object or to create a new one.

Navigation Path

Go to the Add or Edit Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select HTTP or IM in the protocols table, and click Configure.

Configuring Protocols and Maps for Inspection

When you configure inspection rules for a device, you select the protocols that you want to inspect. Some of these protocols allow additional configuration for deep inspection. Deep inspection allows you to specify additional requirements that packets must meet in order to traverse the device. For example, you can drop HTTP connections where the content type of the request and response do not match. (For a full list of inspectable protocols, click Add Row on the Inspection Rule page and click Next to view the protocols list.)

What you can configure depends not only on the protocol but on the device's operating system and version number. Typically, your ability to fine-tune inspection is higher on an ASA device compared to an IOS device. (If you are configuring an IOS device and you want greater control over inspection, consider configuring zone-based firewall inspection; for more information, see Understanding the Zone-based Firewall Rules, page 18-3.)

Some deep inspection configuration is done directly in the inspection rule. However, for some protocols, you can configure the inspection rule to include a policy map that you create as an independent policy object. (You need to configure policy maps only if you want something other than the default inspection options.) You can configure these maps from the policy object selector dialog box while configuring the policy, or from the Policy Object Manager window (select Tools > Policy Object Manager).

For protocols that use policy maps, you can select the desired policy map, which defines the match conditions for the targeted traffic. For ASA, PIX, and FWSM devices, these policy maps might point to class maps that define the match conditions. To create these policy maps in the Policy Object Manager, select one of the maps listed in the following table in the Maps > Policy Maps > Inspect folder and review the detailed usage information in the references mentioned. For information on creating class maps, which are in the Maps > Class Maps > Inspect folder, see the references to the match criterion dialog boxes and Configuring Class Maps for Inspection Policies.

Table 15-9 Configuring Protocols for Deep Inspection in Inspection Rules 

Protocol
Device Types
Policy Map
Class Map (ASA, PIX, FWSM only)
Description and Match Criteria Reference

DNS

ASA, PIX, FWSM, IOS

DNS

DNS

Inspect traffic based on a wide variety of criteria using the class and policy map, which allow extensive control over DNS packets. In addition, you can configure a maximum length in the inspection rule, and enable dynamic DNS snooping for use with Botnet rules (on ASA devices). See the following topics:

Configuring DNS Maps

DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Configure DNS Dialog Box

FTP Strict

ASA, PIX, FWSM, IOS

FTP

FTP

Inspect traffic based on file name, type, server, user, or FTP command. See Configuring FTP Maps and FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes.

GTP

ASA, PIX, FWSM, IOS

GTP

GTP

Inspect traffic based on timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance. See Configuring GTP Maps and GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes.

H.323 H.225

H.323 RAS

ASA, PIX, FWSM

H.323 (ASA, PIX, FWSM)

H.323 (ASA, PIX, FWSM)

Inspect traffic based on a wide variety of criteria, including the H.323 message type, calling party, and called party. See Configuring H.323 Maps and H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes.

HTTP

ASA, PIX, FWSM, IOS

HTTP (ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS)

HTTP (ASA 7.2+, PIX 7.2+)

HTTP (ASA, PIX, FWSM)

Inspect traffic based on a wide variety of criteria including the content of the header or body, port misuse, and whether the traffic includes a Java applet. The maps used differ based on the operating system and version.

For ASA/PIX 7.2+, see Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices and HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes.

For ASA/PIX 7.1.x, FWSM 3.x+, and IOS, see Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.

SIP

ASA, PIX, FWSM

SIP (ASA, PIX, FWSM)

SIP (ASA, PIX, FWSM)

Inspect traffic based on a wide variety of criteria. See Configuring SIP Maps and SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes.

Skinny

ASA, PIX, FWSM, IOS

Skinny

(none)

Inspect traffic based on a wide variety of criteria. See Configuring Skinny Maps and Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes.

SMTP

ASA, PIX 7.x+, FWSM 3.x+, IOS

(none)

(none)

Inspect Simple Mail Transfer Protocol (SMTP) traffic and drop any that use illegal commands. You can configure a maximum data length for packets. See Configure SMTP Dialog Box.

SNMP

ASA, PIX, FWSM 3.x+, IOS

SNMP

(none)

Inspect SNMP traffic based on SNMP version. See Configuring SNMP Maps.

NetBIOS

ASA, PIX 7.x+, FWSM

NetBIOS

(none)

Inspect NetBIOS traffic to translate IP addresses in the NetBIOS name service (NBNS) packets according to the security appliance NAT configuration. You can drop packets that violate the protocol. See Configuring NetBIOS Maps.

IPSec Pass Through

ASA, PIX 7.x+

IPsec Pass Through

(none)

Inspect IPSec traffic and control whether ESP or AH traffic is allowed. See Configuring IPsec Pass Through Maps.

DCE/RPC

ASA 7.2+, PIX 7.2+, FWSM 3.2+

DCE/RPC

(none)

Inspect traffic based on time-outs and enforcing the mapper service. See Configuring DCE/RPC Maps.

IP options

ASA 8.2(2)+

IP Options

(none)

Allow IP packets that have certain options configured in the Options section of the IP header. In routed mode, packets that contain the router-alert option are allowed. Otherwise, if any option is set, packets are dropped. IP options are unnecessary for most communication, but the NOP (no operation) option might be used for padding, so you might want to allow it. See Configuring IP Options Maps.

ESMTP

ASA, PIX 7.x+, FWSM 3.x+, IOS

ESMTP

(none)

Inspect ESMTP traffic. For IOS, you can configure only maximum data length. For ASA, PIX, FWSM, you can inspect traffic based on a wide variety of criteria. See Configuring ESMTP Maps.

Fragment

IOS

(none)

(none)

Inspect traffic based on a maximum allowed number of unassembled packet fragments. See Configure Fragments Dialog Box.

IMAP (Internet Message Access Protocol)

POP3 (Post Office Protocol 3)

IOS

(none)

(none)

Inspect traffic based on invalid commands or clear text logins. See Configure IMAP or POP3 Dialog Boxes.

RPC (Sun Remote Procedure Call)

FWSM 2.x, IOS

(none)

(none)

Inspect traffic based on the RPC protocol number. See Configure RPC Dialog Box.

IM

ASA, PIX 7.x+, IOS

IM (ASA 7.2+, PIX 7.2+)

IM (IOS)

IM (only for ASA, PIX)

Inspect traffic based on a wide variety of criteria. The allowed maps differ based on operating system version.

For ASA, PIX, see Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices and IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes.

For IOS, see Configuring IM Maps for IOS Devices.


Related Topics

Selecting Which Protocols To Inspect

Understanding Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices

Configuring Inspection Rules

Creating Policy Objects, page 6-6

Understanding Map Objects, page 6-60

Configuring Regular Expressions for Inspection Maps

Configuring Regular Expression Groups

Configuring Class Maps for Inspection Policies

Use the Add and Edit Class Map dialog boxes to define class maps to be used in policy maps of the same type. The name of the dialog box indicates the type of map you are creating.

A class map defines application traffic based on criteria specific to the application. You then select the class map in the corresponding policy map and configure the action to take for the selected traffic. Thus, each class map must contain traffic that you want to handle in the same way (for example, to allow it or to drop it).

When configuring inspection rules for devices running ASA/PIX 7.2 or higher, or FWSM, you can create class maps for the inspection of the following types of traffic: DNS, FTP, H.323, HTTP, IM, and SIP.

You can also define class criteria in the related policy map. However, creating class maps allows you to reuse the map in multiple policy maps.

The following topics describe the available match criteria:

DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Navigation Path

Select Tools > Policy Object Manager, then select DNS, FTP, H.323 (ASA/PIX/FWSM), HTTP (ASA/PIX/FWSM), IM, or SIP (ASA/PIX/FWSM) in the Maps > Class Maps > Inspect folder in the table of contents. Right-click inside the work area, then select New Object, or right-click a row, then select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Understanding Inspection Rules

Field Reference

Table 15-10 Add or Edit Class Maps Dialog Boxes for Inspection Rules 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Match table

Match Type

The Match table lists the criteria included in the class map. Each row shows whether the inspection looks for traffic that matches or does not match a criterion, together with the criterion and the value that are inspected.

To add a criterion, click the Add button and fill in the Match Criterion dialog box. For more information, see the topics referenced above.

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Configuring DCE/RPC Maps

Use the Add or Edit DCE/RPC Map dialog boxes to define a map for DCE/RPC inspection. A DCE/RPC inspection policy map lets you change the default configuration values used for DCE/RPC inspection.

DCE/RPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.

This typically involves a client querying a server called the Endpoint Mapper listening on a well-known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.

DCE/RPC inspection maps inspect native TCP communication between the EPM and the client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are taken from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by the EPM, multiple uses of a pinhole are allowed, and the pinholes have user-configurable timeouts.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DCE/RPC from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-11 Add and Edit DCE/RPC Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Pinhole Timeout

The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00). Valid values are between 00:00:01 and 1193:00:00.

Enforce Endpoint Mapper Service

Whether to enforce the endpoint mapper service during binding. Using this service, a client queries a server, called the Endpoint Mapper, for the dynamically allocated network information of a required service.

Enable Endpoint Mapper Service Lookup

Service Lookup Timeout

Whether to enable the lookup operation of the endpoint mapper service. If you select this option, you can enter the timeout for the lookup operation. If you do not specify a timeout, the pinhole timeout or the default pinhole timeout value is used. Valid values are between 00:00:01 and 1193:00:00.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Configuring DNS Maps

Use the Add and Edit DNS Map dialog boxes to define DNS Maps for inspection. A DNS map lets you change the default configuration values used for DNS application inspection.

DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. You can configure rules for certain DNS types to be allowed, dropped, or logged, while others are blocked. For example, you can restrict zone transfer between servers.

The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS randomization can be enabled to avoid spoofing and cache poisoning of servers that either do not support randomization or that use a weak pseudo-random number generator. Limiting the domain names that can be queried protects the public server further.

You can configure a DNS mismatch alert to notify you when an excessive number of mismatching DNS responses is received, which could indicate a cache poisoning attack.
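The following is an added illustration, not Cisco code, of the behaviour these settings describe: the DNS Guard function lets one response through per outstanding query, the query ID can be randomized towards the server and restored for the client, and ID mismatches are counted against a Threshold within a Time Interval (the settings on the map's Mismatch Rate tab) before a log message is generated. It assumes each DNS message is reduced to (client address, server address, transaction ID), that a response with no matching query is dropped, and that the counter restarts after a message is logged; the sample traffic is constructed.

```python
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

Key = Tuple[str, str, int]  # (client address, server address, DNS ID as seen on the server side)


@dataclass
class DnsGuard:
    """Per-flow DNS ID tracking modelled on the DNS Guard and Mismatch Rate settings (assumed semantics)."""
    threshold: int                     # Mismatch Rate tab: mismatches tolerated before a log message
    interval: float                    # Mismatch Rate tab: monitoring window in seconds
    randomize_ids: bool = False        # Protocol Conformance tab: randomize the ID in the query
    rng: Callable[[], int] = field(default=lambda: secrets.randbelow(65536))
    pending: Dict[Key, int] = field(default_factory=dict)        # server-side ID -> client's original ID
    mismatch_times: Deque[float] = field(default_factory=deque)  # timestamps of recent mismatches
    logs: List[str] = field(default_factory=list)

    def outbound_query(self, client: str, server: str, dns_id: int) -> int:
        """Record an outstanding query and return the ID that is forwarded towards the server."""
        wire_id = self.rng() if self.randomize_ids else dns_id
        self.pending[(client, server, wire_id)] = dns_id
        return wire_id

    def inbound_response(self, client: str, server: str, wire_id: int, now: float) -> Tuple[str, Optional[int]]:
        """Return ('forward', id_restored_for_client) or ('drop', None)."""
        key = (client, server, wire_id)
        if key in self.pending:
            # One response per query: the entry is consumed, so a replay of the same answer is a mismatch.
            return "forward", self.pending.pop(key)
        self._record_mismatch(now)
        return "drop", None

    def _record_mismatch(self, now: float) -> None:
        self.mismatch_times.append(now)
        # Keep only the mismatches that fall inside the monitoring window.
        while self.mismatch_times and self.mismatch_times[0] < now - self.interval:
            self.mismatch_times.popleft()
        if len(self.mismatch_times) > self.threshold:
            self.logs.append(f"t={now:.0f}s: DNS ID mismatch rate exceeded "
                             f"({len(self.mismatch_times)} in {self.interval:.0f}s)")
            self.mismatch_times.clear()  # assumption: one burst produces one message


def run_sample() -> dict:
    """Replay constructed traffic: a legitimate exchange, a replayed answer, then a burst of
    forged answers guessing the ID (the pattern the mismatch alert is meant to flag)."""
    server_ids = iter([0x7F3A])  # deterministic stand-in for the random ID generator
    guard = DnsGuard(threshold=3, interval=10.0, randomize_ids=True, rng=lambda: next(server_ids))
    client, server = "10.1.1.5", "192.0.2.53"

    wire_id = guard.outbound_query(client, server, dns_id=0x0001)  # client used ID 1, server sees 0x7F3A
    events = [
        (1.0, wire_id),                               # genuine answer from the server
        (2.0, wire_id),                               # same answer again: only one response per query passes
        (3.0, 0x0002), (4.0, 0x0003), (5.0, 0x0004),  # forged answers with guessed IDs
    ]
    forwarded, dropped = [], 0
    for now, rid in events:
        verdict, client_id = guard.inbound_response(client, server, rid, now)
        if verdict == "forward":
            forwarded.append(client_id)
        else:
            dropped += 1
    return {"server_side_id": wire_id, "forwarded": forwarded, "dropped": dropped, "logs": list(guard.logs)}


if __name__ == "__main__":
    print(run_sample())
```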

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > DNS from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Configuring Class Maps for Inspection Policies

Field Reference

Table 15-12 Add and Edit DNS Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Protocol Conformance Tab

Defines DNS security settings and actions. For a description of the options on this tab, see DNS Map Protocol Conformance Tab.

Filtering Tab

Defines the filtering settings for DNS. For a description of the options on this tab, see DNS Map Filtering Tab.

Mismatch Rate Tab

The Log When DNS ID Mismatch Rate Exceeds option determines whether you want to report excessive instances of DNS identifier mismatches based on the following criteria:

Threshold—The maximum number of mismatch instances before a system message log is sent. Values are 0 to 4294967295.

Time Interval—The time period to monitor (in seconds). Values are 1 to 31536000.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row shows whether the inspection looks for traffic that matches or does not match a criterion, the criterion and the value that are inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


DNS Map Protocol Conformance Tab

Use the Protocol Conformance tab to define DNS security settings and actions for a DNS map.

Navigation Path

Click the Protocol Conformance tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-13 DNS Map Protocol Conformance Tab 

Element
Description

Enable DNS Guard Function

Whether to perform a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.

Generate Syslog for ID Mismatch

Whether to create syslog entries for excessive instances of DNS identifier mismatches.

Randomize the DNS Identifier for DNS Query

Whether to randomize the DNS identifier in the DNS query message.

Enable NAT Rewrite Function

Whether to enable IP address translation in the A record of the DNS response.

Enable Protocol Enforcement

Whether to enable DNS message format check, including domain name, label length, compression, and looped pointer check.

Require Authentication Between DNS Server (RFC2845)

Action

Whether to require TSIG transaction signatures (RFC 2845) on DNS messages exchanged between servers. If you select this option, select the action to take when a message carries no valid signature.


DNS Map Filtering Tab

Use the Filtering tab to define DNS filtering settings and actions for a DNS map.

Navigation Path

Click the Filtering tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-14 DNS Map Filtering Tab 

Element
Description

Drop Packets that Exceed Specified Length

Maximum Packet Length

Whether to drop packets that exceed the maximum length in bytes that you specify. This is a global setting that applies to packets in both directions.

Drop Packets Sent to Server that Exceed Specified Maximum Length

Maximum Length

Whether to drop packets sent to the server that exceed the maximum length in bytes that you specify.

Drop Packets Sent to Server that Exceed Length Indicated by Resource Record

Whether to drop packets sent to the server that exceed the length indicated by the resource record.

Drop Packets Sent to Client that Exceed Specified Length

Maximum Length

Whether to drop packets sent to a client that exceed the maximum length in bytes that you specify.

Drop Packets Sent to Client that Exceed Length Indicated by Resource Record

Whether to drop packets sent to the client that exceed the length indicated by the resource record.


DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit DNS Match Criterion (for DNS class maps) or Match Condition and Action (for DNS policy maps) dialog boxes to do the following:

Define the match criterion and value for a DNS class map.

Select a DNS class map when creating a DNS policy map.

Define the match criterion, value, and action directly in a DNS policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating a DNS class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for DNS, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring Class Maps for Inspection Policies.

When creating a DNS policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit DNS Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring DNS Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-15 DNS Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing DNS class map or define a new DNS class map.

Use Specified Values—You want to define the class map on this dialog box.

Use Values in Class Map—You want to select an existing DNS class map policy object. Enter the name of the DNS class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of traffic to match:

DNS Class—Matches a DNS query or resource record class.

DNS Type—Matches a DNS query or resource record type.

Domain Name—Matches a domain name from a DNS query or resource record.

Header Flag—Matches a DNS flag in the header.

Question—Matches a DNS question.

Resource Record—Matches a DNS resource record.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

(for DNS Class criterion)

The DNS class you want to inspect:

Internet—Matches the Internet DNS class.

DNS Class Field Value—Matches the specified number.

DNS Class Field Range—Matches the specified range of numbers.

Value

(for DNS Type criterion)

The DNS type you want to inspect:

DNS Type Field Name—Matches the name of a DNS type:

A—IPv4 address.

AXFR—Full (zone) transfer.

CNAME—Canonical name.

IXFR—Incremental (zone) transfer.

NS—Authoritative name server.

SOA—Start of a zone of authority.

TSIG—Transaction signature.

DNS Type Field Value—Matches the specified number.

DNS Type Field Range—Matches the specified range of numbers.

Value

(for Domain Name criterion)

The regular expression you want to evaluate. You can select one of the following:

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

Options

Value

(for Header Flag criterion)

The header flag you want to inspect. Use the Options field to indicate whether you want an exact match (Equals) or a partial match (Contains).

Header Flag Name—Matches the selected header flag names:

AA (authoritative answer)

QR (query/response)

RA (recursion available)

RD (recursion desired)

TC (truncation)

Header Flag Value—Matches the specified 16-bit hexadecimal value.

Resource Record

Lists the sections to match:

Additional—DNS additional resource record.

Answer—DNS answer resource record.

Authority—DNS authority resource record.
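The following Python example is added here to show, in running code, what the DNS map settings described in the tables above do; it is not code from Cisco Security Manager or the security appliance, and the function names, the constructed packets, and the per-client bookkeeping are the example's own. It covers the Header Flag criterion with Equals (exact) versus Contains (all named bits set) semantics, the mask action on RD and RA, the protocol-enforcement checks on label length, name length and compression pointers, and the DNS Guard rule that one response is passed per query ID, with unmatched responses counted against the mismatch threshold and time interval.

```python
import struct
from collections import defaultdict

# Well-known DNS header flag bits (RFC 1035 section 4.1.1), as named in the dialog box.
FLAGS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}

def parse_header(msg):
    """Return (id, flags, qdcount) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!3H", msg[:6])

def header_flag_matches(flags, names, exact=False):
    """Header Flag criterion: Contains = every named bit is set; Equals = exactly those bits."""
    wanted = 0
    for name in names:
        wanted |= FLAGS[name]
    return flags == wanted if exact else (flags & wanted) == wanted

def mask_flags(msg, names):
    """The 'mask' action: clear the named bits (for example RD and RA) and forward the rest."""
    ident, flags = struct.unpack("!HH", msg[:4])
    for name in names:
        flags &= 0xFFFF ^ FLAGS[name]
    return struct.pack("!HH", ident, flags) + msg[4:]

def read_name(msg, offset):
    """Decode one name with the protocol-enforcement checks (label <= 63 octets, name <= 255,
    compression pointers only backwards and never looping); returns (name, offset after it)."""
    labels, total, visited, end = [], 0, set(), None
    while True:
        if offset in visited or offset >= len(msg):
            raise ValueError("compression loop or name runs past end of message")
        visited.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:
                raise ValueError("forward compression pointer")
            end = offset + 2 if end is None else end
            offset = target
            continue
        if length > 63:
            raise ValueError("label longer than 63 octets")
        offset += 1
        if length == 0:
            break
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def check_protocol(msg):
    """Protocol-enforcement pass over the header and question section: (True, names) or (False, reason)."""
    try:
        _, _, qdcount = parse_header(msg)
        offset, names = 12, []
        for _ in range(qdcount):
            name, offset = read_name(msg, offset)
            if offset + 4 > len(msg):
                raise ValueError("truncated question entry")
            offset += 4                                # QTYPE + QCLASS
            names.append(name)
        return True, names
    except ValueError as err:
        return False, str(err)

class DnsGuard:
    """DNS Guard: one response per outstanding query ID per client/server pair; unmatched
    responses count toward the ID-mismatch threshold within the configured time interval."""

    def __init__(self, threshold, interval):
        self.threshold, self.interval = threshold, interval
        self.outstanding = defaultdict(set)            # (client, server) -> pending query IDs
        self.mismatches = []                           # timestamps of recent mismatches

    def handle(self, client, server, msg, now):
        """Return 'forward', 'drop' (unmatched response) or 'log' (threshold exceeded)."""
        ident, flags, _ = parse_header(msg)
        pending = self.outstanding[(client, server)]
        if not flags & FLAGS["QR"]:                    # query from the client
            pending.add(ident)
            return "forward"
        if ident in pending:                           # the one response this query may get
            pending.discard(ident)
            return "forward"
        self.mismatches = [t for t in self.mismatches if now - t < self.interval]
        self.mismatches.append(now)
        return "log" if len(self.mismatches) > self.threshold else "drop"

def build_query(ident, name, flags=FLAGS["RD"]):
    """Construct a minimal A/IN query (sample data for this example, not a captured packet)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + wire + struct.pack("!HH", 1, 1)
```

Feeding check_protocol a query whose name contains a compression pointer back to its own start shows the looped-pointer check rejecting it, and mask_flags shows the bit-level effect of the mask action on RD and RA for a server that should never be asked to recurse.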


Configuring ESMTP Maps

Use the Add and Edit ESMTP Map dialog boxes to define the match criterion and values for the ESMTP inspect map. An ESMTP policy map lets you change the default configuration values used for ESMTP inspection.

ESMTP inspection detects attacks including spam, phishing, malformed-message attacks, and buffer overflow and underflow attacks. It also provides application security and protocol conformance checks that enforce the sanity of ESMTP messages, detect several attacks, block senders and receivers, and block mail relay.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > ESMTP from the Object Type selector. Right-click inside the table, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-16 Add and Edit ESMTP Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Mask Server Banner

Whether to mask the server banner to prevent the client from discovering server information.

Configure Mail Relay

Domain Name

Action

Whether to have ESMTP inspection detect mail relay. When you select this option, enter the domain name you are inspecting and select the action you want to take when mail relay is detected.

Special Character (ASA7.2.3+/PIX7.2.3+)

Action

Whether you want to detect special characters in sender or receiver email addresses. If you select this option, select the action you want to take when special characters are detected.

Allow TLS (ASA7.2.3+, 8.0.3+/PIX7.2.3)

Action Log

Whether to allow the ESMTP session to negotiate TLS (STARTTLS) through the security appliance. Without this option the appliance hides the server's STARTTLS capability so that the session stays in cleartext and can be inspected; with it, the client and server can switch to TLS, after which ESMTP inspection cannot see the traffic. If you select this option, you can also select Action Log to create a log entry when TLS is negotiated.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for an ESMTP policy map.

The fields on this dialog box change based on the criterion you select. You can use the following criteria:

Body Length—Matches the message body length.

Body Line Length—Matches the length of a line in the message body.

Commands—Matches ESMTP commands.

Command Recipient Count—Matches the number of recipient email addresses.

Command Line Length—Matches the number of characters of a command line.

EHLO Reply Parameters—Matches the ESMTP EHLO reply parameters.

Header Length—Matches the number of characters of the header.

Header Line Length—Matches the number of characters of a line in the message header.

To Recipients Count—Matches the number of recipients in the To field of the header.

Invalid Recipients Count—Matches the number of invalid recipients in the header.

MIME File Type—Matches the MIME file type.

MIME Filename Length—Matches the number of characters of the filename.

MIME Encoding—Matches the MIME encoding scheme.

Sender Address—Matches the address of the sender.

Sender Address Length—Matches the number of characters of the sender's address.

Navigation Path

In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit ESMTP Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring ESMTP Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-17 ESMTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Criterion

Specifies which criterion of ESMTP traffic to match. The criteria are described above.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Action

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Greater Than Length

The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.

The dialog box indicates the valid range for the length, except for Body Length and Header Length, which can be 1 to 4294967295.

Commands

The ESMTP command verbs you want to inspect.

Greater Than Count

The number of evaluated items. The criterion matches if the count is greater than the specified number, and does not match if the count is less than the specified number.

Parameters

The ESMTP EHLO reply parameters you want to inspect.

Value

The regular expression you want to evaluate. You can select one of the following:

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

MIME Encoding

The type of MIME encoding schemes you want to inspect.
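The following Python example is an added illustration, not code from Cisco Security Manager or the security appliance, of how the ESMTP parameters and criteria above act on a session: it masks the server banner, hides the STARTTLS capability unless Allow TLS is set, and applies the Command Line Length, Special Character, Command Recipient Count and Mail Relay checks to the client's commands. The transcript, the thresholds, the set of characters treated as special, and the relay rule used here (neither the sender nor the recipient domain is the configured domain) are this example's own assumptions.

```python
import re

SPECIAL = re.compile(r"[|`\x00]")        # characters treated as 'special' here (example's choice)
MAILBOX = re.compile(r"<([^>]*)>")

def mailbox(arg):
    """Pull the mailbox out of 'FROM:<a@b>' or 'TO:<a@b>' (empty string for the null sender)."""
    match = MAILBOX.search(arg)
    return match.group(1) if match else arg.partition(":")[2].strip()

def domain(addr):
    return addr.rpartition("@")[2].lower()

class EsmtpInspector:
    """Applies a subset of the ESMTP map parameters and match criteria to one session."""

    def __init__(self, local_domain, max_rcpt=50, max_cmd_line=512,
                 mask_banner=True, allow_tls=False):
        self.local_domain = local_domain.lower()
        self.max_rcpt, self.max_cmd_line = max_rcpt, max_cmd_line
        self.mask_banner, self.allow_tls = mask_banner, allow_tls
        self.banner_seen, self.sender, self.rcpt_count = False, None, 0
        self.log = []                         # (verdict, reason) for every flagged line

    def _flag(self, verdict, reason):
        self.log.append((verdict, reason))
        return verdict

    def server_line(self, reply):
        """Return the reply line to forward to the client, possibly rewritten."""
        if not self.banner_seen and reply.startswith("220"):
            self.banner_seen = True
            if self.mask_banner:              # Mask Server Banner: hide software and version
                return "220 " + "*" * max(len(reply) - 4, 0)
        if reply.upper() in ("250-STARTTLS", "250 STARTTLS") and not self.allow_tls:
            # Without Allow TLS the capability is hidden: an encrypted session could not be inspected.
            self._flag("mask", "STARTTLS capability hidden from client")
            return reply[:4] + "X" * 8
        return reply

    def client_line(self, command):
        """Return 'forward' or the action of the first criterion the command matches."""
        if len(command) > self.max_cmd_line:
            return self._flag("drop-connection", "Command Line Length > %d" % self.max_cmd_line)
        verb, _, arg = command.partition(" ")
        verb = verb.upper()
        if verb == "RSET":
            self.sender, self.rcpt_count = None, 0
        elif verb == "MAIL":
            self.sender = mailbox(arg)
            if SPECIAL.search(self.sender):
                return self._flag("drop-connection", "Special Character in sender address")
        elif verb == "RCPT":
            rcpt = mailbox(arg)
            self.rcpt_count += 1
            if SPECIAL.search(rcpt):
                return self._flag("drop-connection", "Special Character in recipient address")
            if self.rcpt_count > self.max_rcpt:
                return self._flag("drop-connection", "Command Recipient Count > %d" % self.max_rcpt)
            # Mail Relay, as interpreted here: neither sender nor recipient belongs to our domain.
            if self.sender is not None and self.local_domain not in (domain(self.sender), domain(rcpt)):
                return self._flag("drop-connection", "Mail Relay: %s -> %s" % (self.sender, rcpt))
        return "forward"

def run_session(inspector, transcript):
    """Feed a transcript of ('S', reply) / ('C', command) lines; return the client verdicts."""
    verdicts = []
    for side, line in transcript:
        if side == "S":
            inspector.server_line(line)
        else:
            verdicts.append(inspector.client_line(line))
    return verdicts

# Constructed transcript: an outside sender tries to relay through our MX to a third domain.
SAMPLE_SESSION = [
    ("S", "220 mx.example.com ESMTP Postfix 3.8"),
    ("C", "EHLO attacker.invalid"),
    ("S", "250-mx.example.com"),
    ("S", "250-STARTTLS"),
    ("S", "250 SIZE 10240000"),
    ("C", "MAIL FROM:<spammer@other.invalid>"),
    ("C", "RCPT TO:<victim@third.invalid>"),
]
```

Running run_session over SAMPLE_SESSION with an inspector for example.com lets the EHLO and MAIL commands through and drops the connection at the relaying RCPT; the same session with allow_tls=True passes the 250-STARTTLS line unchanged, which is the trade-off the Allow TLS option makes.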


Configuring FTP Maps

Use the Add and Edit FTP Map dialog boxes to define the match criterion and values for an FTP inspect map. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > FTP from the Object Type selector. Right-click inside the table, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Configuring Class Maps for Inspection Policies

Field Reference

Table 15-18 Add and Edit FTP Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Mask Greeting Banner from Server

Whether to mask the greeting banner from the FTP server to prevent the client from discovering server information.

Mask Reply to SYST Command

Whether to mask the reply to the syst command to prevent the client from discovering server information.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Validate For

Validate button

The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine if the object is configured in a way that will prevent policy deployment.


FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit FTP Match Criterion (for FTP class maps) or Match Condition and Action (for FTP policy maps) dialog boxes to do the following:

Define the match criterion and value for an FTP class map.

Select an FTP class map when creating an FTP policy map.

Define the match criterion, value, and action directly in an FTP policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating an FTP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for FTP, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring Class Maps for Inspection Policies.

When creating an FTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit FTP Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring FTP Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-19 FTP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing FTP class map or define a new FTP class map.

Use Specified Values—You want to define the class map on this dialog box.

Use Values in Class Map—You want to select an existing FTP class map policy object. Enter the name of the FTP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of FTP traffic to match:

Request Command—Matches an FTP request command.

Filename—Matches a filename for FTP transfer.

File Type—Matches a file type for FTP transfer.

Server—Matches an FTP server name.

Username—Matches an FTP username.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Request Commands

The FTP commands you want to inspect:

Append (APPE)—Appends to a file.

Delete (DELE)—Deletes a file at the server site.

Help (HELP)—Provides help information from the server.

Put (PUT)—FTP client command for the stor (store a file) command.

Rename From (RNFR)—Specifies rename-from filename.

Server Specific Command (SITE)—Specifies commands that are server specific. Usually used for remote administration.

Change to Parent (CDUP)—Changes to the parent directory of the current working directory.

Get (GET)—FTP client command for the retr (retrieve a file) command.

Create Directory (MKD)—Creates a directory.

Remove Directory (RMD)—Removes a directory.

Rename To (RNTO)—Specifies rename-to filename.

Store File with Unique Name (STOU)—Stores a file with a unique filename.

Value

The regular expression you want to evaluate. You can select one of the following:

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.


Configuring GTP Maps

Use the Add and Edit GTP Map dialog boxes to define the match criterion and values for a GTP inspect map.

The GPRS Tunneling Protocol (GTP) carries subscriber traffic and signaling between the nodes of a GSM/GPRS core network, giving mobile subscribers continuous connectivity to corporate networks or the Internet. GTP uses a tunneling mechanism to carry user data packets.

A GTP map object lets you change the default configuration values used for GTP application inspection. GTP itself provides no authentication or encryption, so inspection is the point at which the security appliance enforces controls on the tunnels. You can use a GTP map to control timeout values, message sizes, tunnel counts, and the GTP versions allowed to traverse the security appliance.


Tip GTP inspection requires a special license. If you do not have the required license, you will see device errors if you try to deploy a GTP map.


Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > GTP from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-20 Add and Edit GTP Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Country and Network Codes Table

The three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc) to include in the map. The codes are 000 to 999.

To add codes, click the Add button and fill in the dialog box.

To edit a row, select it and click the Edit button.

To delete a row, select it and click the Delete button.

Permit Response Table

The Network/Host policy objects for which you will allow GTP responses from a GSN that is different from the one to which the response was sent.

To add objects, click the Add button and fill in the dialog box. For more information, see Add and Edit Permit Response Dialog Boxes.

To edit a row, select it and click the Edit button.

To delete a row, select it and click the Delete button.

Request Queue

The maximum requests allowed in the queue. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. Values are 1-9999999. The default is 200.

Tunnel Limit

The maximum number of tunnels allowed.

Permit Errors

Whether to permit packets with errors or different GTP versions. By default, all invalid packets or packets that failed during parsing are dropped.

Edit Timeouts button

Click this button to configure time out values for various operations. For more information about the options, see GTP Map Timeouts Dialog Box.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Validate For

Validate button

The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine if the object is configured in a way that will prevent policy deployment.


Add and Edit Country Network Codes Dialog Boxes

Use the Add and Edit Country Network Codes dialog boxes to add Mobile Country Code (mcc) and Mobile Network Code (mnc) values to the GTP policy map. The codes can be 000 to 999.

Navigation Path

From the Add and Edit GTP Map dialog boxes, click the Add button in the Country and Network codes table, or select a row and click the Edit button. See Configuring GTP Maps.

Add and Edit Permit Response Dialog Boxes

Use the Add and Edit Permit Response dialog boxes to permit GTP responses from a GSN that is different from the one to which the response was sent.

Enter the name of a Network/Host policy object that defines the destination (To Object Group) and source (From Object Group) of the traffic. You can click Select to select the object from a list, where you can also create a new object by clicking the Create button in the Object Selector dialog box.

You cannot use the Network/Host object named "any."

Navigation Path

From the Add and Edit GTP Map dialog boxes, click the Add button in the Permit Response table, or select a row and click the Edit button. See Configuring GTP Maps.

GTP Map Timeouts Dialog Box

Use the GTP Map Timeouts dialog box to set timeout values for a GTP Map.

Navigation Path

From the Add and Edit GTP Map dialog boxes, click the Edit Timeouts button on the Parameters tab. See Configuring GTP Maps.

Field Reference

Table 15-21 GTP Map Timeouts Dialog Box 

Element
Description

GSN Timeout

The period of inactivity (hh:mm:ss) after which a GSN is removed. The default is 30 minutes. Enter 0 to disable the timeout so that a GSN is never removed for inactivity.

PDP Context Timeout

The period of inactivity (hh:mm:ss) after which a PDP context is removed. The default is 30 minutes. Enter 0 to specify no limit.

Request Queue Timeout

The maximum time (hh:mm:ss) a request waits in the request queue for its response before it is removed. The default is 60 seconds. Enter 0 to specify no limit.

Signaling Connections Timeout

The period of inactivity (hh:mm:ss) after which a GTP signaling connection is removed. The default is 30 minutes. Enter 0 to disable the timeout so that signaling connections are never removed for inactivity.

Tunnel Timeout

The period of inactivity (hh:mm:ss) after which a GTP tunnel is torn down when no Delete PDP Context Request has been received. The default is 60 seconds. Enter 0 to disable the timeout so that idle tunnels are never torn down.

T3 Response Timeout

The maximum wait time for a response before removing the connection.


GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for a GTP policy map.

The fields on this dialog box change based on the criterion you select.

Navigation Path

In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit GTP Map dialog box, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring GTP Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-22 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Criterion

Specifies which criterion of GTP traffic to match:

Access Point Name—Matches the access point name so you can define the access points to drop when GTP application inspection is enabled.

Message ID—Matches the numeric identifier for the message that you want to drop. By default, all valid message IDs are allowed.

Message Length—Matches the length of the UDP packet. Use this criterion to change the default for the maximum allowed message length for the UDP payload.

Version—Matches the GTP version.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Action

The action you want the device to take for traffic that matches the defined criteria.

Drop Packet—By default, all invalid packets or packets that failed during parsing are dropped.

Drop Packet and Log

Rate Limit

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Access Point Name

The access points to act on when GTP application inspection is enabled.

Specified By—An access point name to be dropped. By default, all messages with valid APNs are inspected, and any APN is allowed.

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

ID Type

The numeric identifier of the message that you want to act on.

Value—A single message ID.

Range—A range of message IDs.

Minimum Length

The minimum number of bytes in the UDP payload.

Maximum Length

The maximum number of bytes in the UDP payload.

Version Type

The GTP version as a single value or range of values.

Use 0 to identify Version 0 and 1 to identify Version 1. GTP version 0 uses UDP port 3386; version 1 uses UDP port 2123 for control messages (GTP-C) and port 2152 for user data (GTP-U). By default all GTP versions are allowed.
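The following Python example is added here and is not code from Cisco Security Manager or the security appliance. It parses GTPv0 and GTPv1 headers and evaluates the Version, Message ID and Message Length criteria above together with the Permit Errors parameter, and it models the Request Queue (the oldest request is evicted when the queue is full) and the Request Queue Timeout from the Parameters tab and the GTP Map Timeouts dialog box. The packets are constructed, the declared-length and port-versus-version checks are the example's own additions, and the message type constants are the GTP values for Echo Request and Create PDP Context Request/Response.

```python
import struct
from collections import OrderedDict

# UDP ports by GTP version: v0 uses 3386; v1 uses 2123 (GTP-C) and 2152 (GTP-U).
GTP_PORTS = {0: {3386}, 1: {2123, 2152}}
ECHO_REQUEST, CREATE_PDP_REQUEST, CREATE_PDP_RESPONSE = 0x01, 0x10, 0x11

def parse_gtp(payload):
    """Return (version, message_type, declared_length) after basic header sanity checks."""
    if len(payload) < 8:
        raise ValueError("shorter than the minimum GTP header")
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5
    if version == 0:
        header_len = 20                       # fixed 20-byte GTPv0 header
    elif version == 1:
        header_len = 8                        # optional seq/N-PDU/next-ext fields count in 'length'
    else:
        raise ValueError("unsupported GTP version %d" % version)
    if len(payload) < header_len:
        raise ValueError("truncated GTP header")
    if header_len + length > len(payload):
        raise ValueError("declared length %d exceeds packet" % length)
    return version, msg_type, length

class GtpPolicy:
    """Policy-map style evaluation: Version, Message ID and Message Length criteria
    plus the Permit Errors parameter for packets that fail parsing."""

    def __init__(self, versions=(0, 1), drop_messages=(), min_len=0, max_len=1460,
                 permit_errors=False):
        self.versions, self.drop_messages = set(versions), set(drop_messages)
        self.min_len, self.max_len, self.permit_errors = min_len, max_len, permit_errors

    def evaluate(self, dst_port, payload):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        try:
            version, msg_type, _ = parse_gtp(payload)
        except ValueError as err:
            return ("forward" if self.permit_errors else "drop", "parse error: %s" % err)
        if dst_port not in GTP_PORTS[version]:
            return "drop", "GTP version %d on port %d" % (version, dst_port)
        if version not in self.versions:
            return "drop", "Version %d not permitted" % version
        if msg_type in self.drop_messages:
            return "drop", "Message ID 0x%02x" % msg_type
        if not self.min_len <= len(payload) <= self.max_len:
            return "drop", "Message Length %d outside %d..%d" % (len(payload), self.min_len, self.max_len)
        return "forward", ""

class RequestQueue:
    """Requests awaiting a response: bounded by the Request Queue size (oldest evicted when
    full) and expired by the Request Queue Timeout."""

    def __init__(self, limit=200, timeout=60):
        self.limit, self.timeout = limit, timeout
        self.pending = OrderedDict()          # sequence number -> time queued

    def _expire(self, now):
        for seq, queued in list(self.pending.items()):
            if now - queued >= self.timeout:
                del self.pending[seq]

    def add(self, seq, now):
        self._expire(now)
        if len(self.pending) >= self.limit:
            self.pending.popitem(last=False)  # evict the request queued longest
        self.pending[seq] = now

    def match_response(self, seq, now):
        """True when the response answers a request still in the queue."""
        self._expire(now)
        return self.pending.pop(seq, None) is not None

def build_v1(msg_type, body=b"", teid=0, seq=None):
    """Construct a GTPv1 message; giving seq sets the S flag and adds the 4 optional bytes."""
    flags, optional = (0x30, b"") if seq is None else (0x32, struct.pack("!HBB", seq, 0, 0))
    return struct.pack("!BBHI", flags, msg_type, len(optional) + len(body), teid) + optional + body

def build_v0(msg_type, body=b""):
    """Construct a GTPv0 message (flags 0x0E: version 0, PT=0, spare bits set, SNN=0)."""
    header = struct.pack("!BBHHHB3sQ", 0x0E, msg_type, len(body), 0, 0, 0xFF, b"\xff\xff\xff", 0)
    return header + body
```

A policy built with versions=(1,) and drop_messages={ECHO_REQUEST} forwards a Create PDP Context Request on port 2123 but drops the same packet on port 3386, drops any version 0 message, drops echo requests, and drops a message whose UDP payload is longer than the configured maximum; setting permit_errors=True lets a truncated header through, which is what Permit Errors does.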


Configuring H.323 Maps

Use the Add and Edit H.323 Map dialog boxes to define the match criterion and values for an H.323 inspect map. An H.323 policy map lets you change the default configuration values used for H.323 inspection.

H.323 inspection supports H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including the H.323 v3 feature Multiple Calls on One Call Signaling Channel.

With H.323 inspection enabled, the security appliance supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the security appliance. The two major functions of H.323 inspection are as follows:

NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.

Dynamically allocate the negotiated H.245 and RTP/RTCP connections.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > H.323 (ASA/PIX/FWSM) from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Configuring Class Maps for Inspection Policies

Field Reference

Table 15-23 Add and Edit H.323 Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

HSI Group table

The HSI groups to include in the map. The group number, IP address of the HSI host, and IP addresses and interface names of the clients connected to the security appliance are shown in the table. Up to five HSI hosts per group, and up to ten end points per HSI group, are allowed.

To add a group, click the Add button and fill in the dialog box (see Add or Edit HSI Group Dialog Boxes).

To edit a group, select it and click the Edit button.

To delete a group, select it and click the Delete button.

Call Duration Limit

The maximum duration of a call, entered as hours:minutes:seconds. The range is from 0:0:0 to 1163:0:0. A value of 0 means calls never time out.

Enforce Presence of Calling and Called Party Numbers

Whether to enforce calling and called party numbers used in call setup.

Check State Transition on H.225 Messages

Whether to enable state checking validation on H.225 messages.

Check State Transition on RAS Messages

Whether to enable state checking validation on RAS messages.

Create Pinholes on Seeing RCF Packets

Whether to enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The device opens pinholes for calls based on Registration Request/Registration Confirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint's IP address is unknown and the device opens a pinhole through source IP address/port 0/0.

This option is available for ASA 8.0(5)+ devices.

Check for H.245 Tunneling

Action

Whether to enforce H.245 tunnel blocking and perform the action you select in the Action list box.

Check RTP Packets for Protocol Conformance

Whether to check RTP packets flowing through the pinholes for protocol conformance.

Payload Type must be Audio or Video based on Signaling Exchange

Whether to enforce the payload type to be audio or video based on the signaling exchange.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Add or Edit HSI Group Dialog Boxes

Use the Add or Edit HSI group dialog boxes to add HSI groups to an H.323 policy inspection map.

Navigation Path

From the Parameters tab on the Add and Edit H.323 Map dialog boxes, click the Add Row button in the HSI group table, or select a row and click the Edit Row button. See Configuring H.323 Maps.

Field Reference

Table 15-24 Add and Edit HSI Group Dialog Boxes 

Element
Description

Group ID

The HSI group ID number (0 to 2147483647).

IP Address

The IP address of the HSI host.

Endpoint table

The end points associated with HSI group. You can add up to 10 end points per group. For each end point, you specify the IP address and interface policy group.

To add an end point, click the Add button and fill in the dialog box (see Add or Edit HSI Endpoint IP Address Dialog Boxes).

To edit an end point, select it and click the Edit button.

To delete an end point, select it and click the Delete button.


Add or Edit HSI Endpoint IP Address Dialog Boxes

Use the Add or Edit HSI Endpoint IP Address dialog box to add end points to an HSI group.

Navigation Path

From the Add and Edit HSI Group dialog boxes, click the Add Row button in the end point table, or select a row and click the Edit Row button. See Configuring H.323 Maps.

Field Reference

Table 15-25 Add and Edit HSI Endpoint IP Address Dialog Boxes 

Element
Description

Network/Host

The IP address of the end point host or network.

Interface

The Interface policy group that identifies the interface connected to the security appliance. Enter the name of a policy group, or click Select to select it from a list, where you can also create new policy groups.


H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit H.323 Match Criterion (for H.323 class maps) or Match Condition and Action (for H.323 policy maps) dialog boxes to do the following:

Define the match criterion and value for an H.323 class map.

Select an H.323 class map when creating an H.323 policy map.

Define the match criterion, value, and action directly in an H.323 policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating an H.323 class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for H.323, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring Class Maps for Inspection Policies.

When creating an H.323 policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit H.323 Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring H.323 Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-26 H.323 Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing H.323 class map or define a new H.323 class map.

Use Specified Values—You want to define the class map on this dialog box.

Use Values in Class Map—You want to select an existing H.323 class map policy object. Enter the name of the H.323 class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of H.323 traffic to match:

Called Party—Matches the called party address.

Calling Party—Matches the calling party address.

Media Type—Matches the media type.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

The regular expression you want to evaluate. You can select one of the following:

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

Media Type

The type of media you want to inspect, audio, video, or data.


Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices

Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x, and IOS devices.

The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.

When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled. Security Manager uses the http-map command to configure the map on the device.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > HTTP (ASA 7.1.x/PIX 7.1.x/FWSM3.x/IOS) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-27 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

General tab

Defines the action taken when non-compliant HTTP requests are received and to enable verification of content type. For a description of the options, see HTTP Map General Tab.

Entity Length tab

Defines the action taken if the length of the HTTP content falls outside of configured targets. For a description of the options, see HTTP Map Entity Length Tab.

RFC Request Method tab

Defines the action that the security appliance should take when specific RFC request methods are used in the HTTP request. For a description of the options, see HTTP Map RFC Request Method Tab.

Extension Request Method tab

Defines the action taken when specific extension request methods are used in the HTTP request. For a description of the options, see HTTP Map Extension Request Method Tab.

Port Misuse tab

Defines the action taken when specific undesirable applications are encountered. For a description of the options, see HTTP Map Port Misuse Tab.

Transfer Encoding tab

Defines the action taken when specific transfer encoding types are used in the HTTP request. For a description of the options, see HTTP Map Transfer Encoding Tab.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


HTTP Map General Tab

Use the General tab to define the action taken when non-compliant HTTP requests are received and to enable verification of content type.

Navigation Path

Click the General tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-28 HTTP Map General Tab 

Element
Description

Take action for non-RFC 2616 compliant traffic

Whether you want to configure the action to be taken for traffic that does not comply with RFC 2616. Possible actions are:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection (default)—Send a TCP reset message to client and server.

You can also select Generate Syslog to write a message to the syslog if non-compliant traffic is encountered.

Verify Content-type field belongs to the supported internal content-type list.

Whether you want to configure the action to be taken for traffic whose content type does not belong to the supported internal content-type list. Possible actions are:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection (default)—Send a TCP reset message to client and server.

You can also select these options:

Verify Content-type field for response matches the ACCEPT field of request—To also verify that the content type of the response matches the request.

Generate Syslog—To write a message to the syslog if non-compliant traffic is encountered.

Override Global TCP Idle Timeout (IOS only)

Whether to change the TCP idle timeout default setting. An IOS device terminates a connection if there is no communication activity after this length of time. If you select this option, specify the desired timeout value in seconds.

Override Global Audit Trail Setting (IOS only)

Enable Audit Trail

Whether to change the audit trail setting for IOS devices. If you select this option, you can select Enable Audit Trail to generate audit trail messages.


HTTP Map Entity Length Tab

Use the Entity Length tab to enable inspection based on the length of the HTTP content.

Navigation Path

Click the Entity Length tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-29 HTTP Map Entity Length Tab 

Element
Description

Inspect URI Length

Whether to enable inspection based on the length of the URI. If you select this option, configure the following:

Maximum—The desired maximum length, in bytes, of the URI, from 1 to 65535.

Excessive URI Length Action—The action to take when the length is exceeded:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection—Send a TCP reset message to client and server.

Generate Syslog—Whether to generate a syslog message when a violation occurs.

Inspect Maximum Header Length

Whether to enable inspection based on the length of the HTTP header. If you select this option, configure the following:

Request—The desired maximum length, in bytes, of the request header, from 1 to 65535.

Response—The desired maximum length, in bytes, of the response header, from 1 to 65535.

Excessive Header Length Action—The action to take when the length is exceeded:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection—Send a TCP reset message to client and server.

Generate Syslog—Whether to generate a syslog message when a violation occurs.

Inspect Body Length

Whether to enable inspection based on the length of the message body. If you select this option, configure the following:

Minimum Threshold—The desired minimum length, in bytes, of the message body, from 1 to 65535.

Maximum Threshold—The desired maximum length, in bytes, of the message body, from 1 to 65535.

Body Length Threshold Action—The action to take when the message body falls outside of the configured boundaries:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection—Send a TCP reset message to client and server.

Generate Syslog—Whether to generate a syslog message when a violation occurs.


HTTP Map RFC Request Method Tab

Use the RFC Request Method tab to define the action to take when specific request methods are used in the HTTP request.

Navigation Path

Click the RFC Request Method tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-30 HTTP Map RFC Request Method 

Element
Description

Available and Selected Methods

Action

Generate Syslog

The Available Methods list contains the request methods defined in RFC 2616.

To configure an action for a method, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the >> button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the << button.)

Tip You can select multiple methods at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available methods above.

Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.


HTTP Map Extension Request Method Tab

Use the Extension Request Method tab to define the action taken when specific extension request methods are used in the HTTP request.

Navigation Path

Click the Extension Request Method tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-31 HTTP Map Extension Request Method Tab 

Element
Description

Available and Selected Methods

Action

Generate Syslog

The Available Methods list contains extension request methods, that is, methods that are not defined in RFC 2616 but are added by other specifications, such as the WebDAV methods LOCK, UNLOCK, and MOVE.

To configure an action for a method, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the >> button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the << button.)

Tip You can select multiple methods at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available methods above.

Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.


HTTP Map Port Misuse Tab

Use the Port Misuse tab to enable port misuse application firewall inspection. The application categories you can configure are:

IM—Instant Messaging. The applications checked for are Yahoo! Messenger, AIM, and MSN IM.

P2P—Peer-to-peer applications. The Kazaa application is checked.

Tunneling—Tunneling applications. The applications checked for are HTTPort/HTTHost, GNU Httptunnel, GotoMyPC, Firethru, and Http-tunnel.com Client.

Navigation Path

Click the Port Misuse tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-32 HTTP Map Port Misuse Tab 

Element
Description

Available and Selected Application Categories

Action

Generate Syslog

The Available Application Categories list contains the categories for which you can define firewall inspection settings.

To configure an action for a category, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected application is encountered. Click the >> button to add it to the Selected Categories list. (To remove a category from the selected list, select it and click the << button.)

Tip You can select multiple categories at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available categories above.

Whether to define a default action for the categories for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.


HTTP Map Transfer Encoding Tab

Use the Transfer Encoding tab to enable inspection based on the transfer encoding type. The encoding types that you can configure are:

Chunked—Identifies the transfer encoding type in which the message body is transferred as a series of chunks.

Compressed—Identifies the transfer encoding type in which the message body is transferred using the UNIX compress (LZW) format.

Deflate—Identifies the transfer encoding type in which the message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

GZIP—Identifies the transfer encoding type in which the message body is transferred using GNU zip (RFC 1952).

Identity—Identifies connections in which no transfer encoding is performed in the message body.

Navigation Path

Click the Transfer Encoding tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-33 HTTP Map Transfer Encoding Tab 

Element
Description

Available and Selected Encoding Types

Action

Generate Syslog

The Available Encoding Types list contains the types of transfer encoding for which you can define firewall inspection settings.

To configure an action for a type, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected type is encountered. Click the >> button to add it to the Selected Encoding Types list. (To remove a type from the selected list, select it and click the << button.)

Tip You can select multiple types at a time using Ctrl+click if the action and syslog requests are the same for each.

The actions you can specify are:

Allow Packet—Allow the message.

Drop Packet—Close the connection.

Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available encoding types above.

Whether to define a default action for the types for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.
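The six tabs of this HTTP map (General, Entity Length, RFC Request Method, Extension Request Method, Port Misuse, and Transfer Encoding) each correspond to one or more lines of the http-map command the page mentions. The following is an added example of a complete http-map on an ASA 7.1 or PIX 7.1 device, assembled tab by tab; it is not text from this guide nor the exact configuration Security Manager generates (IOS devices use a different application firewall syntax that this example does not show). The map name and the length limits are placeholders; the policy it expresses, allow only GET, HEAD, and POST and reset everything non-compliant, is an assumed one for illustration.

```cisco
! Added example, not from the guide: ASA 7.1 / PIX 7.1 / FWSM 3.x http-map (name and limits are placeholders)
http-map http_strict
 ! General tab: strict RFC 2616 checking cannot be disabled; reset and log is the default action
 strict-http action reset log
 ! General tab: verify Content-Type, and that the response type matches the request's Accept field
 content-type-verification match-req-rsp action reset log
 ! Entity Length tab: URI, request/response header, and body size limits (bytes)
 max-uri-length 2048 action reset log
 max-header-length request 4096 action reset log
 max-header-length response 8192 action reset log
 content-length max 1048576 action reset log
 ! RFC Request Method tab: allow GET, HEAD, POST; the "default" line covers every other RFC method
 request-method rfc get action allow
 request-method rfc head action allow
 request-method rfc post action allow
 request-method rfc default action drop log
 ! Extension Request Method tab: drop all extension methods (WebDAV and similar)
 request-method ext default action drop log
 ! Port Misuse tab: block instant messaging, peer-to-peer, and HTTP tunneling over port 80
 port-misuse im action drop log
 port-misuse p2p action drop log
 port-misuse tunneling action drop log
 ! Transfer Encoding tab: permit chunked and identity; drop compressed bodies the appliance cannot inspect
 transfer-encoding type chunked action allow
 transfer-encoding type identity action allow
 transfer-encoding type default action drop log
!
policy-map global_policy
 class inspection_default
  inspect http http_strict
```

The "default" lines are the important ones from a security standpoint: without `request-method rfc default action drop log`, any RFC method you did not list explicitly is allowed, and without `transfer-encoding type default action drop log` a client can send a gzip-encoded body past the content checks. `show running-config http-map` on the device confirms what was deployed.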


Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices

Use the Add and Edit HTTP Map dialog boxes to define the match criterion and values for the HTTP inspect map for ASA and PIX software releases 7.2 and higher.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > HTTP (ASA 7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Configuring Class Maps for Inspection Policies

Field Reference

Table 15-34 Add and Edit HTTP Map Dialog Boxes (ASA 7.2+/PIX 7.2+) 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Body Match Maximum

The maximum number of characters in the body of an HTTP message that should be searched in a body match.

Tip A high value can have a significant impact on performance.

Check for protocol violations

Whether to check for protocol violations.

Action

The action to take based on the defined settings. You can drop, reset, or log the connection.

Spoof Server

Enables you to replace the server HTTP header value with the specified string.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Overrides: None

Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Understanding Policy Object Overrides for Individual Devices, page 6-13.

Note Selecting Allow Value Override per Device does not automatically set overrides.


HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit HTTP Match Criterion (for HTTP class maps) or Match Condition and Action (for HTTP policy maps) dialog boxes to do the following:

Define the match criterion and value for an HTTP class map.

Select an HTTP class map when creating an HTTP policy map.

Define the match criterion, value, and action directly in an HTTP policy map.

These types of maps are used only for devices running ASA 7.2 or higher, or PIX 7.2 or higher, operating systems.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map. You can use the following criteria:

Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.

Request Arguments—Applies the regular expression match to the arguments of the request.

Request Body—Applies the regular expression match to the body of the request.

Request Body Length—Specifies that the body length of the request be matched as greater than or less than the specified number of bytes.

Request Header Count—Specifies that the number of headers in the request be matched as greater than or less than the specified number.

Request Header Length—Specifies that the header length of the request be matched as greater than or less than the specified number of bytes.

Request Header Field—Applies the regular expression match to the header of the request.

Request Header Field Count—Matches when a specified header field appears in the request more than the specified number of times.

Request Header Field Length—Matches when the value of a specified header field in the request is longer than the specified number of bytes.

Request Header Content Type—Specifies the content type to evaluate in the content-type header field of the request.

Request Header Transfer Encoding—Specifies the transfer encoding to evaluate in the transfer-encoding header field of the request.

Request Header Non-ASCII—Specifies whether there are non-ASCII characters in the header of the request.

Request Method—Specifies the method of the request to match.

Request URI—Applies the regular expression match to the URI of the request.

Request URI Length—Specifies that the URI length of the request be matched as greater than or less than the specified number of bytes.

Response Body ActiveX—Specifies whether there is ActiveX content in the body of the response.

Response Body Java Applet—Specifies whether there is a Java applet in the body of the response.

Response Body—Applies the regular expression match to the body of the response.

Response Body Length—Specifies that the body length of the response be matched as greater than or less than the specified number of bytes.

Response Header Count—Specifies that the number of headers in the response be matched as greater than or less than the specified number.

Response Header Length—Specifies that the header length of the response be matched as greater than or less than the specified number of bytes.

Response Header Field—Applies the regular expression match to the header of the response.

Response Header Field Count—Matches when a specified header field appears in the response more than the specified number of times.

Response Header Field Length—Matches when the value of a specified header field in the response is longer than the specified number of bytes.

Response Header Content Type—Specifies the content type to evaluate in the content-type header field of the response.

Response Header Transfer Encoding—Specifies the transfer encoding to evaluate in the transfer-encoding header field of the response.

Response Header Non-ASCII—Specifies whether there are non-ASCII characters in the header of the response.

Response Status Line—Applies the regular expression match to the status line of the response.
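The parameters of the ASA 7.2+ HTTP map (body match maximum, protocol violation action, spoof server) and the criteria listed above become a policy-map type inspect http, optionally combined with a class map that groups several criteria. The following is an added example of that CLI on an ASA 7.2 or later device; it is not text from this guide nor the exact configuration Security Manager generates. The map, class map, and regular expression names, the URI pattern, the spoofed server string, and the numeric limits are placeholders chosen for illustration.

```cisco
! Added example, not from the guide: ASA 7.2+ / PIX 7.2+ HTTP class map and policy map (names and values are placeholders)
regex uri_admin "^/admin/"
!
! Class map (match-all): requests for /admin that use any method other than GET
class-map type inspect http match-all http_admin_nonget
 match request uri regex uri_admin
 match not request method get
!
policy-map type inspect http http_policy
 parameters
  ! Body Match Maximum: search only the first 4096 bytes of a body for regex matches
  body-match-maximum 4096
  ! Check for protocol violations: drop the connection and log
  protocol-violation action drop-connection log
  ! Spoof Server: replace the Server response header value
  spoof-server "web"
 ! Use Values in Class Map: drop and log non-GET requests to /admin
 class http_admin_nonget
  drop-connection log
 ! Request/Response Content Type Mismatch: reset when the response type is not in the request's Accept list
 match req-resp content-type mismatch
  reset log
 ! Request URI Length and Request Header Count limits
 match request uri length gt 2048
  drop-connection log
 match request header count gt 30
  drop-connection log
 ! Request Header Non-ASCII: log only, useful as a detection signal before enforcing
 match request header non-ascii
  log
 ! Response Body ActiveX and Java Applet: drop responses carrying mobile code
 match response body active-x
  drop-connection log
 match response body java-applet
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http http_policy
```

A match-all class map is what lets you express "URI matches X and method is not GET" as a single condition; the individual match statements in the policy map are evaluated independently. `show service-policy inspect http` on the device reports per-match counters, so a rule whose counter never increments (for example, a regex that does not match because the URI is checked before normalization) shows up quickly.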

Navigation Path

When creating an HTTP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for HTTP, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring Class Maps for Inspection Policies.

When creating an HTTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit HTTP Map dialog boxes for ASA/PIX 7.2+ devices, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-35 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing HTTP class map or define a new HTTP class map.

Use Specified Values—You want to define the class map on this dialog box.

Use Values in Class Map—You want to select an existing HTTP class map policy object. Enter the name of the HTTP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of HTTP traffic to match. The criteria are described above.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion. For some criteria, this is the only available option.

Doesn't Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria. The types of action depend on the criterion you select.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Field Name

The name of the header field to evaluate. You can select one of the following:

Predefined—The predefined HTTP header fields.

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Value

The regular expression you want to evaluate. You can select one of the following:

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

When you are evaluating the Request Header Transfer Encoding or Response Header Transfer Encoding criteria, you can also select these options:

Specified By—One of the following predefined types of transfer encoding:

Chunked—The message body is transferred as a series of chunks.

Compressed—The message body is transferred using UNIX file compression.

Deflate—The message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

GZIP—The message body is transferred using GNU zip (RFC 1952).

Identity—No transfer encoding is performed.

Empty—The transfer-encoding field in request header is empty.

Greater Than Length

The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.

Greater Than Count

The number of evaluated items. The criterion matches if the count is greater than the specified number, and does not match if the count is less than the specified number.

Content Type

The content type to evaluate as specified in the content-type header field. You can select one of the following:

Specified By—A predefined MIME type.

Unknown—The MIME type is not known. Select Unknown when you want to evaluate the item against all known MIME types.

Violation—The magic number in the body must correspond to the MIME type in the content-type header field.

Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.

Request Method

The specified request method to match. You can select one of the following:

Specified By—The predefined request method.

Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.
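The response-side criteria above (header count and length, non-ASCII headers, transfer-encoding, content-type "Violation" via the body's magic number, body length, status line) can be hard to picture from the field descriptions alone. The following is an added example, not Cisco Security Manager or ASA code: a small evaluator that applies those checks to two constructed responses. The magic-number table, the sample responses and the criterion names are assumptions made for the demo.

```python
import re

# Constructed sample responses for this demo (not taken from the original page).
MISMATCH = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"X-Note: caf\xc3\xa9\r\n"                  # non-ASCII bytes in a header
    b"\r\n"
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 32         # body is really a PNG image
)
CLEAN = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: image/gif\r\n"
    b"Transfer-Encoding: identity\r\n"
    b"\r\n"
    b"GIF89a" + b"\x00" * 10
)

# Leading "magic number" bytes -> MIME type, used for the Content Type "Violation" check.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": b"image/png",
    b"GIF87a": b"image/gif",
    b"GIF89a": b"image/gif",
    b"\xff\xd8\xff": b"image/jpeg",
    b"%PDF-": b"application/pdf",
    b"MZ": b"application/x-msdownload",
}


def parse_response(raw):
    """Split a raw response into (status_line, header_section, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, _, header_section = head.partition(b"\r\n")
    headers = []
    for line in (header_section.split(b"\r\n") if header_section else []):
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return status, header_section, headers, body


def sniff_mime(body):
    """Return the MIME type implied by the body's magic number, or None if unknown."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def evaluate(raw, header_count_gt=None, header_length_gt=None, body_length_gt=None,
             transfer_encoding=None, status_line_regex=None):
    """Evaluate the response-side criteria from the table above; a criterion that was
    not requested reports False. Returns {criterion_name: matched}."""
    status, header_section, headers, body = parse_response(raw)
    hdr = dict(headers)
    te = hdr.get(b"transfer-encoding")
    if transfer_encoding is None or te is None:
        te_match = False
    elif transfer_encoding.lower() == "empty":
        te_match = te == b""                       # "Empty": field present but blank
    else:
        te_match = transfer_encoding.lower().encode() in [
            v.strip().lower() for v in te.split(b",")]
    declared = hdr.get(b"content-type")
    declared = declared.split(b";")[0].strip().lower() if declared is not None else None
    sniffed = sniff_mime(body)
    # "Violation": the magic number must correspond to the declared MIME type. A body
    # whose magic number is not in MAGIC cannot be judged and is reported as no violation.
    violation = declared is not None and sniffed is not None and sniffed != declared
    return {
        "response-header-count":
            header_count_gt is not None and len(headers) > header_count_gt,
        "response-header-length":
            header_length_gt is not None and len(header_section) > header_length_gt,
        "response-header-non-ascii": any(b > 0x7F for b in header_section),
        "response-header-transfer-encoding": te_match,
        "response-header-content-type-violation": violation,
        "response-body-length":
            body_length_gt is not None and len(body) > body_length_gt,
        "response-status-line":
            bool(status_line_regex)
            and re.search(status_line_regex.encode(), status) is not None,
    }


if __name__ == "__main__":
    for name, raw in (("MISMATCH", MISMATCH), ("CLEAN", CLEAN)):
        print(name, evaluate(raw, header_count_gt=2, transfer_encoding="chunked",
                             status_line_regex=r"^HTTP/1\.[01] 2\d\d"))
```

A "Doesn't Match" row in the map is simply the negation of the corresponding value returned here.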


Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices

Use the Add and Edit IM Map dialog boxes to define an Instant Messenger (IM) inspect map for devices running ASA/PIX 7.2 or higher. An IM map lets you change the default configuration values used for IM application inspection.

Instant Messaging causes concern due to its use of clear text when conducting business and the potential for network attacks and the spreading of viruses. Thus, you might want to block certain types of instant messages from occurring, while allowing others.

For ASA and PIX devices, IM application inspection provides detailed access control to control network usage. You can use regular expressions to help stop leakage of confidential data and the propagation of network threats. You can inspect Yahoo! Messenger or MSN Messenger traffic.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IM (ASA 7.2+/PIX 7.2+) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-36 Add and Edit IM Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit IM Match Criterion (for IM class maps) or Match Condition and Action (for IM policy maps) dialog boxes to do the following:

Define the match criterion and value for an IM class map.

Select an IM class map when creating an IM policy map.

Define the match criterion, value, and action directly in an IM policy map.

These types of maps are used only for devices running ASA 7.2 or higher, or PIX 7.2 or higher, operating systems.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating an IM class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for IM, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring Class Maps for Inspection Policies.

When creating an IM policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit IM Map dialog boxes for ASA 7.2/PIX 7.2, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-37 IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes 

Element
Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing IM class map or define a new IM class map.

Use Specified Values—You want to define the class map on this dialog box.

Use Values in Class Map—You want to select an existing IM class map policy object. Enter the name of the IM class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of IM traffic to match. The criteria are:

Filename—Matches the filename from IM file transfer service.

Client IP Address—Matches the source client IP address.

Client Login Name—Matches the client login name from IM service.

Peer IP Address—Matches the peer, or destination, IP address.

Peer Login Name—Matches the peer, or destination, login name from IM service.

Protocol—Matches IM protocols.

Service—Matches IM services.

File Transfer Service Version—Matches the IM file transfer service version.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

The regular expression you want to evaluate. You can select one of the following:

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

IP Address

The IP address you want to match.

Protocol

The IM protocol, either MSN Messenger or Yahoo! Messenger.

Services

The IM services you want to inspect. Select one or more of the listed services.


Configuring IM Maps for IOS Devices

Use the Add and Edit IM Map (IOS) dialog boxes to configure Instant Messaging (IM) inspection policy map objects for IOS devices. An IM map lets you change the default configuration values used for IM application inspection.

Instant Messaging causes concern due to its use of clear text when conducting business and the potential for network attacks and the spreading of viruses. Thus, you might want to block certain types of instant messages from occurring, while allowing others.

IM application inspection provides detailed access control to control network usage. It also helps stop leakage of confidential data and the propagation of network threats. The scope can be limited by identifying permitted or denied servers. Inspection of Yahoo! Messenger, MSN Messenger, and AOL instant messages is supported.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IM (IOS) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-38 Add and Edit IM Map (IOS) Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Service Tabs

The tabs represent different IM service providers. The settings available on each tab are identical. You must configure the settings separately for each service provider. The descriptions of the following fields apply to each of the services: Yahoo!, MSN, and AOL.

Text Chat

How you want the text chat service to be handled, for example, allowed, denied, logged, or some combination.

Other Services

How you want services other than text chat to be handled, for example, allowed, denied, logged, or some combination. IOS software recognizes all services other than text chat, such as voice-chat, video-chat, file sharing and transferring, and gaming as a single group.

Permit Servers

The servers from which to permit traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Deny Servers

The servers from which to deny traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Alert

Whether you want to enable or disable alerts. The default is to use the default inspection settings.

Audit

Whether you want to enable or disable an audit trail. The default is to use the default inspection settings.

Timeout

A timeout for the service. You can use the default inspection settings, or you can elect to specify a timeout. If you select Specify Timeout, enter the timeout value in seconds.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Configuring IP Options Maps

Use the Add and Edit IP Options Map dialog boxes to define maps for the inspection of the options in an IP packet header on ASA 8.2(2)+ devices. The options field provides for control functions that are required in some situations but unnecessary for most common communications.

If you do not configure IP options inspection, the ASA device drops packets that have any options configured, with one exception. In routed mode, packets that contain the router alert option are allowed. (To disallow router alert packets, create an IP options map with router alert deselected, and configure an inspection rule to inspect IP Options using the policy map.)


Tip: Because the no operation (NOP) option might be used as padding to ensure proper packet-header size and alignment, you might want to allow NOP.


For each option, you can select whether to:

Allow—Allow the packet and do not change the IP header options field.

Clear—Allow the packet and clear the option from the IP header options field.

If you do not select an option, the option is prohibited, and packets containing the option are dropped. Any option not listed here also results in a dropped packet; you cannot change this behavior.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IP Options from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-39 Add and Edit IP Options Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 128 characters is allowed.

Description

A description of the policy object.

End of Options List

End of Options List (EOOL), or IP Option 0, contains just a single zero byte and appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.

No operation

No Operation (NOP), or IP Option 1, is used for padding. The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used to align the options on a 32-bit boundary.

Router alert

Router Alert (RTRALT), or IP Option 20, notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols that require relatively complex processing from the routers along the packet's delivery path.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.
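To make the allow/clear/drop semantics of an IP Options map concrete, here is an added example (not Cisco Security Manager or ASA code) that parses the IPv4 options field and applies a map of the kind described above: options marked allow are left in place, options marked clear are removed, and any unselected or unlisted option drops the packet. The no-map default mirrors the routed-mode behaviour the text describes (only Router Alert passes). How the header is re-padded after a clear, the sample packet, and the helper names are assumptions for the demo.

```python
import struct

# IPv4 option numbers named on the page (RFC 791): low 5 bits of the option-type byte.
EOOL, NOP, RTRALT = 0, 1, 20

# No map configured, routed mode: every option is dropped except Router Alert.
DEFAULT_ROUTED_POLICY = {RTRALT: "allow"}


def checksum(data):
    """Standard ones-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(opts):
    """Return [(option_number, raw_bytes), ...] for an IPv4 options field.
    EOOL and NOP are single bytes; every other option carries a length byte."""
    out, i = [], 0
    while i < len(opts):
        number = opts[i] & 0x1F
        if number in (EOOL, NOP):
            out.append((number, opts[i:i + 1]))
            i += 1
            if number == EOOL:
                break                    # EOOL ends the list; the rest is padding
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option at offset %d" % i)
        out.append((number, opts[i:i + opts[i + 1]]))
        i += opts[i + 1]
    return out


def apply_ip_options_map(packet, policy=DEFAULT_ROUTED_POLICY):
    """Apply an allow/clear map to a raw IPv4 packet.
    Returns the (possibly rewritten) packet, or None when it would be dropped.
    policy maps option number -> "allow" | "clear"; any other option drops the packet."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        return None                      # malformed header: drop
    kept = bytearray()
    for number, raw in parse_options(packet[20:ihl]):
        action = policy.get(number)
        if action == "allow":
            kept += raw                  # packet passes, option left in the header
        elif action == "clear":
            continue                     # packet passes, option removed
        else:
            return None                  # prohibited (unselected or unlisted) option
    # Assumption for this demo: after clearing, re-pad with EOOL to a 32-bit
    # boundary, rewrite IHL and Total Length, and recompute the header checksum.
    kept += b"\x00" * (-len(kept) % 4)
    header = bytearray(packet[:20]) + kept
    header[0] = (4 << 4) | ((20 + len(kept)) // 4)
    struct.pack_into("!H", header, 2, len(header) + len(packet) - ihl)
    struct.pack_into("!H", header, 10, 0)
    struct.pack_into("!H", header, 10, checksum(bytes(header)))
    return bytes(header) + packet[ihl:]


def build_packet(options=b"", payload=b"payload!"):
    """Constructed IPv4/UDP test packet 10.0.0.1 -> 10.0.0.2 carrying the given options."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = bytearray(struct.pack(
        "!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(payload),
        0x1234, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))) + options
    struct.pack_into("!H", header, 10, checksum(bytes(header)))
    return bytes(header) + payload


if __name__ == "__main__":
    rtralt = b"\x94\x04\x00\x00"            # Router Alert: copied flag, number 20, length 4
    padded = rtralt + b"\x01\x01\x01\x01"   # the same, followed by four NOPs
    print(apply_ip_options_map(build_packet(rtralt)) is not None)   # True
    print(apply_ip_options_map(build_packet(padded)) is None)       # True: NOP not allowed
    print(apply_ip_options_map(build_packet(padded),
                               {RTRALT: "allow", NOP: "clear"}) == build_packet(rtralt))
```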


Configuring IPsec Pass Through Maps

Use the Add and Edit IPsec Pass Through Map dialog boxes to configure settings for the IPsec Pass Through Map policy object. An IPsec Pass Through policy map lets you change the default configuration values used for IPsec Pass Through inspection.

The IPsec Pass Through inspection engine lets the security appliance pass ESP (IP protocol 50) and AH (IP protocol 51) traffic that is formed between two hosts because of successful IKE (UDP port 500) negotiation without the requirement of specific ESP or AH access lists.

The ESP or AH traffic is permitted by the inspection engine with the configured idle timeout if there is an existing control flow and it is within the connection limit defined in the MPF framework. A new control flow is created for IKE UDP port 500 traffic with the configured UDP idle timeout if there is not one, or it uses the existing flow.

To ensure that the packet arrives into the inspection engine, a hole is punched for all such traffic (ESP and AH). This inspection is attached to the control flow. The control flow is present as long as there is at least one data flow (ESP or AH) established, but the traffic always flows on the same connection. Because this IKE connection is kept open as long as data flows, a rekey would always succeed. The flows are created irrespective of whether NAT is being used. However, PAT is not supported.
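The control-flow/data-flow relationship in the three paragraphs above is easier to follow as a state machine. The following is an added example, not ASA code: a toy tracker that creates a control flow from IKE (UDP 500), admits ESP/AH data flows only while a control flow exists and the per-client tunnel limit is not exceeded, expires data flows on the idle timeout, and keeps the control flow alive while any data flow remains. The 600 s data idle default comes from the table that follows; the tunnel limit, the IKE idle timeout, and the use of the SPI to distinguish tunnels are assumptions for the demo.

```python
IKE_PORT, UDP, ESP, AH = 500, 17, 50, 51


class IPsecPassThrough:
    """Toy model of IPsec Pass Through flow handling (added example, not ASA code).

    Defaults follow the page: ESP and AH allowed with a 10-minute (600 s) idle
    timeout. The per-client tunnel limit and the 120 s IKE idle timeout are
    assumptions for the demo. Times are seconds."""

    def __init__(self, allow_esp=True, allow_ah=True, max_esp_per_client=10,
                 max_ah_per_client=10, esp_idle=600, ah_idle=600, ike_idle=120):
        self.allow = {ESP: allow_esp, AH: allow_ah}
        self.limit = {ESP: max_esp_per_client, AH: max_ah_per_client}
        self.idle = {ESP: esp_idle, AH: ah_idle}
        self.ike_idle = ike_idle
        self.control = {}   # (client, peer) -> last packet time; created by IKE UDP/500
        self.data = {}      # (client, peer, proto, spi) -> last packet time

    def _expire(self, now):
        self.data = {k: t for k, t in self.data.items() if now - t < self.idle[k[2]]}
        live = {(k[0], k[1]) for k in self.data}
        # The control flow stays up while any data flow exists, so a rekey over it succeeds.
        self.control = {k: t for k, t in self.control.items()
                        if now - t < self.ike_idle or k in live}

    def packet(self, now, client, peer, proto, dport=None, spi=None):
        """Return 'permit' or 'drop' for one packet sent from client to peer."""
        self._expire(now)
        key = (client, peer)
        if proto == UDP and dport == IKE_PORT:
            self.control[key] = now              # create or refresh the control flow
            return "permit"
        if proto not in (ESP, AH) or not self.allow[proto]:
            return "drop"                        # not ESP/AH, or that protocol is disallowed
        if key not in self.control:
            return "drop"                        # no IKE negotiation seen: no hole punched
        dkey = (client, peer, proto, spi)
        if dkey not in self.data:
            active = sum(1 for k in self.data if k[0] == client and k[2] == proto)
            if active >= self.limit[proto]:
                return "drop"                    # per-client tunnel limit reached
        self.data[dkey] = now
        return "permit"

    def tunnels(self, client):
        """Number of live ESP/AH data flows for a client."""
        return sum(1 for k in self.data if k[0] == client)


if __name__ == "__main__":
    pt = IPsecPassThrough(max_esp_per_client=1)
    c, p = "10.1.1.10", "203.0.113.5"            # constructed addresses
    print(pt.packet(0, c, p, ESP, spi=0x1001))   # drop: no IKE yet
    print(pt.packet(1, c, p, UDP, dport=IKE_PORT))
    print(pt.packet(2, c, p, ESP, spi=0x1001))   # permit
    print(pt.packet(3, c, p, ESP, spi=0x1002))   # drop: second tunnel over the limit
    print(pt.packet(1000, c, p, ESP, spi=0x1001))  # drop: both flows idled out
```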

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > IPsec Pass Through from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-40 Add and Edit IPsec Pass Through Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Allow ESP

Maximum ESP Tunnels per Client

ESP Idle Timeout

Whether to allow ESP traffic. If you select this option, you can configure the maximum number of ESP tunnels that each client can have and the amount of time that an ESP tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).

Allow AH

Maximum AH Tunnels per Client

AH Idle Timeout

Whether to allow AH traffic. If you select this option, you can configure the maximum number of AH tunnels that each client can have and the amount of time that an AH tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Configuring NetBIOS Maps

Use the Add or Edit NetBIOS Map dialog boxes to define maps for NetBIOS inspection. A NetBIOS policy map lets you change the default configuration values used for NetBIOS inspection.

The NetBIOS inspection engine translates IP addresses in the NetBIOS name service (NBNS) packets according to the security appliance NAT configuration.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > NetBIOS from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-41 Add or Edit NetBIOS Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Check for Protocol Violation

Action

Whether to check for NetBIOS protocol violations. If you select this option, select the action you want to take when violations occur.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Configuring SIP Maps

Use the Add and Edit SIP Map dialog boxes to configure values used for SIP application inspection. A SIP inspection map lets you change the default configuration values used for SIP application inspection.

SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats.

SIP application inspection provides address translation in message header and body, dynamic opening of ports and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > SIP (ASA/PIX/FWSM) from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Configuring Class Maps for Inspection Policies

Field Reference

Table 15-42 Add and Edit SIP Map Dialog Box 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Enable SIP Instant Messaging Extensions

Whether to enable Instant Messaging extensions.

Permit Non-SIP Traffic on SIP Port

Whether to permit non-SIP traffic on the SIP port.

Hide Server's and Endpoint's IP Address

Whether to hide the IP addresses, which enables IP address privacy.

Check RTP Packets for Protocol Conformance

Limit Payload to Audio or Video based on the Signaling Exchange

Whether to check RTP/RTCP packets flowing on the pinholes for protocol conformance. If you select this option, you can also elect to enforce the payload type to be audio/video based on the signaling exchange.

If Number of Hops to Destination is Greater Than 0

Whether to check if the value of Max-Forwards header is zero. When it is greater than zero, the action you select in the Action field is implemented. The default is to drop the packet.

If State Transition is Detected

Whether to check SIP state transitions. When a transition is detected, the action you select in the Action field is implemented. The default is to drop the packet.

If Header Fields Fail Strict Validation

Whether to take the action specified in the Action field if the SIP header fields are invalid. The default is to drop the packet.

Inspect Server's and Endpoint's Software Version

Whether to inspect the SIP endpoint software version in User-Agent and Server headers. The default is to mask the information.

If Non-SIP URI is Detected

Whether to take the action specified in the Action field if a non-SIP URI is detected in the Alert-Info and Call-Info headers. The default is to mask the information.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes

Use the Add or Edit SIP Match Criterion (for SIP class maps) or Match Condition and Action (for SIP policy maps) dialog boxes to do the following:

Define the match criterion and value for a SIP class map.

Select a SIP class map when creating a SIP policy map.

Define the match criterion, value, and action directly in a SIP policy map.

The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.

Navigation Path

When creating a SIP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for SIP, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring Class Maps for Inspection Policies.

When creating a SIP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit SIP Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring SIP Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-43 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Match Type

Class Name

(Policy Map only)

Enables you to use an existing SIP class map or define a new SIP class map.

Use Specified Values—You want to define the class map on this dialog box.

Use Values in Class Map—You want to select an existing SIP class map policy object. Enter the name of the SIP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of SIP traffic to match.

Called Party—Matches the called party as specified in the To header.

Calling Party—Matches the calling party as specified in the From header.

Content Length—Matches the Content Length header.

Content Type—Matches the Content Type header.

IM Subscriber—Matches the SIP Instant Messenger subscriber.

Message Path—Matches the SIP Via header.

Third Party Registration—Matches the requester of a third-party registration.

URI Length—Matches a URI in the SIP headers.

Request Method—Matches the SIP request method.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

The regular expression you want to evaluate. You can select one of the following:

Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

URI Type

The type of URI to match, either SIP or TEL.

Greater Than Length

The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.

Content Type

The content type to evaluate as specified in the content-type header field. You can select one of the following:

SDP—Matches an SDP SIP content header type.

Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.

Resource Method

The request method you want to inspect:

ack—Confirms that the client has received a final response to an INVITE request.

bye—Terminates a call and can be sent by either the caller or the called party.

cancel—Cancels any pending searches but does not terminate a call that has already been accepted.

info—Communicates mid-session signaling information along the signaling path for the call.

invite—Indicates a user or service is being invited to participate in a call session.

message—Sends instant messages where each message is independent of any other message.

notify—Notifies a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.

options—Queries the capabilities of servers.

prack—Provisional response acknowledgment.

refer—Requests that the recipient REFER to a resource provided in the request.

register—Registers the address listed in the To header field with a SIP server.

subscribe—Requests notification of an event or set of events at a later time.

unknown—Uses a nonstandard extension that could have unknown security impacts on the network.

update—Permits a client to update parameters of a session but has no impact on the state of a dialog.


Configuring Skinny Maps

Use the Add or Edit Skinny Map dialog boxes to define Skinny maps for Skinny inspection. A Skinny policy map lets you change the default configuration values used for Skinny inspection.

Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323 compliant terminals. Application layer functions in the security appliance recognize SCCP version 3.3. There are 5 versions of the SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2.

The security appliance supports all versions through 3.3.2. The security appliance supports PAT and NAT for SCCP. PAT is necessary if you have more IP phones than global IP addresses for the IP phones to use. By supporting NAT and PAT of SCCP Signaling packets, Skinny application inspection ensures that all SCCP signaling and media packets can traverse the security appliance.

Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration. The security appliance also supports DHCP options 150 and 66, which it uses to send the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > Skinny from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row, then select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-44 Add and Edit Skinny Map Dialog Boxes 

Element
Description

Name

The name of the Skinny map. A maximum of 40 characters is allowed.

Description

A description of the Skinny map, up to 200 characters.

Parameters Tab

Enforce Endpoint Registration

Whether to enforce registration before calls can be placed.

Maximum SCCP Station Message ID 0x

The maximum SCCP station message ID allowed, in hexadecimal.

Check RTP Packets for Protocol Conformance

Enforce Payload Type to be Audio or Video based on Signaling Exchange

Whether to check RTP packets flowing through the pinholes for protocol conformance. If you select this option, you can also select whether to enforce the payload type.

Minimum SCCP Prefix Length

The minimum SCCP prefix length allowed.

Maximum SCCP Prefix Length

The maximum SCCP prefix length allowed.

Media Timeout

The timeout value for media connections.

Signaling Timeout

The timeout value for signaling connections.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes).

To edit a criterion, select it and click the Edit button.

To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes

Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for a Skinny policy map.

Navigation Path

In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit Skinny Map dialog boxes, right-click inside the table, then select Add Row or right-click a row, then select Edit Row. See Configuring Skinny Maps.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-45 Skinny Policy Maps Add and Edit Match Condition and Action Dialog Boxes 

Element
Description

Criterion

Specifies which criterion of Skinny traffic to match.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn't Match is selected on 0xFFFF, then any traffic that has the message ID 0xFFFF is excluded from the map.

Matches—Matches the criterion.

Doesn't Match—Does not match the criterion.

ID Type

The hexadecimal value for the message ID to inspect:

Value—Matches a single hexadecimal value.

Range—Matches a range of values.

Action

The action you want the device to take for traffic that matches the defined criteria.


Configuring SNMP Maps

Use the Add and Edit SNMP Map dialog boxes to define maps for SNMP inspection. An SNMP policy map lets you change the default configuration values used for SNMP application inspection.

SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The security appliance can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by creating an SNMP map. You then apply the SNMP map when you enable SNMP inspection.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Policy Maps > Inspect > SNMP from the Object Type selector. Right-click inside the work area, then select New Object, or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Field Reference

Table 15-46 Add and Edit SNMP Map Dialog Boxes

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Disallowed SNMP Versions

The versions of SNMP you want to prohibit.

SNMP Version 1

SNMP Version 2c (Community Based)

SNMP Version 2 (Party Based)

SNMP Version 3

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Configuring Regular Expression Groups

Use the Add and Edit Regular Expression Groups dialog boxes to define regular expression groups, which contain multiple regular expressions. Groups make it possible for you to create modular regular expressions and group them in multiple ways for various uses. The objects can be used in some inspection class maps and inspection policy maps.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Regular Expressions Groups from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Creating Policy Objects, page 6-6

Field Reference

Table 15-47 Add and Edit Regular Expression Class Map Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Regular Expressions

The Regular Expression policy objects that include the expressions you want to include in the group. Enter the name of the objects or click Select to select them from a list or to create a new object.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Configuring Regular Expressions for Inspection Maps

Use the Add and Edit Regular Expression dialog boxes to define regular expressions for use in class and policy inspection maps or in regular expression group policy objects.

A regular expression matches text strings either literally as an exact string or by using metacharacters so you can match multiple variants of a text string. You can use regular expressions in various types of class and policy inspection maps to match various target items, for example, the content of certain application traffic such as the body text inside an HTTP packet.

Navigation Path

Select Tools > Policy Object Manager, then select Maps > Regular Expressions from the Object Type selector. Right-click inside the work area, then select New Object or right-click a row and select Edit Object.

Related Topics

Understanding Map Objects, page 6-60

Configuring Protocols and Maps for Inspection

Creating Policy Objects, page 6-6

Field Reference

Table 15-48 Add and Edit Regular Expression Dialog Boxes 

Element
Description

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Value

The regular expression, up to 100 characters in length. For information on the metacharacters you can use to build regular expressions, see Metacharacters Used to Build Regular Expressions.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-9.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-13 and Understanding Policy Object Overrides for Individual Devices, page 6-13.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.


Metacharacters Used to Build Regular Expressions

The following table explains the metacharacters you can use to build regular expressions in the Add and Edit Regular Expression dialog boxes (see Configuring Regular Expressions for Inspection Maps).

Keep the following tips in mind when creating regular expressions:

If you enter any metacharacters in your text string that you want to be used literally, add the backslash (\) escape character before them. For example, "example\.com".

If you want to match upper and lower case characters, enter text in both upper- and lowercase. For example, "cats" is entered as "[cC][aA][tT][sS]".

Table 15-49 Metacharacters Used to Build Regular Expressions 

Character
Description
Notes

.

Dot

Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.

(exp)

Subexpression

A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.

|

Alternation

Matches either expression it separates. For example, dog|cat matches dog or cat.

?

Question mark

A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.

*

Asterisk

A quantifier that indicates that there are 0, 1 or any number of the previous expression. For example, lo*se matches lse, lose, loose, etc.

+

Plus

A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.

{x}

Repeat Quantifier

Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.

{x,}

Minimum repeat quantifier

Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc.

[abc]

Character class

Matches any character in the brackets. For example, [abc] matches a, b, or c.

[^abc]

Negated character class

Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter.

[a-c]

Character range class

Matches any character in the range. [a-z] matches any lowercase letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z].

The dash (-) character is literal only if it is the last or the first character within the brackets: [abc-] or [-abc].

""

Quotation marks

Preserves trailing or leading spaces in the string. For example, " test" preserves the leading space when it looks for a match.

^

Caret

Specifies the beginning of a line.

\

Escape character

When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.

char

Character

When character is not a metacharacter, matches the literal character.

\r

Carriage return

Matches a carriage return 0x0d.

\n

Newline

Matches a new line 0x0a.

\t

Tab

Matches a tab 0x09.

\f

Formfeed

Matches a form feed 0x0c.

\xNN

Escaped hexadecimal number

Matches an ASCII character using hexadecimal (exactly two digits).

\NNN

Escaped octal number

Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space.
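The two tips above (escape metacharacters that should be literal, spell out both cases as [xX] classes) are mechanical enough to script. The following is an added example, not Cisco code: it builds a Value-field pattern from a literal string, flags unescaped metacharacters in a hand-written pattern, and sanity-checks a pattern with Python's re, which shares the syntax of the subset in Table 15-49. The function names and the `ignore_case` option are my own.

```python
import re

# Metacharacters from Table 15-49 that need a backslash to be taken literally.
INSPECTION_METACHARS = set('.()|?*+{}[]^\\')
MAX_VALUE_LENGTH = 100  # limit of the Value field in the Regular Expression dialog


def literal_to_inspection_regex(text: str, ignore_case: bool = False) -> str:
    """Build a pattern the way the page's tips describe: escape any
    metacharacter that should match literally and, when ignore_case is set,
    expand each letter to a [xX] class (the appliance has no case flag).
    Raises ValueError if the result would not fit the 100-character field."""
    parts = []
    for ch in text:
        if ch in INSPECTION_METACHARS:
            parts.append('\\' + ch)
        elif ignore_case and ch.isalpha():
            parts.append('[' + ch.lower() + ch.upper() + ']')
        else:
            parts.append(ch)
    pattern = ''.join(parts)
    if len(pattern) > MAX_VALUE_LENGTH:
        raise ValueError('pattern is %d chars; the Value field allows %d'
                         % (len(pattern), MAX_VALUE_LENGTH))
    return pattern


def unescaped_metachars(pattern: str) -> list:
    """List the metacharacters in a hand-written pattern that are not escaped,
    so a reviewer can confirm each one is intended (a bare '.' in a hostname,
    for instance, silently matches any character)."""
    found, i = [], 0
    while i < len(pattern):
        if pattern[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if pattern[i] in INSPECTION_METACHARS:
            found.append(pattern[i])
        i += 1
    return found


def matches(pattern: str, data: str) -> bool:
    """Check a pattern against sample text. Python's re handles the subset in
    Table 15-49 (dot, |, ?, *, +, {x}, {x,}, [..], [^..], ^, backslash escapes)
    the same way, so it is a fair offline stand-in for the appliance here."""
    return re.search(pattern, data) is not None


if __name__ == '__main__':
    # Constructed sample: an HTTP Host header value checked for a domain.
    p = literal_to_inspection_regex('example.com', ignore_case=True)
    print(p, matches(p, 'Host: EXAMPLE.COM'))
```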


Configuring Settings for Inspection Rules for IOS Devices

If you configure inspection rules, you can also configure inspection settings to change the default settings for some global inspection parameters for IOS devices. Most of the inspection settings relate to preventing or mitigating Denial of Service (DoS) attacks. The default settings for most of these options are appropriate for most networks, so configure this policy only if you need to adjust one or more settings. If you do not change a setting, it is not configured on the device (the default remains configured).

To open the Inspection settings page, do one of the following:

(Device view) Select a device, then select Firewall > Settings > Inspection from the Policy selector.

(Policy view) Select Firewall > Settings > Inspection from the Policy Type selector. Create a new policy or select an existing one.

(Map view) Right-click a device and select Edit Firewall Settings > Inspection.

The following table explains the available inspection settings.

Table 15-50 Inspection Page 

Element
Description
Global Timeout Values

TCP Establish Timeout (seconds)

How long to wait for a TCP session to reach the established state before dropping the session, in seconds, from 1-2147483. The default is 30.

FIN Wait Time (seconds)

How long to maintain TCP session state information after the firewall detects a FIN-exchange, in seconds, from 1-2147483. The FIN-exchange occurs when the TCP session is ready to close. The default is 5.

TCP Idle Time (seconds)

How long to maintain a TCP session while there is no activity in the session, in seconds, from 1-2147483. The default is 3600 (one hour).

UDP Idle Time (seconds)

How long to maintain a UDP session while there is no activity in the session, in seconds, from 1-2147483. The default is 30.

When the software detects a valid UDP packet, the software establishes state information for a new UDP session. Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.

If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

DNS Timeout (seconds)

The length of time for which a DNS lookup session is managed while there is no activity, in seconds, from 1-2147483. The default is 5.

SYN Flooding DoS Attack Thresholds

Maximum 1 Minute Connection Rate - low

Maximum 1 Minute Connection Rate - high

The number of new unestablished sessions that causes the system to start and stop deleting half-open sessions. Ensure that you enter a lower number in the Low field than you enter in the High field. Possible values are from 1-2147483647 per minute. The default is 400 for low and 500 for high.

Maximum Incomplete Sessions Stop Threshold

Maximum Incomplete Sessions Start Threshold

The number of existing half-open sessions that will cause the software to start and stop deleting half-open sessions. Ensure that you enter a lower number in the stop field than you enter in the start field. Possible values are from 1-2147483647. The default is 400 for the stop threshold and 500 for the start threshold.

Thresholds per Host

Max Sessions Per Host

The number of half-open TCP sessions with the same host destination address that can exist at a time before the software starts deleting half-open sessions to the host. Possible values are 1-4294967295. The default is 50.

A large number of half-open sessions can indicate there is a Denial of Service attack against the host.

Max Sessions Blocking Interval (min)

If the maximum sessions per host threshold is reached, the blocking time to apply to help mitigate the potential TCP host-specific denial-of-service (DoS) attack. Possible values are 0-35791 minutes. The default is 0.

If the blocking time value is 0, the software deletes the oldest existing half-open session for the host for every new connection request to the host above the maximum session limit. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

If the blocking time value is greater than 0, the software deletes all existing half-open sessions for the host, then blocks all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

Other

Session Hash Table Size (buckets)

The size of the hash table in terms of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192. The default is 1024.

You should increase the hash table size when the total number of sessions running through the device is approximately twice the current hash size; decrease the hash table size when the total number of sessions is reduced to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table.

Enable Alert Messages

Whether to generate stateful packet inspection alert messages on the console.

Enable Audit Trail Messages

Whether audit trail messages are logged to the syslog server or router.

Permit DHCP Passthrough (Transparent Firewall)

Whether to permit a transparent firewall to forward DHCP packets across the bridge without inspection.

Permitting DHCP passthrough overrides an ACL for DHCP packets, so DHCP packets are forwarded even if the ACL is configured to deny all IP packets. Thus, clients on one side of the bridge can get an IP address from a DHCP server on the opposite side of the bridge.

Block Non-SYN Packets

Whether to drop TCP packets that do not belong to an established session. These are TCP packets that do not initiate sessions, that is, the SYN bit is not set in them.

Log Dropped Packets

Whether to create log messages for dropped packets to specify the reason for dropping them.
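The half-open session thresholds above interact in ways the table states only in prose: a start/stop pair gives hysteresis, and the per-host limit behaves differently for a blocking interval of 0 versus greater than 0. The following is an added model of that documented behaviour, written for this page and not Cisco's implementation; the class, its method names and the session-id bookkeeping are assumptions, and time is passed in as plain seconds.

```python
import collections
import itertools


class HalfOpenTracker:
    """Model of the inspection DoS thresholds: global start/stop thresholds
    with hysteresis, a per-destination maximum, and the two blocking-interval
    behaviours. Added example, not Cisco IOS code."""

    def __init__(self, start_threshold=500, stop_threshold=400,
                 max_sessions_per_host=50, block_minutes=0):
        if stop_threshold >= start_threshold:
            raise ValueError("stop threshold must be lower than start threshold")
        self.start = start_threshold
        self.stop = stop_threshold
        self.max_per_host = max_sessions_per_host
        self.block_seconds = block_minutes * 60
        self.half_open = collections.OrderedDict()   # session id -> dst host, oldest first
        self.blocked_until = {}                       # dst host -> time block expires
        self.aggressive = False                       # currently deleting half-open sessions
        self.deleted = 0                              # sessions torn down by the tracker
        self._ids = itertools.count(1)

    def _per_host(self, host):
        return sum(1 for h in self.half_open.values() if h == host)

    def _delete_oldest(self, host=None):
        for sid, h in self.half_open.items():
            if host is None or h == host:
                del self.half_open[sid]
                self.deleted += 1
                return

    def syn(self, dst_host, now):
        """A new connection request (unestablished session) toward dst_host at
        time `now` in seconds. Returns 'blocked' or the new session id."""
        if self.blocked_until.get(dst_host, 0) > now:
            return 'blocked'                          # host still inside block time
        if self._per_host(dst_host) >= self.max_per_host:
            if self.block_seconds == 0:
                # Blocking interval 0: drop the oldest half-open session to the
                # host so the per-host count never exceeds the limit.
                self._delete_oldest(dst_host)
            else:
                # Blocking interval > 0: tear down every half-open session to the
                # host and refuse new requests until the interval expires.
                for sid in [s for s, h in self.half_open.items() if h == dst_host]:
                    del self.half_open[sid]
                    self.deleted += 1
                self.blocked_until[dst_host] = now + self.block_seconds
                return 'blocked'
        if self.aggressive:
            self._delete_oldest()                     # one old session per new request
        sid = next(self._ids)
        self.half_open[sid] = dst_host
        if len(self.half_open) > self.start:          # crossed the start threshold
            self.aggressive = True
            self._delete_oldest()
        return sid

    def established(self, sid):
        """Handshake completed (or session closed): no longer half-open.
        Aggressive mode ends only once the count falls below the stop threshold."""
        self.half_open.pop(sid, None)
        if self.aggressive and len(self.half_open) < self.stop:
            self.aggressive = False
```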


Related Topics

Understanding Inspection Rules

Configuring Inspection Rules

Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices