Cisco IOS Security Configuration Guide: Securing the Data Plane, Release 12.4T
Zone-Based Policy Firewall

First Published: February 22, 2006
Last Updated: October 2, 2009

This module describes the Cisco IOS unidirectional firewall policy between groups of interfaces known as zones. Previously, Cisco IOS firewalls were configured as an inspect rule only on interfaces. Traffic entering or leaving the configured interface was inspected based on the direction in which the inspect rule was applied.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Zone-Based Policy Firewall" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Zone-Based Policy Firewall

Restrictions for Zone-Based Policy Firewall

Information About Zone-Based Policy Firewall

How to Configure Zone-Based Policy Firewall

Configuration Examples for Zone-Based Policy Firewall

Additional References

Feature Information for Zone-Based Policy Firewall

Prerequisites for Zone-Based Policy Firewall

Before you create zones, think about what should constitute the zones. The general guideline is that you should group together interfaces that are similar when they are viewed from a security perspective.

The Wide Area Application Services (WAAS) and Cisco IOS firewall interoperability capability applies only on the Cisco IOS Zone-Based Policy Firewall in Release 12.4(11)T2 and later releases. The Cisco IOS firewall that preceded Release 12.4(11)T2 does not incorporate the Cisco WAAS interoperability enhancement.

Restrictions for Zone-Based Policy Firewall

If a configuration includes both security zones and inspect rules on interfaces (the old methodology), the configuration may work, but that type of configuration is not recommended.

The cumulative counters in the show policy-map type inspect zone-pair command output do not increment for match statements in a nested class-map configuration in Cisco IOS Releases 12.4(20)T and 12.4(15)T. The problem with the counters exists regardless of whether the top-level class map uses the match-any or match-all keyword. See the "Protocol Match Data Not Incrementing for a Class Map: Example" section for more information.

In Cisco IOS Release 12.4(15)T only, if SMTP is currently configured for inspection in a class map and the inspection of ESMTP needs to be configured, then the no match protocol smtp command must be entered before adding the match protocol smtp extended command. To revert to regular SMTP inspection, use the no match protocol smtp extended command and then enter the match protocol smtp command.

If these commands are not configured in the proper order in this particular release, then the following error displays:

%Cannot add this filter.Remove match protocol smtp filter and then add this filter

In a WAAS and Cisco IOS firewall configuration, all packets processed by a Wide Area Application Engine (WAE) device must go through the Cisco IOS firewall in both directions to support the Web Cache Coordination Protocol (WCCP) generic routing encapsulation (GRE) redirect. This is because Layer 2 redirect is not available in Release 12.4T. If Layer 2 redirect is configured on the WAE, the system defaults to the GRE redirect to continue to function.

In a WAAS and Cisco IOS firewall configuration, WCCP does not support traffic redirection using policy-based routing (PBR).

Information About Zone-Based Policy Firewall

To configure a zone-based policy firewall, you should understand the following concepts:

Top Level Class Maps and Policy Maps

Application Specific Class Maps and Policy Maps

Zones

Security Zones

Zone-Pairs

Zones and Inspection

Zones and ACLs

Zones and VRF Aware Firewall

Zones and Transparent Firewall

Overview of Security Zone Firewall Policies

Class Maps and Policy Maps for Zone-Based Policy Firewalls

Parameter Maps

WAAS Support for the Cisco IOS Firewall

Out-of-Order Packet Processing Support in Zone-Based Firewall Application

Intrazone Support in Zone-Based Firewall Application

Top Level Class Maps and Policy Maps

Top-level class maps allow you to identify the traffic stream at a high level. This is accomplished by using the match access-group and match protocol commands. These class maps cannot be used to classify traffic at the application level (the Layer 7 level). Top-level class maps are also referred to as Layer 3 and Layer 4 class maps.

Top-level policy maps allow you to define high-level actions such as inspect, drop, pass, and urlfilter. You can attach the maps to a target (zone-pair). The maps can contain "child" policies that are also known as application-specific Layer 7 policies.


Note Only inspect class maps can be used in inspect policy maps.


Application Specific Class Maps and Policy Maps

Application-specific class maps allow you to identify traffic based on the attributes of a given protocol. All the match conditions in these class maps are specific to an application (for example, HTTP or SMTP). Application-specific class maps are identified by an additional subtype that generally is the protocol name (HTTP or SMTP) in addition to the type inspect.

Application-specific policy maps are used to specify a policy for an application protocol. For example, if you want to drop HTTP traffic with URI lengths exceeding 256 bytes, you must configure an HTTP policy map to do that. Application-specific policy maps cannot be attached directly to a target (zone-pair). They must be configured as "child" policies in a top-level Layer 3 or Layer 4 policy map.

Zones

A zone is a group of interfaces that have similar functions or features. Zones provide a way for you to specify where a Cisco IOS firewall is applied.

For example, on a router, interfaces Ethernet 0/0 and Ethernet 0/1 may be connected to the local LAN. These two interfaces are similar because they represent the internal network, so they can be grouped into a zone for firewall configurations.

Traffic between interfaces in the same zone is not subjected to any policy. The traffic passes freely.

Firewall zones are used for security features.

Security Zones

A security zone is a group of interfaces to which a policy can be applied.

Grouping interfaces into zones involves two procedures:

Creating a zone so that interfaces can be attached to it

Configuring an interface to be a member of a given zone

By default, traffic flows among interfaces that are members of the same zone.

When an interface is a member of a security zone, all traffic to and from that interface (except traffic going to the router or initiated by the router) is dropped. To permit traffic to and from a zone-member interface, you must make that zone part of a zone-pair and then apply a policy to that zone-pair. If the policy permits traffic (via inspect or pass actions), traffic can flow through the interface.

For traffic to flow among all the interfaces in a router, all the interfaces must be a member of one security zone or another.

It is not necessary for all router interfaces to be members of security zones.

Figure 1 illustrates the following:

Interfaces E0 and E1 are members of security zone Z1.

Interface E2 is a member of security zone Z2.

Interface E3 is not a member of any security zone.

Figure 1 Security Zone Restrictions

The following situations exist:

Traffic flows freely between interfaces E0 and E1 because they are members of the same security zone (Z1).

If no policies are configured, traffic will not flow between any other interfaces (for example, E0 and E2, E1 and E2, E3 and E1, and E3 and E2).

Traffic can flow between E0 or E1 and E2 only when an explicit policy permitting traffic is configured between zone Z1 and zone Z2.

Traffic can never flow between E3 and E0/E1/E2 because E3 is not part of any security zone.

Virtual Interfaces As Members of Security Zones

A virtual template interface is a logical interface configured with generic configuration information for a specific purpose or for configuration common to specific users, plus router-dependent information. The template contains Cisco IOS interface commands that are applied to virtual access interfaces, as needed. To configure a virtual template interface, use the interface virtual-template command.

Virtual interfaces can be members of a security zone. When a virtual template interface is a member of a zone, all virtual access interfaces created from that template are members of the same zone.

Zone member information is acquired from a RADIUS server and then the dynamically created interface is made a member of that zone.

The zone-member security command puts the dynamic interface into the corresponding zone.

Zone-Pairs

A zone-pair allows you to specify a unidirectional firewall policy between two security zones.

To define a zone-pair, use the zone-pair security command. The direction of the traffic is defined by specifying a source zone and a destination zone. The source and destination zones of a zone-pair must be security zones. The same zone cannot be defined as both the source and the destination.

If desired, you can select the default self zone as either the source or the destination zone. The self zone is a system-defined zone. It does not have any interfaces as members. A zone-pair that includes the self zone, along with the associated policy, applies to traffic directed to the router or traffic generated by the router. It does not apply to traffic through the router.

The most common usage of firewalls is to apply them to traffic through a router, so you usually need at least two zones (that is, you cannot use the self zone).


Note Inspect policing is not allowed in policies that are attached to zone-pairs involving a self-zone.


To permit traffic between zone-member interfaces, you must configure a policy permitting (or inspecting) traffic between that zone and another zone. To attach a firewall policy map to the target zone-pair, use the service-policy type inspect command.

Figure 2 shows the application of a firewall policy to traffic flowing from zone z1 to zone z2, which means that the ingress interface for the traffic is a member of zone z1 and the egress interface is a member of zone z2.

Figure 2 Zone Pairs

If there are two zones and you require policies for traffic going in both directions (from z1 to z2 and z2 to z1), you must configure two zone-pairs (one for each direction).

If a policy is not configured between a pair of zones, traffic is dropped. However, it is not necessary to configure a zone-pair and a service policy solely for return traffic. Return traffic is allowed, by default, if a service policy permits the traffic in the forward direction. In the above example, it is not mandatory that you configure a zone-pair source Z2 destination Z1 solely for allowing return traffic from Z2 to Z1. The service policy on the Z1-Z2 zone-pair takes care of it.
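The zone and zone-pair configuration described in this section and in Figure 1 and Figure 2, as an added example that is not part of the original guide; interface names follow Figure 1, and the map names and inspected protocols are assumptions for illustration.

```cisco
! Added example (not from the original guide) implementing Figure 1 and
! Figure 2: E0 and E1 in zone Z1, E2 in zone Z2, E3 in no zone. Map names
! and the protocol list are assumptions for illustration.
!
! Step 1: Layer 3/Layer 4 class map. With match-any, the most specific
! protocol goes first (see "Class-Map Configuration Restriction").
class-map type inspect match-any Z1-TO-Z2-CLASS
 match protocol http
 match protocol ftp
 match protocol dns
 match protocol icmp
!
! Step 2: inspect policy map. Unmatched traffic falls into class-default,
! whose default action is drop; it is made explicit here for clarity.
policy-map type inspect Z1-TO-Z2-POLICY
 class type inspect Z1-TO-Z2-CLASS
  inspect
 class class-default
  drop
!
! Step 3: security zones.
zone security Z1
 description Internal LAN (E0, E1)
zone security Z2
 description External network (E2)
!
! Step 4: zone membership. E3 (Ethernet0/3) is deliberately left out of
! every zone, so no traffic can flow between it and E0/E1/E2.
interface Ethernet0/0
 zone-member security Z1
interface Ethernet0/1
 zone-member security Z1
interface Ethernet0/2
 zone-member security Z2
!
! Step 5: one unidirectional zone-pair, Z1 -> Z2. Return traffic for
! sessions created by the inspect action is allowed by the session state,
! so no Z2 -> Z1 zone-pair is needed for it. Traffic initiated from Z2
! toward Z1 has no zone-pair and is therefore dropped.
zone-pair security Z1-Z2 source Z1 destination Z2
 service-policy type inspect Z1-TO-Z2-POLICY
!
! Verification (privileged EXEC mode):
!   show zone security
!   show zone-pair security
!   show policy-map type inspect zone-pair Z1-Z2 sessions
```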

Zones and Inspection

Zone-based policy firewalls examine the source and destination zones from the ingress and egress interfaces for a firewall policy. It is not necessary that all traffic flowing to or from an interface be inspected; you can designate that individual flows in a zone-pair be inspected through the policy map that you apply across the zone-pair. The policy map contains class maps that specify the individual flows.

For example, you can specify a policy map that performs HTTP URL filtering for hosts on 192.168.1.0/24 (engineers), but only does plain HTTP inspection for 192.168.2.0/24 (managers), for inside-to-outside traffic.

This results in two flows (192.168.1.0/24 to any, 192.168.2.0/24 to any), and you can apply different inspect parameters to the flows to configure the desired different behaviors. Zone-based policy firewalls allow inside-to-internet traffic (source zone inside and destination zone outside).

You can also configure inspect parameters like Transmission Control Protocol (TCP) thresholds and timeouts on a per-flow basis.

Zones and ACLs

Pinholes are not punched for return traffic in interface ACLs.

ACLs applied to interfaces that are members of zones are processed before the policy is applied on the zone-pair. So, you must relax interface ACLs when there are policies between zones so that they do not interfere with the policy firewall traffic.

Zones and VRF Aware Firewall

Cisco IOS firewall is VRF aware. It handles IP address overlap across different VRFs, separate thresholds and timeouts for VRFs, and so forth. All interfaces in a zone must belong to the same VRF.

You should not group interfaces from different VRFs in the same zone, because VRFs belong to different entities that typically have their own policies.

You can configure a zone-pair between two zones that contain different VRFs, as shown in Figure 3.

When multiple VRFs are configured on a router and an interface provides common services to all the VRFs (for example, internet service), you should place that interface in a separate zone. You can then define policies between the common zone and other zones. (There can be one or more zones per VRF.)

Figure 3 Zones and VRF

In Figure 3, the interface providing common services is a member of the zone "common." All of VRF A is in a single zone, vrf_A. VRF B, which has multiple interfaces, is partitioned into multiple zones vrf_B_1 and vrf_B_2. Zone Z1 does not have VRF interfaces. You can specify policies between each of these zones and the common zone. Additionally, you can specify policies between each of the zones vrf_A, vrf_B_n and Z1 if VRF route export is configured and the traffic patterns make sense. You can configure a policy between zones vrf_A and vrf_B_1, but be sure that traffic can actually flow between them.

There is no need to specify the global thresholds and timers on a per-VRF basis. Instead, parameters are supplied to the inspect action through a parameter map.

Zones and Transparent Firewall

The Cisco IOS firewall supports transparent firewalls where the interfaces are placed in bridging mode and IP firewalling is performed on the bridged traffic.

To configure a transparent firewall, use the bridge command to enable the bridging of a specified protocol in a specified bridge and the zone-member security command to attach an interface to a zone. The bridge command on the interface indicates that the interface is in bridging mode.

A bridged interface can be a member of a zone. In a typical case, the Layer 2 domain is partitioned into zones and a policy is applied the same way as for Layer 3 interfaces.

Transparent Firewall Restriction for P2P Inspection

A Cisco IOS firewall uses Network Based Application Recognition (NBAR) for peer-to-peer (P2P) protocol classification and policy enforcement. NBAR is not available for bridged packets; thus, P2P packet inspection is not supported for firewalls with transparent bridging.

Overview of Security Zone Firewall Policies

A class is a way of identifying a set of packets based on their contents. Normally you define a class so that you can apply an action on the identified traffic that reflects a policy. A class is designated via class maps.

An action is a specific functionality. It typically is associated with a traffic class. For example, inspect, drop, pass, and police are actions.

To create firewall policies, you should complete the following tasks:

Define a match criteria (class map)

Associate actions to the match criteria (policy map)

Attach the policy map to a zone pair (service policy)

The class-map command creates a class map to be used for matching packets to a specified class. Packets arriving at the targets (such as the input interface, output interface, or zone-pair), determined by how the service-policy command is configured, are checked against the match criteria configured for a class map to determine if the packet belongs to that class.

The policy-map command creates or modifies a policy map that can be attached to one or more targets to specify a service policy. Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map.

Class Maps and Policy Maps for Zone-Based Policy Firewalls

Quality of Service (QoS) class maps have numerous match criteria; firewall class maps have fewer. Firewall class maps are of type inspect, and the type determines which match criteria are available under a firewall class map.

A policy is an association of traffic classes and actions. It specifies what actions should be performed on the defined traffic classes. An action is a specific function, and it is typically associated with a traffic class. For example, inspect, police, and drop are actions.

Layer 3 and Layer 4 Class Maps and Policy Maps

Layer 3 and Layer 4 class maps are used to identify traffic streams on which different actions should be performed.

A Layer 3 or Layer 4 policy map is sufficient for the basic inspection of traffic.

The following example shows how to configure class map c1 with match criteria of ACL 101 and the HTTP protocol, and create an inspect policy map named p1 to specify that packets will be dropped on the traffic at c1:

Router(config)# class-map type inspect match-all c1 
Router(config-cmap)# match access-group 101
Router(config-cmap)# match protocol http 

Router(config)# policy-map type inspect p1 
Router(config-pmap)# class type inspect c1 
Router(config-pmap-c)# drop

To create a Layer 3 or Layer 4 policy, see the section "Configuring Layer 3 and Layer 4 Firewall Policies."

Class-Map Configuration Restriction

If traffic meets multiple match criteria, the match criteria must be applied in order from most specific to least specific. For example, consider the following class map:

class-map type inspect match-any my-test-cmap
 match protocol http
 match protocol tcp

In this example, HTTP traffic must first encounter the match protocol http command to ensure that the traffic is handled by the service-specific capabilities of HTTP inspection. If the match lines were reversed so that traffic encountered the match protocol tcp command before it was compared to the match protocol http command, the traffic would simply be classified as TCP traffic and inspected according to the capabilities of the firewall's TCP inspection component. This configuration would be a problem for services such as FTP and TFTP, and for several multimedia and voice signaling services such as H.323, SIP, Skinny, and RTSP. These services require additional inspection capabilities to recognize their more complex activities.

Rate Limiting (Policing) Traffic Within a Layer 3 and Layer 4 Policy Map

Starting with Cisco IOS Release 12.4(9)T, you can issue the police command within an inspect policy to limit the number of concurrent connections allowed for applications such as Instant Messenger and P2P.

To effectively use the police command, you must also enable Cisco IOS stateful packet inspection within the inspect policy map. If you configure the police command without configuring the inspect action (via the inspect command), you will receive an error message and the police command will be rejected.

Compatibility with Existing Police Actions

Police actions provisioned in a Modular Quality of Service (QoS) Command-Line Interface (CLI) (MQC) policy map are applied as input and output policies on an interface. An inspect policy map can only be applied to a zone-pair, not an interface. The police action is enforced on traffic that traverses the zone-pair. (The direction is inherent to the specification of the zone-pair.) Thus, a QoS policy containing a police action can be present on the interfaces that make up a zone-pair, and a police action can also be present in an inspect policy map applied across the zone-pair. If both police actions are configured, the zone-pair policer is executed after the input interface policer but before the output interface policer. There is no interaction between the QoS and the inspect policers.

Police Restrictions

The police action is not allowed in policies that are attached to zone pairs involving a "self" zone. If you want to perform this task, you should use control plane policing.

Policing can only be specified in Layer 3 and Layer 4 policy maps; it cannot be specified in Layer 7 policy maps.

Layer 7 Class Maps and Policy Maps

Layer 7 class maps can be used in inspect policy maps only for deep packet inspection (DPI).

To create a Layer 7 class map, use the class-map type inspect command for the desired protocol. For example, for the HTTP protocol you would enter the class-map type inspect http command.

The type of class map (for example, HTTP) determines the match criteria that you can use. For example, if you want to specify HTTP traffic that contains Java applets, you must specify a "match response body java" statement in the context of an "inspect HTTP" class map.

A Layer 7 policy map provides application-level inspection of traffic. The policy map can include class maps only of the same type.

The DPI functionality is delivered through Layer 7 class maps and policy maps.

To create a Layer 7 policy map, specify the protocol in the applicable policy-map type inspect command. For example, to create a Layer 7 HTTP policy map, use the policy-map type inspect http command. In that command there is an argument where you enter the HTTP policy-map name.

If you do not specify a protocol name (for example, you use the policy-map type inspect command), you will be creating a Layer 3 or Layer 4 policy map, which can only be an inspect type policy map.

A Layer 7 policy map must be contained in a Layer 3 or Layer 4 policy map; it cannot be attached directly to a target. To attach a Layer 7 policy map to a top-level policy map, use the service-policy (policy-map) command and specify the application name (that is, HTTP, IMAP, POP3, SMTP, or SUNRPC). The parent class for a Layer 7 policy should have an explicit match criterion that matches only one Layer 7 protocol before the policy is attached.

Because the Layer 7 policy map sits at the lower level, you must specify the inspect action at the parent level before attaching the Layer 7 policy map.

Layer 7 Supported Protocols

You can create Layer 7 class maps and policy maps for the following protocols:

America Online (AOL) Instant Messenger (IM) protocol

eDonkey P2P protocol

FastTrack traffic P2P protocol

Gnutella Version 2 traffic P2P protocol

H.323 VoIP Protocol Version 4

HTTP—The protocol used by web browsers and web servers to transfer files, such as text and graphic files.

Internet Message Access Protocol (IMAP)—Method of accessing e-mail or bulletin board messages kept on a mail server that can be shared.

I Seek You (ICQ) IM Protocol

Kazaa Version 2 P2P protocol

MSN Messenger IM protocol

Post Office Protocol, Version 3 (POP3)—Protocol that client e-mail applications use to retrieve mail from a mail server.

SIP—Session Initiation Protocol

SMTP—Simple Mail Transfer Protocol

SUNRPC—Sun RPC (Remote Procedure Call)

Windows Messenger IM Protocol

Yahoo IM protocol

For information on configuring a Layer 7 class map and policy map (policies), see the section "Configuring Layer 7 Firewall Policies."

Class-Default Class Map

In addition to user-defined classes, there is a system-defined class map named class-default that represents all packets that do not match any of the user-defined classes in a policy. It always is the last class in a policy map.

You can define explicit actions for this group of packets. If you do not configure any actions for class-default in an inspect policy, the default action is drop.

The following example shows how to use class-default in a policy map. In this example, HTTP traffic is dropped and the remaining traffic is inspected. Class map c1 is defined for HTTP traffic, and class-default is used in policy map p1.

Router(config)# class-map type inspect match-all c1 
Router(config-cmap)# match protocol http 

Router(config)# policy-map type inspect p1 
Router(config-pmap)# class type inspect c1 
Router(config-pmap-c)# drop 
Router(config-pmap)# class class-default 
Router(config-pmap-c)# inspect 

Hierarchical Policy Maps

A policy can be nested within a policy. A policy that contains a nested policy is called a hierarchical policy.

To create a hierarchical policy, attach a policy directly to a class of traffic. A hierarchical policy contains a child and a parent policy. The child policy is the previously defined policy that is associated with the new policy through the use of the service-policy command. The new policy that uses the pre-existing policy is the parent policy.


Note There can be a maximum of two levels in a hierarchical inspect service-policy.


Parameter Maps

A parameter map allows you to specify parameters that control the behavior of actions and match criteria specified under a policy map and a class map, respectively.

There are currently three types of parameter maps:

Inspect parameter map

An inspect parameter map is optional. If you do not configure a parameter map, the software uses default parameters. Parameters associated with the inspect action apply to all nested actions (if any). If parameters are specified in both the top and lower levels, those in the lower levels override those in the top levels.

URL Filter parameter map

A parameter map is required for URL filtering (through the URL Filter action in a Layer 3 or Layer 4 policy map and the URL Filter parameter map).

Protocol-specific parameter map

A parameter map is required for an Instant Messenger application (Layer 7) policy map.
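The two-level hierarchical policy described in the "Layer 7 Class Maps and Policy Maps", "Hierarchical Policy Maps" and "Parameter Maps" sections, as an added example that is not part of the original guide; all map, zone and interface names and the threshold values are assumptions for illustration.

```cisco
! Added example (not from the original guide): a two-level hierarchical
! inspect policy. The parent Layer 3/Layer 4 policy inspects HTTP using
! its own inspect parameter map; an HTTP (Layer 7) child policy resets
! connections whose request URI exceeds 256 bytes, the case described
! under "Application Specific Class Maps and Policy Maps". Names and
! threshold values are assumptions for illustration.
!
! Inspect parameter map. Attached to the inspect action of the HTTP class
! below, so its values override the global defaults only for that class
! (lower-level parameters override top-level ones).
parameter-map type inspect HTTP-PARAMS
 tcp idle-time 600
 max-incomplete high 400
 max-incomplete low 300
 audit-trail on
!
! Layer 7 class map. The subtype (http) selects the match criteria that
! are available; a Layer 3/Layer 4 class map could not express this.
class-map type inspect http match-any HTTP-LONG-URI
 match request uri length gt 256
!
! Layer 7 policy map. It may contain only class maps of the same type
! (http) and cannot be attached directly to a zone-pair.
policy-map type inspect http HTTP-L7-POLICY
 class type inspect http HTTP-LONG-URI
  reset
  log
!
! Parent Layer 3/Layer 4 class map: exactly one Layer 7 protocol, as
! required for a class that carries a Layer 7 child policy.
class-map type inspect match-all HTTP-TRAFFIC
 match protocol http
!
! Parent Layer 3/Layer 4 policy map. The inspect action (with its
! parameter map) is configured on the parent class before the Layer 7
! child is attached with service-policy; this is the second and last
! allowed level of the hierarchy.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect HTTP-TRAFFIC
  inspect HTTP-PARAMS
  service-policy http HTTP-L7-POLICY
 class class-default
  drop
!
! Zones and the zone-pair that carries the parent policy.
zone security inside
zone security outside
interface GigabitEthernet0/0
 zone-member security inside
interface GigabitEthernet0/1
 zone-member security outside
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect INSIDE-TO-OUTSIDE
```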

WAAS Support for the Cisco IOS Firewall

The WAAS firewall software, which was introduced in Cisco IOS Release 12.4(15)T, provides an integrated firewall that optimizes security-compliant WANs and application acceleration solutions with the following benefits:

Optimizes a WAN through full stateful inspection capabilities

Simplifies Payment Card Industry (PCI) compliance

Protects transparent WAN accelerated traffic

Integrates WAAS networks transparently

Supports the Network Management Equipment (NME) WAE modules or standalone WAAS device deployment

WAAS has an automatic discovery mechanism that uses TCP options during the initial three-way handshake to identify WAE devices transparently. After automatic discovery, optimized traffic flows (paths) experience a change in the TCP sequence number to allow endpoints to distinguish between optimized and nonoptimized traffic flows.


Note Paths are synonymous with connections.


WAAS allows the Cisco IOS firewall to automatically discover optimized traffic and to accept the sequence number change without compromising the stateful Layer 4 inspection of TCP traffic flows; the firewall's internal TCP state variables for those flows are adjusted for the presence of WAE devices.

If the Cisco IOS firewall notices that a traffic flow has successfully completed WAAS automatic discovery, it permits the initial sequence number shift for the traffic flow and maintains the Layer 4 state on the optimized traffic flow.


Note Stateful Layer 7 inspection on the client side can also be performed on nonoptimized traffic.


WAAS Traffic Flow Optimization Deployment Scenarios

The following sections describe three different WAAS traffic flow optimization scenarios for branch office deployments. WAAS traffic flow optimization works with the Cisco IOS firewall feature on a Cisco Integrated Services Router (ISR).

WAAS Branch Deployment with an Off-Path Device

WAAS Branch Deployment with an Inline Device

Figure 4 shows an example of an end-to-end WAAS traffic flow optimization with the Cisco IOS firewall. In this particular deployment, an NME-WAE device is on the same router as the Cisco IOS firewall. WCCP is used to redirect traffic for interception.

Figure 4 End-to-End WAAS Optimization Path

WAAS Branch Deployment with an Off-Path Device

A WAE device can be either an NME-WAE that is installed on an ISR as an integrated service engine (as shown in Figure 4) or a standalone WAE device.

Figure 5 shows a WAAS branch deployment that uses WCCP to redirect traffic to an off-path, standalone WAE device for traffic interception. The configuration for this option is the same as the WAAS branch deployment with an NME-WAE.

Figure 5 WAAS Off-Path Branch Deployment

WAAS Branch Deployment with an Inline Device

Figure 6 shows a WAAS branch deployment that has an inline WAE device that is physically in front of the ISR router. Since the WAE device is in front of the router, Layer 7 inspection on the client side is not supported because the Cisco IOS firewall receives WAAS optimized packets.

Figure 6 WAAS Inline Path Branch Deployment

An edge WAAS device with the Cisco IOS firewall is deployed at branch office sites that must inspect traffic moving to and from the WAN connection. The Cisco IOS firewall monitors traffic for optimization indicators (TCP options and the subsequent TCP sequence number changes) and allows optimized traffic to pass, while still applying Layer 4 stateful inspection and deep packet inspection to all traffic; security is maintained while the WAAS optimization advantages are preserved.


Note If the WAE device is in the inline location, the device enters its bypass mode after the automatic discovery process. Although the router is not directly involved in WAAS optimization, the router must be aware that WAAS optimization is applied to the traffic in order to apply the Cisco IOS firewall inspection to network traffic and make allowances for optimization activity if optimization indicators are present.


Out-of-Order Packet Processing Support in Zone-Based Firewall Application

Out-of-Order (OoO) packet processing support for the Common Classification Engine (CCE) firewall application, and for the CCE adoption of the Intrusion Prevention System (IPS), buffers TCP packets that arrive out of order and reassembles them in the correct order before inspection. Without it, out-of-order packets in a Layer 7 inspected flow are dropped and must be retransmitted; OoO support therefore reduces retransmissions and the bandwidth they consume. To configure OoO support, use the parameter-map type ooo global command.


Note IPS sessions use OoO parameters configured using the parameter-map type ooo global command.



Note OoO processing is not supported for Simple Mail Transfer Protocol (SMTP), because SMTP inspection supports the masking action, which requires packet modification.


OoO packet processing support is enabled by default when a layer 7 policy is configured for Deep Packet Inspection (DPI) for the following protocols:

AOL IM protocol

eDonkey P2P protocol

FastTrack traffic P2P protocol

Gnutella Version 2 traffic P2P protocol

H.323 VoIP Protocol Version 4

HTTP—The protocol used by web browsers and web servers to transfer files, such as text and graphic files.

IMAP—Method of accessing e-mail or bulletin board messages kept on a mail server that can be shared.

ICQ IM Protocol

Kazaa Version 2 P2P protocol

MSN Messenger IM protocol

POP3—Protocol that client e-mail applications use to retrieve mail from a mail server.

SIP—Session Initiation Protocol (VoIP signaling)

SUNRPC—Sun RPC (Remote Procedure Call)

Windows Messenger IM Protocol

Yahoo IM protocol

For information on configuring a Layer 7 class map and policy map (policies), see the section "Configuring Layer 7 Firewall Policies."

Intrazone Support in Zone-Based Firewall Application

Intrazone support allows a single zone to include interfaces on different networks (for example, users inside and outside a campus network) and enables inspection of traffic between hosts that belong to the same zone but to different networks. Before Cisco IOS Release 15.0(1)M, traffic within a zone was permitted without inspection by default. To configure intrazone inspection, use the zone-pair security command to define a zone-pair whose source and destination are the same zone; a policy map can then be attached to that zone-pair so that traffic within the zone is inspected.

How to Configure Zone-Based Policy Firewall

This section contains the following configuration tasks:

Configuring Layer 3 and Layer 4 Firewall Policies (required)

Configuring a Parameter Map (required)

Configuring OoO Packet Processing Support in Zone Based Firewall Application (optional)

Configuring Intrazone Support in Zone Based Firewall Application (optional)

Configuring Layer 7 Firewall Policies (optional)

Creating Security Zones, Zone-Pairs, and Attaching a Policy Map to a Zone-Pair (required)

Configuring the Cisco IOS Firewall with WAAS and WCCP

Configuring Layer 3 and Layer 4 Firewall Policies

Layer 3 and Layer 4 policies are "top level" policies that are attached to the target (zone-pair). Use the following tasks to configure Layer 3 and Layer 4 firewall policies:

Configuring a Class Map for a Layer 3 and Layer 4 Firewall Policy

Creating a Policy Map for a Layer 3 and Layer 4 Firewall Policy

Configuring a Class Map for a Layer 3 and Layer 4 Firewall Policy

Use this task to configure a class map for classifying network traffic.


Note You must perform at least one match step from Step 4, 5, or 6.


When packets match an access group, a protocol, or a nested class map, a traffic rate is computed for those packets. In a zone-based firewall policy, only the first packet of a flow, the one that creates the session, is matched against the policy. Subsequent packets in the flow do not match the filters in the configured policy but match the session directly; their statistics are reported under the inspect action.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect [match-any | match-all] class-map-name

4. match access-group {access-group | name access-group-name}

5. match protocol protocol-name [signature]

6. match class-map class-map-name

7. show policy-map type inspect zone-pair session

8. exit

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect [match-any | match-all] class-map-name

Example:

Router(config)# class-map type inspect match-all c1

Creates a Layer 3 or Layer 4 inspect type class map.

Enters class-map configuration mode.

Step 4 

match access-group {access-group | name access-group-name}

Example:

Router(config-cmap)# match access-group 101

Configures the match criteria for a class map based on the ACL name or number.

Step 5 

match protocol protocol-name [signature]

Example:

Router(config-cmap)# match protocol http

Configures the match criteria for a class map on the basis of a specified protocol.

Only Cisco IOS stateful packet inspection supported protocols can be used as match criteria in inspect type class maps.

signature—Signature-based classification for peer-to-peer (P2P) packets is enabled.

Step 6 

match class-map class-map-name

Example:

Router(config-cmap)# match class-map c1

Specifies a previously defined class as the match criteria for a class map.

Step 7 

show policy-map type inspect zone-pair session

Example:

Router(config-cmap)# do show policy-map type inspect zone-pair session

(Optional) Displays the Cisco IOS stateful packet inspection sessions created because of the policy-map application on the specified zone pair.

Note The rate shown under the class-map field is the traffic rate (bits per second) of connection-initiating traffic only. Unless the connection setup rate is high and sustained over several of the intervals over which the rate is computed, the value shown is negligible.

Step 8 

exit

Example:

Router(config-cmap)# exit

Returns to global configuration mode.

Creating a Policy Map for a Layer 3 and Layer 4 Firewall Policy

Use this task to create a policy map for a Layer 3 and Layer 4 firewall policy that will be attached to zone-pairs.


Note If you are creating an inspect type policy map, note that only the following actions are allowed: drop, inspect, police, pass, service-policy, and urlfilter.



Note You must perform at least one of Steps 5, 7, 8, 9, or 10 (an action) for the class.


SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect policy-map-name

4. class type inspect class-name

5. inspect [parameter-map-name]

6. police rate bps burst size

7. drop [log]

8. pass

9. service-policy {http | im | imap | p2p | pop3 | smtp | sunrpc | urlfilter} policy-map-name

10. urlfilter parameter-map-name

11. exit

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect policy-map-name

Example:

Router(config)# policy-map type inspect p1

Creates a Layer 3 and Layer 4 inspect type policy map.

Enters policy-map configuration mode.

Step 4 

class type inspect class-name

Example:

Router(config-pmap)# class type inspect c1

Specifies the traffic (class) on which an action is to be performed.

Step 5 

inspect [parameter-map-name]

Example:

Router(config-pmap-c)# inspect inspect-params

Enables Cisco IOS stateful packet inspection.

Step 6 

police rate bps burst size

Example:

Router(config-pmap-c)# police rate 2000 burst 3000

(Optional) Limits traffic matching within a firewall (inspect) policy.

Step 7 

drop [log]

Example:

Router(config-pmap-c)# drop

(Optional) Drops packets that are matched with the defined class.

Note The drop action is mutually exclusive with both pass and inspect; you cannot configure drop together with either of them in the same class.

Step 8 

pass

Example:

Router(config-pmap-c)# pass

(Optional) Allows packets that are matched with the defined class.

Step 9 

service-policy {http | im | imap | p2p | pop3 | smtp | sunrpc | urlfilter} policy-map-name

Example:

Router(config-pmap-c)# service-policy http p-http

(Optional) Nests a Layer 7 (application-specific) inspect policy map under this class, creating a hierarchical policy. The class must also carry the inspect action, and the nested policy map must be of the type named by the keyword (for example, policy-map type inspect http). A top-level Layer 3 and Layer 4 policy map is attached to a zone-pair with the service-policy type inspect command in zone-pair configuration mode, not here.

Step 10 

urlfilter parameter-map-name

Example:

Router(config-pmap-c)# urlfilter param1

(Optional) Enables Cisco IOS firewall URL filtering.

Step 11 

exit

Example:

Router(config-pmap-c)# exit

Returns to policy-map configuration mode.
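The two tasks above (class map and policy map) carried through end to end, as an added configuration example that is not part of the original page. It also includes the zone and zone-pair commands from the later task "Creating Security Zones, Zone-Pairs, and Attaching a Policy Map to a Zone-Pair", because a policy map does nothing until it is attached. Zone names, class and policy names, ACL names, interfaces and addresses are assumptions.

```cisco
! Assumed addressing: inside hosts live in 10.10.0.0/16
ip access-list extended INSIDE-HOSTS
 permit ip 10.10.0.0 0.0.255.255 any

! IPsec transit traffic (ISAKMP and ESP) that the firewall should forward
! without building state
ip access-list extended IPSEC-TRANSIT
 permit udp any any eq isakmp
 permit esp any any

! match-any: a packet matches if it carries any one of these protocols
class-map type inspect match-any C-ALLOWED-PROTOCOLS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp

! match-all: source must be in INSIDE-HOSTS AND the protocol must be
! allowed (nested class map, Step 6 of the class-map task)
class-map type inspect match-all C-INSIDE-TO-OUTSIDE
 match access-group name INSIDE-HOSTS
 match class-map C-ALLOWED-PROTOCOLS

class-map type inspect match-all C-IPSEC
 match access-group name IPSEC-TRANSIT

! Top-level policy: only the first packet of a flow is classified here;
! later packets match the session that the inspect action created
policy-map type inspect P-INSIDE-TO-OUTSIDE
 class type inspect C-INSIDE-TO-OUTSIDE
  inspect
 class type inspect C-IPSEC
  pass
 class class-default
  drop log

! pass is stateless and one-directional: the reverse zone-pair needs
! its own pass class, or ESP replies from the WAN are dropped
policy-map type inspect P-OUTSIDE-TO-INSIDE
 class type inspect C-IPSEC
  pass
 class class-default
  drop log

zone security INSIDE
zone security OUTSIDE

zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect P-INSIDE-TO-OUTSIDE
zone-pair security OUTSIDE-TO-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect P-OUTSIDE-TO-INSIDE

interface GigabitEthernet0/0
 description LAN (assumed)
 zone-member security INSIDE
interface GigabitEthernet0/1
 description WAN (assumed)
 zone-member security OUTSIDE
```

With traffic flowing, show policy-map type inspect zone-pair session lists the sessions that the inspect action created; the pass class never appears there because it creates no state. Leaving class-default at drop log is the safe default: anything not explicitly classified is dropped and logged rather than silently allowed.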

Configuring a Parameter Map

Depending on your policy, you can configure either an inspect, URL filter, or protocol-specific type parameter map. If you are configuring a URL filter type or protocol-specific type policy, you must configure a parameter map, as appropriate. However, a parameter map is optional if you are using an inspect type policy.


Note Changes to the parameter map are not reflected on connections already established through the firewall. Changes are applicable only to new connections permitted to the firewall. To ensure that your firewall enforces policies strictly, clear all the connections allowed in the firewall after you change the parameter map. To clear existing connections, use the clear zone-pair inspect sessions command.


Use one of the following tasks to configure a parameter map:

Creating an Inspect Parameter Map

Creating a URL Filter Parameter Map

Configuring a Protocol-Specific Parameter Map

Creating an Inspect Parameter Map

Use this task to create an inspect type parameter map.

SUMMARY STEPS

1. enable

2. configure terminal

3. parameter-map type inspect parameter-map-name

4. alert {on | off}

5. audit-trail {on | off}

6. dns-timeout seconds

7. icmp idle-timeout seconds

8. max-incomplete {low number-of-connections | high number-of-connections}

9. one-minute {low number-of-connections | high number-of-connections}

10. sessions maximum sessions

11. tcp finwait-time seconds

12. tcp idle-time seconds

13. tcp max-incomplete host threshold [block-time minutes]

14. tcp synwait-time seconds

15. tcp window-scale-enforcement loose

16. udp idle-time seconds

17. exit

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

parameter-map type inspect parameter-map-name

Example:

Router(config)# parameter-map type inspect eng-network-profile

Configures an inspect parameter map that holds connection thresholds, timeouts, and other parameters pertaining to the inspect action.

Enters parameter-map type inspect configuration mode.

Step 4 

alert {on | off}

Example:

Router(config-profile)# alert on

(Optional) Turns Cisco IOS stateful packet inspection alert messages, which are displayed on the console, on or off.

Step 5 

audit-trail {on | off}

Example:

Router(config-profile)# audit-trail on

(Optional) Turns audit trail messages on or off.

Step 6 

dns-timeout seconds

Example:

Router(config-profile)# dns-timeout 60

(Optional) Specifies the domain name system (DNS) idle timeout (the length of time for which a DNS lookup session will continue to be managed while there is no activity).

Step 7 

icmp idle-timeout seconds

Example:

Router(config-profile)# icmp idle-timeout 90

(Optional) Configures the timeout for Internet Control Message Protocol (ICMP) sessions.

Step 8 

max-incomplete {low number-of-connections | high number-of-connections}

Example:

Router(config-profile)# max-incomplete low 800

Router(config-profile)# max-incomplete high 10000

(Optional) Defines the numbers of existing half-open sessions at which the Cisco IOS firewall starts (high) and stops (low) deleting half-open sessions.

Step 9 

one-minute {low number-of-connections | high number-of-connections}

Example:

Router(config-profile)# one-minute low 300

Router(config-profile)# one-minute high 400

(Optional) Defines the rates of new unestablished (half-open) sessions per minute at which the firewall starts (high) and stops (low) deleting half-open sessions.

Step 10 

sessions maximum sessions

Example:

Router(config-profile)# sessions maximum 200

(Optional) Sets the maximum number of allowed sessions that can exist on a zone-pair. You may want to use this command to limit the bandwidth used by the sessions.

sessions—Maximum number of allowed sessions. Range: 1 to 2147483647.

Step 11 

tcp finwait-time seconds

Example:

Router(config-profile)# tcp finwait-time 5

(Optional) Specifies how long a TCP session will be managed after the Cisco IOS firewall detects a FIN-exchange.

Step 12 

tcp idle-time seconds

Example:

Router(config-profile)# tcp idle-time 90

(Optional) Configures the timeout for TCP sessions.

Step 13 

tcp max-incomplete host threshold [block-time minutes]

Example:

Router(config-profile)# tcp max-incomplete host 500 block-time 10

(Optional) Specifies threshold and blocking time values for TCP host-specific DoS detection and prevention.

Step 14 

tcp synwait-time seconds

Example:

Router(config-profile)# tcp synwait-time 3

(Optional) Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.

Step 15 

tcp window-scale-enforcement loose

Example:

Router(config-profile)# tcp window-scale-enforcement loose

(Optional) Relaxes the TCP window scale option check so that a TCP packet carrying an invalid window scale option is not dropped by the zone-based firewall.

Step 16 

udp idle-time seconds

Example:

Router(config-profile)# udp idle-time 75

(Optional) Configures the idle timeout of User Datagram Protocol (UDP) sessions going through the firewall.

Step 17 

exit

Example:

Router(config-profile)# exit

Returns to global configuration mode.
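The inspect parameter map task above as an added configuration example (not from the original page), tuned as a WAN-edge DoS profile and then referenced from an inspect action. Names and threshold values are assumptions chosen to show how the high and low thresholds relate; the timers are deliberately tighter than the defaults.

```cisco
parameter-map type inspect PM-WAN-EDGE
 alert on
 audit-trail on
 ! Half-open session protection: start deleting the oldest half-open
 ! sessions at 1000 and stop once the count falls back under 800
 max-incomplete high 1000
 max-incomplete low 800
 ! The same protection on the rate of new half-open sessions per minute
 one-minute high 500
 one-minute low 400
 ! Per-destination-host SYN flood protection: after 100 half-open
 ! sessions to one host, block new ones to that host for 5 minutes
 tcp max-incomplete host 100 block-time 5
 ! Timers: short SYN wait, bounded idle timers, five seconds after FIN
 tcp synwait-time 10
 tcp finwait-time 5
 tcp idle-time 1800
 udp idle-time 60
 icmp idle-timeout 10
 dns-timeout 5
 ! Hard cap on concurrent sessions created by this inspect action
 sessions maximum 20000

! Reference the parameter map from the inspect action (assumed class
! and policy names)
class-map type inspect match-any C-WEB
 match protocol http
 match protocol https
policy-map type inspect P-INSIDE-TO-OUTSIDE
 class type inspect C-WEB
  inspect PM-WAN-EDGE
 class class-default
  drop log
```

Verify the values with show parameter-map type inspect PM-WAN-EDGE. Because changes apply only to new connections, follow a threshold change with clear zone-pair inspect sessions if the new limits must take effect immediately.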

Creating a URL Filter Parameter Map

To create a URL filter parameter map, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. parameter-map type urlfilter parameter-map-name

4. alert {on | off}

5. allow-mode {on | off}

6. audit-trail {on | off}

7. cache number

8. exclusive-domain {deny | permit} domain-name

9. max-request number-of-requests

10. max-resp-pak number-of-requests

11. server vendor {n2h2 | websense} {ip-address | hostname [port port-number]} [outside] [log] [retrans retransmission-count] [timeout seconds]

12. source-interface interface-name

13. exit

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

parameter-map type urlfilter parameter-map-name

Example:

Router(config)# parameter-map type urlfilter eng-network-profile

Creates or modifies a parameter map for URL filtering parameters.

Enters URL parameter-map configuration mode.

Note This command is hidden in releases later than Cisco IOS Release 12.4(20)T, but it continues to work. The parameter-map type urlfpolicy command can be used instead; it creates URL filtering parameters for local, Trend Micro, and Websense Internet filtering and for the N2H2 Internet blocking program. From Cisco IOS Release 12.4(20)T, we recommend the URL filter policy over the URL filter action; all use cases supported by the URL filter action are also supported by the URL filter policy. See the "Configuring a URL Filter Policy" section for more information.

Step 4 

alert {on | off}

Example:

Router(config-profile)# alert on

(Optional) Turns the alert messages that are displayed on the console on or off.

Step 5 

allow-mode {on | off}

Example:

Router(config-profile)# allow-mode on

(Optional) Sets the behavior when the URL filter server is unreachable: allow-mode on lets HTTP requests pass unfiltered (fail open); allow-mode off, the default, blocks them (fail closed).

Step 6 

audit-trail {on | off}

Example:

Router(config-profile)# audit-trail on

(Optional) Turns audit trail messages on or off.

Step 7 

cache number

Example:

Router(config-profile)# cache 5

(Optional) Sets the maximum number of entries in the cache of HTTP server IP addresses that the URL filter maintains, so that repeat requests to a server the filter server has already answered for need not be looked up again.

Step 8 

exclusive-domain {deny | permit} domain-name

Example:

Router(config-profile)# exclusive-domain permit cisco.com

(Optional) Adds a domain name to, or removes it from, the exclusive domain list. Requests for listed domains are permitted or denied locally, so the Cisco IOS firewall does not have to send lookup requests for them to the vendor server.

Step 9 

max-request number-of-requests

Example:

Router(config-profile)# max-request 80

(Optional) Specifies the maximum number of outstanding requests that can exist at a time.

Step 10 

max-resp-pak number-of-requests

Example:

Router(config-profile)# max-resp-pak 200

(Optional) Specifies the maximum number of HTTP responses that the Cisco IOS firewall can keep in its packet buffer.

Step 11 

server vendor {n2h2 | websense} {ip-address | hostname [port port-number]} [outside] [log] [retrans retransmission-count] [timeout seconds]

Example:

Router(config-profile)# server vendor n2h2 10.193.64.22 port 3128 outside retrans 9 timeout 8

Specifies the URL filtering server.

Note This command is mandatory; without a filter server, the rest of the URL filter configuration has no effect.

Step 12 

source-interface interface-name

Example:

Router(config-profile)# source-interface ethernet0

(Optional) Specifies the interface whose IP address is used as the source IP address while making a TCP connection to the URL filter server (Websense or N2H2).

Step 13 

exit

Example:

Router(config-profile)# exit

Returns to global configuration mode.
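The URL filter parameter map task above as an added configuration example (not from the original page), attached with the urlfilter action of a Layer 3 and Layer 4 policy map. The server address, domain names, interface and class and policy names are assumptions; 15868 is the default Websense filtering port.

```cisco
parameter-map type urlfilter PM-URLF-WEBSENSE
 ! Fail closed: if the Websense server is unreachable, block HTTP
 allow-mode off
 alert on
 audit-trail on
 ! Domains decided locally and never sent to the vendor server;
 ! a leading dot covers all subdomains
 exclusive-domain permit .intranet.example.com
 exclusive-domain deny .blocked.example.net
 ! Cached server addresses, outstanding lookups, buffered responses
 cache 5000
 max-request 500
 max-resp-pak 200
 ! The filter server sits on the inside, so no "outside" keyword;
 ! retry three times with a six second timeout
 server vendor websense 10.20.30.40 port 15868 retrans 3 timeout 6
 ! Source the lookups from the LAN interface address
 source-interface GigabitEthernet0/0

class-map type inspect match-all C-HTTP
 match protocol http
policy-map type inspect P-INSIDE-TO-OUTSIDE
 class type inspect C-HTTP
  inspect
  urlfilter PM-URLF-WEBSENSE
 class class-default
  drop log
```

The allow-mode setting is the one to think about: allow-mode on keeps users working during a filter server outage but turns the outage into an unfiltered window, so choose it deliberately rather than by default.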

Configuring a Protocol-Specific Parameter Map

Use this task to configure a Layer 7, protocol-specific parameter map.


Note Protocol-specific parameter maps can be created only for Instant Messenger applications (AOL, ICQ, MSN Messenger, Yahoo Messenger, and Windows Messenger).


Prerequisites

For the server name entries in the parameter map to resolve, DNS must be configured on the router with the ip domain name and ip name-server commands, and DNS lookups must not have been disabled (ip domain lookup).

SUMMARY STEPS

1. enable

2. configure terminal

3. parameter-map type protocol-info parameter-map-name

4. server {name string [snoop] | ip {ip-address | range ip-address-start ip-address-end}}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

parameter-map type protocol-info parameter-map-name

Example:

Router(config)# parameter-map type protocol-info ymsgr

Defines an application-specific parameter map.

Enters parameter-map type configuration mode.

Note Protocol-specific parameter maps can be created only for Instant Messenger applications (AOL, ICQ, MSN Messenger, Yahoo Messenger, and Windows Messenger).

Step 4 

server {name string [snoop] | ip {ip-address | range ip-address-start ip-address-end}}

Example:

Router(config-profile)# server name sdsc.msg.yahoo.com

Router(config-profile)# server ip 10.1.1.1

Configures the set of servers, by DNS name or by IP address or address range, with which a given instant messenger application interacts. The snoop keyword enables DNS snooping, so that the addresses returned for the name in DNS responses are learned dynamically.

Note If at least one server instance is not configured, the parameter map will not have any definitions to enforce; that is, the configured instant messenger policy cannot be enforced.

Note To configure more than one set of servers, you can issue the server command multiple times within an instant messenger's parameter map. Multiple entries are treated cumulatively.

Troubleshooting Tips

To display details of an IM protocol-specific parameter map, use the show parameter-map type protocol-info command.
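The protocol-specific parameter map task above as an added configuration example (not from the original page), including the DNS prerequisite and the Layer 3 and Layer 4 class map that binds the parameter map to the Yahoo Messenger protocol. The Layer 7 IM class map and policy map shown at the end use the syntax of the later task "Configuring an Instant Messenger (IM) Policy". Server names, addresses and all class and policy names are assumptions.

```cisco
! DNS must work on the router for the "server name" entries to resolve
ip domain name example.com
ip name-server 10.1.1.53

! Servers the Yahoo Messenger client talks to (assumed names/addresses);
! "snoop" learns further addresses from DNS replies for that name
parameter-map type protocol-info PM-YMSGR
 server name sdsc.msg.yahoo.com snoop
 server ip range 10.200.0.1 10.200.0.254

! Layer 3/4 class map that binds the IM protocol to its parameter map;
! without at least one server entry above, nothing would be enforced
class-map type inspect match-any C-IM
 match protocol ymsgr PM-YMSGR

! Layer 7 IM policy: allow text chat, reset every other service
class-map type inspect ymsgr match-any C-YMSGR-TEXT
 match service text-chat
policy-map type inspect im P-IM
 class type inspect ymsgr C-YMSGR-TEXT
  allow
  log
 class class-default
  reset

! Top-level policy: inspect is required before the nested IM policy
policy-map type inspect P-INSIDE-TO-OUTSIDE
 class type inspect C-IM
  inspect
  service-policy im P-IM
 class class-default
  drop log
```

Check the learned server set with show parameter-map type protocol-info PM-YMSGR; if the snooped name has not resolved yet, the list is empty and the IM policy does not match the client's traffic.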

Configuring OoO Packet Processing Support in Zone Based Firewall Application

Use this task to configure OoO packet processing support in zone-based firewall applications.


Note If a TCP based Layer 7 policy is configured for DPI, OoO is enabled by default. Use the parameter-map type ooo global command to configure the OoO packet support parameters or to turn off OoO processing.


SUMMARY STEPS

1. enable

2. configure terminal

3. parameter-map type ooo global

4. tcp reassembly alarm {on | off}

5. tcp reassembly memory limit memory-limit

6. tcp reassembly queue length queue-length

7. tcp reassembly timeout time-limit

8. exit

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

parameter-map type ooo global

Example:

Router(config)# parameter-map type ooo global

Enters parameter-map configuration mode.

Step 4 

tcp reassembly alarm {on | off}

Example:

Router(config-profile)# tcp reassembly alarm on

Turns on or off the alert message that is generated when the OoO reassembly limits are reached.

Step 5 

tcp reassembly memory limit memory-limit

Example:

Router(config-profile)# tcp reassembly memory limit 2048

Specifies the memory limit, in kilobytes, for the OoO reassembly buffer.

Step 6 

tcp reassembly queue length queue-length

Example:

Router(config-profile)# tcp reassembly queue length 45

Specifies the maximum number of out-of-order packets queued per session.

Step 7 

tcp reassembly timeout time-limit

Example:

Router(config-profile)# tcp reassembly timeout 34

Specifies, in seconds, how long queued out-of-order packets are held before the queue times out.

Step 8 

exit

Example:

Router(config-profile)# exit

Returns to global configuration mode.

Configuring Intrazone Support in Zone Based Firewall Application

Use this task to configure intrazone support when using a zone based firewall.

SUMMARY STEPS

1. enable

2. configure terminal

3. zone-pair security zone-pair-name source source-zone-name destination destination-zone-name

4. policy-map type inspect policy-map-name

5. class type inspect protocol-name class-map-name

6. exit

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

zone-pair security zone-pair-name source source-zone-name destination destination-zone-name

Example:

Router(config)# zone-pair security zonepair17 source zone8 destination zone8

Creates a zone-pair, specifies the source and destination zones for traffic passing through it, and enters zone-pair configuration mode.

Note To configure intrazone support, the source zone and the destination zone must be the same.

Step 4 

policy-map type inspect policy-map-name

Example:

Router(config)# policy-map type inspect my-pmap

Specifies the policy map name and enters into policy-map configuration mode.

Step 5 

class type inspect protocol-name class-map-name

Example:

Router(config-pmap)# class type inspect aol cmap1

Specifies the firewall class map protocol and name.

Step 6 

exit

Example:

Router(config-pmap)# exit

Returns to global configuration mode.
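The intrazone task above as an added configuration example (not from the original page): one zone spanning two user networks, a same-zone zone-pair, and the policy attached to it. Interfaces, addressing and all names are assumptions. This requires Cisco IOS Release 15.0(1)M or later; on earlier releases the intrazone traffic is simply permitted.

```cisco
! One policy for traffic between the two user networks: inspect a short
! list of protocols, drop and log everything else
class-map type inspect match-any C-INTRAZONE-ALLOWED
 match protocol http
 match protocol https
 match protocol ssh
 match protocol icmp
policy-map type inspect P-INTRAZONE
 class type inspect C-INTRAZONE-ALLOWED
  inspect
 class class-default
  drop log

! One zone that spans two routed user subinterfaces
zone security USERS
interface GigabitEthernet0/0.10
 description Users VLAN 10 (assumed)
 zone-member security USERS
interface GigabitEthernet0/0.20
 description Users VLAN 20 (assumed)
 zone-member security USERS

! Same zone as source and destination: without this zone-pair,
! VLAN 10 to VLAN 20 traffic passes the firewall uninspected
zone-pair security USERS-TO-USERS source USERS destination USERS
 service-policy type inspect P-INTRAZONE
```

Note the consequence of class-default drop log: as soon as the same-zone zone-pair exists, any USERS-to-USERS traffic that is not in the inspected list (for example SMB or RDP between the VLANs) is dropped, so the class map must list everything the hosts legitimately exchange.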

Configuring Layer 7 Firewall Policies

Configure Layer 7 policy maps if you are interested in extra provisioning for Layer 7 inspection modules. It is not necessary that you configure all of the Layer 7 policy maps.

Use one of the following tasks to configure a Layer 7, protocol-specific firewall policy:

Configuring an HTTP Firewall Policy

Configuring a URL Filter Policy

Configuring an IMAP Firewall Policy

Configuring an Instant Messenger (IM) Policy

Configuring a Peer-to-Peer (P2P) Policy

Configuring a POP3 Firewall Policy

Configuring an SMTP Firewall Policy

Configuring a SUNRPC Firewall Policy

Layer 7 Class Map and Policy Map Restrictions

Deep packet inspection (DPI) class maps for Layer 7 can only be used in inspect policy maps of the respective type. For example, class-map type inspect http can only be used in policy-map type inspect http.

DPI policies require an inspect action at the parent level.

A Layer 7 (DPI) policy map must be nested at the second level in a Layer 3 or Layer 4 inspect policy map, whereas a Layer 3 or Layer 4 inspect policy can be attached at the first level. Therefore, a Layer 7 policy map cannot be attached directly to a zone-pair.

If no action is specified in the hierarchical path of an inspect service-policy, the packet is dropped. Traffic matching class-default in the top-level policy is dropped if there are no explicit actions configured in class-default. If the traffic does not match any class in a Layer 7 policy, the traffic is not dropped; control returns to the parent policy and subsequent actions (if any) in the parent policy are executed on the packet.

Layer 7 policy maps include class maps only of the same type.

You can specify the reset action only for TCP traffic; it resets the TCP connection.
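The restrictions above, and the task "Configuring OoO Packet Processing Support in Zone Based Firewall Application" earlier on this page, as one added configuration example that is not part of the original page: a Layer 7 HTTP policy nested at the second level under an inspect action, with the OoO parameters that such a TCP Layer 7 policy enables by default tuned globally. The regular expression, thresholds and all names are assumptions; the HTTP match commands are those of the "Configuring an HTTP Class Map" task that follows.

```cisco
! Out-of-order handling is on by default once a TCP Layer 7 policy
! exists; the global parameter map tunes it (values are assumptions)
parameter-map type ooo global
 tcp reassembly alarm on
 tcp reassembly memory limit 2048
 tcp reassembly queue length 64
 tcp reassembly timeout 10

! Regular expression referenced by the HTTP class map: ../ in a URI
parameter-map type regex RE-TRAVERSAL
 pattern .*\.\./.*

! Layer 7 class map: usable only inside policy-map type inspect http
class-map type inspect http match-any C-HTTP-SUSPECT
 match req-resp protocol violation
 match request port-misuse any
 match request method connect
 match request uri length gt 2048
 match req-resp header count gt 32
 match request uri regex RE-TRAVERSAL

! Layer 7 policy map: reset is valid because HTTP is TCP; traffic that
! matches no class here returns to the parent policy and is inspected
policy-map type inspect http P-HTTP
 class type inspect http C-HTTP-SUSPECT
  reset
  log

! Layer 3/4 class map and top-level policy: the inspect action at the
! parent level is required before the nested http policy
class-map type inspect match-all C-HTTP
 match protocol http
policy-map type inspect P-INSIDE-TO-OUTSIDE
 class type inspect C-HTTP
  inspect
  service-policy http P-HTTP
 class class-default
  drop log

! Only the top-level policy can be attached to the zone-pair
! (assumed zone names)
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect P-INSIDE-TO-OUTSIDE
```

Attaching P-HTTP directly to the zone-pair is rejected, and nesting it under a class that lacks inspect is rejected as well; both restrictions follow from the hierarchy rule above. show policy-map type inspect zone-pair reports the nested policy's match and reset counters under the parent class.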

Configuring an HTTP Firewall Policy

Use these tasks to configure an HTTP firewall policy—a class map and a policy map, respectively.

If you want to configure match criteria on the basis of a regular expression (the regex match steps below), you must first define the expression in a regex parameter map with the parameter-map type regex command and then reference that parameter map by name.

You must specify at least one match criterion; otherwise, the firewall policy will not be effective.

Configuring an HTTP Class Map

Use this task to configure an HTTP firewall class map.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect http [match-any | match-all] class-map-name

4. match response body java-applet

5. match req-resp protocol violation

6. match req-resp body length {lt bytes | gt bytes}

7. match req-resp header content-type {violation | mismatch | unknown}

8. match {request | response | req-resp} header [header-name] count gt number

9. match {request | response | req-resp} header [header-name] length gt bytes

10. match request {uri | arg} length gt bytes

11. match request method {connect | copy | delete | edit | get | getattribute | getattributenames | getproperties | head | index | lock | mkdir | move | options | post | put | revadd | revlabel | revlog | revnum | save | setattribute | startrev | stoprev | trace | unedit | unlock}

12. match request port-misuse {im | p2p | tunneling | any}

13. match req-resp header transfer-encoding {chunked | compress | deflate | gzip | identity | all}

14. match {request | response | req-resp} header [header-name] regex parameter-map-name

15. match request {uri | arg} regex parameter-map-name

16. match {request | response | req-resp} body regex parameter-map-name

17. match response status-line regex parameter-map-name

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect http [match-any | match-all] class-map-name

Example:

Router(config)# class-map type inspect http http-class

Creates a class map for the HTTP protocol so that you can enter match criteria.

Enters class-map configuration mode.

Step 4 

match response body java-applet

Example:

Router(config-cmap)# match response body java-applet

(Optional) Identifies Java applets in an HTTP connection.

Step 5 

match req-resp protocol violation

Example:

Router(config-cmap)# match req-resp protocol violation

(Optional) Matches HTTP messages that violate the protocol (noncompliant traffic). The policy map then determines whether such messages are allowed through the firewall or the TCP connection is reset.

Step 6 

match req-resp body length {lt bytes | gt bytes}

Example:

Router(config-cmap)# match req-resp body length gt 35000

(Optional) Configures an HTTP class map to use the minimum or maximum message size, in bytes, as a match criterion for permitting or denying HTTP traffic through the firewall. The number of bytes can be from 0 to 65535.

Step 7 

match req-resp header content-type {violation | mismatch | unknown}

Example:

Router(config-cmap)# match req-resp header content-type mismatch

(Optional) Matches HTTP traffic on the basis of its Content-Type header: violation (the header does not match the actual body content), mismatch (the Content-Type of the response does not match the Accept field of the request), or unknown (a content type that the firewall does not recognize).

Step 8 

match {request | response | req-resp} header [header-name] count gt number

Example:

Router(config-cmap)# match req-resp header count gt 16

(Optional) Matches request, response, or both request and response messages whose number of header fields (or, if header-name is given, the number of occurrences of that field) exceeds the specified count.

Step 9 

match {request | response | req-resp} header [header-name] length gt bytes

Example:

Router(config-cmap)# match response header length gt 50000

(Optional) Matches request, response, or both request and response messages whose header is longer than the specified number of bytes.

header-name—Specific line in the header field. If a specific line is defined, only that specific field length will be used as match criteria.

gt bytes—Maximum number of bytes that can be in the header of the HTTP request. Number of bytes range: 0 to 65535.

Step 10 

match request {uri | arg} length gt bytes

Example:

Router(config-cmap)# match request uri length gt 500

(Optional) Configures an HTTP firewall policy to use the uniform resource identifier (URI) or argument length in the request message as a match criterion for permitting or denying HTTP traffic.

Step 11 

match request method {connect | copy | delete | edit | get | getattribute | getattributenames | getproperties | head | index | lock | mkdir | move | options | post | put | revadd | revlabel | revlog | revnum | save | setattribute | startrev | stoprev | trace | unedit | unlock}

Example:

Router(config-cmap)# match request method connect

(Optional) Configures an HTTP firewall policy to use the request methods or the extension methods as a match criterion for permitting or denying HTTP traffic.

Step 12 

match request port-misuse {im | p2p | tunneling | any}

Example:

Router(config-cmap)# match request port-misuse any

(Optional) Identifies applications misusing the HTTP port.

Step 13 

match req-resp header transfer-encoding {chunked | compress | deflate | gzip | identity | all}

Example:

Router(config-cmap)# match req-resp header transfer-encoding compress

(Optional) Permits or denies HTTP traffic according to the specified transfer encoding of the message.

chunked—Encoding format (specified in RFC 2616, Hypertext Transfer Protocol—HTTP/1.1) in which the body of the message is transferred in a series of chunks; each chunk contains its own size indicator.

compress—Encoding format produced by the UNIX compress utility.

deflate—ZLIB format defined in RFC 1950, ZLIB Compressed Data Format Specification Version 3.3, combined with the deflate compression mechanism described in RFC 1951, DEFLATE Compressed Data Format Specification Version 1.3.

gzip—Encoding format produced by the gzip (GNU zip) program.

identity—Default encoding, which indicates that no encoding has been performed.

all—All of the transfer encoding types.

Step 14 

match {request | response | req-resp} header [header-name] regex parameter-map-name

Example:

Router(config-cmap)# match req-resp header regex non_ascii_regex

(Optional) Configures HTTP firewall policy match criteria on the basis of headers that match the regular expression defined in a parameter map.

HTTP has two regular expression (regex) options. One combines the header keyword, the content-type header name, and the regex keyword with the parameter-map-name argument. The other combines the header keyword and the regex keyword with the parameter-map-name argument. In both cases the regex itself is the pattern defined inside the referenced parameter map.

If the header keyword is used with the regex keyword and the parameter-map-name argument, the pattern does not require a leading period and asterisk (.*). For example, either "html" or ".*html" can be configured as the pattern.

If the header keyword is used with the content-type header name and the regex keyword, the pattern requires a leading period and asterisk (.*). For example, the pattern "html" must be written as ".*html".

Note If the period and asterisk are added in front of html (.*html), the pattern works for both HTTP regex options.

The mismatch keyword is valid only in the match response header content-type regex command syntax; it matches messages whose content-type header does not agree with the actual body content.

Tip It is good practice to add ".*" to the front of any pattern that is not expected to appear at the beginning of the text being matched; without it, the pattern is only matched at the start of the string.

Step 15 

match request {uri | arg} regex parameter-map-name

Example:

Router(config-cmap)# match request uri regex uri_regex_cm

(Optional) Configure an HTTP firewall policy to permit or deny HTTP traffic on the basis of request messages whose URI or arguments (parameters) match a defined regular expression.

Step 16 

match {request | response | req-resp} body regex parameter-map-name

Example:

Router(config-cmap)# match response body regex body_regex

(Optional) Configures a list of regular expressions that are to be matched against the body of the request, response or both the request and response message.

Step 17 

match response status-line regex parameter-map-name

Example:

Router(config-cmap)# match response status-line regex status_line_regex

(Optional) Specifies a list of regular expressions that are to be matched against the status-line of a response message.

Configuring an HTTP Policy Map

Use this task to configure an HTTP firewall policy map.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect http policy-map-name

4. class type inspect http http-class-name

5. allow

6. log

7. reset

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect http policy-map-name

Example:

Router(config)# policy-map type inspect http myhttp-policy

Creates a Layer 7 HTTP policy map. Enters policy-map configuration mode.

Step 4 

class type inspect http http-class-name

Example:

Router(config-pmap)# class type inspect http http-class

Specifies the HTTP traffic class (the class map you created with the class-map type inspect http command) on which an action is to be performed. Enters policy-map class configuration mode.

Step 5 

allow

Example:

Router(config-pmap)# allow

(Optional) Allows traffic that matches the class.

Step 6 

log

Example:

Router(config-pmap)# log

(Optional) Generates a log message when traffic matches the class.

Step 7 

reset

Example:

Router(config-pmap)# reset

(Optional) Resets the TCP connection on which HTTP traffic matching the class is detected.
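The HTTP class map (Steps 10 through 17 of the previous task) and the HTTP policy map above are shown here together as one complete configuration, including the Layer 3 and Layer 4 policy map that nests the HTTP policy with the service-policy http command. This is an added example, not configuration from the Cisco guide: the map names, the regex patterns, and the Layer 3 and Layer 4 policy are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Names and patterns are assumed.
!
! Regex parameter maps referenced by the HTTP class map. The pattern is
! prefixed with .* because the URI or header need not begin with it.
parameter-map type regex uri_regex_cm
 pattern .*\.[Ee][Xx][Ee]
 pattern .*\.\./
parameter-map type regex non_ascii_regex
 pattern [^\x00-\x80]
!
! Layer 7 HTTP class map. match-any: any single criterion classifies the flow.
class-map type inspect http match-any http-class
 match request uri length gt 500
 match request method connect
 match request port-misuse tunneling
 match req-resp header transfer-encoding compress
 match req-resp header regex non_ascii_regex
 match request uri regex uri_regex_cm
!
! Layer 7 HTTP policy map: reset the connection and log the match.
policy-map type inspect http myhttp-policy
 class type inspect http http-class
  reset
  log
!
! Layer 3 and Layer 4 class map that selects HTTP flows, and the policy map
! that enables stateful inspection and nests the HTTP policy under that class.
class-map type inspect match-all http-traffic
 match protocol http
!
policy-map type inspect inside-to-outside
 class type inspect http-traffic
  inspect
  service-policy http myhttp-policy
 class class-default
  drop log
```

The Layer 3 and Layer 4 policy map (inside-to-outside) is what gets attached to a zone-pair; the HTTP policy map is never attached directly. Use the show policy-map type inspect http myhttp-policy command to confirm the nested policy and its actions.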

Configuring a URL Filter Policy

Use this task to configure a URL filter policy.

SUMMARY STEPS

1. enable

2. configure terminal

3. parameter-map type urlfpolicy {local | n2h2 | websense} parameter-map-name

4. exit

5. class-map type urlfilter {class-map-name | match-any class-map-name | n2h2 {class-map-name | match-any class-map-name} | websense {class-map-name | match-any class-map-name}}

6. exit

7. policy-map type inspect urlfilter policy-map-name

8. service-policy urlfilter policy-map-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

parameter-map type urlfpolicy {local | n2h2 | 
websense} parameter-map-name
Example:

Router(config)# parameter-map type urlfpolicy websense websense-param-map

Creates a URL filter policy parameter map of type local, Websense, or N2H2 and enters parameter-map configuration mode.

Step 4 

exit
Example:
Router(config-profile)# exit

Exits parameter-map configuration mode and returns to global configuration mode.

Step 5 

class-map type urlfilter {class-map-name | 
match-any class-map-name | n2h2 {class-map-name 
| match-any class-map-name} | websense 
{class-map-name | match-any class-map-name}}
Example:

Router(config)# class-map type urlfilter websense websense-param-map

Creates a URL filter class map. The class map type (local, N2H2, or Websense) must be the same type as the parameter map.

Step 6 

exit
Example:
Router(config-cmap)# exit

Exits class-map configuration mode.

Step 7 

policy-map type inspect urlfilter 
policy-map-name
Example:
Router(config)# policy-map type inspect 
urlfilter websense-policy

Creates a URL filter policy map and enters policy-map configuration mode.

Step 8 

service-policy urlfilter policy-map-name

Example:
Router(config-pmap-c)# service-policy urlfilter 
websense-policy

Applies the URL filter policy as the service policy under the inspect class of a Layer 3 and Layer 4 inspect policy map (policy-map class configuration mode).
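The URL filter task above is shown here as one complete local (router-resident) configuration. This is an added example, not configuration from the Cisco guide. It assumes the urlf-glob parameter maps, the match server-domain and match url-keyword criteria, the block-page message, and the parameter type urlfpolicy binding of the zone-based URL filtering feature set, none of which appear in the step list above; all names and patterns are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Names, patterns and the
! urlf-glob / block-page commands are assumptions for illustration.
!
! Domain and keyword lists used by the URL filter class maps.
parameter-map type urlf-glob trusted-domains
 pattern www.example.com
 pattern *.example.net
parameter-map type urlf-glob blocked-keywords
 pattern gambling
 pattern warez
!
! URL filter class maps: match-any, any listed pattern classifies the URL.
class-map type urlfilter match-any trusted-class
 match server-domain urlf-glob trusted-domains
class-map type urlfilter match-any keyword-class
 match url-keyword urlf-glob blocked-keywords
!
! Local URL filter policy parameter map: the page returned to the client.
parameter-map type urlfpolicy local local-param
 block-page message "Blocked by corporate URL filter policy"
!
! URL filter policy map: trusted domains are allowed and logged,
! keyword hits reset the connection and are logged.
policy-map type inspect urlfilter local-policy
 parameter type urlfpolicy local local-param
 class type urlfilter trusted-class
  allow
  log
 class type urlfilter keyword-class
  reset
  log
!
! The URL filter policy is applied under the inspect class of the
! Layer 3 and Layer 4 policy map, after the inspect action.
class-map type inspect match-all http-traffic
 match protocol http
policy-map type inspect inside-to-outside
 class type inspect http-traffic
  inspect
  service-policy urlfilter local-policy
 class class-default
  drop log
```

Order matters: the inspect action must precede service-policy urlfilter under the class, and the class map, parameter map and policy map must all be of the same URL filter type (local here; n2h2 or websense for server-based filtering).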

Configuring an IMAP Firewall Policy

Use these tasks to configure an IMAP firewall policy—a class map and a policy map, respectively.

Configuring an IMAP Class Map

Use this task to configure an IMAP class map.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect imap [match-any] class-map-name

4. log

5. match invalid-command

6. match login clear-text

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect imap [match-any] class-map-name

Example:

Router(config)# class-map type inspect imap imap-class

Creates a class map for the IMAP protocol so that you can enter match criteria. Enters class-map configuration mode.

Step 4 

log

Example:

Router(config-cmap)# log

Generates a log of messages.

Step 5 

match invalid-command

Example:

Router(config-cmap)# match invalid-command

(Optional) Matches invalid commands on an IMAP connection.

Step 6 

match login clear-text

Example:

Router(config-cmap)# match login clear-text

(Optional) Matches a clear-text (nonsecure) login to an IMAP server.

Configuring an IMAP Policy Map

Use this task to configure an IMAP firewall policy map.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect imap policy-map-name

4. class type inspect imap imap-class-name

5. log

6. reset

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect imap policy-map-name

Example:

Router(config)# policy-map type inspect imap myimap-policy

Creates a Layer 7 IMAP policy map. Enters policy-map configuration mode.

Step 4 

class type inspect imap imap-class-name

Example:

Router(config-pmap)# class type inspect imap pimap

Specifies the IMAP traffic class (the class map you created with the class-map type inspect imap command) on which an action is to be performed. Enters policy-map class configuration mode.

Step 5 

log

Example:

Router(config-pmap)# log

(Optional) Generates a log message when traffic matches the class.

Step 6 

reset

Example:

Router(config-pmap)# reset

(Optional) Resets the TCP connection on which IMAP traffic matching the class is detected.

Configuring an Instant Messenger (IM) Policy

Use this task to configure an IM policy—a class map and a policy map.

You can create an IM policy for the following IM applications: America Online (AOL), ICQ, MSN Messenger, Yahoo Messenger, and Windows Messenger.

Configuring an IM Class Map

Use this task to configure a class map for any supported IM application.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect {aol | msnmsgr | ymsgr | icq | winmsgr} [match-any] class-map-name

4. match service {any | text-chat}

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect {aol | msnmsgr | ymsgr | icq | winmsgr} [match-any] class-map-name

Example:

Router(config)# class-map type inspect aol myaolclassmap

Creates an IM class map so that you can begin adding match criteria. This command puts the router in class-map configuration mode.

Step 4 

match service {any | text-chat}

Example:

Router(config-cmap)# match service text-chat

(Optional) Creates a match criterion on the basis of text chat messages (text-chat) or for any available service within a given IM protocol (any).

Configuring an IM Policy Map

Use this task to configure a policy map for any supported IM application.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect protocol-name policy-map-name

4. class type inspect {aol | msnmsgr | ymsgr | icq | winmsgr} class-map-name

5. reset

6. log

7. allow

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect protocol-name policy-map-name

Example:

Router(config)# policy-map type inspect aol myaolpolicymap

Creates an IM policy map. This command puts the router in policy-map configuration mode.

Step 4 

class type inspect {aol | msnmsgr | ymsgr | icq | winmsgr} class-map-name

Example:

Router(config-pmap)# class type inspect aol myaolclassmap

Specifies a traffic class on which an action is to be performed.

class-map-name—This class map name should match the class map specified via the class-map type inspect command.

Step 5 

reset

Example:

Router(config-pmap)# reset

(Optional) Resets the connection.

Step 6 

log

Example:

Router(config-pmap)# log

(Optional) Generates a log message for the matched parameters.

Step 7 

allow

Example:

Router(config-pmap)# allow

(Optional) Allows the connection.

What to Do Next

If you have not done so already, you must configure an IM-specific parameter map as shown in the task "Configuring a Protocol-Specific Parameter Map."

Configuring a Peer-to-Peer (P2P) Policy

Use this task to configure a P2P firewall policy—a class map and a policy map, respectively.

You can create a P2P policy for the following P2P applications: eDonkey, FastTrack, Gnutella, and Kazaa Version 2.

Configuring a P2P Class Map

Use this task to configure a class map for any supported P2P application.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect {edonkey | fasttrack | gnutella | kazaa2} [match-any] class-map-name

4. match file-transfer [regular-expression]

5. match search-file-name [regular-expression]

6. match text-chat [regular-expression]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect {edonkey | fasttrack | gnutella | kazaa2} [match-any] class-map-name

Example:

Router(config)# class-map type inspect edonkey myclassmap

Creates a P2P class map so that you can begin adding match criteria. This command puts the router in class-map configuration mode.

Step 4 

match file-transfer [regular-expression]

Example:

Router(config-cmap)# match file-transfer *

(Optional) Matches file transfer connections within any supported P2P protocol.

Note To specify that all file transfer connections be identified by the traffic class, use "*" as the regular expression.

Step 5 

match search-file-name [regular-expression]

Example:

Router(config-cmap)# match search-file-name

(Optional) Matches filenames within a search request from clients using the eDonkey P2P application. The action (for example, reset) is applied in the policy map.

Note This command is available only for the eDonkey P2P application.

Step 6 

match text-chat [regular-expression]

Example:

Router(config-cmap)# match text-chat

(Optional) Matches text chat messages between clients using the eDonkey P2P application. The action (for example, reset) is applied in the policy map.

Note This command is available only for the eDonkey P2P application.

Configuring a P2P Policy Map

Use this task to configure a policy map for any supported P2P application.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect p2p policy-map-name

4. class type inspect {edonkey | fasttrack | gnutella | kazaa2} class-map-name

5. reset

6. log

7. allow

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect p2p policy-map-name

Example:

Router(config)# policy-map type inspect p2p mypolicymap

Creates a P2P policy map. This command puts the router in policy-map configuration mode.

Step 4 

class type inspect {edonkey | fasttrack | gnutella | kazaa2} class-map-name

Example:

Router(config-pmap)# class type inspect edonkey myclassmap

Specifies a traffic class on which an action is to be performed.

Enters policy-map class configuration mode.

class-map-name—This class map name should match the class map specified via the class-map type inspect command.

Step 5 

reset

Example:

Router(config-pmap)# reset

(Optional) Resets the connection.

Step 6 

log

Example:

Router(config-pmap)# log

(Optional) Generates a log message for the matched parameters.

Step 7 

allow

Example:

Router(config-pmap)# allow

(Optional) Allows the connection.
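The P2P class map and policy map tasks above are shown here as one complete configuration, including the Layer 3 and Layer 4 policy map that nests the P2P policy with the service-policy p2p command; the IM policy from the preceding task is nested in the same way, with its protocol-specific parameter map. This is an added example, not configuration from the Cisco guide: the map names, the regex, and the signature keyword on the Layer 4 match (so that P2P traffic on non-standard ports is still classified) are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Names and the regex are assumed.
!
! Layer 3 and Layer 4 class map. The signature keyword enables signature-based
! classification so that P2P flows not on the default ports are still matched.
class-map type inspect match-any p2p-traffic
 match protocol edonkey signature
 match protocol kazaa2 signature
 match protocol gnutella signature
!
! Layer 7 eDonkey class map: all file transfers ("*"), search requests for
! executables, and text chat. search-file-name and text-chat are eDonkey only.
class-map type inspect edonkey match-any edonkey-abuse
 match file-transfer *
 match search-file-name .*\.[Ee][Xx][Ee]
 match text-chat
!
! Layer 7 P2P policy map: reset the offending eDonkey session and log it.
policy-map type inspect p2p p2p-policy
 class type inspect edonkey edonkey-abuse
  reset
  log
!
! Layer 3 and Layer 4 policy map: inspect P2P flows and nest the P2P policy.
policy-map type inspect inside-to-outside
 class type inspect p2p-traffic
  inspect
  service-policy p2p p2p-policy
 class class-default
  drop log
```

Because the Layer 7 class map is specific to eDonkey, FastTrack, Gnutella and Kazaa flows matched by p2p-traffic are inspected but not subject to the reset action; add a class type inspect for each protocol under p2p-policy if the same treatment is wanted for all of them.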

Configuring a POP3 Firewall Policy

Use these tasks to configure a POP3 firewall policy—a class map and a policy map, respectively.

Configuring a POP3 Class Map

Use this task to configure a POP3 firewall class map.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect pop3 [match-any] class-map-name

4. match invalid-command

5. match login clear-text

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect pop3 [match-any] class-map-name

Example:

Router(config)# class-map type inspect pop3 pop3-class

Creates a class map for the POP3 protocol so that you can enter match criteria. Enters class-map configuration mode.

Step 4 

match invalid-command

Example:

Router(config-cmap)# match invalid-command

(Optional) Matches invalid commands on a POP3 connection.

Step 5 

match login clear-text

Example:

Router(config-cmap)# match login clear-text

(Optional) Matches a clear-text (nonsecure) login to a POP3 server.

Configuring a POP3 Firewall Policy Map

Use this task to configure a POP3 firewall policy map.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect pop3 policy-map-name

4. class type inspect pop3 pop3-class-name

5. log

6. reset

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect pop3 policy-map-name

Example:

Router(config)# policy-map type inspect pop3 mypop3-policy

Creates a Layer 7 POP3 policy map. Enters policy-map configuration mode.

Step 4 

class type inspect pop3 pop3-class-name

Example:

Router(config-pmap)# class type inspect pop3 pcl

Specifies the POP3 traffic class (the class map you created with the class-map type inspect pop3 command) on which an action is to be performed. Enters policy-map class configuration mode.

Step 5 

log

Example:

Router(config-pmap)# log

(Optional) Generates a log message when traffic matches the class.

Step 6 

reset

Example:

Router(config-pmap)# reset

(Optional) Resets the TCP connection on which POP3 traffic matching the class is detected.

Configuring an SMTP Firewall Policy

Use these tasks to configure an SMTP firewall policy—a class map and a policy map, respectively.

Configuring an SMTP Firewall Class Map

Use this task to configure an SMTP firewall class map.


Note To enable inspection for extended SMTP (ESMTP) in a class map, use the match protocol smtp extended command. See "Restrictions for Zone-Based Policy Firewall" section for more information on using this command in Cisco IOS Release 12.4(15)T.


SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect smtp [match-all | match-any] class-map-name

4. match data-length gt max-data-value

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect smtp [match-all | match-any] class-map-name

Example:

Router(config)# class-map type inspect smtp smtp-class

Creates a class map for the SMTP protocol so that you can enter match criteria. Enters class-map configuration mode.

Step 4 

match data-length gt max-data-value

Example:

Router(config-cmap)# match data-length gt 200000

Determines if the amount of data transferred in a Simple Mail Transfer Protocol (SMTP) connection is above the configured limit.

Configuring an SMTP Firewall Policy Map

Use this task to configure an SMTP firewall policy map.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect smtp policy-map-name

4. class type inspect smtp smtp-class-name

5. reset

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect smtp policy-map-name

Example:

Router(config)# policy-map type inspect smtp mysmtp-policy

Creates a Layer 7 SMTP policy map. Enters policy-map configuration mode.

Step 4 

class type inspect smtp smtp-class-name

Example:

Router(config-pmap)# class type inspect smtp sc

Specifies the SMTP traffic class (the class map you created with the class-map type inspect smtp command) on which an action is to be performed. Enters policy-map class configuration mode.

Step 5 

reset

Example:

Router(config-pmap)# reset

(Optional) Resets the TCP connection if the data length of the SMTP body exceeds the value that you configured in the class-map type inspect smtp command.
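The IMAP, POP3 and SMTP tasks above follow one pattern: a Layer 7 class map per protocol, a Layer 7 policy map that applies reset and log, and a Layer 3 and Layer 4 policy map that nests each Layer 7 policy under the inspect class for that protocol. The complete configuration for all three is shown here as an added example, not configuration from the Cisco guide; the map names, the 200000-byte SMTP limit, and the one-class-per-protocol Layer 4 layout are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Names and the size limit are assumed.
!
! Layer 7 IMAP and POP3 class maps: clear-text logins and invalid commands.
class-map type inspect imap match-any imap-class
 match login clear-text
 match invalid-command
class-map type inspect pop3 match-any pop3-class
 match login clear-text
 match invalid-command
!
! Layer 7 SMTP class map: messages whose body exceeds 200000 bytes.
class-map type inspect smtp match-any smtp-class
 match data-length gt 200000
!
! Layer 7 policy maps: reset the TCP connection and log the event.
policy-map type inspect imap myimap-policy
 class type inspect imap imap-class
  reset
  log
policy-map type inspect pop3 mypop3-policy
 class type inspect pop3 pop3-class
  reset
  log
policy-map type inspect smtp mysmtp-policy
 class type inspect smtp smtp-class
  reset
!
! Layer 3 and Layer 4 class maps, one per mail protocol, so that each
! Layer 7 policy can be nested under the inspect class for its protocol.
! The extended keyword enables ESMTP inspection.
class-map type inspect match-all imap-traffic
 match protocol imap
class-map type inspect match-all pop3-traffic
 match protocol pop3
class-map type inspect match-all smtp-traffic
 match protocol smtp extended
!
policy-map type inspect inside-to-outside
 class type inspect imap-traffic
  inspect
  service-policy imap myimap-policy
 class type inspect pop3-traffic
  inspect
  service-policy pop3 mypop3-policy
 class type inspect smtp-traffic
  inspect
  service-policy smtp mysmtp-policy
 class class-default
  drop log
```

Keep each mail protocol in its own Layer 4 class: a Layer 7 policy can only be nested under a class whose match protocol criterion is that protocol, so a single class matching imap, pop3 and smtp together cannot carry all three Layer 7 policies.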

Configuring a SUNRPC Firewall Policy

Use these tasks to configure a SUNRPC firewall policy—a class map and a policy map, respectively.


Note If you are inspecting an RPC protocol (that is, you specified the match protocol sunrpc command in the Layer 4 class map) the Layer 7 SUNRPC policy map is required.


Configuring a SUNRPC Firewall Class Map

Use this task to configure a SUNRPC firewall class map.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect sunrpc [match-any] class-map-name

4. match program-number program-number

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type inspect sunrpc [match-any] class-map-name

Example:

Router(config)# class-map type inspect sunrpc long-urls

Creates a class map for the SUNRPC protocol so that you can enter match criteria. Enters class-map configuration mode.

Step 4 

match program-number program-number

Example:

Router(config-cmap)# match program-number 2345

(Optional) Specifies the allowed Remote Procedure Call (RPC) protocol program number as a match criteria.

Configuring a SUNRPC Firewall Policy Map

Use this task to configure an SUNRPC firewall policy map.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type inspect sunrpc policy-map-name

4. class type inspect sunrpc sunrpc-class-name

5. allow [wait-time minutes]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type inspect sunrpc policy-map-name

Example:

Router(config)# policy-map type inspect sunrpc my-rpc-policy

Creates a Layer 7 SUNRPC policy map. Enters policy-map configuration mode.

Step 4 

class type inspect sunrpc sunrpc-class-name

Example:

Router(config-pmap)# class type inspect sunrpc cs1

Specifies the SUNRPC traffic class (the class map you created with the class-map type inspect sunrpc command) on which an action is to be performed. Enters policy-map class configuration mode.

Step 5 

allow [wait-time minutes]

Example:

Router(config-pmap)# allow wait-time 10

(Optional) Allows the configured program number. Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. The default wait time is zero minutes. This keyword is available only for the RPC protocol.

Creating Security Zones, Zone-Pairs, and Attaching a Policy Map to a Zone-Pair

You need two security zones to create a zone-pair. However, you can create only one security zone and use a system-defined security zone called "self." Note that if you select a self zone, you cannot configure inspect policing.

Use this process to complete the following tasks:

Create at least one security zone

Define zone-pairs

Assign interfaces to security zones

Attach a policy map to a zone-pair.


Tip Before you create zones, think about what should constitute the zones. The general guideline is that you should group together interfaces that are similar when they are viewed from a security perspective.


Security Zone Restrictions

An interface cannot be part of a zone and legacy inspect policy at the same time.

An interface can be a member of only one security zone.

When an interface is a member of a security zone, all traffic to and from that interface is blocked unless you configure an explicit interzone policy on a zone-pair involving that zone.

Traffic cannot flow between an interface that is a member of a security zone and an interface that is not a member of a security zone because a policy can be applied only between two zones.

For traffic to flow among all the interfaces in a router, all the interfaces must be members of one security zone or another. This is particularly important because after you make an interface a member of a security zone, a policy action (such as inspect or pass) must explicitly allow packets. Otherwise, packets are dropped.

If an interface on a router cannot be part of a security zone or firewall policy, you may have to put that interface in a security zone and configure a "pass all" policy (that is, a "dummy" policy) between that zone and other zones to which a traffic flow is desired.

You cannot apply an access control list (ACL) between security zones or on a zone-pair. To filter on addresses or ports, reference the ACL from a class map (match access-group) and use the policy map to drop the matching traffic.

An ACL on an interface that is a zone member should not be restrictive (strict).

All interfaces in a security zone must belong to the same virtual routing and forwarding (VRF).

You can configure policies between security zones whose member interfaces are in separate VRFs. However, traffic may not flow between these VRFs if the configuration does not allow it.

If traffic does not flow between VRFs (because route-leaking between VRFs is not configured), the policy across the VRFs is not executed. This is a misconfiguration on the routing side, not on the policy side.

Traffic between interfaces in the same security zone is not subjected to any policy; the traffic passes freely.

The source and the destination zones in a zone pair must be the type security.

The same zone cannot be defined as both the source and the destination.

SUMMARY STEPS

1. enable

2. configure terminal

3. zone security zone-name

4. description line-of-description

5. exit

6. zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

7. description line-of-description

8. exit

9. interface type number

10. zone-member security zone-name

11. exit

12. zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

13. service-policy type inspect policy-map-name

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

zone security zone-name

Example:

Router(config)# zone security zone1

Creates a security zone to which interfaces can be assigned.

Enters security zone configuration mode.

Step 4 

description line-of-description

Example:

Router(config-sec-zone)# description Internet Traffic

(Optional) Describes the zone.

Step 5 

exit

Example:

Router(config-sec-zone)# exit

Returns to global configuration mode.

Step 6 

zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

Example:

Router(config)# zone-pair security zp source z1 destination z2

Creates a zone-pair.

Note To apply a policy, you must configure a zone-pair.

Enters security zone-pair configuration mode.

Step 7 

description line-of-description

Example:

Router(config-sec-zone-pair)# description accounting network

(Optional) Describes the zone-pair.

Step 8 

exit

Example:

Router(config-sec-zone-pair)# exit

Returns to global configuration mode.

Step 9 

interface type number

Example:

Router(config)# interface ethernet 0

Specifies an interface for configuration.

Enters interface configuration mode.

Step 10 

zone-member security zone-name

Example:

Router(config-if)# zone-member security zone1

Assigns an interface to a specified security zone.

Note When you make an interface a member of a security zone, all traffic into and out of that interface (except traffic bound for the router or initiated by the router) is dropped by default. To let traffic through the interface, you must make the zone part of a zone-pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

Step 11 

exit

Example:

Router(config-if)# exit

Returns to global configuration mode.

Step 12 

zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

Example:

Router(config)# zone-pair security zp source z1 destination z2

Creates a zone-pair.

Enters security zone-pair configuration mode.

Step 13 

service-policy type inspect policy-map-name

Example:

Router(config-sec-zone-pair)# service-policy type inspect p2

Attaches a Layer 3 and Layer 4 firewall policy map to the zone-pair. The policy governs traffic initiated from the source zone toward the destination zone; return traffic for inspected sessions is allowed automatically.

Note If a policy is not configured between a pair of zones, traffic is dropped by default.
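The zone, zone-pair, interface and service-policy steps above are shown here as one complete configuration, with the Layer 3 and Layer 4 policy carrying the SUNRPC Layer 7 policy from the preceding task (required because match protocol sunrpc is used) and a second zone-pair toward the self zone for router-bound management traffic. This is an added example, not configuration from the Cisco guide; the zone names, interface names, RPC program number and protocol lists are assumptions chosen for illustration.

```cisco
! Added example, not from the Cisco guide. Zone, interface and map names,
! the RPC program number and the protocol lists are assumed.
!
! Security zones. Interfaces in the same zone pass traffic to each other freely.
zone security inside
 description Trusted LAN
zone security outside
 description Internet uplink
!
! Layer 3 and Layer 4 class maps for LAN-to-Internet traffic.
class-map type inspect match-any web-dns-traffic
 match protocol http
 match protocol dns
 match protocol icmp
class-map type inspect match-all rpc-traffic
 match protocol sunrpc
!
! SUNRPC Layer 7 policy: allow program 100003 (NFS) and keep a pinhole
! open for 10 minutes for follow-on connections from the same client.
class-map type inspect sunrpc match-any allowed-rpc
 match program-number 100003
policy-map type inspect sunrpc rpc-policy
 class type inspect sunrpc allowed-rpc
  allow wait-time 10
!
! Layer 3 and Layer 4 policy map attached to the inside-to-outside zone-pair.
! class-default drops (and logs) everything not explicitly inspected.
policy-map type inspect inside-to-outside
 class type inspect web-dns-traffic
  inspect
 class type inspect rpc-traffic
  inspect
  service-policy sunrpc rpc-policy
 class class-default
  drop log
!
! Traffic to the router itself is allowed by default. This optional policy
! on an inside-to-self zone-pair restricts it to SSH and ICMP from the LAN.
class-map type inspect match-any mgmt-to-self
 match protocol ssh
 match protocol icmp
policy-map type inspect self-policy
 class type inspect mgmt-to-self
  inspect
 class class-default
  drop log
!
! Zone-pairs. Each is unidirectional: source zone initiates, destination replies.
zone-pair security in-out source inside destination outside
 description LAN to Internet
 service-policy type inspect inside-to-outside
zone-pair security in-self source inside destination self
 description LAN to router management plane
 service-policy type inspect self-policy
!
! Interface membership. Assigning an interface to a zone drops all traffic
! through it until a zone-pair policy permits it, so apply policies first.
interface GigabitEthernet0/0
 description Trusted LAN
 zone-member security inside
interface GigabitEthernet0/1
 description Internet uplink
 zone-member security outside
```

Verify with show zone-pair security (zone-pairs and attached policies) and show policy-map type inspect zone-pair in-out sessions (active inspected sessions and per-class counters). Note that with no outside-to-inside zone-pair, nothing initiated from the Internet reaches the LAN, and with no outside-to-self zone-pair the router's own management ports remain reachable from the Internet unless an additional policy is configured.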

Configuring the Cisco IOS Firewall with WAAS and WCCP

Use the task in this section to enable IOS firewall inspection so that WAAS optimization can be discovered.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip wccp service-id

4. ip inspect waas enable

5. class-map type inspect class-name

6. match protocol protocol-name [signature]

7. exit

8. policy-map type inspect policy-map-name

9. class class-default

10. class type inspect class-name

11. inspect

12. exit

13. exit

14. zone security zone-name

15. description line-of-description

16. exit

17. zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

18. description line-of-description

19. exit

20. interface type number

21. description line-of-description

22. zone-member security zone-name

23. ip address ip-address mask

24. ip wccp {service-id {group-listen | redirect {in | out}} | redirect exclude in | web-cache {group-listen | redirect {in | out}}

25. exit

26. zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

27. service-policy type inspect policy-map-name

DETAILED STEPS
 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip wccp service-id

Example:

Router(config)# ip wccp 61

Enables the WCCP service identified by the dynamically defined service identifier number (61 and 62 are the service IDs conventionally used for WAAS redirection).

Step 4 

ip inspect waas enable

Example:

Router(config)# ip inspect WAAS enable

Enables the Cisco IOS firewall inspection so that WAAS optimization can be discovered.

Note If an ISR router with IOS Firewall is deployed as an intermediary router inside the WAAS optimization path, the ip inspect waas enable command needs to be used to enable WAAS awareness and interoperability. If the router were not configured for optimization awareness, optimized traffic would violate TCP activity expectations, and the firewall would drop the traffic.

Step 5 

class-map type inspect class-name

Example:

Router(config)# class-map type inspect most-traffic

Creates an inspect type class map for the traffic class and enters class-map configuration mode.

Note The class-map type inspect most-traffic command is hidden.

Step 6 

match protocol protocol-name [signature]

Example:

Router(config-cmap)# match protocol http

Configures the match criteria for the class map on the basis of a specified protocol. The router remains in class-map configuration mode.

Only Cisco IOS stateful packet inspection supported protocols can be used as match criteria in inspect type class maps.

signature—Signature-based classification for peer-to-peer (P2P) packets is enabled.

Step 7 

exit

Example:

Router(config-cmap)# exit

Returns to global configuration mode.

Step 8 

policy-map type inspect policy-map-name

Example:

Router(config)# policy-map type inspect p1

Creates a Layer 3 and Layer 4 inspect type policy map and enters policy-map configuration mode.

Step 9 

class class-default
Example:

Router(config-pmap)# class class-default

Specifies the system default class, which matches all traffic that does not match any explicitly configured class in the policy map.

Step 10 

class type inspect class-name

Example:

Router(config-pmap)# class type inspect most-traffic

Specifies the firewall traffic (class) map on which an action is to be performed.

Step 11 

inspect
Example:

Router(config-pmap-c)# inspect

Enables Cisco IOS stateful packet inspection.

Step 12 

exit

Example:

Router(config-pmap-c)# exit

Returns to policy map configuration mode.

Step 13 

exit

Example:

Router(config-pmap)# exit

Returns to global configuration mode.

Step 14 

zone security zone-name

Example:

Router(config)# zone security zone1

Creates a security zone to which interfaces can be assigned and enters security zone configuration mode.

Step 15 

description line-of-description

Example:

Router(config-sec-zone)# description Internet Traffic

(Optional) Describes the zone.

Step 16 

exit

Example:

Router(config-sec-zone)# exit

Returns to global configuration mode.

Step 17 

zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

Example:

Router(config)# zone-pair security zp source z1 destination z2

Creates a zone-pair and enters security zone-pair configuration mode.

Note To apply a policy, you must configure a zone-pair

Step 18 

description line-of-description

Example:

Router(config-sec-zone-pair)# description accounting network

(Optional) Describes the zone-pair.

Step 19 

exit

Example:

Router(config-sec-zone-pair)# exit

Returns to global configuration mode.

Step 20 

interface type number

Example:

Router(config)# interface ethernet 0

Specifies an interface and enters interface configuration mode.

Step 21 

description line-of-description

Example:

Router(config-if)# description Trusted interface

(Optional) Describes the interface.

Step 22 

zone-member security zone-name

Example:

Router(config-if)# zone-member security zone1

Assigns an interface to a specified security zone.

Note When you make an interface a member of a security zone, all traffic into and out of that interface (except traffic bound for the router or initiated by the router) is dropped by default. To let traffic through the interface, you must make the zone part of a zone-pair to which you apply a policy. If the policy permits traffic, traffic can flow through that interface.

Step 23 

ip address ip-address mask

Example:

Router(config-if)# ip address 10.70.0.1 255.255.255.0

Assigns an IP address and subnet mask to the interface. The router remains in interface configuration mode.

Step 24 

ip wccp {service-id {group-listen | redirect {in | out}} | redirect exclude in | web-cache {group-listen | redirect {in | out}}}

Example:

Router(config-if)# ip wccp 61 redirect in

Specifies the following WCCP parameters on the interface:

The service-id argument defines a service identifier number from 1 to 254.

The redirect exclude in keywords are used to exclude inbound packets from outbound redirection.

The web-cache keyword is used to define the standard web caching service.

The group-listen keyword is used for discovering multicasted WCCP protocol packets.

The in keyword is used to redirect to a cache engine the appropriate inbound packets.

The out keyword is used to redirect to a cache engine the appropriate outbound packets.

Step 25 

exit

Example:

Router(config-if)# exit

Returns to global configuration mode.

Step 26 

zone-pair security zone-pair-name {source source-zone-name | self} destination {self | destination-zone-name}

Example:

Router(config)# zone-pair security zp source z1 destination z2

Creates a zone-pair and enters security zone-pair configuration mode.

Step 27 

service-policy type inspect policy-map-name

Example:

Router(config-sec-zone-pair)# service-policy type inspect p2

Attaches a firewall policy map to the zone-pair. The policy governs only sessions initiated in the source zone toward the destination zone.

Note If a policy is not configured between a pair of zones, traffic is dropped by default.
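The following configuration, added here as a worked example and not part of the original procedure, assembles Steps 5 through 27 into one complete firewall configuration that can be pasted into global configuration mode. The zone names (INSIDE, OUTSIDE), the class map and policy map names, the interface names and the IP addresses are assumed for illustration; the optional WCCP step is omitted.

```cisco
! Added example: complete Layer 3/Layer 4 zone-based firewall from Steps 5-27.
! All names and addresses below are assumed, not taken from the original page.
!
! Steps 5-7: classify the traffic that is allowed to be inspected.
! match-any is required here; the default (match-all) could never match
! a packet that is HTTP, HTTPS, DNS and ICMP at the same time.
class-map type inspect match-any inside-traffic
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Steps 8-13: inspect matched traffic. Everything else lands in
! class-default, which is dropped; log makes the drops visible.
policy-map type inspect inside-to-outside
 class type inspect inside-traffic
  inspect
 class class-default
  drop log
!
! Steps 14-16: security zones.
zone security INSIDE
 description Trusted LAN
zone security OUTSIDE
 description Internet Traffic
!
! Steps 17-19 and 26-27: one unidirectional zone-pair with the policy attached.
! Return traffic of inspected sessions is allowed automatically; sessions
! initiated from OUTSIDE are dropped because no OUTSIDE-to-INSIDE pair exists.
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 description LAN clients to the Internet
 service-policy type inspect inside-to-outside
!
! Steps 20-23: interface membership. From the moment an interface joins a
! zone, only traffic covered by a zone-pair policy can pass through it.
interface GigabitEthernet0/0
 description Trusted interface
 ip address 10.70.0.1 255.255.255.0
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description Untrusted interface
 ip address 192.0.2.1 255.255.255.0
 zone-member security OUTSIDE
```

After loading, confirm the pair and its policy with show zone-pair security, and watch sessions and drop counters with show policy-map type inspect zone-pair INSIDE-OUTSIDE sessions; a non-zero class-default drop count while clients report failures usually means a protocol is missing from the class map.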

Configuration Examples for Zone-Based Policy Firewall

Configuring Layer 3 and Layer 4 Firewall Policies: Example

Configuring Layer 7 Firewall Policies: Example

Configuring a Security Zone: Example

Configuring a Zone-Pair: Example

Assigning an Interface to a Security Zone: Example

Attaching a Policy Map to a Zone-Pair: Example

Configuring a URL Filter Policy: Websense Example

IOS Firewall Configuration with WAAS and WCCP: Example

Configuring Layer 3 and Layer 4 Firewall Policies: Example

The following example shows a Layer 3 / Layer 4 top-level policy. Because the class map is match-all, traffic matches only if it is both HTTP and permitted by access control list 199 (the ACL itself is not shown). Matching traffic is inspected and is also passed to the Layer 7 HTTP policy http-policy for deep-packet HTTP inspection.

class-map type inspect match-all http-traffic 
 match protocol http
 match access-group 199
policy-map type inspect mypolicy
 class type inspect http-traffic
  inspect
  service-policy http http-policy 

Configuring Layer 7 Firewall Policies: Example

The following example matches HTTP sessions that have a URL length greater than 500. The Layer 7 policy action is reset.

class-map type inspect http long-urls
 match request uri length gt 500
policy-map type inspect http http-policy
 class type inspect http long-urls
  reset

The following example enables inspection for ESMTP by including the extended keyword:

class-map type inspect c1
 match protocol smtp extended

policy-map type inspect p1
 class type inspect c1
  inspect

With the extended keyword, attaching a Layer 7 SMTP policy (the service-policy type inspect smtp command) is optional; if it is used, it is entered after the inspect command.

Configuring a Security Zone: Example

The following example creates security zone z1 which is called Internet Traffic.

zone security z1 
 description Internet Traffic 

Configuring a Zone-Pair: Example

A zone-based firewall drops a packet unless a rule or policy explicitly allows it. A legacy firewall does the opposite by default: it permits a packet unless a rule or policy explicitly denies it.

A zone-based firewall also treats the intermittent ICMP responses that the router itself generates differently. Such responses (for example, ICMP error messages) originate in the self zone as a result of traffic flowing between an in-zone and an out-zone, and they are not part of any session.

If an explicit policy is configured for traffic leaving the self zone toward the out-zone, and for the traffic between the in-zone and the out-zone, the firewall looks for an explicit permit (pass) rule for the ICMP protocol on the self-to-out zone-pair before it forwards these responses. An inspect rule for ICMP on that zone-pair does not help, because there is no session to associate the intermittent ICMP responses with.
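The following configuration is an added example, not from the original page, of the permit rule just described: ICMP leaving the self zone toward the out-zone is passed rather than inspected, so router-generated ICMP responses are forwarded even though they belong to no session. The zone name OUTSIDE and the class map and policy map names are assumed; OUTSIDE must already exist. Be aware that as soon as a zone-pair with self as its source exists, everything the router originates toward OUTSIDE is subject to this policy, so class-default drops whatever is not explicitly allowed.

```cisco
! Added example: pass router-generated ICMP from the self zone to OUTSIDE.
! Names are assumed; the zone OUTSIDE must already be configured.
class-map type inspect match-any self-icmp
 match protocol icmp
!
! pass, not inspect: pass forwards the packets without creating a session,
! which is what the sessionless ICMP responses from the router need.
policy-map type inspect self-to-outside
 class type inspect self-icmp
  pass
 class class-default
  drop log
!
! The self zone needs no "zone security" statement; it always exists.
zone-pair security SELF-OUTSIDE source self destination OUTSIDE
 service-policy type inspect self-to-outside
```

Because pass is unidirectional, replies to traffic the router initiates toward OUTSIDE (for example, a ping from the router) need a corresponding OUTSIDE-to-self zone-pair with its own pass or inspect rule; the logged class-default drops on SELF-OUTSIDE show which router-originated protocols still need a class of their own.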

The following example creates zones z1 and z2, describes them, and creates zone-pair zp for traffic initiated in z1 toward z2. A policy map attached to this zone-pair governs that direction only: return traffic of inspected sessions is allowed automatically, but connections initiated from z2 toward z1 need a separate zone-pair and policy.

zone security z1
 description finance department networks

zone security z2
 description engineering services network

zone-pair security zp source z1 destination z2

Assigning an Interface to a Security Zone: Example

The following example attaches interface ethernet0 to zone z1:

interface ethernet0
 zone-member security z1

Attaching a Policy Map to a Zone-Pair: Example

The following example attaches firewall policy map p1 to zone-pair zp:

zone-pair security zp source z1 destination z2 
 service-policy type inspect p1 

Configuring a URL Filter Policy: Websense Example

The following examples configure a URL filter policy for Websense.

Websense Server Configuration

The following example configures the Websense server.

parameter-map type urlfpolicy websense websense-param-map
 server fw21-ss1-bldr.example.com timeout 30
 source-interface Loopback0
 truncate script-parameters
 cache-size maximum-entries 100
 cache-entry-lifetime 1
 block-page redirect-url http://telluride.example.com

Configuring the Websense Class Map

The following example configures the Websense class map.

class-map type urlfilter websense match-any websense-class
 match server-response any

Configuring the Websense URL Filter Policy

The following example configures the Websense URL filter policy.

policy-map type inspect urlfilter websense-policy
 parameter type urlfpolicy websense websense-param-map
 class type urlfilter websense websense-class
  server-specified-action
  log

Applying the URL filter to Firewall Policy

The following example applies the URL filter to the firewall policy.

policy-map type inspect websense-global-policy
 class type inspect http-class
  inspect global
  service-policy urlfilter websense-policy

IOS Firewall Configuration with WAAS and WCCP: Example

The following example provides an end-to-end WAAS traffic flow optimization configuration for the Cisco IOS firewall that uses WCCP to redirect traffic to a WAE device for traffic interception.

The following configuration prevents traffic between security zone members from being dropped: the Integrated-Service-Engine interface is placed in a zone of its own, and each security zone has its own member interface. This change to the Cisco IOS firewall configuration was made in Cisco IOS Release 12.4(20)T and 12.4(22)T to handle the different input interfaces.

ip wccp 61
ip wccp 62
ip inspect waas enable
! match-any is required: a match-all class map could never match a packet
! that is ICMP, FTP, TCP and UDP at the same time
class-map type inspect match-any most-traffic
 match protocol icmp
 match protocol ftp
 match protocol tcp
 match protocol udp
policy-map type inspect p1
 class type inspect most-traffic
  inspect
 class class-default
zone security zone-hr
zone security zone-eng
zone security zone-outside
zone security z-waas
zone-pair security hr-out source zone-hr destination zone-outside
 service-policy type inspect p1
zone-pair security out-hr source zone-outside destination zone-hr
 service-policy type inspect p1
zone-pair security eng-out source zone-eng destination zone-outside
 service-policy type inspect p1

interface GigabitEthernet0/0
 description Trusted interface
 ip address 10.70.0.1 255.255.255.0
 ip wccp 61 redirect in
 zone-member security zone-hr

! The second trusted interface must be distinct from the first;
! GigabitEthernet0/2 is assumed here
interface GigabitEthernet0/2
 description Trusted interface
 ip address 10.71.0.2 255.255.255.0
 ip wccp 61 redirect in
 zone-member security zone-eng

interface GigabitEthernet0/1
 description Untrusted interface
 ip address 10.72.2.3 255.255.255.0
 ip wccp 62 redirect in
 zone-member security zone-outside


Note In Cisco IOS Release 12.4(20)T and 12.4(22)T, the Integrated-Service-Engine interface is placed in its own zone (z-waas), which need not be part of any zone-pair. The zone-pairs are configured between zone-hr and zone-outside and between zone-eng and zone-outside.


interface Integrated-Service-Engine1/0
 ip address 10.70.100.1 255.255.255.252
 ip wccp redirect exclude in
 zone-member security z-waas

Protocol Match Data Not Incrementing for a Class Map: Example

The following configuration causes the per-protocol match counters in the show policy-map type inspect zone-pair command output to stay at zero: class map x matches only the nested class map y, so the individual protocol matches inside y are not counted.

class-map type inspect match-any y
 match protocol tcp
 match protocol icmp
class-map type inspect match-all x
 match class y

The cumulative counter for the nested class map does increment, as the following output shows:

Router# show policy-map type inspect zone-pair sessions

policy exists on zp zp
 Zone-pair: zp

  Service-policy inspect : fw

    Class-map: x (match-any)
      Match: class-map match-any y
        2 packets, 48 bytes   <======= Cumulative class map counters are incrementing.
        30 second rate 0 bps
        Match: protocol tcp
          0 packets, 0 bytes     <==== The match for the protocol is not incrementing.
          30 second rate 0 bps
        Match: protocol icmp
          0 packets, 0 bytes
          30 second rate 0 bps

   Inspect

      Number of Established Sessions = 1
      Established Sessions
        Session 53105C0 (10.1.1.2:19180)=>(172.1.1.2:23) telnet:tcp SIS_OPEN
          Created 00:00:02, Last heard 00:00:02
          Bytes sent (initiator:responder) [30:69]

    Class-map: class-default (match-any)
      Match: any 
      Drop
        0 packets, 0 bytes

Additional References

The following sections provide references related to Zone-Based Policy Firewall.

Related Documents

Related Topic
Document Title

Security commands

Cisco IOS Security Command Reference

Quality of Service commands

Cisco IOS Quality of Service Solutions Command Reference


Standards

Standard
Title

No new or modified standards are supported by this release.


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No new or modified RFCs are supported by this release.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Zone-Based Policy Firewall

Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or a later release appear in the table.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Feature Information for Zone-Based Policy Firewall 

Feature Name
Releases
Feature Information

Zone-Based Policy Firewall

12.4(6)T

This feature provides a Cisco IOS unidirectional firewall policy between groups of interfaces known as zones.

The following commands were introduced or modified by this feature:

class-map type inspect, class type inspect, clear parameter-map type protocol-info, debug policy-firewall, match body regex, match file-transfer, match header count, match header length, match header regex, match protocol (zone), match request length, match request regex, match response status-line regex, match search-file-name, match service, match text-chat, parameter-map type, policy-map type inspect, server (parameter-map), service-policy (policy-map), service-policy type inspect, show parameter-map type protocol-info

Application Inspection And Control for HTTP—Phase 2

12.4(9)T

This feature extends support for HTTP application firewall policies.

The following section provides information about this feature: Configuring an HTTP Firewall Policy

The following commands were introduced or modified by this feature: match body regex, match header count, match header length, match header regex, match request length, match request regex, match response status-line regex

P2P Application Inspection and Control—Phase 1

12.4(9)T, 12.4(20)T

This feature introduces support for identifying and enforcing a configured policy for the following peer-to-peer applications: eDonkey, FastTrack, Gnutella Version 2, and Kazaa Version 2.

Support for identifying and enforcing a configured policy for the following Instant Messenger applications is also introduced: AOL, MSN Messenger and Yahoo Messenger.

In Release 12.4(20)T, support was added for the following applications: H.323 VoIP and SIP.

In Release 12.4(20)T, support for the following IM applications was also added: ICQ and Windows Messenger.

The following sections provide information about this feature:

Configuring a Protocol-Specific Parameter Map

Configuring an Instant Messenger (IM) Policy

Configuring a Peer-to-Peer (P2P) Policy

The following commands were introduced or modified by this feature: class-map type inspect, class type inspect, clear parameter-map type protocol-info, debug policy-firewall, match file-transfer, match protocol (zone), match search-file-name, match service, match text-chat, parameter-map type, policy-map type inspect, server (parameter-map), show parameter-map type protocol-info

Zone Based Firewall (ZBFW) Usability and Manageability Features

15.0(1)M

The ZBFW Usability and Manageability features covered in this feature are OoO Packet processing Support in zone based firewalls, Intrazone Support in zone based firewalls and enhanced debug capabilities.

The following sections provide information about this feature:

Out-of-Order Packet Processing Support in Zone-Based Firewall Application

Intrazone Support in Zone-Based Firewall Application

Configuring OoO Packet Processing Support in Zone Based Firewall Application

Configuring Intrazone Support in Zone Based Firewall Application

The following commands were introduced or modified by this feature: clear ip ips statistics, debug cce dp named-db inspect, debug policy-firewall, debug ip virtual-reassembly list, parameter-map type ooo global, show parameter-map type ooo global, zone-pair security.

Rate-limiting Inspected Traffic

12.4(9)T

This feature allows users to rate limit traffic within a Cisco IOS firewall (inspect) policy. Also, users can limit the absolute number of sessions that can exist on a zone-pair.

The following sections provide information about this feature:

Rate Limiting (Policing) Traffic Within a Layer 3 and Layer 4 Policy Map

Creating an Inspect Parameter Map

The following commands were introduced by this feature: police (zone policy), sessions maximum.