-
Cisco IOS XR Virtual Firewall Command Reference, Release 3.7
-
Preface
-
Virtual Firewall Commands on Cisco IOS XR Software
-
Class Map Commands
-
Access Control List Commands
-
Policy Map Commands
-
Virtual Firewall Interface Commands
-
Virtualization Commands
-
Authentication and Accounting Commands
-
High Availability Commands
-
TCP/IP Normalization and IP Reassembly Parameters Commands
-
Parameter Map Commands
-
Terminal and Session Commands
-
System and File Management Commands
-
SNMP Commands
-
Logging Commands
-
VASI Commands on Cisco IOS XR Software
-
Index
-
Table Of Contents
Policy Map Commands on the Virtual Firewall
appl-parameter http advanced-options
match content length (policy map)
match content-type-verification
match header length (policy map)
match header mime-type (policy map)
match port-misuse (policy map)
match request-method (policy map)
match request-method (ftp policy map)
match transfer-encoding (policy map)
Policy Map Commands on the Virtual Firewall
This module describes the policy map commands. Policy map commands allow you to configure a policy map that defines the different actions applied to traffic passing through the VFW application. The VFW application attempts to match multiple classes within the policy map to allow a multifeature policy map. The VFW application executes the action for only one matching class within each of the class sets. The definition of which classes are in the same class set depends on the actions applied to the classes; the VFW application associates each policy map action with a specific set of classes.
Note
The commands described in this module are SanOS (Linux) commands used on the VFW application. Before you can access any of these commands, you must attach from the route processor to the VFW application using the service firewall attach location command. For more information, see the "Attaching to the VFW Application" section in Cisco IOS XR Virtual Firewall Configuration Guide.
appl-parameter http advanced-options
To associate an HTTP parameter map with a Layer 3 and Layer 4 policy map, use the appl-parameter http advanced-options command in policy map class configuration mode. To disassociate the HTTP parameter map as an action from the policy map, use the no form of this command.
appl-parameter http advanced-options name
no appl-parameter http advanced-options name
Syntax Description
name
Name of an existing HTTP parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Policy map class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The appl-parameter http advanced-options command associates an HTTP parameter map with a Layer 3 and Layer 4 policy map. A parameter map is a means to combine related actions for use in a Layer 3 and Layer 4 HTTP policy map. Parameter maps are defined using the parameter-map type http command.
Examples
The following example shows how to specify the appl-parameter http advanced-options command as an action for the policy map:
firewall/Admin(config)# policy-map multi-match L4SLBPOLICYfirewall/Admin(config-pmap)# class FILTERHTTPfirewall/Admin(config-pmap-c)# appl-parameter http advanced-options http_param_map1Related Commands
Creates a Layer 3 and Layer 4 policy map and enters policy map configuration mode.
Creates a connection, HTTP, or SSL type parameter map.
class
To associate a class map with a policy map, use the class command in the appropriate policy map configuration mode. To remove an associated class map from a policy map, use the no form of this command.
class {class_name [insert-before class2] | class-default}
no class {class_name [insert-before class2]}
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map configuration
Policy map FTP inspection configuration
Policy map HTTP inspection configuration
Management policy map configurationCommand History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The class specified by the class_name argument represents a previously defined traffic class configured with the class-map command. Refer to the "Class Map Commands on the Virtual Firewall" module for more information regarding the class-map command. If you are configuring a Layer 3 and Layer 4 policy map, use Layer 3 and Layer 4 class maps. If you are configuring a Layer 7 policy map, use appropriate Layer 7 class maps. If you are configuration a management policy map, use management class maps.
Examples
The following example shows how to associate a Layer 3 and Layer 4 class map with a Layer 3 and Layer 4 policy map:
firewall/Admin(config)# policy-map multi-match L4_SLB_POLICYfirewall/Admin(config-pmap) #class L4_SLB_CLASSfirewall/Admin(config-pmap-c)#The following example shows how to associate a Layer 7 HTTP inspection class map with a Layer 7 HTTP inspection policy map:
host/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASSfirewall/Admin(config-pmap-ins-http-c)#The following example shows how to associate a Layer 7 FTP inspection class map with a Layer 7 FTP inspection policy map:
host/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICYhost/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASSfirewall/Admin(config-pmap-ftp-ins-c)#The following example shows how to associated a management class map with a management policy map:
firewall/Admin(config)# policy-map type management first-match L4_REMOTE_MGMT_ALLOW_POLICYfirewall/Admin(config-pmap-mgmt)# class SSH-ALLOW_CLASSRelated Commands
clear service-policy
To clear the service policy statistics, use the clear service-policy command.
clear service-policy policy_name
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to clear the statistics for the service policy HTTP1:
firewall/Admin# clear service-policy HTTP1Related Commands
Displays the statistics for service policies enabled globally within a context or on a specific interface.
connection advanced-options
To associate a connection parameter map with a Layer 3 and Layer 4 policy map, use the connection advanced-options command in policy map class configuration mode. To disassociate the parameter map from a policy map, use the no form of this command.
connection advanced-options name
no connection advanced-options name
Syntax Description
name
Name of an existing connection parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Policy map class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the parameter-map type connection command to create a connection paramter map. For details about configuring a connection parameter map, see the "Configuring TCP/IP Normalization and IP Reassembly Parameters on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to associate the connection parameter map IP_MAP with a Layer 3 and Layer 4 TCP/IP policy map:
firewall/Admin(config)# policy-map multi-match TCPIP_POLICYfirewall/Admin(config-pmap)# class TCP_CLASSfirewall/Admin(config-pmap-c)# connection advanced-options IP_MAPRelated Commands
deny
To deny management traffic specified in the associated Layer 3 and Layer 4 management class map, use the deny command in the Layer 3 and Layer 4 management policy map class configuration mode. To return to the default state and permit all management traffic to pass, use the no form of this command.
deny
no deny
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Policy map management class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the admin feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the deny command to deny management traffic specified in the management class map.
Examples
The following example shows how to deny the traffic specified in the class map named SSH_CLASS:
firewall/Admin(config-pmap-mgmt)# class SSH_CLASSfirewall/Admin(config-pmap-mgmt-c)# denyRelated Commands
Allows the IP network management protocols listed in the associated Layer 3 and Layer 4 management class map to be received by the VFW application.
deny (ftp)
To deny the FTP request commands specified in a class map or specified in an inline match command, use the deny command in the appropriate policy map FTP inspection configuration mode. To return to the default state and permit all FTP request commands to pass, use the no form of this command.
deny
no deny
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Policy map FTP inspection class configuration
Policy map FTP inspection match configurationCommand History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the deny command to deny the FTP request commands by resetting the FTP session. By default, the VFW application allows all FTP commands to pass.
Examples
The following example shows how to instruct the VFW application to deny the FTP request commands specified in the Layer 7 FTP inspection class map by resetting the FTP session:
firewall/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASSfirewall/Admin(config-pmap-ftp-ins-c)# denyThe following example shows how to instruct the VFW application to deny the FTP request commands specified in an inline Layer 7 policy map match command by resetting the FTP session:
firewall/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICYhost/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkdirhost/Admin(config-pmap-ftp-ins-m)# denydescription (policy map)
To provide a brief summary about policy map, use the description command in the appropriate policy map configuration mode. To remove the description from the class map, use the no form of this command.
description text
no description
Syntax Description
text
Description for the policy map. Enter an unquoted text string with a maximum of 240 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Policy map configuration
Policy map FTP inspection configuration
Policy map HTTP inspection configuration
Management policy map configurationCommand History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command has no user role restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Examples
The following example shows how to add a description that the class map is to perform Layer 3 and Layer 4 inspection:
firewall/Admin(config)# policy-map multi-match L4_POLICYfirewall/Admin(config-cmap)# description Policy map for L3/L4 inspectionRelated Commands
inspect
To define the Layer 3 and Layer 4 HTTP deep packet inspection, FTP command inspection, or application protocol inspection policy actions, use the inspect command in policy map class configuration mode. To remove an associated class map from a policy map, use the no form of this command.
inspect {dns [maximum-length bytes]} | {ftp [strict policy policy_map1]} | {http [policy policy_map2 | url-logging]} | {icmp [error]} | rtsp
no inspect {dns [maximum-length bytes]} | {ftp [strict policy policy_map1]} | {http [policy policy_map2 | url-logging]} | {icmp [error]} | rtsp
Syntax Description
Defaults
The default for the maximum length is 512 bytes.
Command Modes
Policy map class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the inspect command to define the Layer 3 and Layer 4 HTTP deep packet inspection, FTP command inspection, or application protocol inspection policy actions. Application inspection involves the examination of protocols such as DNS, FTP, HTTP, ICMP, and RTSP to verify the protocol behavior and identify unwanted or malicious traffic passing through the VFW application.
To perform the deep packet inspection of Layer 7 HTTP application traffic by the VFW application, first create a Layer 7 HTTP deep packet inspection policy using the policy-map type inspect http command (see the "Configuring Application Protocol Inspection on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide). You nest the Layer 7 deep packet inspection policy using the Layer 3 and Layer 4 inspect http command. If you do not specify a Layer 7 HTTP policy map, the VFW application performs a general set of Layer 3 and Layer 4 HTTP protocol fixup actions and internal RFC compliance checks.
To perform checks for protocol RFC compliance and to prevent web browsers from sending embedded commands in FTP requests, first create a Layer 7 FTP policy using the policy-map type inspect ftp command (see the "Configuring Application Protocol Inspection on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide). You nest the Layer 7 FTP inspection traffic policy using the Layer 3 and Layer 4 inspect ftp command. If you do not specify a Layer 7 FTP policy map, the VFW application performs a general set of Layer 3 and Layer 4 FTP protocol fixup actions.
Examples
The following example shows how to specify the inspect http command as an action for an HTTP application protocol inspection policy map:
firewall/Admin(config)# policy-map multi-match HTTP_INSPECT_L4POLICYfirewall/Admin(config-pmap)# class HTTP_INSPECT_L4CLASSfirewall/Admin(config-pmap-c)# inspect http policy HTTP_DEEPINSPECT_L7POLICYRelated Commands
mask-reply
To instruct the VFW application to mask the reply to the FTP SYST command by filtering sensitive information from the command output, use the mask-reply command in policy map FTP inspection class configuration mode. To disable the masking of the system reply to the FTP SYST command, use the no form of this command.
mask-reply
no mask-reply
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Policy map FTP inspection class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The mask-reply command is applicable only to the FTP SYST command and its associated reply. The SYST command is used to find out the type of operating system at the FTP server.
Examples
The following example shows how to instruct the VFW application to mask the reply to the FTP SYST command:
firewall/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASSfirewall/Admin(config-pmap-ftp-ins-c)# mask-replymatch content (policy map)
To configure the Layer 7 HTTP inspection policy map to define HTTP application inspection decisions based on content expressions contained within the HTTP entity-body, use the match content command in policy map HTTP inspection configuration mode. To clear content expression-checking match criteria from the policy map, use the no form of this command.
match name content expression [offset number] [insert-before map_name]
no match name
Syntax Description
name
Name of the inline match condition. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
expression
Content expression contained within the HTTP entity-body. The range is from 1 to 255 alphanumeric characters. Table 4 provides a list of the supported characters that you can use in regular expressions.
offset number
(Optional) Provides an absolute offset where the content expression search string starts. The offset starts at the first byte of the Message body, after the empty line (CR,LF,CR,LF) between the headers and the body of the message. The offset value is between 1 to 4000 bytes.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match content command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then define the action to use if a match is made. Options are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
The VFW application supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, provided that the spaces are escaped or quoted. Table 4 provides a list of the supported characters that you can use in regular expressions.
Examples
The following example shows how to specify a content expression contained within the entity-body sent with an HTTP request:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH1 content .*newp2psigfirewall/Admin(config-pmap-ins-http-m)Related Commands
match content length (policy map)
To configure the Layer 7 HTTP inspection policy map to define application inspection decisions in the HTTP content up to the configured maximum content parse length, use the match content length command in policy map HTTP inspection configuration mode. To clear the HTTP content length match criteria from the policy map, use the no form of this command.
match name content length operator bytes1 [bytes2] [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Messages that meet the specified criteria are either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action.
When you use the match content length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
Examples
The following example shows how to define application inspection decisions in the HTTP content up to the configured maximum content parse length:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH2 content length eq 3495firewall/Admin(config-pmap-ins-http-m)Related Commands
match content-type-verification
To verify the content MIME-type messages with the header MIME-type, use the match content-type-verification command in policy map HTTP inspection configuration mode. To clear the MIME-type match criteria from the policy map, use the no form of this command.
match name content-type-verification [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match content-type-verification command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
The match content-type-verification command limits the MIME types in HTTP messages allowed through the VFW application. It verifies that the header MIME-type value is in the internal list of supported MIME types and the header MIME-type matches the actual content in the data or entity body portion of the message. If they do not match, the VFW application performs the specified Layer 7 policy map action: permit or reset.
The MIME-type HTTP inspection process requires a search of the entity body of the HTTP message, which may degrade performance of the VFW application.
Examples
The following example shows how to verify the content MIME-type messages with the header MIME-type:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH3 content-type-verificationfirewall/Admin(config-pmap-ins-http-m)Related Commands
match header (policy map)
To define HTTP deep packet inspection decisions based on the name and value in an HTTP header, use the match header command in policy map HTTP inspection configuration mode. To clear an HTTP header match criteria from the policy map, use the no form of this command.
match name header {header_name | header_field} header-value expression [insert-before map_name]
no match name header
Syntax Description
name
Name of the inline match condition. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
header_name
Name of the HTTP header to match (for example, www.example1.com.) The range is from 1 to 64 alphanumeric characters.
Note
header_field
Standard HTTP/1.1 header field. Valid selections include request-header fields, general-header fields, and entity-header field. Table 5 lists the supported HTTP/1.1 header fields.
header-value expression
Specifies the header value expression string to compare against the value in the specified field in the HTTP header. The range is from 1 to 255 alphanumeric characters. For a list of supported characters that you can use in regular expressions, see Table 4.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match header command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
Table 5 lists the supported HTTP/1.1 header fields.
To define HTTP deep packet inspection decisions based on the name and value in an HTTP header, use the match header command. The VFW application performs regular expression matching against the received packet data from a particular connection based on the HTTP header expression. The VFW application supports the use of regular expressions for matching. Expressions are stored in a header map in the form header-name: expression. Header expressions allow spaces, provided that the spaces are escaped or quoted. For a list of supported characters that you can use in regular expressions, see Table 4.
Examples
The following example shows how to filter on content and allow HTTL headers that contain the expression html:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH4 header accept header-value htmlfirewall/Admin(config-pmap-ins-http-m)Related Commands
match header length (policy map)
To limit the HTTP traffic allowed through the VFW application based on the length of the entity body in the HTTP message, use the match header length command in policy map HTTP inspection configuration mode. To clear an HTTP header length match criteria from the policy map, use the no form of this command.
match name header length {request | response} operator bytes1 [bytes2] [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
By default, the maximum header length for HTTP deep packet inspection is 2048 bytes. To limit the HTTP traffic allowed through the VFW application based on the length of the entity body in the HTTP message, use the match header length command. Messages are either allowed or denied based on the Layer 7 HTTP deep packet inspection policy map action. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
Examples
The following example shows how to specify that the policy map match on HTTP traffic received with a length less than or equal to 3600 bytes in the entity body of the HTTP message:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-cmap-http-insp)# match MATCH4 header length request eq 3600firewall/Admin(config-pmap-ins-http-m)Related Commands
match header mime-type (policy map)
To specify a subset of the Multipurpose Internet Mail Extension (MIME)-type messages that the VFW application permits or denies based on the actions in the policy map, use the match header mime-type command in policy map HTTP inspection configuration mode. To deselect the specified MIME message match criteria from the policy map, use the no form of this command.
match name header mime-type mime_type [insert-before map_name]
no match name
Syntax Description
name
Name of the inline match condition. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
mime-type mime_type
Specifies the MIME type. The VFW application includes a predefined list of MIME types, such as image\Jpeg, text\html, application\msword, audio\mpeg. Choose whether only the MIME types included in this list are permitted through the VFW application firewall or whether all MIME types are acceptable. The default behavior is to allow all MIME types. Table 6 lists the supported MIME types.
insert-before map_name
(Optional) Places the inline match command ahead of an existing class map in the policy map configuration.
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match header mime-type command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
Use the match header mime-type command to specify a subset of the Multipurpose Internet Mail Extension (MIME)-type messages that the VFW application permits or denies based on the actions in the policy map. MIME-type validation extends the format of Internet mail to allow non-US-ASCII textual messages, nontextual messages, multipart message bodies, and non-US-ASCII information in message headers. Table 6 lists the supported MIME types.
MIME-type validation extends the format of Internet mail to allow non-US-ASCII textual messages, nontextual messages, multipart message bodies, and non-US-ASCII information in message headers.
Examples
The following example shows how to specify that the policy map permits MIME-type audio/midi messages through the VFW application:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH5 header mime-type audio\midifirewall/Admin(config-pmap-ins-http-m)#Related Commands
match port-misuse (policy map)
To define HTTP deep packet inspection compliance decisions that restrict certain HTTP traffic from passing through the VFW application, use the match port-misuse command in policy map HTTP inspection configuration mode. To clear the HTTP restricted application category match criteria from the policy map, use the no form of this command.
match name port-misuse {im | p2p | tunneling} [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The policy map detects the misuse of port 80 (or any other port running HTTP) for tunneling protocols such as peer-to-peer (p2p) applications, tunneling applications, and instant messaging.
When you use the match port-misuse command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
The port misuse application inspection process requires a search of the entity body of the HTTP message, which may degrade performance of the VFW application.
The VFW application disables the match port-misuse command by default. If you do not configure a restricted HTTP application category, the default action by the VFW application is to allow the applications without generating a log.
Examples
The following example shows how to specify that the policy map identifies peer-to-peer applications as restricted HTTP traffic:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH6 port-misuse p2pfirewall/Admin(config-pmap-ins-http-m)#Related Commands
match request-method (policy map)
To define HTTP deep packet inspection compliance decisions based on the request methods defined in RFC 2616 and by HTTP extension methods, use the match request-method command in policy map HTTP inspection configuration mode. To clear the HTTP request method match criteria from the policy map, use the no form of this command.
match name request-method {ext method | rfc method} [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match request-method command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
For unsupported HTTP request methods, include the inspect command as an action in the Layer 3 and Layer 4 policy map.
The VFW application disables the match request-method command by default. If you do not configure a request method, the default action by the VFW application is to allow the RFC 2616 HTTP request method without generating a log.
Examples
The following example shows how to specify that the policy map identifies the index HTTP RFC 2616 protocol for application inspection:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH7 request-method ext indexfirewall/Admin(config-pmap-ins-http-m)#Related Commands
match request-method (ftp policy map)
To configure a Layer 7 FTP inspection policy map to define FTP command inspection decisions performed by the VFW application, use the match request-method command in policy map FTP inspection configuration mode. To clear the FTP inspection request method from the policy map, use the no form of this command.
match name request-method ftp_command
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map FTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The match request-method command identifies the FTP command that you want filtered by the VFW application. The prompt changes from (config-pmap-ftp-ins) to (config-pmap-ftp-ins-m).
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, you can only use one inline match command in a policy map. If you require more match criteria, use a traffic class.
Use the deny or mask-reply commands to define the action for the match request-method command.
Examples
The following example shows how to add an inline match command to a Layer 7 FTP command policy map:
host/Admin(config-pmap-ftp-ins)# match FTP_REQUEST_MATCH request-method mkdirhost/Admin(config-pmap-ftp-ins-m)#Related Commands
match strict-http
To ensure that the internal compliance checks verify message compliance with the HTTP RFC standard, RFC 2616, use the match strict-http command in policy map HTTP inspection configuration mode. To clear the HTTP RFC standard, RFC 2616 match criteria from the policy map, use the no form of this command.
match name strict-http [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match strict-http command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
Use the match strict-http command to ensure that the internal compliance checks verify message compliance with the HTTP RFC standard, RFC 2616. If the HTTP message is not compliant, the VFW application permits or resets the specified HTTP traffic based on the policy map action.
Examples
The following example shows how to configure the policy map to ensure that the internal compliance checks verify message compliance with the HTTP RFC standard, RFC 2616:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH8 strict-httpfirewall/Admin(config-pmap-ins-http-m)#Related Commands
match transfer-encoding (policy map)
To define HTTP deep packet inspection decisions that limit the HTTP transfer-encoding types that can pass through the VFW application, use the match transfer-encoding command in policy map HTTP inspection configuration mode. To clear the HTTP transfer-encoding type match criteria from the policy map, use the no form of this command.
match name transfer-encoding coding_types [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match transfer-encoding command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
The transfer-encoding general-header field indicates the type of transformation, if any, that has been applied to the HTTP message body to safely transfer it between the sender and the recipient. When an HTTP request message contains the configured transfer-encoding type, the VFW application performs the configured action in the policy map.
Each match transfer-encoding command configures a single application type.
The VFW application disables the match transfer-encoding command by default.
Examples
The following example shows how to configure the policy map to specify a chunked HTTP transfer encoding type to limit the HTTP traffic that flows through the VFW application:
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH9 transfer-encoding chunkedfirewall/Admin(config-pmap-ins-http-m)#Related Commands
match url (policy map)
To define HTTP deep packet inspection decisions based on URL name and, optionally, HTTP method, use the match url command in policy map HTTP inspection configuration mode. To remove the URL name or HTTP method match criteria from the policy map, use the no form of this command.
match name url expression [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match url command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
Include only the portion of the URL following www.hostname.domain in the match statement. For example, in the URL www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html. To match the www.anydomain.com portion, the URL string can take the form of a URL regular expression. The VFW application supports the use of regular expressions for matching. For a list of the supported characters that you can use in regular expressions, see Table 4.
When matching URLs, keep in mind that the period "." character does not have a literal meaning in regular expressions. Use either the "[]" or "\" character classes to match this symbol, for example, specify "www[.]xyz[.]com" instead of "www.xyz.com".
Examples
The following example shows how to configure the policy map to define application inspection decisions based on a URL, enter
firewall/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match url whatsnew/latest.*firewall/Admin(config-pmap-ins-http-m)#Related Commands
match url length (policy map)
To limit the HTTP traffic allowed through the VFW application by specifying the maximum length of a URL in a request message that can be received by the VFW application, use the match url length command in policy map HTTP inspection configuration mode. To clear a URL length match criteria from the policy map, use the no form of this command.
match name url length operator bytes [bytes2] [insert-before map_name]
no match name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map HTTP inspection configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
When you use the match url length command, you access the policy map inspection HTTP match configuration mode and the prompt changes from (config-pmap-ins-http) to (config-pmap-ins-http-m). You can then specify the actions that the VFW application should take when network traffic matches the specified inline match command. Possible actions are permit or reset.
A match command can be included in a policy map in place of using a traffic class containing comparible match commands. However, when you use a match command in the policy map, you can specify an action for only a single match statement in the policy map.
Examples
The following example shows how to specify that the class map is to match on a URL with a length less than or equal to 10000 bytes in the request message:
firewall/Admin(config)# class-map type http inspect HTTP_INSPECT_L7POLICYfirewall/Admin(config-cmap-http-insp)# match url length eq 10000Related Commands
nat dynamic
To configure dynamic NAT and PAT as an action in a policy map, use the nat dynamic command in policy map class configuration mode. To remove a dynamic NAT action from a policy map, use the no form of this command.
nat dynamic nat_id interface interface_name
no nat dynamic nat_id interface interface_name
Syntax Description
Defaults
No default behavior or values
Command Modes
Policy map class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the nat dynamic command to configure dynamic NAT and PAT as an action in a policy map. The VFW application applies the dynamic NAT from the interface attached to the traffic policy (through the service-policy command in interface configuration mode) to the interface specified in the nat dynamic command.
If a packet egresses an interface that you have not configured for NAT, the VFW application transmits the packet untranslated.
Examples
The following example shows how to specify the nat dynamic command as an action for a dynamic NAT policy map:
firewall/Admin(config)# policy-map multi-action NAT_POLICYfirewall/Admin(config-pmap)# class NAT_CLASSfirewall/Admin(config-pmap-c)# nat dynamic 1 interface xyzRelated Commands
nat static
To configure static NAT and static port redirection in a policy map, use the nat static command in policy map class configuration mode. To remove a NAT action from a policy map, use the no form of this command.
nat static ip_address netmask mask [tcp eq | udp eq] port interface if_name
no nat static ip_address netmask mask [tcp eq | udp eq] port interface if_name
Syntax Description
ip_address
IP address for a single static translation. This argument establishes the globally unique IP address of a host as it appears to the outside world. The policy map performs the global IP address translation for the source IP address specified in the ACL (as part of the class map traffic classification).
netmask mask
Specifies the subnet mask for the IP address. Enter a subnet mask in dotted-decimal notation.
tcp eq
Specifies that the port argument is a TCP port name or number.
port
Global TCP or UDP port for static port redirection. Enter an integer from 0 to 65535. A value of 0 instructs the VFW application to match any port. Alternatively, you can enter a protocol keyword that corresponds to a TCP port number. See Table 7 for a list of supported well-known TCP port names and numbers.
udp eq port3
Specifies that the port argument is a UDP port name or number.
interface if_name
Specifies the interface for the global IP address.
Defaults
No default behavior or values
Command Modes
Policy map class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the NAT feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the nat static command to configure static NAT and static port redirection in a policy map. Static NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended ACL which is referenced as part of the class map traffic classification. The VFW application applies static NAT from the interface attached to the traffic policy (through the service-policy command in interface configuration mode) to the interface specified in the nat static command.
Table 7 provides a list of supported well-known TCP and UDP port names and numbers.
Examples
The following example shows how to specify the nat command as an action for a static NAT and port redirection policy map:
firewall/Admin(config)# policy-map multi-action NAT_POLICYfirewall/Admin(config-pmap)# class NAT_CLASSfirewall/Admin(config-pmap-c)# nat static 192.168.12.15 255.255.255.0 8080 interface xyzRelated Commands
permit
To allow the IP network management protocols listed in the associated Layer 3 and Layer 4 management class map to be received by the VFW application, use the permit command in the Layer 3 and Layer 4 management policy map class configuration mode. To disallow the specified IP network management protocols to be received by the VFW application, use the no form of this command.
permit
no permit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Policy map management class configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the admin feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the permit command to allow the IP network management protocols listed in the associated Layer 3 and Layer 4 management class map to be received by the VFW application.
Examples
The following example shows how to permit the specified IP network management protocol by the VFW application:
firewall/Admin(config-pmap-mgmt)# class SSH_CLASSfirewall/Admin(config-pmap-mgmt-c)# permitRelated Commands
Denies management traffic specified in the associated Layer 3 and Layer 4 management class map.
permit (http)
To allow the specified HTTP traffic to be received by the VFW application if it passes the HTTP deep packet inspection match criteria specified in the class map or an inline match condition, use the permit command in the appropriate policy map inspection HTTP configuration mode. To disallow the specified HTTP traffic to be received by the VFW application, use the no form of this command.
permit
no permit
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Policy map inspection HTTP match configuration
Policy map inspection HTTP class configurationCommand History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
By default, HTTP inspection allows traffic that does not match any of the configured Layer 7 HTTP deep packet inspection matches. You can modify this behavior by including the class class-default command with the reset action to deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches configured in the Layer 7 HTTP deep packet inspection policy map are hit, the class-default action is taken by the VFW application. For example, you can include a class map to allow the HTTP GET method and use the class class-default command to block all the other requests.
Note
Examples
The following example shows how to allow the specified HTTP traffic to be received by the VFW application if the match criteria are met:
firewall/Admin(config)# policy-map inspect http all-match HTTP_DEEPINSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunkedfirewall/Admin(config-pmap-ins-http-m)# permitThe following example shows how to allow the specified HTTP traffic to be received by the VFW application if the class map match criteria in class map L7HTTP_CHECK are met:
firewall/Admin(config)# policy-map inspect http all-match HTTP_DEEPINSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# class L7HTTP_CHECKfirewall/Admin(config-pmap-ins-http-c)# permitRelated Commands
Denies the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection.
policy-map multi-match
To create a Layer 3 and Layer 4 policy map and access policy map configuration mode, use the policy-map multi-match command in configuration mode. When you access the policy map configuration mode, the prompt changes to (config-pmap). To remove a Layer 3 and Layer 4 policy map from the VFW application, use the no form of this command.
policy-map multi-match map_name
no policy-map multi-match map_name
Syntax Description
map_name
Name assigned to the Layer 3 and Layer 4 policy map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect, NAT, or connection feature in your user role, depending on the type of policy map you want to configure. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
For a Layer 3 and Layer 4 traffic classification, you create Layer 3 and Layer 4 policy maps with actions that configure:
•
•
•
•
To perform HTTP deep packet inspection or FTP command inspection functions, you associate a previously created Layer 7 policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on an interface; a Layer 7 policy map cannot be applied directly on an interface.
The VFW application supports a system-wide maximum of 4096 policy maps.
Examples
The following example shows how to create a Layer 3 and Layer 4 application protocol inspection policy map named L4_HTTP_APP_INSPECTION_POLICY:
firewall/Admin(config)# policy-map multi-match L4_HTTP_APP_INSPECTION_POLICYfirewall/Admin(config-pmap)#Related Commands
Creates a Layer 3 and Layer 4 class map and enters class map configuration mode.
policy-map type inspect ftp
To create an FTP command request inspection policy map and access policy map FTP inspection configuration mode, use the policy-map type inspect ftp command in configuration mode. When you access the policy map FTP inspection configuration mode, the prompt changes to (config-pmap-ftp-ins). To remove an FTP command request inspection policy map from the VFW application, use the no form of this command.
policy-map type inspect ftp first-match map_name
no policy-map type inspect ftp first-match map_name
Syntax Description
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
You associate the Layer 7 FTP command request inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on an interface; a Layer 7 policy map cannot be applied directly on an interface.
To associate the Layer 7 FTP inspection policy map, you nest it using the Layer 3 and Layer 4 inspect command.
Examples
The following example shows how to create a Layer 7 FTP command inspection policy map:
host/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICYhost/Admin(config-pmap-ftp-ins) #Related Commands
Creates and configures a Layer 7 class map to be used for the inspection of FTP request commands and enters class map FTP inspection configuration mode.
policy-map type inspect http
To create an HTTP deep packet inspection policy map and access policy map inspection HTTP configuration mode, use the policy-map type inspect http command in configuration mode. When you access the policy map inspection HTTP configuration mode, the prompt changes to (config-pmap-ins-http). To remove an HTTP deep packet inspection policy map from the VFW application, use the no form of this command.
policy-map type inspect http all-match map_name
no policy-map type inspect http all-match map_name
Syntax Description
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
You associate the Layer 7 HTTP deep packet inspection policy map within a Layer 3 and Layer 4 policy map to provide an entry point for the traffic classification. Layer 7 policy maps are considered to be child policies and can be associated only within a Layer 3 and Layer 4 policy map. Only a Layer 3 and Layer 4 policy map can be activated on an interface; a Layer 7 policy map cannot be applied directly on an interface.
To associate the Layer 7 HTTP inspection policy map, you nest it using the Layer 3 and Layer 4 inspect command.
Examples
The following example shows how to create a Layer 7 HTTP deep packet inspection policy map:
host/Admin(config)# policy-map type inspect http all-match HTTP_INSPECT_L7POLICYhost/Admin(config-pmap-ins-http)#Related Commands
Creates a Layer 7 HTTP deep packet inspection class map and enters class map HTTP inspection configuration mode.
policy-map type management
To create a Layer 3 and Layer 4 network management policy map and access the policy map management configuration mode, use the policy-map type management command in configuration mode. To remove a Layer 3 and Layer 4 network management policy map from the VFW application, use the no form of this command.
policy-map type management first-match map_name
no policy-map type management first-match map_name
Syntax Description
Defaults
No default behavior or values
Command Modes
Configuration
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Use the policy-map type management command to create a Layer 3 and Layer 4 network management policy map and access the policy map management configuration mode. You can classify network traffic based on the following management protocols: HTTP, HTTPS, ICMP, SNMP, SSH, or Telnet. When you access this mode, the prompt changes to (config-pmap-mgmt).
Examples
The following example shows how to create a Layer 3 and Layer 4 network traffic management policy map:
firewall/Admin(config)# policy-map type management first-match L4_REMOTE_MGMT_ALLOW_POLICYfirewall/Admin(config-pmap-mgmt)#Related Commands
Create a Layer 3 and Layer 4 class map to classify the IP network management traffic received by the VFW application and enters class map management configuration mode.
reset
To deny the specified HTTP traffic by sending a TCP reset message to the client or server to close the connection, use the reset command in the appropriate policy map inspection HTTP configuration mode. To allow the specified HTTP traffic to be received by the VFW application, use the no form of this command.
reset
no reset
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Policy map inspection HTTP match configuration
Policy map inspection HTTP class configurationCommand History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the inspect feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
By default, HTTP inspection allows traffic that does not match any of the configured Layer 7 HTTP deep packet inspection matches. You can modify this behavior by including the class class-default command with the reset action to deny the specified Layer 7 HTTP traffic. In this case, if none of the class matches configured in the Layer 7 HTTP deep packet inspection policy map are hit, the class-default action is taken by the VFW application. For example, you can include a class map to allow the HTTP GET method and use the class class-default command to block all the other requests.
Note
Examples
The following example shows how to deny the specified HTTP traffic to be received by the VFW application if the match criteria are met:
firewall/Admin(config)# policy-map inspect http all-match HTTP_DEEPINSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# match MATCH5 transfer-encoding chunkedfirewall/Admin(config-pmap-ins-http-m)# resetThe following example shows how to deny the specified HTTP traffic to be received by the VFW application if the class map match criteria in class map L7HTTP_CHECK are met:
firewall/Admin(config)# policy-map inspect http all-match HTTP_DEEPINSPECT_L7POLICYfirewall/Admin(config-pmap-ins-http)# class http_checkfirewall/Admin(config-pmap-ins-http-c)# resetRelated Commands
service-policy
To apply a previously created policy map and attach the traffic policy to a specific interface or globally to all interfaces in the same context, use the service-policy command in configuration mode or interface configuration mode. To remove a service policy, use the no form of this command.
service-policy input policy_name
no service-policy input policy_name
Syntax Description
Defaults
No default behavior or values
Command Modes
Configuration
Interface configurationCommand History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command requires the interface feature in your user role. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
Note the following when attaching a service policy:
•
•
•
•
Examples
The following example shows how to apply the L4SLBPOLICY policy map to an interface:
firewall/C1(config-if-mgmt)# service-policy input L4SLBPOLICYThe following example shows how to remove the L4SLBPOLICY policy map from the interface:
firewall/C1(config-if-mgmt)# no service-policy input L4SLBPOLICYRelated Commands
Displays the statistics for service policies enabled globally within a context or on a specific interface.
show service-policy
To display the statistics for service policies enabled globally within a context or on a specific interface, use the show service-policy command in EXEC mode.
show service-policy policy_name [detail]
Syntax Description
Defaults
No default behavior or values
Command Modes
EXEC
Command History
Release 3.5.0
This command was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0
No modification.
Release 3.7.0
No modification.
Usage Guidelines
This command has no user role feature restrictions. For details about role-based access control (RBAC) and user roles, see the "Configuring Virtualization on the Virtual Firewall" module in Cisco IOS XR Virtual Firewall Configuration Guide.
The show service-policy command displays the following information:
•
•
•
The VFW application updates the counters that the show service-policy command displays after the applicable connections are closed.
Examples
The following example shows how to display the statistics and current status of the service policy APP_INSPECT_L4POLICY:
firewall/Admin# show service-policy APP_INSPECT_L4POLICYStatus : ACTIVE-----------------------------------------Context Global Policy:service-policy: APP_INSPECT_L4POLICYclass: APP_INSPECT_L4CLASSinspect dns:max length: 0curr conns : 0 , hit count : 0dropped conns : 0client pkt count : 0 , client byte count: 0server pkt count : 0 , server byte count: 0Table 8 describes the fields in the show service-policy detail command output for an application protocol inspection policy map.
Related Commands
