Table Of Contents
Global Objects
Using Network Objects and Groups
Network Object Overview
Configuring a Network Object
Configuring a Network Object Group
Using Network Objects and Groups in a Rule
Viewing the Usage of a Network Object or Group
Configuring Service Groups
Service Groups
Add/Edit Service Group
Browse Service Groups
Configuring Class Maps
DNS Class Map
Add/Edit DNS Traffic Class Map
Add/Edit DNS Match Criterion
Manage Regular Expressions
Manage Regular Expression Class Maps
FTP Class Map
Add/Edit FTP Traffic Class Map
Add/Edit FTP Match Criterion
H.323 Class Map
Add/Edit H.323 Traffic Class Map
Add/Edit H.323 Match Criterion
HTTP Class Map
Add/Edit HTTP Traffic Class Map
Add/Edit HTTP Match Criterion
IM Class Map
Add/Edit IM Traffic Class Map
Add/Edit IM Match Criterion
SIP Class Map
Add/Edit SIP Traffic Class Map
Add/Edit SIP Match Criterion
Configuring Inspect Maps
DCERPC Inspect Map
Customize Security Level
DCERPC Inspect Map Basic/Advanced View
DNS Inspect Map
Customize Security Level
DNS Inspect Map Basic View
DNS Inspect Map Advanced View
Add/Edit DNS Inspect
Manage Class Maps
ESMTP Inspect Map
Customize Security Level
MIME File Type Filtering
ESMTP Inspect Map Basic View
ESMTP Inspect Map Advanced View
Add/Edit ESMTP Inspect
FTP Inspect Map
Customize Security Level
File Type Filtering
FTP Inspect Map Basic View
FTP Inspect Map Advanced View
Add/Edit FTP Map
GTP Inspect Map
Customize Security Level
IMSI Prefix Filtering
GTP Inspect Map Basic View
GTP Inspect Map Advanced View
Add/Edit GTP Map
H.323 Inspect Map
Customize Security Level
Phone Number Filtering
H.323 Inspect Map Basic View
H.323 Inspect Map Advanced View
Add/Edit HSI Group
Add/Edit H.323 Map
HTTP Inspect Map
Customize Security Level
URI Filtering
HTTP Inspect Map Basic View
HTTP Inspect Map Advanced View
Add/Edit HTTP Map
Instant Messaging (IM) Inspect Map
Instant Messaging (IM) Inspect Map View
Add/Edit IM Map
IPSec Pass Through Inspect Map
Customize Security Level
IPSec Pass Through Inspect Map Basic View
IPSec Pass Through Inspect Map Advanced View
MGCP Inspect Map
Gateways and Call Agents
MGCP Inspect Map View
Add/Edit MGCP Group
NetBIOS Inspect Map
NetBIOS Inspect Map View
RADIUS Inspect Map
RADIUS Inspect Map Host
RADIUS Inspect Map Other
SCCP (Skinny) Inspect Map
Customize Security Level
Message ID Filtering
SCCP (Skinny) Inspect Map Basic View
SCCP (Skinny) Inspect Map Advanced View
Add/Edit Message ID Filter
SIP Inspect Map
Customize Security Level
SIP Inspect Map Basic View
SIP Inspect Map Advanced View
Add/Edit SIP Inspect
SNMP Inspect Map
Add/Edit SNMP Map
Configuring Regular Expressions
Regular Expressions
Add/Edit Regular Expression
Build Regular Expression
Test Regular Expression
Add/Edit Regular Expression Class Map
TCP Maps
Add/Edit TCP Map
Configuring Time Ranges
Add/Edit Time Range
Add/Edit Periodic Time Range
Global Objects
The Global Objects pane provides a single location where you can configure, view, and modify the reusable components that you need to implement your policy on the security appliance. For example, once you define the hosts and networks that are covered by your security policy, you can select the host or network to which a feature applies, instead of having to redefine it every time. This saves time and ensures consistency and accuracy of your security policy. When you need to add or delete a host or network, you can use the Global Objects pane to change it in a single place.
This chapter includes the following sections:
•
Using Network Objects and Groups
•
Configuring Service Groups
•
Configuring Class Maps
•
Configuring Inspect Maps
•
Configuring Regular Expressions
•
TCP Maps
•
Configuring Time Ranges
Using Network Objects and Groups
This section describes how to use network objects and groups, and includes the following topics:
•
Network Object Overview
•
Configuring a Network Object
•
Configuring a Network Object Group
•
Using Network Objects and Groups in a Rule
•
Viewing the Usage of a Network Object or Group
Network Object Overview
Network objects let you predefine host and network IP addresses so that you can streamline subsequent configuration. When you configure the security policy, such as an access rule or an AAA rule, you can choose these predefined addresses instead of typing them in manually. Moreover, if you change the definition of an object, the change is inherited automatically by any rules using the object.
You can add network objects manually, or you can let ASDM create objects automatically from the existing configuration, such as access rules and AAA rules. If you edit one of these derived objects, it persists even if you later delete the rule that used it. Otherwise, derived objects are rebuilt from the current configuration when you refresh, so an unedited derived object only reflects the rules that exist at that time.
A network object group is a group containing multiple hosts and networks together. A network object group can also contain other network object groups. You can then specify the network object group as the source address or destination address in an access rule.
When you are configuring rules, the ASDM window includes an Addresses side pane at the right that shows available network objects and network object groups; you can add, edit, or delete objects directly in the Addresses pane. You can also drag additional network objects and groups from the Addresses pane to the source or destination of a selected access rule.
Configuring a Network Object
To configure a network object, perform the following steps:
Step 1
In the Configuration > Global Objects > Network Objects/Group pane, click Add > Network Object to add a new object, or choose an object and click Edit.
You can also add or edit network objects from the Addresses side pane in a rules window, or when you are adding a rule.
To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed.
The Add/Edit Network Object dialog box appears.
Step 2
Fill in the following values:
•
Name—(Optional) The object name. Use characters a to z, A to Z, 0 to 9, a dot, a dash, or an underscore. The name must be 64 characters or less.
•
IP Address—The IP address, either a host or network address.
•
Netmask—The subnet mask for the IP address. Use 255.255.255.255 to define a single host.
•
Description—(Optional) The description of the network object.
Step 3
Click OK.
You can now use this network object when you create a rule. For an edited object, the change is inherited automatically by any rules using the object.
Note
You cannot delete a network object that is in use.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Configuring a Network Object Group
To configure a network object group, perform the following steps:
Step 1
In the Configuration > Global Objects > Network Objects/Group pane, click Add > Network Object Group to add a new object group, or choose an object group and click Edit.
You can also add or edit network object groups from the Addresses side pane in a rules window, or when you are adding a rule.
To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed.
The Add/Edit Network Object Group dialog box appears.
Step 2
In the Group Name field, enter a group name.
Use characters a to z, A to Z, 0 to 9, a dot, a dash, or an underscore. The name must be 64 characters or less.
Step 3
(Optional) In the Description field, enter a description up to 200 characters in length.
Step 4
You can add existing objects or groups to the new group (nested groups are allowed), or you can create a new address to add to the group:
•
To add an existing network object or group to the new group, double-click the object in the Existing Network Objects/Groups pane.
You can also select the object, and then click Add. The object or group is added to the right-hand Members in Group pane.
•
To add a new address, fill in the values under the Create New Network Object Member area, and click Add.
The object or group is added to the right-hand Members in Group pane. This address is also added to the network object list.
To remove an object, double-click it in the Members in Group pane, or click Remove.
Step 5
After you add all the member objects, click OK.
You can now use this network object group when you create a rule. For an edited object group, the change is inherited automatically by any rules using the group.
Note
You cannot delete a network object group that is in use.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Using Network Objects and Groups in a Rule
When you create a rule, you can enter an IP address manually, or you can browse for a network object or group to use in the rule.
To use a network object or group in a rule, perform the following steps:
Step 1
From the rule dialog box, click the ... browse button next to the source or destination address field.
The Browse Source Address or Browse Destination Address dialog box appears.
Step 2
You can either add a new network object or group, or choose an existing network object or group by double-clicking it.
To find an object in the list, enter a name or IP address in the Filter field and click Filter. The wildcard characters asterisk (*) and question mark (?) are allowed.
•
To add a new network object, see the "Configuring a Network Object" section.
•
To add a new network object group, see the "Configuring a Network Object Group" section.
After you add a new object or double-click an existing object, it appears in the Selected Source/Destination field. For access rules, you can add multiple objects and groups in the field, separated by commas.
Step 3
Click OK.
You return to the rule dialog box.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Viewing the Usage of a Network Object or Group
To view what rules use a network object or group, in the Configuration > Global Objects > Network Objects/Group pane, click the magnifying glass Find icon.
The Usages dialog box appears listing all the rules currently using the network object or group. This dialog box also lists any Network Objects/Groups that contain the object.
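The object model behind the network object group procedure and the Usages dialog described above, as an added example written in Python for this page; it is not code from the ASDM guide or from the security appliance. It keeps objects and groups keyed by name, lets groups nest other groups, resolves a nested group to the flat set of networks it covers (rejecting a group that would end up containing itself), lists what uses an object the way the Usages dialog does, and refuses to delete an object or group that is still in use. The name rule follows the Add/Edit dialogs (letters, digits, dot, dash, underscore, 64 characters or less). All object names, addresses and the rule are constructed for the example.

```python
import ipaddress
import re

# Name rule from the Add/Edit dialogs: letters, digits, dot, dash, underscore; 64 max
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


class GlobalObjects:
    """Network objects, nested network object groups, and the rules that use them."""

    def __init__(self):
        self.objects = {}  # object name -> ipaddress network (a host is a /32)
        self.groups = {}   # group name  -> list of member names (objects or groups)
        self.rules = {}    # rule name   -> (source name, destination name)

    def _check_new_name(self, name):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid object name {name!r}")
        if name in self.objects or name in self.groups:
            raise ValueError(f"name already in use: {name}")

    def add_object(self, name, ip, netmask):
        """Add a host or network object; a 255.255.255.255 mask means a single host.
        strict=True rejects a network address that has host bits set under the mask."""
        self._check_new_name(name)
        self.objects[name] = ipaddress.ip_network(f"{ip}/{netmask}", strict=True)

    def set_members(self, name, members):
        """Create a group or replace its members (Add/Edit Network Object Group).
        Nesting is allowed; a group that would contain itself, directly or through
        another group, is rejected and the previous membership is kept."""
        if name not in self.groups:
            self._check_new_name(name)
        for member in members:
            if member not in self.objects and member not in self.groups:
                raise ValueError(f"unknown member {member!r} for group {name}")
        previous = self.groups.get(name)
        self.groups[name] = list(members)
        try:
            self.resolve(name)
        except ValueError:
            if previous is None:
                del self.groups[name]
            else:
                self.groups[name] = previous
            raise

    def add_rule(self, name, source, destination):
        """Reference objects or groups by name, as the rule dialogs do."""
        for ref in (source, destination):
            if ref not in self.objects and ref not in self.groups:
                raise ValueError(f"rule {name} references unknown object {ref!r}")
        self.rules[name] = (source, destination)

    def resolve(self, name, _stack=()):
        """Flatten an object or nested group into the set of networks it covers."""
        if name in self.objects:
            return {self.objects[name]}
        if name in _stack:
            raise ValueError("nested group cycle: " + " -> ".join(_stack + (name,)))
        nets = set()
        for member in self.groups[name]:
            nets |= self.resolve(member, _stack + (name,))
        return nets

    def covers(self, name, ip):
        """True if the address lies inside any network the object or group resolves to."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.resolve(name))

    def usages(self, name):
        """What the Usages dialog lists: groups that contain the object and rules using it."""
        used_by = [f"group:{g}" for g, members in self.groups.items() if name in members]
        used_by += [f"rule:{r}" for r, refs in self.rules.items() if name in refs]
        return sorted(used_by)

    def delete(self, name):
        """Refuse to delete an object or group that is still in use."""
        in_use = self.usages(name)
        if in_use:
            raise ValueError(f"{name} is in use by {', '.join(in_use)}")
        if name in self.objects:
            del self.objects[name]
        elif name in self.groups:
            del self.groups[name]
        else:
            raise KeyError(name)


def build_sample():
    """Constructed inventory for this example; names and addresses are made up."""
    g = GlobalObjects()
    g.add_object("web-01", "192.0.2.10", "255.255.255.255")
    g.add_object("web-02", "192.0.2.11", "255.255.255.255")
    g.add_object("dmz-net", "192.0.2.0", "255.255.255.0")
    g.add_object("branch-net", "198.51.100.0", "255.255.255.0")
    g.set_members("web-servers", ["web-01", "web-02"])
    g.set_members("internal", ["web-servers", "branch-net"])  # nested group
    g.add_rule("outside_in_https", "branch-net", "web-servers")
    return g
```

Resolving a group to its flat set of networks is the check worth running before a group is dropped into the destination of a permit rule: a nested group can pull in far more address space than its name suggests, and the usage lookup is what tells you which rules will inherit a change to the group.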
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Configuring Service Groups
This section describes how to configure service groups, and includes the following topics:
•
Service Groups
•
Add/Edit Service Group
•
Browse Service Groups
Service Groups
The Service Groups pane lets you associate multiple services into a named group. You can create service groups for each of the following types:
•
TCP ports
•
UDP ports
•
TCP-UDP ports
•
ICMP types
•
IP protocols
Multiple service groups can be nested into a "group of groups" and used as a single group.
You can use a service group for most configurations that require you to identify a port, ICMP type, or protocol. When you are configuring NAT or security policy rules, the ASDM window even includes a side pane at the right that shows available service groups and other global objects; you can add, edit, or delete objects directly in the side pane.
Fields
•
Add—Adds a service group. Choose the type of service groups you want to add from the drop-down list.
•
Edit—Edits a service group.
•
Delete—Deletes a service group. A deleted service group is also removed from any service groups that nest it. Do not delete a service group that an access rule uses, and do not remove all of its members: a service group that an access rule uses cannot be made empty.
•
Find—Filters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
–
Filter field—Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed.
–
Filter—Runs the filter.
–
Clear—Clears the Filter field.
•
Type—Lets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all service groups, choose All.
•
Name—Lists the service group names. Click the plus (+) icon next to the name to expand the service group so you can view the services. Click the minus (-) icon to collapse the service group.
•
Description—Lists the service group descriptions.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit Service Group
The Add/Edit Service Group dialog box lets you assign services to a service group. This dialog box name matches the type of service group you are adding; for example, if you are adding a TCP service group, the name is "Add/Edit TCP Service Group."
Fields
•
Group Name—Enter the group name, up to 64 characters in length. The name must be unique across all object groups; a service group cannot share a name with a network object group.
•
Description—Enter a description of this service group, up to 200 characters in length.
•
Members Not in Group—Identifies items that can be added to the service group.
–
Service/Service Group, ICMP Type/ICMP Group, or Protocol/Protocol Group—The title of this table depends on the type of service group you are adding. Choose from already defined service groups, or choose from a list of commonly used port, type, or protocol names.
Name—Lists the already defined service groups and commonly used ports, types, or protocols.
–
Port #, ICMP #, or Protocol #—The title of this table depends on the type of service group you are adding. Lets you add a new item, either by number or name. For TCP, UDP, and TCP-UDP service groups, you can enter a range of port numbers.
•
Members in Group—Shows items that are already added to the service group.
•
Add—Adds the selected item to the service group.
•
Remove—Removes the selected item from the service group.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Browse Service Groups
The Browse Service Groups dialog box lets you choose a service group. This dialog box is used in multiple configuration screens and is named appropriately for your current task. For example, from the Add/Edit Access Rule dialog box, this dialog box is named "Browse Source Port" or "Browse Destination Port."
Fields
•
Add—Adds a service group.
•
Edit—Edits the selected service group.
•
Delete—Deletes the selected service group.
•
Find—Filters the display to show only matching names. Clicking Find opens the Filter field. Click Find again to hide the Filter field.
–
Filter field—Enter the name of the service group. The wildcard characters asterisk (*) and question mark (?) are allowed.
–
Filter—Runs the filter.
–
Clear—Clears the Filter field.
•
Type—Lets you choose the type of service group to show, including TCP, UDP, TCP-UDP, ICMP, and Protocol. To view all types, choose All. Typically, the type of rule you configure can only use one type of service group; you cannot select a UDP service group for a TCP access rule.
•
Name—Shows the name of the service group. Click the plus (+) icon next to the name of an item to expand it. Click the minus (-) icon to collapse the item.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Configuring Class Maps
An inspection class map matches application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
This section describes how to configure inspection class maps, and includes the following topics:
•
DNS Class Map
•
FTP Class Map
•
H.323 Class Map
•
HTTP Class Map
•
IM Class Map
•
SIP Class Map
DNS Class Map
The DNS Class Map panel lets you configure DNS class maps for DNS inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
•
Name—Shows the DNS class map name.
•
Match Conditions—Shows the type, match criterion, and value in the class map.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the DNS class map.
–
Value—Shows the value to match in the DNS class map.
•
Description—Shows the description of the class map.
•
Add—Adds a DNS class map.
•
Edit—Edits a DNS class map.
•
Delete—Deletes a DNS class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit DNS Traffic Class Map
The Add/Edit DNS Traffic Class Map dialog box lets you define a DNS class map.
Fields
•
Name—Enter the name of the DNS class map, up to 40 characters in length.
•
Description—Enter the description of the DNS class map.
•
Add—Adds a match criterion to the class map; opens the Add/Edit DNS Match Criterion dialog box.
•
Edit—Edits the selected match criterion.
•
Delete—Deletes the selected match criterion.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit DNS Match Criterion
The Add/Edit DNS Match Criterion dialog box lets you define the match criterion and value for the DNS class map.
Fields
•
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of DNS traffic to match.
–
Header Flag—Match a DNS flag in the header.
–
Type—Match a DNS query or resource record type.
–
Class—Match a DNS query or resource record class.
–
Question—Match a DNS question.
–
Resource Record—Match a DNS resource record.
–
Domain Name—Match a domain name from a DNS query or resource record.
•
Header Flag Criterion Values—Specifies the value details for the DNS header flag match.
–
Match Option—Specifies either an exact match or match all bits (bit mask match).
–
Match Value—Specifies to match either the header flag name or the header flag value.
Header Flag Name—Lets you select one or more header flag names to match: AA (authoritative answer), QR (query/response), RA (recursion available), RD (recursion desired), and TC (truncation).
Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match.
•
Type Criterion Values—Specifies the value details for the DNS type match.
–
DNS Type Field Name—Lists the DNS types to select.
A—IPv4 address
NS—Authoritative name server
CNAME—Canonical name
SOA—Start of a zone of authority
TSIG—Transaction signature
IXFR—Incremental (zone) transfer
AXFR—Full (zone) transfer
–
DNS Type Field Value—Specifies to match either a DNS type field value or a DNS type field range.
Value—Lets you enter an arbitrary value between 0 and 65535 to match.
Range—Lets you enter an inclusive range to match; both bounds must be between 0 and 65535.
•
Class Criterion Values—Specifies the value details for the DNS class match.
–
DNS Class Field Name—Matches the class by name; the selectable name is internet (the IN class).
–
DNS Class Field Value—Specifies to match either a DNS class field value or a DNS class field range.
Value—Lets you enter an arbitrary value between 0 and 65535 to match.
Range—Lets you enter an inclusive range to match; both bounds must be between 0 and 65535.
•
Question Criterion Values—Specifies to match on the DNS question section.
•
Resource Record Criterion Values—Specifies to match on the DNS resource record section.
–
Resource Record— Lists the sections to match.
Additional—DNS additional resource record
Answer—DNS answer resource record
Authority—DNS authority resource record
•
Domain Name Criterion Values—Specifies to match on the DNS domain name.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
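An added example, written in Python for this page and not taken from the ASDM guide or the appliance, that evaluates the criteria described above against a raw DNS message: the header flag match in exact and bit-mask modes, type and class by value or inclusive range, a domain-name match through a regular expression class (any listed expression matches, the semantics described under Manage Regular Expression Class Maps), and the No Match inversion. Assumptions made here: the criteria of one class map are combined match-all, "exact" compares the whole 16-bit flags field while "match all bits" only requires the selected bits to be set, and only the first question of the message is examined. The messages, class maps and zone names are constructed for the example.

```python
import re
import struct

# Header flag bits as named in the Header Flag criterion (RFC 1035 layout)
FLAG_BITS = {"QR": 0x8000, "AA": 0x0400, "TC": 0x0200, "RD": 0x0100, "RA": 0x0080}
# Names offered by the Type and Class criterion drop-downs
TYPE_CODES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TSIG": 250, "IXFR": 251, "AXFR": 252}
CLASS_CODES = {"IN": 1}


def parse_dns(msg):
    """Return the header flags and the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in a question name
            raise ValueError("compressed label in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    if pos + 5 > len(msg):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return {"flags": flags, "name": ".".join(labels), "qtype": qtype, "qclass": qclass}


def header_flag(flags, names=(), value=None, mode="exact"):
    """Header Flag criterion. exact: the 16-bit field equals the value (assumed).
    all-bits (bit mask match): every selected bit is set; other bits are ignored."""
    want = value if value is not None else sum(FLAG_BITS[n] for n in names)
    return flags == want if mode == "exact" else flags & want == want


def code_match(code, value=None, rng=None):
    """Type/Class criterion: a single value or an inclusive range (0..65535)."""
    if rng is not None:
        lo, hi = rng
        return lo <= code <= hi
    return code == value


def domain_name(name, regexes):
    """Domain Name criterion with a regular expression class map: match any."""
    return any(re.search(pattern, name) for pattern in regexes)


def evaluate(class_map, msg):
    """Evaluate a class map, a list of (match type, criterion, values), against a
    message. Criteria are combined match-all (assumed); "no match" inverts one."""
    q = parse_dns(msg)
    for match_type, criterion, values in class_map:
        if criterion == "header-flag":
            hit = header_flag(q["flags"], **values)
        elif criterion == "type":
            hit = code_match(q["qtype"], **values)
        elif criterion == "class":
            hit = code_match(q["qclass"], **values)
        elif criterion == "domain-name":
            hit = domain_name(q["name"], values["regexes"])
        else:
            raise ValueError(f"unknown criterion {criterion}")
        passed = not hit if match_type == "no match" else hit
        if not passed:
            return False
    return True


def build_query(name, qtype, qclass=1, flags=0x0100):
    """Constructed DNS query with one question (RD set by default, no EDNS)."""
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + wire + b"\x00" + struct.pack("!HH", qtype, qclass)


# Constructed class maps. The first selects recursive queries (RD set, other bits
# ignored) for names outside an internal zone; the second selects zone transfers.
OUTBOUND_RECURSION = [
    ("match", "header-flag", {"names": ("RD",), "mode": "all-bits"}),
    ("match", "class", {"value": CLASS_CODES["IN"]}),
    ("no match", "domain-name", {"regexes": [r"\.corp\.example$", r"^localhost$"]}),
]
ZONE_TRANSFER = [
    ("match", "type", {"rng": (TYPE_CODES["IXFR"], TYPE_CODES["AXFR"])}),
]
```

Bit-mask matching is the option you normally want for a single flag such as RD: an exact match on RD alone only matches a header whose every other bit is zero, so a response that has QR and RA set alongside the copied RD bit would not match it.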
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Manage Regular Expressions
The Manage Regular Expressions dialog box lets you configure Regular Expressions for use in pattern matching. Regular expressions that start with "_default" are default regular expressions and cannot be modified or deleted.
Fields
•
Name—Shows the regular expression names.
•
Value—Shows the regular expression definitions.
•
Add—Adds a regular expression.
•
Edit—Edits a regular expression.
•
Delete—Deletes a regular expression.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Manage Regular Expression Class Maps
The Manage Regular Expression Class Maps dialog box lets you configure regular expression class maps. See Regular Expressions for more information.
Fields
•
Name—Shows the regular expression class map name.
•
Match Conditions—Shows the match type and regular expressions in the class map.
–
Match Type—Shows the match type, which for regular expression class maps is always a positive match (shown by the icon with the equal sign (=)). Inspection class maps also allow negative matches (shown by the icon with the red circle). If the class map contains more than one regular expression, each match type icon appears with "OR" next to it to indicate that this is a "match any" class map: traffic matches the class map if any one of its regular expressions matches.
–
Regular Expression—Lists the regular expressions included in each class map.
•
Description—Shows the description of the class map.
•
Add—Adds a regular expression class map.
•
Edit—Edits a regular expression class map.
•
Delete—Deletes a regular expression class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
FTP Class Map
The FTP Class Map panel lets you configure FTP class maps for FTP inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
•
Name—Shows the FTP class map name.
•
Match Conditions—Shows the type, match criterion, and value in the class map.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the FTP class map.
–
Value—Shows the value to match in the FTP class map.
•
Description—Shows the description of the class map.
•
Add—Adds an FTP class map.
•
Edit—Edits an FTP class map.
•
Delete—Deletes an FTP class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit FTP Traffic Class Map
The Add/Edit FTP Traffic Class Map dialog box lets you define an FTP class map.
Fields
•
Name—Enter the name of the FTP class map, up to 40 characters in length.
•
Description—Enter the description of the FTP class map.
•
Add—Adds a match criterion to the class map; opens the Add/Edit FTP Match Criterion dialog box.
•
Edit—Edits the selected match criterion.
•
Delete—Deletes the selected match criterion.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit FTP Match Criterion
The Add/Edit FTP Match Criterion dialog box lets you define the match criterion and value for the FTP class map.
Fields
•
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of FTP traffic to match.
–
Request-Command—Match an FTP request command.
–
File Name—Match a filename for FTP transfer.
–
File Type—Match a file type for FTP transfer.
–
Server—Match an FTP server.
–
User Name—Match an FTP user.
•
Request-Command Criterion Values—Specifies the value details for the FTP request command match.
–
Request Command—Lets you select one or more request commands to match.
APPE—Append to a file.
CDUP—Change to the parent of the current directory.
DELE—Delete a file at the server site.
GET—Client-side name for the RETR (retrieve a file) command.
HELP—Help information from the server.
MKD—Create a directory.
PUT—Client-side name for the STOR (store a file) command.
RMD—Remove a directory.
RNFR—Rename from.
RNTO—Rename to.
SITE—Specify a server specific command.
STOU—Store a file with a unique name.
•
File Name Criterion Values—Specifies to match on the FTP transfer filename.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
File Type Criterion Values—Specifies to match on the FTP transfer file type.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Server Criterion Values—Specifies to match on the FTP server.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
User Name Criterion Values—Specifies to match on the FTP user.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
H.323 Class Map
The H.323 Class Map panel lets you configure H.323 class maps for H.323 inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
•
Name—Shows the H.323 class map name.
•
Match Conditions—Shows the type, match criterion, and value in the class map.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the H.323 class map.
–
Value—Shows the value to match in the H.323 class map.
•
Description—Shows the description of the class map.
•
Add—Adds an H.323 class map.
•
Edit—Edits an H.323 class map.
•
Delete—Deletes an H.323 class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit H.323 Traffic Class Map
The Add/Edit H.323 Traffic Class Map dialog box lets you define an H.323 class map.
Fields
•
Name—Enter the name of the H.323 class map, up to 40 characters in length.
•
Description—Enter the description of the H.323 class map.
•
Add—Adds a match criterion to the class map; opens the Add/Edit H.323 Match Criterion dialog box.
•
Edit—Edits the selected match criterion.
•
Delete—Deletes the selected match criterion.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit H.323 Match Criterion
The Add/Edit H.323 Match Criterion dialog box lets you define the match criterion and value for the H.323 class map.
Fields
•
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of H.323 traffic to match.
–
Called Party—Match the called party.
–
Calling Party—Match the calling party.
–
Media Type—Match the media type.
•
Called Party Criterion Values—Specifies to match on the H.323 called party.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Calling Party Criterion Values—Specifies to match on the H.323 calling party.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Media Type Criterion Values—Specifies which media type to match.
–
Audio—Match audio type.
–
Video—Match video type.
–
Data—Match data type.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
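The criteria in this dialog box correspond to the match commands of an H.323 inspection class map in the ASA CLI. The following configuration is an added example and is not part of the original page or a Cisco-supplied configuration; the regular-expression names and number patterns, the class-map and policy-map names, and the use of the appliance's default policy names global_policy and inspection_default are assumptions chosen for illustration.

```cisco
! Added example, not from the original page. All names and number patterns
! are assumptions chosen for illustration.
!
! Regular expressions are defined once and grouped in a regex class map so
! the same list can be reused by other class maps.
regex CALLED_PREMIUM "^900"
regex CALLED_INTL "^011"
regex CALLING_PBX "^555"
class-map type regex match-any CALLED_BLOCKED
 match regex CALLED_PREMIUM
 match regex CALLED_INTL
!
! H.323 inspection class map. match-all (the default) means a call is
! classified only when every criterion holds; "match not" is the CLI form
! of the No Match type in the dialog box.
class-map type inspect h323 match-all H323_VIDEO_TO_BLOCKED
 match called-party regex class CALLED_BLOCKED
 match not calling-party regex CALLING_PBX
 match media-type video
!
! The class map is referenced from the H.323 inspect map, which sets the action.
policy-map type inspect h323 H323_MAP
 parameters
  state-checking h225
  state-checking ras
 class H323_VIDEO_TO_BLOCKED
  drop log
!
! H.323 inspection is split into the H.225 and RAS inspections; both take the map.
policy-map global_policy
 class inspection_default
  inspect h323 h225 H323_MAP
  inspect h323 ras H323_MAP
```

Because global_policy is already applied with service-policy global_policy global on a default configuration, editing it is enough to activate the map. Video calls to a 900 or 011 number placed from a calling party that does not start with 555 are dropped and logged; a call that fails any one criterion is left to the inspect map's parameter checks only.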
HTTP Class Map
The HTTP Class Map panel lets you configure HTTP class maps for HTTP inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
•
Name—Shows the HTTP class map name.
•
Match Conditions—Shows the type, match criterion, and value in the class map.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the HTTP class map.
–
Value—Shows the value to match in the HTTP class map.
•
Description—Shows the description of the class map.
•
Add—Adds an HTTP class map.
•
Edit—Edits an HTTP class map.
•
Delete—Deletes an HTTP class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
Add/Edit HTTP Traffic Class Map
The Add/Edit HTTP Traffic Class Map dialog box lets you define an HTTP class map.
Fields
•
Name—Enter the name of the HTTP class map, up to 40 characters in length.
•
Description—Enter the description of the HTTP class map.
•
Add—Adds a match criterion to the class map; opens the Add/Edit HTTP Match Criterion dialog box.
•
Edit—Edits the selected match criterion.
•
Delete—Deletes the selected match criterion from the class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
Add/Edit HTTP Match Criterion
The Add/Edit HTTP Match Criterion dialog box lets you define the match criterion and value for the HTTP class map.
Fields
•
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of HTTP traffic to match.
–
Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.
–
Request Arguments—Applies the regular expression match to the arguments of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Request Body Length—Matches requests whose body is longer than the number of bytes specified.
Greater Than Length—Enter the body length in bytes; requests with a longer body match.
–
Request Body—Applies the regular expression match to the body of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Request Header Field Count—Matches requests in which a given header field appears more times than the count specified.
Predefined—Select the request header field to count: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions; select one to identify the header field by name instead of choosing a predefined field.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the count; requests in which the field occurs more times than this match.
–
Request Header Field Length—Matches requests in which the value of a given header field is longer than the number of bytes specified.
Predefined—Select the request header field to measure: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions; select one to identify the header field by name instead of choosing a predefined field.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Length—Enter the field length in bytes; requests in which the field value is longer match.
–
Request Header Field—Applies the regular expression match to the value of a given request header field.
Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Request Header Count—Matches requests that carry more header fields in total than the count specified.
Greater Than Count—Enter the total number of header fields; requests with more match.
–
Request Header Length—Matches requests whose entire header section is longer than the number of bytes specified.
Greater Than Length—Enter the header length in bytes.
–
Request Header non-ASCII—Matches non-ASCII characters in the header of the request.
–
Request Method—Matches the request method, either one of the predefined methods or a regular expression.
Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
Regular Expression—Specifies to match the method against a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Request URI Length—Matches requests whose URI is longer than the number of bytes specified.
Greater Than Length—Enter the URI length in bytes.
–
Request URI—Applies the regular expression match to the URI of the request.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Response Body—Matches the body of the response, either for embedded ActiveX or Java applet content or against a regular expression.
ActiveX—Specifies to match ActiveX content in the response body.
Java Applet—Specifies to match a Java applet in the response body.
Regular Expression—Specifies to match the response body against a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Response Body Length—Matches responses whose body is longer than the number of bytes specified.
Greater Than Length—Enter the body length in bytes; responses with a longer body match.
–
Response Header Field Count—Matches responses in which a given header field appears more times than the count specified.
Predefined—Select the response header field to count: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions; select one to identify the header field by name instead of choosing a predefined field.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Count—Enter the count; responses in which the field occurs more times than this match.
–
Response Header Field Length—Matches responses in which the value of a given header field is longer than the number of bytes specified.
Predefined—Select the response header field to measure: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions; select one to identify the header field by name instead of choosing a predefined field.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Greater Than Length—Enter the field length in bytes; responses in which the field value is longer match.
–
Response Header Field—Applies the regular expression match to the value of a given response header field.
Predefined—Specifies the response header fields: accept-ranges, age, allow, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, date, etag, expires, last-modified, location, pragma, proxy-authenticate, retry-after, server, set-cookie, trailer, transfer-encoding, upgrade, vary, via, warning, www-authenticate.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Response Header Count—Matches responses that carry more header fields in total than the count specified.
Greater Than Count—Enter the total number of header fields; responses with more match.
–
Response Header Length—Matches responses whose entire header section is longer than the number of bytes specified.
Greater Than Length—Enter the header length in bytes.
–
Response Header non-ASCII—Matches non-ASCII characters in the header of the response.
–
Response Status Line—Applies the regular expression match to the status line.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
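The HTTP criteria above map onto the match commands of an HTTP inspection class map, and the class map only has an effect once an inspect map assigns it an action and a service policy applies that map. The following ASA CLI configuration is an added example, not part of the original page and not a Cisco-supplied configuration; the object names, the regular-expression patterns and thresholds, and the use of the appliance's default policy names global_policy and inspection_default are assumptions chosen for illustration. It shows the whole chain: regular expressions, a regular-expression class map, two inspection class maps (one using the No Match type), the HTTP inspect map that sets the actions, and the service policy.

```cisco
! Added example, not from the original page. Names, patterns and thresholds
! are assumptions chosen for illustration.
!
! 1. Regular expressions, grouped into a reusable regex class map
regex URI_EXE "\.exe$"
regex URI_TRAV "\.\./"
regex CT_TEXT "^text/"
class-map type regex match-any URI_SUSPECT
 match regex URI_EXE
 match regex URI_TRAV
!
! 2. Inspection class map, match-any: a request is classified as soon as
!    any single criterion holds. Each line is one dialog-box criterion.
class-map type inspect http match-any HTTP_SUSPECT
 match request uri regex class URI_SUSPECT
 match request uri length gt 2048
 match request header count gt 30
 match request header length gt 8192
 match request header user-agent length gt 512
 match request header non-ascii
 match request method connect
 match req-resp content-type mismatch
!
! 3. A match-all class map with a negative criterion (the No Match type):
!    POST requests whose Content-Type is not text/*
class-map type inspect http match-all HTTP_BINARY_POST
 match request method post
 match not request header content-type regex CT_TEXT
!
! 4. HTTP inspect map: protocol conformance in "parameters", then the action
!    taken for each class map
policy-map type inspect http HTTP_MAP
 parameters
  protocol-violation action drop-connection log
 class HTTP_SUSPECT
  drop-connection log
 class HTTP_BINARY_POST
  log
!
! 5. Apply the inspect map through the global service policy
policy-map global_policy
 class inspection_default
  inspect http HTTP_MAP
service-policy global_policy global
```

The header field criteria work on one named field: request header user-agent length gt 512 fires on a single oversized User-Agent value, whereas request header length gt 8192 measures the whole header section and request header count gt 30 counts all fields. Keep the regex class map in match-any mode (the only mode it supports) and put the alternatives there rather than in one long alternation, so the list can be reused by other protocols' class maps.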
IM Class Map
The IM Class Map panel lets you configure IM class maps for IM inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
•
Name—Shows the IM class map name.
•
Match Conditions—Shows the type, match criterion, and value in the class map.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the IM class map.
–
Value—Shows the value to match in the IM class map.
•
Description—Shows the description of the class map.
•
Add—Adds an IM class map.
•
Edit—Edits an IM class map.
•
Delete—Deletes an IM class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
Add/Edit IM Traffic Class Map
The Add/Edit IM Traffic Class Map dialog box lets you define an IM class map.
Fields
•
Name—Enter the name of the IM class map, up to 40 characters in length.
•
Description—Enter the description of the IM class map.
•
Add—Adds a match criterion to the class map; opens the Add/Edit IM Match Criterion dialog box.
•
Edit—Edits the selected match criterion.
•
Delete—Deletes the selected match criterion from the class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
Add/Edit IM Match Criterion
The Add/Edit IM Match Criterion dialog box lets you define the match criterion and value for the IM class map.
Fields
•
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of IM traffic to match.
–
Protocol—Match IM protocols.
–
Service—Match IM services.
–
Version—Match IM file transfer service version.
–
Client Login Name—Match client login name from IM service.
–
Client Peer Login Name—Match client peer login name from IM service.
–
Source IP Address—Match source IP address.
–
Destination IP Address—Match destination IP address.
–
Filename—Match the filename from the IM file transfer service.
•
Protocol Criterion Values—Specifies which IM protocols to match.
–
Yahoo! Messenger—Specifies to match Yahoo! Messenger instant messages.
–
MSN Messenger—Specifies to match MSN Messenger instant messages.
•
Service Criterion Values—Specifies which IM services to match.
–
Chat—Specifies to match IM message chat service.
–
Conference—Specifies to match IM conference service.
–
File Transfer—Specifies to match IM file transfer service.
–
Games—Specifies to match IM gaming service.
–
Voice Chat—Specifies to match IM voice chat service (not available for Yahoo! Messenger).
–
Web Cam—Specifies to match IM webcam service.
•
Version Criterion Values—Specifies to match the version from the IM file transfer service. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Client Login Name Criterion Values—Specifies to match the client login name from the IM service. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Client Peer Login Name Criterion Values—Specifies to match the client peer login name from the IM service. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Source IP Address Criterion Values—Specifies to match the source IP address of the IM service.
–
IP Address—Enter the source IP address of the IM service.
–
IP Mask—Mask of the source IP address.
•
Destination IP Address Criterion Values—Specifies to match the destination IP address of the IM service.
–
IP Address—Enter the destination IP address of the IM service.
–
IP Mask—Mask of the destination IP address.
•
Filename Criterion Values—Specifies to match the filename from the IM file transfer service. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
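The IM criteria above correspond to the match commands of an IM inspection class map. The following configuration is an added example and is not part of the original page or a Cisco-supplied configuration; the class-map and policy-map names, the 10.20.30.0/24 address range, the filename and login-name patterns, and the use of the default policy name global_policy are assumptions chosen for illustration. The IM ports used (TCP 1863 for MSN Messenger, TCP 5050 for Yahoo! Messenger) are the protocols' well-known ports.

```cisco
! Added example, not from the original page. Names, the address range and
! the patterns are assumptions chosen for illustration.
regex XFER_EXEC "\.(exe|scr|bat|vbs)$"
regex CORP_LOGIN "@example\.com$"
!
! File transfers of executable attachments, over either supported protocol
class-map type inspect im match-all IM_EXEC_XFER
 match service file-transfer
 match filename regex XFER_EXEC
!
! MSN voice chat from the finance subnet by accounts that are not corporate
! logins. Voice chat is not matched for Yahoo! Messenger, so the protocol is
! pinned to MSN; "match not" is the CLI form of the No Match type.
class-map type inspect im match-all IM_MEDIA_FINANCE
 match protocol msn-im
 match service voice-chat
 match ip-address 10.20.30.0 255.255.255.0
 match not login-name regex CORP_LOGIN
!
! IM inspect map: the class map selects the session, the action is set here
policy-map type inspect im IM_MAP
 class IM_EXEC_XFER
  drop-connection log
 class IM_MEDIA_FINANCE
  log
!
! IM is not part of the default inspection class, so a Layer 3/4 class map
! that selects the IM ports is needed before the inspect map can take effect
access-list IM_PORTS extended permit tcp any any eq 1863
access-list IM_PORTS extended permit tcp any any eq 5050
class-map IM_TRAFFIC
 match access-list IM_PORTS
policy-map global_policy
 class IM_TRAFFIC
  inspect im IM_MAP
```

The Source IP Address criterion (match ip-address) is the client side of the IM session as seen by the appliance; use match peer-ip-address for the Destination IP Address criterion. Because the filename regex is anchored with $, a transfer named payload.exe.txt does not match; drop the anchor if you want to catch double extensions too.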
SIP Class Map
The SIP Class Map panel lets you configure SIP class maps for SIP inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, IM, and SIP.
Fields
•
Name—Shows the SIP class map name.
•
Match Conditions—Shows the type, match criterion, and value in the class map.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the SIP class map.
–
Value—Shows the value to match in the SIP class map.
•
Description—Shows the description of the class map.
•
Add—Adds a SIP class map.
•
Edit—Edits a SIP class map.
•
Delete—Deletes a SIP class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
Add/Edit SIP Traffic Class Map
The Add/Edit SIP Traffic Class Map dialog box lets you define a SIP class map.
Fields
•
Name—Enter the name of the SIP class map, up to 40 characters in length.
•
Description—Enter the description of the SIP class map.
•
Add—Adds a match criterion to the class map; opens the Add/Edit SIP Match Criterion dialog box.
•
Edit—Edits the selected match criterion.
•
Delete—Deletes the selected match criterion from the class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
Add/Edit SIP Match Criterion
The Add/Edit SIP Match Criterion dialog box lets you define the match criterion and value for the SIP class map.
Fields
•
Match Type—Specifies whether the class map includes traffic that matches the criterion, or traffic that does not match the criterion.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of SIP traffic to match.
–
Called Party—Match the called party as specified in the To header.
–
Calling Party—Match the calling party as specified in the From header.
–
Content Length—Match messages whose Content-Length header value is greater than a specified length, between 0 and 65536 bytes.
–
Content Type—Match the Content Type header.
–
IM Subscriber—Match the SIP IM subscriber.
–
Message Path—Match the SIP Via header.
–
Request Method—Match the SIP request method.
–
Third-Party Registration—Match the requester of a third-party registration.
–
URI Length—Match a SIP or TEL URI in the SIP headers whose length is greater than a specified value, between 0 and 65536 bytes.
•
Called Party Criterion Values—Specifies to match the called party. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Calling Party Criterion Values—Specifies to match the calling party. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Content Length Criterion Values—Specifies to match a SIP message whose Content-Length header value is greater than the specified length.
–
Greater Than Length—Enter a header length value in bytes.
•
Content Type Criterion Values—Specifies to match a SIP content header type.
–
SDP—Match an SDP SIP content header type.
–
Regular Expression—Match a regular expression.
Regular Expression—Lists the defined regular expressions to match.
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
Regular Expression Class—Lists the defined regular expression classes to match.
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
IM Subscriber Criterion Values—Specifies to match the IM subscriber. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Message Path Criterion Values—Specifies to match a SIP Via header. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Request Method Criterion Values—Specifies to match a SIP request method.
–
Request Method—Specifies a request method: ack, bye, cancel, info, invite, message, notify, options, prack, refer, register, subscribe, unknown, update.
•
Third-Party Registration Criterion Values—Specifies to match the requester of a third-party registration. Applies the regular expression match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
URI Length Criterion Values—Specifies to match a URI of a selected type and greater than the specified length in the SIP headers.
–
URI type—Specifies to match either SIP URI or TEL URI.
–
Greater Than Length—Length in bytes.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          Security Context
Routed   Transparent   Single   Multiple
                                Context  System
•        •             •        •        —
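The SIP criteria above correspond to the match commands of a SIP inspection class map. The following configuration is an added example and is not part of the original page or a Cisco-supplied configuration; the regular-expression names and patterns, the proxy host name, the length thresholds, the class-map and policy-map names, and the use of the default policy names global_policy and inspection_default are assumptions chosen for illustration.

```cisco
! Added example, not from the original page. Names, patterns and thresholds
! are assumptions chosen for illustration.
regex TO_PREMIUM "sip:900[0-9]*@"
regex VIA_INTERNAL "proxy\.example\.com"
!
! INVITEs to premium-rate numbers whose signalling path does not include the
! internal proxy. The called party is taken from the To header, the message
! path from the Via header; "match not" is the CLI form of the No Match type.
class-map type inspect sip match-all SIP_PREMIUM_INVITE
 match request-method invite
 match called-party regex TO_PREMIUM
 match not message-path regex VIA_INTERNAL
!
! Oversized signalling: match-any, so either threshold alone classifies
! the message (both values must stay within 0 to 65536)
class-map type inspect sip match-any SIP_OVERSIZED
 match uri sip length gt 512
 match content length gt 4096
!
! SIP inspect map: conformance checks in "parameters", actions per class
policy-map type inspect sip SIP_MAP
 parameters
  max-forwards-validation action drop log
  strict-header-validation action drop log
 class SIP_PREMIUM_INVITE
  drop log
 class SIP_OVERSIZED
  drop log
!
! Replaces the default SIP inspection in the global policy
policy-map global_policy
 class inspection_default
  inspect sip SIP_MAP
```

The Third-Party Registration criterion (match third-party-registration regex) is the one to use when a REGISTER's From header does not match the address being registered; it is not shown here because it needs a pattern for the registrar's own user population, which is site specific.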
Configuring Inspect Maps
This section describes how to configure inspect maps, and includes the following topics:
•
DCERPC Inspect Map
•
DNS Inspect Map
•
ESMTP Inspect Map
•
FTP Inspect Map
•
GTP Inspect Map
•
H.323 Inspect Map
•
HTTP Inspect Map
•
Instant Messaging (IM) Inspect Map
•
IPSec Pass Through Inspect Map
•
MGCP Inspect Map
•
NetBIOS Inspect Map
•
RADIUS Inspect Map
•
SCCP (Skinny) Inspect Map
•
SIP Inspect Map
•
SNMP Inspect Map
Stateful application inspection on the security appliance examines traffic at the application layer rather than only at the packet header. Some applications require special handling, and a specific application inspection engine is provided for each of them: protocols that embed IP addressing information in the user data, and protocols that open secondary channels on dynamically assigned ports.
Application inspection engines work with NAT to locate embedded addressing information, so that NAT can translate the embedded addresses and update any checksum or other fields affected by the translation.
Each application inspection engine also monitors sessions to learn the port numbers of secondary channels. Many protocols open secondary TCP or UDP ports to improve performance: the initial session on a well-known port negotiates the dynamically assigned port numbers, and the engine identifies these assignments and permits data exchange on those ports only for the duration of that session.
In addition, stateful application inspection audits the validity of the commands and responses within the inspected protocol. By verifying that traffic conforms to the RFC specification for each inspected protocol, the security appliance blocks the malformed exchanges that many attacks rely on.
The Inspect Maps feature lets you create inspect maps for specific protocol inspection engines. An inspect map stores the configuration for one protocol inspection engine. The settings take effect only when you associate the map with a type of traffic through a global service policy or a service policy for a specific interface.
Use the Service Policy Rules tab on the Security Policy pane to apply the inspect map to traffic matching the criteria specified in the service policy. A service policy can apply to a specific interface or to all interfaces on the security appliance; only one global policy can be active, and where an interface policy and the global policy both apply to a feature, the interface policy takes precedence for that interface.
DCERPC
The DCERPC inspection lets you create, view, and manage DCERPC inspect maps. You can use a DCERPC map to inspect DCERPC messages between a client and endpoint mapper, and to apply NAT for the secondary connection, if needed. DCERPC is a specification for a remote procedure call mechanism.
DNS
The DNS inspection lets you create, view, and manage DNS inspect maps. You can use a DNS map to have more control over DNS messages and to protect against DNS spoofing and cache poisoning. DNS is used to resolve information about domain names, including IP addresses and mail servers.
ESMTP
The ESMTP inspection lets you create, view, and manage ESMTP inspect maps. You can use an ESMTP map for application security and protocol conformance to protect against attacks, to block senders and receivers, and to block mail relay. Extended SMTP defines protocol extensions to the SMTP standard.
FTP
The FTP inspection lets you create, view, and manage FTP inspect maps. FTP is a common protocol used for transferring files over a TCP/IP network, such as the Internet. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server.
GTP
The GTP inspection lets you create, view, and manage GTP inspect maps. GTP (GPRS Tunneling Protocol) carries the signalling and user traffic of packet-data sessions between the nodes of a GSM or UMTS mobile core network, such as the SGSN and GGSN; it is a tunneling protocol and provides no security of its own. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.
H.323
The H.323 inspection lets you create, view, and manage H.323 inspect maps. You can use an H.323 map to inspect RAS, H.225, and H.245 VoIP protocols, and for state tracking and filtering.
HTTP
The HTTP inspection lets you create, view, and manage HTTP inspect maps. HTTP is the protocol used for communication between World Wide Web clients and servers. You can use an HTTP map to enforce RFC compliance and HTTP payload content type. You can also block specific HTTP methods and prevent the use of certain tunneled applications that use HTTP as the transport.
IM
The IM inspection lets you create, view, and manage IM inspect maps. You can use an IM map to control the network usage and stop leakage of confidential data and other network threats from IM applications.
IPSec Pass Through
The IPSec Pass Through inspection lets you create, view, and manage IPSec Pass Through inspect maps. You can use an IPSec Pass Through map to permit the ESP and AH data flows that follow an IKE negotiation without using an access list.
MGCP
The MGCP inspection lets you create, view, and manage MGCP inspect maps. You can use an MGCP map to manage connections between VoIP devices and MGCP call agents.
NetBIOS
The NetBIOS inspection lets you create, view, and manage NetBIOS inspect maps. You can use a NetBIOS map to enforce NetBIOS protocol conformance, including field count and length consistency, and message checks.
RADIUS Accounting
The RADIUS Accounting inspection lets you create, view, and manage RADIUS Accounting inspect maps. You can use a RADIUS map to protect against an overbilling attack.
SCCP (Skinny)
The SCCP (Skinny) inspection lets you create, view, and manage SCCP (Skinny) inspect maps. You can use an SCCP map to perform protocol conformance checks and basic state tracking.
SIP
The SIP inspection lets you create, view, and manage SIP inspect maps. You can use a SIP map for application security and protocol conformance to protect against SIP-based attacks. SIP is a protocol widely used for internet conferencing, telephony, presence, event notification, and instant messaging.
SNMP
The SNMP inspection lets you create, view, and manage SNMP inspect maps. SNMP is a protocol used for communication between network management devices and network management stations. You can use an SNMP map to block a specific SNMP version, including SNMP v1, 2, 2c and 3.
DCERPC Inspect Map
The DCERPC pane lets you view previously configured DCERPC application inspection maps. A DCERPC map lets you change the default configuration values used for DCERPC application inspection.
DCERPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper (EPM) listening on a well known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
DCERPC inspect maps inspect native TCP communication between the EPM and the client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are taken from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by the EPM, multiple uses of a pinhole are allowed, with user-configurable timeouts.
Fields
•
Name—Enter the name of the inspect map, up to 40 characters in length.
•
Description—Enter the description of the inspect map, up to 200 characters in length.
•
Security Level—Select the security level (high, medium, or low).
–
Low
Pinhole timeout: 00:02:00
Endpoint mapper service: not enforced
Endpoint mapper service lookup: enabled
Endpoint mapper service lookup timeout: 00:05:00
–
Medium—Default.
Pinhole timeout: 00:01:00
Endpoint mapper service: not enforced
Endpoint mapper service lookup: disabled.
–
High
Pinhole timeout: 00:01:00
Endpoint mapper service: enforced
Endpoint mapper service lookup: disabled
–
Customize—Opens the Customize Security Level dialog box for additional settings.
–
Default Level—Sets the security level back to the default level of Medium.
•
DCERPC Inspect Maps—Table that lists the defined DCERPC inspect maps. The defined inspect maps are also listed in the DCERPC area of the Inspect Maps tree.
•
Add—Adds the new DCERPC inspect map to the defined list in the DCERPC Inspect Maps table and to the DCERPC area of the Inspect Maps tree. To configure the new DCERPC map, select the DCERPC entry in Inspect Maps tree.
•
Delete—Deletes the application inspection map selected in the DCERPC Inspect Maps table and from the DCERPC area of the Inspect Maps tree.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
Customize Security Level
The Customize Security Level dialog box lets you configure the security settings for previously configured DCERPC application inspection maps.
Fields
•
Settings—Specifies the pinhole timeout and endpoint mapper security settings.
–
Pinhole Timeout—Sets the pinhole timeout. Since a client may use the server information returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.
–
Enforce endpoint-mapper service—Enforces endpoint mapper service during binding.
–
Enforce endpoint-mapper service lookup—Enables the lookup operation of the endpoint mapper service. If disabled, the pinhole timeout is used.
Service Lookup Timeout—Sets the timeout for pinholes from lookup operation.
•
Reset to Predefined Security Level—Resets the security level settings to the predefined levels of high, medium, or low.
–
Reset To—Resets the security level to high, medium, or low.
•
Reset—Resets all security settings to the default. The default pinhole timeout is one minute. The default endpoint mapper settings are none.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
DCERPC Inspect Map Basic/Advanced View
The DCERPC map pane lets you configure basic and advanced settings for previously configured DCERPC application inspection maps.
Fields
•
Name—Shows the name of the previously configured DCERPC map.
•
Description—Enter the description of the DCERPC map, up to 200 characters in length.
•
Basic View—Shows the current security settings.
–
Customize—Opens the Customize Security Level dialog box to configure security settings.
–
Default Level—Sets the security level back to the default level of Medium.
•
Advanced View—Lets you configure the security settings.
–
Pinhole Timeout—Sets the pinhole timeout. Since a client may use the server information returned by the endpoint mapper for multiple connections, the timeout value is configurable based on the client application environment. Range is from 0:0:1 to 1193:0:0. Default is 2 minutes.
–
Enforce endpoint-mapper service—Enforces endpoint mapper service during binding.
–
Enforce endpoint-mapper service lookup—Enables the lookup operation of the endpoint mapper service. If disabled, the pinhole timeout is used.
Service Lookup Timeout—Sets the timeout for pinholes from lookup operation.
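The pinhole timeout and endpoint-mapper settings described in the Customize Security Level dialog and in this Advanced View correspond to the parameters of a DCERPC inspection policy map on the ASA CLI. The configuration below is an added example written for this page, not configuration taken from the original document or from Cisco. The map and class names are assumptions, and the keyword syntax should be checked against the command reference for the release in use.

```cisco
! Added example for this page, not configuration from the original
! document. Map and class names (DCERPC-STRICT, DCERPC-RELAXED,
! DCERPC-EPM) are assumptions.

! Equivalent of the High security level, with the pinhole timeout
! shortened to 30 seconds for short-lived RPC clients
policy-map type inspect dcerpc DCERPC-STRICT
 parameters
  ! lifetime (hh:mm:ss) of the pinhole opened for the secondary
  ! connection to the server port returned by the EPM
  timeout pinhole 0:0:30
  ! enforce the endpoint-mapper service during binding: pinholes are
  ! opened only for endpoints that an EPM response actually returned
  endpoint-mapper epm-service-only

! Equivalent of the Low security level: EPM lookup operations are
! permitted and the pinholes they create get their own, longer timeout
policy-map type inspect dcerpc DCERPC-RELAXED
 parameters
  timeout pinhole 0:2:00
  endpoint-mapper lookup-operation timeout 0:5:00

! Inspect EPM traffic on the well-known port with the strict map;
! global_policy is already applied with "service-policy global_policy global"
class-map DCERPC-EPM
 match port tcp eq 135
policy-map global_policy
 class DCERPC-EPM
  inspect dcerpc DCERPC-STRICT
```

The strict map is the one to prefer when clients only need the well-known map operation: with epm-service-only a client cannot open a connection to an arbitrary high port on the server unless the EPM handed that port out first. A short pinhole timeout limits how long a leaked or guessed endpoint stays reachable, at the cost of forcing clients that reconnect slowly to query the EPM again.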
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
DNS Inspect Map
The DNS pane lets you view previously configured DNS application inspection maps. A DNS map lets you change the default configuration values used for DNS application inspection.
DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. User configurable rules allow certain DNS types to be allowed, dropped, and/or logged, while others are blocked. Zone transfer can be restricted between servers with this function, for example.
The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS ID randomization can be enabled to avoid spoofing and cache poisoning of servers that either do not support randomization or use a weak pseudo-random number generator. Limiting the domain names that can be queried protects the public server further.
A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable check that enforces a Transaction Signature (TSIG) on all DNS messages is also supported.
Fields
•
Name—Enter the name of the inspect map, up to 40 characters in length.
•
Description—Enter the description of the inspect map, up to 200 characters in length.
•
Security Level—Select the security level (high, medium, or low).
–
Low—Default.
DNS Guard: enabled
NAT rewrite: enabled
Protocol enforcement: enabled
ID randomization: disabled
Message length check: enabled
Message length maximum: 512
Mismatch rate logging: disabled
TSIG resource record: not enforced
–
Medium
DNS Guard: enabled
NAT rewrite: enabled
Protocol enforcement: enabled
ID randomization: enabled
Message length check: enabled
Message length maximum: 512
Mismatch rate logging: enabled
TSIG resource record: not enforced
–
High
DNS Guard: enabled
NAT rewrite: enabled
Protocol enforcement: enabled
ID randomization: enabled
Message length check: enabled
Message length maximum: 512
Mismatch rate logging: enabled
TSIG resource record: enforced
–
Customize—Opens the Customize Security Level dialog box for additional settings.
–
Default Level—Sets the security level back to the default level of Low.
•
DNS Inspect Maps—Table that lists the defined DNS inspect maps. The defined inspect maps are also listed in the DNS area of the Inspect Maps tree.
•
Add—Adds the new DNS inspect map to the defined list in the DNS Inspect Maps table and to the DNS area of the Inspect Maps tree. To configure the new DNS map, select the DNS entry in Inspect Maps tree.
•
Delete—Deletes the application inspection map selected in the DNS Inspect Maps table and from the DNS area of the Inspect Maps tree.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
Customize Security Level
The Customize Security Level dialog box lets you configure the security settings for previously configured DNS application inspection maps.
Fields
•
Settings—Specifies DNS security settings and actions.
–
Enable DNS guard function—As part of protocol conformance, this option performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
–
Enable NAT rewrite function—As part of protocol conformance, this option enables IP address translation in the A record of the DNS response.
–
Enable protocol enforcement—As part of protocol conformance, this option enables DNS message format check, including domain name, label length, compression, and looped pointer check.
–
Randomize the DNS identifier for DNS query—As part of protocol conformance, this option randomizes the DNS identifier in the DNS query message.
–
Drop packets that exceed specified maximum length—As part of filtering, this option drops packets that exceed maximum length in bytes.
Maximum Packet Length—Enter maximum packet length in bytes.
–
Enable Logging when DNS ID mismatch rate exceeds specified rate—Reports excessive instances of DNS identifier mismatches.
Mismatch Instance Threshold—Enter the maximum number of mismatch instances before a system message log is sent.
Time Interval—Enter the time period to monitor (in seconds).
–
Enforce TSIG resource record to be present in DNS message—As part of protocol conformance, this option requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
Drop packet—Drops the packet (logging can be either enabled or disabled).
Log—Enables logging.
•
Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
–
Reset to—Specifies high, medium, or low security setting.
–
Reset—Reset settings to selected level.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
DNS Inspect Map Basic View
The DNS Inspect Map Basic View pane shows the configured settings for the DNS inspect map. The Advanced View lets you configure the settings.
Fields
•
Name—Shows the name of the previously configured DNS map.
•
Description—Enter the description of the DNS map, up to 200 characters in length.
•
Security Level—Shows the current security settings.
–
Customize—Opens the Customize Security Level dialog box to configure the security settings.
–
Default Level—Sets the security level back to the default.
•
Advanced View—Lets you configure the security settings.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
DNS Inspect Map Advanced View
The DNS Inspect Map Advanced View pane lets you configure the inspect map settings.
Fields
•
Name—Shows the name of the previously configured DNS map.
•
Description—Enter the description of the DNS map, up to 200 characters in length.
•
Protocol Conformance—Tab that lets you configure the protocol conformance settings for DNS.
–
Enable DNS guard function—Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
–
Enable NAT re-write function—Enables IP address translation in the A record of the DNS response.
–
Enable protocol enforcement—Enables DNS message format check, including domain name, label length, compression, and looped pointer check.
–
Randomize the DNS identifier for DNS query— Randomizes the DNS identifier in the DNS query message.
–
Enforce TSIG resource record to be present in DNS message—Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
Drop packet—Drops the packet (logging can be either enabled or disabled).
Log—Enables logging.
•
Filtering—Tab that lets you configure the filtering settings for DNS.
–
Global Settings—Applies settings globally.
Drop packets that exceed specified maximum length (global)—Drops packets that exceed maximum length in bytes.
Maximum Packet Length—Enter maximum packet length in bytes.
–
Server Settings—Applies settings on the server only.
Drop packets that exceed specified maximum length—Drops packets that exceed maximum length in bytes.
Maximum Packet Length—Enter maximum packet length in bytes.
Drop packets sent to server that exceed length indicated by the RR—Drops packets sent to the server that exceed the length indicated by the Resource Record.
–
Client Settings—Applies settings on the client only.
Drop packets that exceed specified maximum length—Drops packets that exceed maximum length in bytes.
Maximum Packet Length—Enter maximum packet length in bytes.
Drop packets sent to client that exceed length indicated by the RR—Drops packets sent to the client that exceed the length indicated by the Resource Record.
•
Mismatch Rate—Tab that lets you configure the ID mismatch rate for DNS.
–
Enable Logging when DNS ID mismatch rate exceeds specified rate—Reports excessive instances of DNS identifier mismatches.
Mismatch Instance Threshold—Enter the maximum number of mismatch instances before a system message log is sent.
Time Interval—Enter the time period to monitor (in seconds).
•
Inspections—Tab that shows you the DNS inspection configuration and lets you add or edit.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the DNS inspection.
–
Value—Shows the value to match in the DNS inspection.
–
Action—Shows the action if the match condition is met.
–
Log—Shows the log state.
–
Add—Opens the Add DNS Inspect dialog box to add a DNS inspection.
–
Edit—Opens the Edit DNS Inspect dialog box to edit a DNS inspection.
–
Delete—Deletes a DNS inspection.
–
Move Up—Moves an inspection up in the list.
–
Move Down—Moves an inspection down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
Add/Edit DNS Inspect
The Add/Edit DNS Inspect dialog box lets you define the match criterion and value for the DNS inspect map.
Fields
•
Single Match—Specifies that the DNS inspect has only one match statement.
•
Match Type—Specifies whether traffic should match or not match the values.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of DNS traffic to match.
–
Header Flag—Match a DNS flag in the header.
–
Type—Match a DNS query or resource record type.
–
Class—Match a DNS query or resource record class.
–
Question—Match a DNS question.
–
Resource Record—Match a DNS resource record.
–
Domain Name—Match a domain name from a DNS query or resource record.
•
Header Flag Criterion Values—Specifies the value details for DNS header flag match.
–
Match Option—Specifies either an exact match or match all bits (bit mask match).
–
Match Value—Specifies to match either the header flag name or the header flag value.
Header Flag Name—Lets you select one or more header flag names to match: AA (authoritative answer), QR (query/response), RA (recursion available), RD (recursion desired), and TC (truncation).
Header Flag Value—Lets you enter an arbitrary 16-bit value in hex to match.
•
Type Criterion Values—Specifies the value details for DNS type match.
–
DNS Type Field Name—Lists the DNS types to select.
A—IPv4 address
NS—Authoritative name server
CNAME—Canonical name
SOA—Start of a zone of authority
TSIG—Transaction signature
IXFR—Incremental (zone) transfer
AXFR—Full (zone) transfer
–
DNS Type Field Value—Specifies to match either a DNS type field value or a DNS type field range.
Value—Lets you enter an arbitrary value between 0 and 65535 to match.
Range—Lets you enter a range match. Both values between 0 and 65535.
•
Class Criterion Values—Specifies the value details for DNS class match.
–
DNS Class Field Name—Specifies to match the DNS class by name (Internet, the IN class).
–
DNS Class Field Value—Specifies to match either a DNS class field value or a DNS class field range.
Value—Lets you enter an arbitrary value between 0 and 65535 to match.
Range—Lets you enter a range match. Both values between 0 and 65535.
•
Question Criterion Values—Specifies to match on the DNS question section.
•
Resource Record Criterion Values—Specifies to match on the DNS resource record section.
–
Resource Record— Lists the sections to match.
Additional—DNS additional resource record
Answer—DNS answer resource record
Authority—DNS authority resource record
•
Domain Name Criterion Values—Specifies to match on DNS domain name.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
•
Multiple Matches—Specifies multiple matches for the DNS inspection.
–
DNS Traffic Class—Specifies the DNS traffic class match.
–
Manage—Opens the Manage DNS Class Maps dialog box to add, edit, or delete DNS Class Maps.
•
Actions—Primary action and log settings.
–
Primary Action—Mask, drop packet, drop connection, none.
–
Log—Enable or disable.
–
Enforce TSIG—Do not enforce, drop packet, log, drop packet and log.
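The settings in the DNS Customize Security Level dialog, the tabs of the DNS Inspect Map Advanced View, and the match criteria and actions in this Add/Edit DNS Inspect dialog map onto a DNS inspection policy map on the ASA CLI. The configuration below is an added example written for this page, not configuration taken from the original document or from Cisco. The map, class, and regex names and the example.com zone are assumptions, and keyword syntax should be checked against the command reference for the release in use. It builds the map a practitioner would put in front of an authoritative-only public server: the High security level conformance checks, RD/RA masking, a block on zone-transfer requests, and a restriction on the names that can be queried.

```cisco
! Added example for this page, not configuration from the original
! document. DNS-PUBLIC-ZONE, DNS-ALLOWED-DOMAINS, DNS-XFER-REQUEST,
! DNS-PUBLIC-SERVER and example.com are assumptions.

! Domain Name criterion, regular expression class form ("Manage" in
! the dialog): only names in the public zone may be queried
regex DNS-PUBLIC-ZONE "\.example\.com$"
class-map type regex match-any DNS-ALLOWED-DOMAINS
 match regex DNS-PUBLIC-ZONE

! "Multiple Matches": an inspection class map combines criteria.
! IXFR (251) and AXFR (252) asked for in the question section
class-map type inspect dns match-all DNS-XFER-REQUEST
 match dns-type range 251 252
 match question

policy-map type inspect dns DNS-PUBLIC-SERVER
 parameters
  ! Protocol Conformance tab (the High security level set)
  dns-guard
  protocol-enforcement
  nat-rewrite
  id-randomization
  ! Mismatch Rate tab: log when more than 30 ID mismatches arrive
  ! within 10 seconds, a sign of a poisoning attempt against the cache
  id-mismatch count 30 duration 10 action log
  ! Filtering tab, global setting. EDNS0 responses are larger than
  ! 512 bytes; "message-length maximum client auto" / "server auto"
  ! take the limit from the OPT resource record instead
  message-length maximum 512
  ! require a TSIG resource record; drop and log anything without one
  tsig enforced action drop log
 ! Header Flag criterion, match-all-bits form (no "eq"): an exact
 ! match would require the whole flag word to equal RD.
 ! Masking RD and RA keeps the server from being used as an open
 ! resolver and hides whether it offers recursion.
 match header-flag RD
  mask log
 match header-flag RA
  mask log
 ! zone transfers are not offered through the firewall
 class DNS-XFER-REQUEST
  drop log
 ! Match Type "No Match" on the domain-name criterion: drop anything
 ! outside the public zone. Names in resource records are checked
 ! too, so responses carrying external CNAME or NS targets are dropped
 ! unless the regex is widened to cover them.
 match not domain-name regex class DNS-ALLOWED-DOMAINS
  drop log

! Replace the default DNS inspection in the global policy
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns DNS-PUBLIC-SERVER
```

After applying the map, "show service-policy inspect dns" reports the per-check counters, which is the quickest way to see whether the domain-name restriction is dropping legitimate responses; if it is, widen the regex class rather than removing the rule.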
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
Manage Class Maps
The Manage Class Map dialog box lets you configure class maps for inspection.
An inspection class map matches application traffic with criteria specific to the application. You then identify the class map in the inspect map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspect map is that you can create more complex match criteria and you can reuse class maps. The applications that support inspection class maps are DNS, FTP, H.323, HTTP, Instant Messaging (IM), and SIP.
Fields
•
Name—Shows the class map name.
•
Match Conditions—Shows the type, match criterion, and value in the class map.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the class map.
–
Value—Shows the value to match in the class map.
•
Description—Shows the description of the class map.
•
Add—Adds match conditions for the class map.
•
Edit—Edits match conditions for the class map.
•
Delete—Deletes match conditions for the class map.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
ESMTP Inspect Map
The ESMTP pane lets you view previously configured ESMTP application inspection maps. An ESMTP map lets you change the default configuration values used for ESMTP application inspection.
ESMTP traffic is a common vector for spam, phishing, malformed messages, buffer overflows, and buffer underflows, so detailed packet inspection and control of ESMTP traffic are supported. Application security and protocol conformance checks enforce the sanity of the ESMTP message, detect several attacks, block senders and receivers, and block mail relay.
Fields
•
Name—Enter the name of the inspect map, up to 40 characters in length.
•
Description—Enter the description of the inspect map, up to 200 characters in length.
•
Security Level—Select the security level (high, medium, or low).
–
Low—Default.
Log if command line length is greater than 512
Log if command recipient count is greater than 100
Log if body line length is greater than 1000
Log if sender address length is greater than 320
Log if MIME file name length is greater than 255
–
Medium
Obfuscate Server Banner
Drop Connections if command line length is greater than 512
Drop Connections if command recipient count is greater than 100
Drop Connections if body line length is greater than 1000
Drop Connections if sender address length is greater than 320
Drop Connections if MIME file name length is greater than 255
–
High
Obfuscate Server Banner
Drop Connections if command line length is greater than 512
Drop Connections if command recipient count is greater than 100
Drop Connections if body line length is greater than 1000
Drop Connections and log if sender address length is greater than 320
Drop Connections and log if MIME file name length is greater than 255
–
Customize—Opens the Customize Security Level dialog box for additional settings.
–
Default Level—Sets the security level back to the default level of Low.
–
MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.
•
ESMTP Inspect Maps—Table that lists the defined ESMTP inspect maps. The defined inspect maps are also listed in the ESMTP area of the Inspect Maps tree.
•
Add—Adds the new ESMTP inspect map to the defined list in the ESMTP Inspect Maps table and to the ESMTP area of the Inspect Maps tree. To configure the new ESMTP map, select the ESMTP entry in Inspect Maps tree.
•
Delete—Deletes the application inspection map selected in the ESMTP Inspect Maps table and from the ESMTP area of the Inspect Maps tree.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
Customize Security Level
The Customize Security Level dialog box lets you configure the security settings for previously configured ESMTP application inspection maps.
Fields
•
Settings—Specifies ESMTP security settings and actions.
–
Mask server banner—Enforces banner obfuscation.
–
Configure Mail Relay—Enables mail relay checking for the specified local domain.
Domain Name—Specifies a local domain.
Action—Drop connection or log.
Log—Enable or disable.
–
Check for command line length—Enables command line length matching at specified length.
Minimum Length—Shows the minimum length configured.
Action—Reset, drop connection, log.
Log—Enable or disable.
–
Check for command recipient count—Enables command recipient count matching at specified count.
Minimum Count—Shows the minimum count configured.
Action—Reset, drop connection, log.
Log—Enable or disable.
–
Check for body line length—Enables body line length matching at specified length.
Minimum Length—Shows the minimum length configured.
Action—Reset, drop connection, log.
Log—Enable or disable.
–
Check for sender address length—Enables sender address length matching at specified length.
Minimum Length—Shows the minimum length configured.
Action—Reset, drop connection, log.
Log—Enable or disable.
–
Check for MIME file name length—Enables MIME file name length matching at specified length.
Minimum Length—Shows the minimum length configured.
Action—Reset, drop connection, log.
Log—Enable or disable.
•
Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
–
Reset to—Specifies high, medium, or low security setting.
–
Reset—Reset settings to selected level.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
MIME File Type Filtering
The MIME File Type Filtering dialog box lets you configure the settings for a MIME file type filter.
Fields
•
Match Type—Shows the match type, which can be a positive or negative match.
•
Criterion—Shows the criterion of the inspection.
•
Value—Shows the value to match in the inspection.
•
Action—Shows the action if the match condition is met.
•
Log—Shows the log state.
•
Add—Opens the Add MIME File Type Filter dialog box to add a MIME file type filter.
•
Edit—Opens the Edit MIME File Type Filter dialog box to edit a MIME file type filter.
•
Delete—Deletes a MIME file type filter.
•
Move Up—Moves an entry up in the list.
•
Move Down—Moves an entry down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
ESMTP Inspect Map Basic View
The ESMTP Inspect Map Basic View pane shows the configured settings for the ESMTP inspect map. The Advanced View lets you configure the settings.
Fields
•
Name—Shows the name of the previously configured ESMTP map.
•
Description—Enter the description of the ESMTP map, up to 200 characters in length.
•
Security Level—Shows the current security settings.
–
Customize—Opens the Customize Security Level dialog box to configure the security settings.
–
Default Level—Sets the security level back to the default.
•
MIME File Type Filtering—Opens the MIME Type Filtering dialog box to configure MIME file type filters.
•
Advanced View—Lets you configure the security settings.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
ESMTP Inspect Map Advanced View
The ESMTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields
•
Name—Shows the name of the previously configured ESMTP map.
•
Description—Enter the description of the ESMTP map, up to 200 characters in length.
•
Parameters—Tab that lets you configure the parameters for the ESMTP inspect map.
–
Mask server banner—Enforces banner obfuscation.
–
Encrypted Packet Inspection—Configures encrypted traffic inspection options.
Disable Inspection for encrypted traffic (over TLS) on an ESMTP Session—Allows the session to negotiate STARTTLS; inspection stops once the session is encrypted. When this option is not selected, the STARTTLS capability is removed from the EHLO reply so that the session stays in cleartext and remains inspectable.
Enable Logging for encrypted traffic—Enables logging if encrypted traffic inspection is disabled.
•
Filtering—Tab that lets you configure the parameters for the ESMTP inspect map.
–
Configure Mail Relay—Enables mail relay checking for the specified local domain.
Domain Name—Specifies a local domain.
Action—Drop connection or log.
Log—Enable or disable.
–
Check for special characters pipe (|), backquote (`), NUL in sender or recipient address—Checks for the pipe, backquote, and NUL characters in the sender or recipient address.
Action—Drop connection or log.
Log—Enable or disable.
•
Inspections—Tab that shows you the ESMTP inspection configuration and lets you add or edit.
–
Match Type—Shows the match type, which can be a positive or negative match.
–
Criterion—Shows the criterion of the ESMTP inspection.
–
Value—Shows the value to match in the ESMTP inspection.
–
Action—Shows the action if the match condition is met.
–
Log—Shows the log state.
–
Add—Opens the Add ESMTP Inspect dialog box to add an ESMTP inspection.
–
Edit—Opens the Edit ESMTP Inspect dialog box to edit an ESMTP inspection.
–
Delete—Deletes an ESMTP inspection.
–
Move Up—Moves an inspection up in the list.
–
Move Down—Moves an inspection down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode: Routed • | Transparent •
Security Context: Single • | Multiple (Context) • | Multiple (System) —
(• = available, — = not available)
Add/Edit ESMTP Inspect
The Add/Edit ESMTP Inspect dialog box lets you define the match criterion and value for the ESMTP inspect map.
Fields
•
Match Type—Specifies whether traffic should match or not match the values.
For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
•
Criterion—Specifies which criterion of ESMTP traffic to match.
–
Body Length—Match body length greater than the specified length in bytes.
–
Body Line Length—Match body line length greater than the specified length in bytes.
–
Commands—Match commands exchanged in the ESMTP protocol.
–
Command Recipient Count—Match command recipient count greater than number specified.
–
Command Line Length—Match command line length greater than length specified in bytes.
–
EHLO Reply Parameters—Match an ESMTP EHLO reply parameter.
–
Header Length—Match header length at length specified in bytes.
–
Header To Fields Count—Match header To fields count greater than number specified.
–
Invalid Recipients Count—Match invalid recipients count greater than number specified.
–
MIME File Type—Match MIME file type.
–
MIME Filename Length—Match MIME filename length greater than the specified length in bytes.
–
MIME Encoding—Match MIME encoding.
–
Sender Address—Match sender email address.
–
Sender Address Length—Match sender email address length.
•
Body Length Criterion Values—Specifies the value details for body length match.
–
Greater Than Length—Body length in bytes.
–
Action—Reset, drop connection, log.
–
Log—Enable or disable.
•
Body Line Length Criterion Values—Specifies the value details for body line length match.
–
Greater Than Length—Body line length in bytes.
–
Action—Reset, drop connection, log.
–
Log—Enable or disable.
•
Commands Criterion Values—Specifies the value details for command match.
–
Available Commands Table:
AUTH
DATA
EHLO
ETRN
HELO
HELP
MAIL
NOOP
QUIT
RCPT
RSET
SAML
SOML
VRFY
–
Add—Adds the selected command from the Available Commands table to the Selected Commands table.
–
Remove—Removes the selected command from the Selected Commands table.
–
Primary Action—Mask, Reset, Drop Connection, None, Limit Rate (pps).
–
Log—Enable or disable.
–
Rate Limit—Do not limit rate, Limit Rate (pps).
•
Command Recipient Count Criterion Values—Specifies the value details for command recipient count match.
–
Greater Than Count—Specify command recipient count.
–
Action—Reset, drop connection, log.
–
Log—Enable or disable.
•
Command Line Length Criterion Values—Specifies the value details for command line length.
–
Greater Than Length—Command line length in bytes.
–
Action—Reset, drop connection, log.
–
Log—Enable or disable.
•
EHLO Reply Parameters Criterion Values—Specifies the value details for EHLO reply parameters match.
–
Available Parameters Table:
8bitmime
auth
binarymime
checkpoint
dsn
ecode
etrn
others
pipelining
size
vrfy
–
Add—Adds the selected parameter from the Available Parameters table to the Selected Parameters table.
–
Remove—Removes the selected parameter from the Selected Parameters table.
–
Action—Reset, Drop Connection, Mask, Log.
–
Log—Enable or disable.
•
Header Length Criterion Values—Specifies the value details for header length match.
–
Greater Than Length—Header length in bytes.
–
Action—Reset, Drop Connection, Mask, Log.
–
Log—Enable or disable.
•
Header To Fields Count Criterion Values—Specifies the value details for header To fields count match.
–
Greater Than Count—Specify the header To fields count.
–
Action—Reset, drop connection, log.
–
Log—Enable or disable.
•
Invalid Recipients Count Criterion Values—Specifies the value details for invalid recipients count match.
–
Greater Than Count—Specify the invalid recipients count.
–
Action—Reset, drop connection, log.
–
Log—Enable or disable.
•
MIME File Type Criterion Values—Specifies the value details for MIME file type match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Action—Reset, drop connection, log.
–
Log—Enable or disable.
•
MIME Filename Length Criterion Values—Specifies the value details for MIME filename length match.
–
Greater Than Length—MIME filename length in bytes.
–
Action—Reset, Drop Connection, Log.
–
Log—Enable or disable.
•
MIME Encoding Criterion Values—Specifies the value details for MIME encoding match.
–
Available Encodings table
7bit
8bit
base64
binary
others
quoted-printable
–
Add—Adds the selected parameter from the Available Encodings table to the Selected Encodings table.
–
Remove—Removes the selected command from the Selected Commands table.
–
Action—Reset, Drop Connection, Log.
–
Log—Enable or disable.
•
Sender Address Criterion Values—Specifies the value details for sender address match.
–
Regular Expression—Lists the defined regular expressions to match.
–
Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
–
Regular Expression Class—Lists the defined regular expression classes to match.
–
Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
–
Action—Reset, Drop Connection, Log.
–
Log—Enable or disable.
•
Sender Address Length Criterion Values—Specifies the value details for sender address length match.
–
Greater Than Length—Sender address length in bytes.
–
Action—Reset, Drop Connection, Log.
–
Log—Enable or disable.
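The criteria above amount to a small rule set applied to each SMTP exchange. The following Python program is an added example, not ASDM or ASA code: it models the Command Line Length, Command Recipient Count, Sender Address Length, EHLO Reply Parameters, Header To Fields Count and MIME Encoding checks against a constructed SMTP session. The thresholds and actions in POLICY, the "others" bucket for parameters and encodings not in the dialog's lists, and masking with X characters are assumptions made for the example.

```python
"""ESMTP inspection criteria from the Add/Edit ESMTP Inspect dialog modelled in
Python.  Added example, not ASDM or ASA code: it evaluates a constructed SMTP
exchange against an inspect-map-like policy and reports (criterion, observed
value, action) for every hit."""
import re

# Parameters the dialog lists for EHLO Reply Parameters; anything else is "others".
EHLO_PARAMS = {"8bitmime", "auth", "binarymime", "checkpoint", "dsn", "ecode",
               "etrn", "pipelining", "size", "vrfy"}
# Encodings the dialog lists for MIME Encoding; anything else is "others".
MIME_ENCODINGS = {"7bit", "8bit", "base64", "binary", "quoted-printable"}

# Constructed policy: hypothetical thresholds and actions chosen for this example.
POLICY = {
    "cmd_line_length_gt": (512, "reset"),
    "cmd_rcpt_count_gt": (100, "drop-connection"),
    "sender_address_length_gt": (320, "reset"),
    "header_to_fields_count_gt": (8, "reset"),
    "ehlo_reply_params": ({"etrn", "vrfy", "others"}, "mask"),
    "mime_encodings": ({"binary", "others"}, "drop-connection"),
}


def inspect_commands(client_lines, policy=POLICY):
    """Apply the command-side criteria to the client's SMTP command lines."""
    findings, rcpt_count = [], 0
    for line in client_lines:
        if not line.strip():
            continue
        limit, action = policy["cmd_line_length_gt"]
        if len(line.encode("utf-8")) > limit:
            findings.append(("cmd-line-length", len(line), action))
        verb = line.split(None, 1)[0].upper()
        if verb == "RCPT":
            rcpt_count += 1
        elif verb == "MAIL":
            match = re.search(r"<([^>]*)>", line)
            addr = match.group(1) if match else ""
            limit, action = policy["sender_address_length_gt"]
            if len(addr) > limit:
                findings.append(("sender-address-length", len(addr), action))
    limit, action = policy["cmd_rcpt_count_gt"]
    if rcpt_count > limit:
        findings.append(("cmd-rcpt-count", rcpt_count, action))
    return findings


def inspect_ehlo_reply(reply_lines, policy=POLICY):
    """Apply the EHLO Reply Parameters criterion to the server's multi-line
    reply.  Returns (rewritten reply, findings).  The first line carries the
    server's domain, not a parameter, and is passed through.  Masking replaces
    the keyword with 'X' characters, a choice made for this example."""
    selected, action = policy["ehlo_reply_params"]
    findings, out = [], [reply_lines[0]]
    for line in reply_lines[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]   # e.g. "250-SIZE 10240000"
        words = rest.split()
        keyword = words[0].lower() if words else ""
        key = keyword if keyword in EHLO_PARAMS else "others"
        if keyword and key in selected:
            findings.append(("ehlo-reply-parameter", keyword, action))
            if action == "mask":
                rest = "X" * len(keyword) + rest[len(keyword):]
        out.append(code + sep + rest)
    return out, findings


def inspect_headers(header_lines, policy=POLICY):
    """Apply the Header To Fields Count and MIME Encoding criteria."""
    findings, to_count = [], 0
    selected, action = policy["mime_encodings"]
    for header in header_lines:
        name, _, value = header.partition(":")
        name, value = name.strip().lower(), value.strip().lower()
        if name == "to":
            to_count += 1
        elif name == "content-transfer-encoding":
            key = value if value in MIME_ENCODINGS else "others"
            if key in selected:
                findings.append(("mime-encoding", value, action))
    limit, action = policy["header_to_fields_count_gt"]
    if to_count > limit:
        findings.append(("header-to-fields-count", to_count, action))
    return findings


# Constructed sample exchange (not captured traffic).
SAMPLE_CLIENT = (["EHLO client.example.test", "MAIL FROM:<sender@example.test>"]
                 + ["RCPT TO:<user%d@example.test>" % i for i in range(101)]
                 + ["X" * 600, "DATA"])
SAMPLE_EHLO_REPLY = ["250-mail.example.test", "250-PIPELINING", "250-SIZE 10240000",
                     "250-VRFY", "250-XFOO", "250 DSN"]
SAMPLE_HEADERS = ["From: sender@example.test", "To: user0@example.test",
                  "Subject: report", "Content-Transfer-Encoding: binary"]

if __name__ == "__main__":
    print(inspect_commands(SAMPLE_CLIENT))
    print(inspect_ehlo_reply(SAMPLE_EHLO_REPLY))
    print(inspect_headers(SAMPLE_HEADERS))
```

Running the program prints one finding per matched criterion for the constructed session: the 600-byte command line, the 101 RCPT commands, the VRFY and unlisted XFOO keywords in the EHLO reply (returned masked), and the binary transfer encoding. Each finding carries the action the policy assigns, which is the decision an inspect map with these settings would take.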
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
FTP Inspect Map
The FTP pane lets you view previously configured FTP application inspection maps. An FTP map lets you change the default configuration values used for FTP application inspection.
FTP command filtering and security checks are provided using strict FTP inspection for improved security and control. Protocol conformance includes packet length checks, delimiters and packet format checks, command terminator checks, and command validation.
Blocking FTP based on user values is also supported so that it is possible for FTP sites to post files for download, but restrict access to certain users. You can block FTP connections based on file type, server name, and other attributes. System message logs are generated if an FTP connection is denied after inspection.
Fields
• Name—Enter the name of the inspect map, up to 40 characters in length.
• Description—Enter the description of the inspect map, up to 200 characters in length.
• Security Level—Select the security level (medium or low).
  – Low
      Mask Banner Disabled
      Mask Reply Disabled
  – Medium—Default.
      Mask Banner Enabled
      Mask Reply Enabled
  – Customize—Opens the Customize Security Level dialog box for additional settings.
  – Default Level—Sets the security level back to the default level of Medium.
  – File Type Filtering—Opens the File Type Filtering dialog box to configure file type filters.
• FTP Inspect Maps—Table that lists the defined FTP inspect maps. The defined inspect maps are also listed in the FTP area of the Inspect Maps tree.
• Add—Adds the new FTP inspect map to the defined list in the FTP Inspect Maps table and to the FTP area of the Inspect Maps tree. To configure the new FTP map, select the FTP entry in the Inspect Maps tree.
• Delete—Deletes the application inspection map selected in the FTP Inspect Maps table and from the FTP area of the Inspect Maps tree.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Customize Security Level
The Customize Security Level dialog box lets you configure the security settings for previously configured FTP application inspection maps.
Fields
• Settings—Specifies FTP security settings and actions.
  – Mask greeting banner from the server—Masks the greeting banner from the FTP server to prevent the client from discovering server information.
  – Mask reply to SYST command—Masks the reply to the SYST command to prevent the client from discovering server information.
• Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is medium.
  – Reset to—Specifies high, medium, or low security setting.
  – Reset—Resets settings to the selected level.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
File Type Filtering
The File Type Filtering dialog box lets you configure the settings for a file type filter.
Fields
• Match Type—Shows the match type, which can be a positive or negative match.
• Criterion—Shows the criterion of the inspection.
• Value—Shows the value to match in the inspection.
• Action—Shows the action if the match condition is met.
• Log—Shows the log state.
• Add—Opens the Add File Type Filter dialog box to add a file type filter.
• Edit—Opens the Edit File Type Filter dialog box to edit a file type filter.
• Delete—Deletes a file type filter.
• Move Up—Moves an entry up in the list.
• Move Down—Moves an entry down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
FTP Inspect Map Basic View
The FTP Inspect Map Basic View pane shows the configured settings for the FTP inspect map. The Advanced View lets you configure the settings.
Fields
• Name—Shows the name of the previously configured FTP map.
• Description—Enter the description of the FTP map, up to 200 characters in length.
• Security Level—Shows the current security settings.
  – Customize—Opens the Customize Security Level dialog box to configure the security settings.
  – Default Level—Sets the security level back to the default.
• File Type Filtering—Opens the File Type Filtering dialog box to configure file type filters.
• Advanced View—Lets you configure the security settings.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
FTP Inspect Map Advanced View
The FTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields
• Name—Shows the name of the previously configured FTP map.
• Description—Enter the description of the FTP map, up to 200 characters in length.
• Parameters—Tab that lets you configure the parameters for the FTP inspect map.
  – Mask greeting banner from the server—Masks the greeting banner from the FTP server to prevent the client from discovering server information.
  – Mask reply to SYST command—Masks the reply to the SYST command to prevent the client from discovering server information.
• Inspections—Tab that shows the FTP inspection configuration and lets you add or edit inspections.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the FTP inspection.
  – Value—Shows the value to match in the FTP inspection.
  – Action—Shows the action if the match condition is met.
  – Log—Shows the log state.
  – Add—Opens the Add FTP Inspect dialog box to add an FTP inspection.
  – Edit—Opens the Edit FTP Inspect dialog box to edit an FTP inspection.
  – Delete—Deletes an FTP inspection.
  – Move Up—Moves an inspection up in the list.
  – Move Down—Moves an inspection down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit FTP Map
The Add/Edit FTP Inspect dialog box lets you define the match criterion and value for the FTP inspect map.
Fields
• Single Match—Specifies that the FTP inspect has only one match statement.
• Match Type—Specifies whether traffic should match or not match the values.
  For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
• Criterion—Specifies which criterion of FTP traffic to match.
  – Request Command—Match an FTP request command.
  – File Name—Match a filename for FTP transfer.
  – File Type—Match a file type for FTP transfer.
  – Server—Match an FTP server.
  – User Name—Match an FTP user.
• Request Command Criterion Values—Specifies the value details for FTP request command match.
  – Request Command:
      APPE—Command that appends to a file.
      CDUP—Command that changes to the parent directory of the current working directory.
      DELE—Command that deletes a file.
      GET—Command that gets a file.
      HELP—Command that provides help information.
      MKD—Command that creates a directory.
      PUT—Command that sends a file.
      RMD—Command that deletes a directory.
      RNFR—Command that specifies the rename-from filename.
      RNTO—Command that specifies the rename-to filename.
      SITE—Commands that are specific to the server system. Usually used for remote administration.
      STOU—Command that stores a file using a unique filename.
• File Name Criterion Values—Specifies the value details for FTP filename match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• File Type Criterion Values—Specifies the value details for FTP file type match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Server Criterion Values—Specifies the value details for FTP server match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• User Name Criterion Values—Specifies the value details for FTP user name match.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Multiple Matches—Specifies multiple matches for the FTP inspection.
  – FTP Traffic Class—Specifies the FTP traffic class match.
  – Manage—Opens the Manage FTP Class Maps dialog box to add, edit, or delete FTP class maps.
• Action—Reset.
• Log—Enable or disable.
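The strict FTP inspection described in the FTP Inspect Map overview and the criteria of this dialog can be modelled as a filter over the control channel. The following Python program is an added example, not ASDM or ASA code: it applies a Request Command, File Name and User Name match (action reset) to a constructed FTP session and masks the server greeting banner and the SYST reply as the Customize Security Level settings do. The policy values, the mapping of the dialog's GET and PUT names to the RETR and STOR wire commands, and the use of X characters for masking are assumptions made for the example.

```python
"""Strict FTP inspection modelled in Python.  Added example, not ASA or ASDM
code: it applies the Add/Edit FTP Map criteria (Request Command, File Name,
User Name) to a constructed control-channel session, and masks the server
greeting banner and SYST reply as the Customize Security Level settings do."""
import re

# The dialog's GET and PUT names correspond to the RETR and STOR wire commands;
# that mapping is an assumption made for this example.
WIRE_COMMAND = {"GET": "RETR", "PUT": "STOR"}
FILE_COMMANDS = {"RETR", "STOR", "APPE", "STOU"}   # commands that carry a filename

# Constructed policy: hypothetical values chosen for this example.
POLICY = {
    "blocked_commands": {"APPE", "DELE", "MKD", "PUT", "RMD", "RNFR", "RNTO", "SITE", "STOU"},
    "filename_regex": re.compile(r"\.(exe|scr|bat)$", re.IGNORECASE),
    "username_regex": re.compile(r"^anonymous$", re.IGNORECASE),
    "mask_banner": True,
    "mask_syst_reply": True,
}


def inspect_client(lines, policy=POLICY):
    """Evaluate each client command line; return (line, criterion, action) for
    every hit.  The only action the FTP dialog offers is reset, so a hit means
    the control connection would be reset at that command."""
    blocked = {WIRE_COMMAND.get(c, c) for c in policy["blocked_commands"]}
    hits = []
    for line in lines:
        if not line.strip():
            continue
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in blocked:
            hits.append((line, "request-command", "reset"))
        elif verb in FILE_COMMANDS and policy["filename_regex"].search(arg):
            hits.append((line, "file-name", "reset"))
        elif verb == "USER" and policy["username_regex"].search(arg):
            hits.append((line, "user-name", "reset"))
    return hits


def mask_server(lines, policy=POLICY):
    """Rewrite server replies: the text of the 220 greeting and of the 215
    SYST reply is replaced by 'X' characters so the client cannot read the
    server software or OS type (using 'X' is this example's choice)."""
    out = []
    for line in lines:
        code, _, text = line.partition(" ")
        if (code == "220" and policy["mask_banner"]) or \
                (code == "215" and policy["mask_syst_reply"]):
            text = "X" * len(text)
        out.append(code + " " + text if text else code)
    return out


# Constructed sample session (not captured traffic).
SAMPLE_CLIENT = ["USER anonymous", "PASS guest@", "SYST", "CWD /pub",
                 "RETR tool.exe", "STOR notes.txt", "DELE old.txt", "QUIT"]
SAMPLE_SERVER = ["220 ftp.example.test FTP server (Version 6.00LS) ready.",
                 "331 Password required for anonymous.", "230 User logged in.",
                 "215 UNIX Type: L8", "250 CWD command successful."]

if __name__ == "__main__":
    for hit in inspect_client(SAMPLE_CLIENT):
        print(hit)
    for reply in mask_server(SAMPLE_SERVER):
        print(reply)
```

In the constructed session the anonymous login, the .exe download, the STOR (the dialog's PUT) and the DELE each produce a hit, while the masked 220 and 215 replies keep their reply codes so the client still sees a protocol-conformant response.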
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
GTP Inspect Map
The GTP pane lets you view previously configured GTP application inspection maps. A GTP map lets you change the default configuration values used for GTP application inspection.
GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.
Note: GTP inspection is not available without a special license.
Fields
• Name—Enter the name of the inspect map, up to 40 characters in length.
• Description—Enter the description of the inspect map, up to 200 characters in length.
• Security Level—Security level Low only.
  – Do not Permit Errors
  – Maximum Number of Tunnels: 500
  – GSN timeout: 00:30:00
  – PDP-Context timeout: 00:30:00
  – Request timeout: 00:01:00
  – Signaling timeout: 00:30:00
  – Tunnel timeout: 01:00:00
  – T3-response timeout: 00:00:20
  – Drop and log unknown message IDs
• Customize—Opens the Customize Security Level dialog box for additional settings.
• Default Level—Sets the security level back to the default.
• IMSI Prefix Filtering—Opens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters.
• GTP Inspect Maps—Table that lists the defined GTP inspect maps. The defined inspect maps are also listed in the GTP area of the Inspect Maps tree.
• Add—Adds the new GTP inspect map to the defined list in the GTP Inspect Maps table and to the GTP area of the Inspect Maps tree. To configure the new GTP map, select the GTP entry in the Inspect Maps tree.
• Delete—Deletes the application inspection map selected in the GTP Inspect Maps table and from the GTP area of the Inspect Maps tree.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Customize Security Level
The Customize Security Level dialog box lets you configure the security settings for previously configured GTP application inspection maps.
Fields
• Permit Errors—Lets any packets that are invalid or that encountered an error during inspection be sent through the security appliance instead of being dropped. By default, all invalid packets or packets that failed during parsing are dropped.
• Drop and Log unknown message IDs—Drops and logs all message IDs that are unknown.
• Maximum Number of Requests—Lets you change the default for the maximum request queue size allowed. The default for the maximum request queue size is 200. Specifies the maximum number of GTP requests that will be queued waiting for a response. The permitted range is from 1 to 9999999.
• Maximum Number of Tunnels—Lets you change the default for the maximum number of tunnels allowed. The default tunnel limit is 500. Specifies the maximum number of tunnels allowed. The permitted range is from 1 to 9999999 for the global overall tunnel limit.
• Timeouts
  – GSN timeout—Lets you change the default for the maximum period of inactivity before a GSN is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – PDP-Context timeout—Lets you change the default for the maximum period of inactivity before receiving the PDP Context for a GTP session. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Request Queue—Lets you change the default for the maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Signaling—Lets you change the default for the maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Tunnel—Lets you change the default for the maximum period of inactivity for the GTP tunnel. The default is 1 hour. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
  – Request timeout—Specifies the GTP Request idle timeout.
  – T3-Response timeout—Specifies the maximum wait time for a response before removing the connection.
• Reset to—Specifies the low security setting.
• Reset—Resets settings to the selected level.
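The request-queue size, tunnel limit and idle timeouts above are resource limits that decide when the appliance refuses or forgets GTP state. The following Python program is an added example, not ASA or ASDM code: it parses the hh:mm:ss timeouts (0 meaning never tear down), tracks outstanding requests and tunnels against the two limits, and expires idle entries. The defaults are taken from the dialog; the tracking structures, the sequence-number and tunnel-id keys, and the small limits used in demo() are assumptions made for the example.

```python
"""GTP inspect-map resource limits modelled in Python.  Added example, not ASA
or ASDM code: it parses the hh:mm:ss timeouts from the Customize Security
Level dialog (0 = never tear down), enforces the request-queue and tunnel
limits, and expires idle entries.  The data structures are this example's own."""


def parse_timeout(text):
    """'hh:mm:ss' or '0' -> seconds; returns None for 0, meaning never tear down."""
    parts = text.split(":")
    if len(parts) == 1:
        total = int(parts[0])
    elif len(parts) == 3:
        hours, minutes, seconds = (int(p) for p in parts)
        total = hours * 3600 + minutes * 60 + seconds
    else:
        raise ValueError("timeout must be hh:mm:ss or 0: %r" % text)
    return None if total == 0 else total


# Defaults as listed in the dialog.
DEFAULTS = {
    "request_queue": 200,
    "tunnel_limit": 500,
    "timeout_gsn": parse_timeout("00:30:00"),
    "timeout_pdp_context": parse_timeout("00:30:00"),
    "timeout_request": parse_timeout("00:01:00"),
    "timeout_signaling": parse_timeout("00:30:00"),
    "timeout_tunnel": parse_timeout("01:00:00"),
    "timeout_t3_response": parse_timeout("00:00:20"),
}


class GtpState:
    """Tracks outstanding requests and active tunnels against the limits."""

    def __init__(self, settings=DEFAULTS):
        self.s = settings
        self.requests = {}   # sequence number -> time the request was seen
        self.tunnels = {}    # tunnel id -> time of last activity
        self.dropped = []    # (reason, key) for every refused operation

    def expire(self, now):
        """Forget requests and tunnels idle for at least their timeout
        (a timeout of None, i.e. configured 0, never expires)."""
        t_req, t_tun = self.s["timeout_request"], self.s["timeout_tunnel"]
        if t_req is not None:
            self.requests = {k: t for k, t in self.requests.items() if now - t < t_req}
        if t_tun is not None:
            self.tunnels = {k: t for k, t in self.tunnels.items() if now - t < t_tun}

    def on_request(self, seq, now):
        """Queue a request awaiting its response; refuse it when the queue is full."""
        self.expire(now)
        if len(self.requests) >= self.s["request_queue"]:
            self.dropped.append(("request-queue-full", seq))
            return False
        self.requests[seq] = now
        return True

    def on_response(self, seq):
        """A response frees the queue slot; False means no request was pending."""
        return self.requests.pop(seq, None) is not None

    def on_tunnel_create(self, tid, now):
        """Admit a new tunnel unless the global tunnel limit is reached."""
        self.expire(now)
        if tid not in self.tunnels and len(self.tunnels) >= self.s["tunnel_limit"]:
            self.dropped.append(("tunnel-limit", tid))
            return False
        self.tunnels[tid] = now
        return True

    def on_tunnel_traffic(self, tid, now):
        """Refresh the idle timer of a known tunnel; False for an unknown one."""
        if tid not in self.tunnels:
            return False
        self.tunnels[tid] = now
        return True


def demo():
    """Constructed scenario with small limits so the refusals are visible."""
    settings = dict(DEFAULTS, request_queue=2, tunnel_limit=3,
                    timeout_tunnel=parse_timeout("00:00:10"))
    st = GtpState(settings)
    ok = [st.on_request(seq, 0) for seq in (1, 2, 3)]        # third exceeds queue of 2
    st.on_response(1)                                          # frees one slot
    ok.append(st.on_request(4, 1))
    tun = [st.on_tunnel_create(t, 2) for t in (10, 11, 12, 13)]  # fourth is over the limit
    st.on_tunnel_traffic(10, 5)                                # keeps tunnel 10 alive
    late = st.on_tunnel_create(13, 13)   # 11 and 12 idle 11 s >= 10 s: expired, room again
    return ok, tun, late, st.dropped, sorted(st.tunnels)


if __name__ == "__main__":
    print(demo())
```

demo() shows both limits refusing work and the tunnel timeout freeing capacity: a tunnel refreshed by traffic survives, idle ones are forgotten, and the refused tunnel can be created once room exists.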
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
IMSI Prefix Filtering
The IMSI Prefix tab lets you define the IMSI prefix to allow within GTP requests.
Fields
• Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries are prepended with 0 to create a three-digit value.
• Mobile Network Code—Defines the two- or three-digit value identifying the network code.
• Add—Adds the specified country code and network code to the IMSI Prefix table.
• Delete—Deletes the specified country code and network code from the IMSI Prefix table.
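An IMSI begins with the mobile country code followed by the mobile network code, so the table above is a set of allowed prefixes. The following Python program is an added example, not ASA or ASDM code: it normalizes MCC and MNC entries using the padding rule stated in this dialog and checks constructed IMSIs against the table. Treating an empty table as imposing no restriction, and rejecting an IMSI that is not 5 to 15 digits, are assumptions made for the example.

```python
"""IMSI prefix filtering modelled in Python.  Added example, not ASA or ASDM
code: an IMSI starts with the 3-digit MCC followed by a 2- or 3-digit MNC, and
the filter permits a GTP request only when the IMSI begins with a configured
MCC/MNC pair.  MCC zero-padding follows the rule stated in the dialog; treating
an empty table as "no restriction" is an assumption made for this example."""


def normalize_mcc(mcc):
    """Accept one to three digits and pad with leading zeros; zero is rejected."""
    if not mcc.isdigit() or not 1 <= len(mcc) <= 3:
        raise ValueError("MCC must be one to three digits: %r" % mcc)
    mcc = mcc.zfill(3)
    if mcc == "000":
        raise ValueError("MCC must be non-zero")
    return mcc


def normalize_mnc(mnc):
    """MNC must be exactly two or three digits; no padding is applied."""
    if not mnc.isdigit() or len(mnc) not in (2, 3):
        raise ValueError("MNC must be two or three digits: %r" % mnc)
    return mnc


class ImsiPrefixTable:
    """The IMSI Prefix table: a set of (mcc, mnc) pairs."""

    def __init__(self):
        self.prefixes = set()

    def add(self, mcc, mnc):
        self.prefixes.add((normalize_mcc(mcc), normalize_mnc(mnc)))

    def delete(self, mcc, mnc):
        self.prefixes.discard((normalize_mcc(mcc), normalize_mnc(mnc)))

    def permits(self, imsi):
        """True when the IMSI begins with a configured MCC+MNC.  A two-digit
        MNC entry is a prefix match, so it also covers IMSIs whose MNC is three
        digits starting with those two."""
        if not imsi.isdigit() or not 5 <= len(imsi) <= 15:
            return False                       # malformed IMSI: never permitted
        if not self.prefixes:
            return True                        # assumption: empty table = no check
        return any(imsi.startswith(mcc + mnc) for mcc, mnc in self.prefixes)


def demo():
    """Constructed table and IMSIs (not real subscriber data)."""
    table = ImsiPrefixTable()
    table.add("310", "410")
    table.add("26", "01")          # padded to MCC 026
    return (table.permits("310410123456789"),
            table.permits("026011234567890"),
            table.permits("310260123456789"),
            sorted(table.prefixes))


if __name__ == "__main__":
    print(demo())
```

The third IMSI in demo() shares the MCC 310 but carries a different MNC, so it is refused; this is the distinction the Mobile Network Code field adds over a country-only filter.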
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
GTP Inspect Map Basic View
The GTP Inspect Map Basic View pane shows the configured settings for the GTP inspect map. The Advanced View lets you configure the settings.
Fields
• Name—Shows the name of the previously configured GTP map.
• Description—Enter the description of the GTP map, up to 200 characters in length.
• Security Level—Shows the current security settings.
  – Customize—Opens the Customize Security Level dialog box to configure the security settings.
  – Default Level—Sets the security level back to the default.
• IMSI Prefix Filtering—Opens the IMSI Prefix Filtering dialog box to configure IMSI prefix filters.
• Advanced View—Lets you configure the security settings.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
GTP Inspect Map Advanced View
The GTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields
• Name—Shows the name of the previously configured GTP map.
• Description—Enter the description of the GTP map, up to 200 characters in length.
• Permit Parameters—Tab that lets you configure the permit parameters for the GTP inspect map.
  – Object Groups to Add
      From object group—Specify an object group or use the browse button to open the Add Network Object Group dialog box.
      To object group—Specify an object group or use the browse button to open the Add Network Object Group dialog box.
  – Add—Add the specified country code and network code to the IMSI Prefix table.
  – Delete—Deletes the specified country code and network code from the IMSI Prefix table.
  – Permit Errors—Lets any packets that are invalid or that encountered an error during inspection be sent through the security appliance instead of being dropped. By default, all invalid packets or packets that failed during parsing are dropped.
• General Parameters—Tab that lets you configure the general parameters for the GTP inspect map.
  – Maximum Number of Requests—Lets you change the default for the maximum request queue size allowed. The default for the maximum request queue size is 200. Specifies the maximum number of GTP requests that will be queued waiting for a response. The permitted range is from 1 to 9999999.
  – Maximum Number of Tunnels—Lets you change the default for the maximum number of tunnels allowed. The default tunnel limit is 500. Specifies the maximum number of tunnels allowed. The permitted range is from 1 to 9999999 for the global overall tunnel limit.
  – Timeouts
      GSN timeout—Lets you change the default for the maximum period of inactivity before a GSN is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
      PDP-Context timeout—Lets you change the default for the maximum period of inactivity before receiving the PDP Context for a GTP session. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
      Request Queue—Lets you change the default for the maximum period of inactivity before receiving the GTP message during a GTP session. The default is 1 minute. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
      Signaling—Lets you change the default for the maximum period of inactivity before a GTP signaling is removed. The default is 30 minutes. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
      Tunnel—Lets you change the default for the maximum period of inactivity for the GTP tunnel. The default is 1 hour. Timeout is in the format hh:mm:ss, where hh specifies the hours, mm specifies the minutes, and ss specifies the seconds. A value of 0 means never tear down.
      Request timeout—Specifies the GTP Request idle timeout.
      T3-Response timeout—Specifies the maximum wait time for a response before removing the connection.
• IMSI Prefix Filtering—Tab that lets you configure the IMSI prefix filtering for the GTP inspect map.
  – Mobile Country Code—Defines the non-zero, three-digit value identifying the mobile country code. One- or two-digit entries are prepended with 0 to create a three-digit value.
  – Mobile Network Code—Defines the two- or three-digit value identifying the network code.
  – Add—Adds the specified country code and network code to the IMSI Prefix table.
  – Delete—Deletes the specified country code and network code from the IMSI Prefix table.
• Inspections—Tab that lets you configure the GTP inspect maps.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the GTP inspection.
  – Value—Shows the value to match in the GTP inspection.
  – Action—Shows the action if the match condition is met.
  – Log—Shows the log state.
  – Add—Opens the Add GTP Inspect dialog box to add a GTP inspection.
  – Edit—Opens the Edit GTP Inspect dialog box to edit a GTP inspection.
  – Delete—Deletes a GTP inspection.
  – Move Up—Moves an inspection up in the list.
  – Move Down—Moves an inspection down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Add/Edit GTP Map
The Add/Edit GTP Inspect dialog box lets you define the match criterion and value for the GTP inspect map.
Fields
• Match Type—Specifies whether traffic should match or not match the values.
  For example, if No Match is selected on the string "example.com," then any traffic that contains "example.com" is excluded from the class map.
• Criterion—Specifies which criterion of GTP traffic to match.
  – Access Point Name—Match on access point name.
  – Message ID—Match on the message ID.
  – Message Length—Match on the message length.
  – Version—Match on the version.
• Access Point Name Criterion Values—Specifies an access point name to be matched. By default, all messages with valid APNs are inspected, and any APN is allowed.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Action—Drop.
  – Log—Enable or disable.
• Message ID Criterion Values—Specifies the numeric identifier for the message that you want to match. The valid range is 1 to 255. By default, all valid message IDs are allowed.
  – Value—Specifies whether the value is an exact match or a range.
      Equals—Enter a value.
      Range—Enter a range of values.
  – Action—Drop packet or limit rate (pps).
  – Log—Enable or disable.
• Message Length Criterion Values—Lets you change the default for the maximum message length for the UDP payload that is allowed.
  – Minimum value—Specifies the minimum number of bytes in the UDP payload. The range is from 1 to 65536.
  – Maximum value—Specifies the maximum number of bytes in the UDP payload. The range is from 1 to 65536.
  – Action—Drop packet.
  – Log—Enable or disable.
• Version Criterion Values—Specifies the GTP version for messages that you want to match. The valid range is 0-255. Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses port 3386, while Version 1 uses port 2123. By default, all GTP versions are allowed.
  – Value—Specifies whether the value is an exact match or a range.
      Equals—Enter a value.
      Range—Enter a range of values.
  – Action—Drop packet.
  – Log—Enable or disable.
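The Message ID, Message Length and Version criteria are all decided from the first bytes of the UDP payload. The following Python program is an added example, not ASA or ASDM code: it reads the version and message type from the header fields that GTPv0 and GTPv1 share, validates Equals and Range values against the ranges this dialog states, evaluates an ordered list of Match/No Match rules, and notes when a version arrives on the other version's port. The rule set, the sample datagrams and the treatment of a No Match length rule as "drop everything outside the range" are assumptions made for the example.

```python
"""GTP match criteria (Message ID, Message Length, Version) from the Add/Edit
GTP Map dialog modelled in Python.  Added example, not ASA or ASDM code.  Only
the header fields common to GTPv0 and GTPv1 are read: the version is the top
three bits of the first byte and the message type is the second byte; the
"message length" is the whole UDP payload, as the dialog describes it."""

GTP_PORTS = {0: 3386, 1: 2123}   # per the dialog: Version 0 uses 3386, Version 1 uses 2123
VALID_RANGES = {"message-id": (1, 255), "message-length": (1, 65536), "version": (0, 255)}


def parse_gtp(payload):
    """Return (version, message_id, udp_payload_length); needs a full 8-byte header."""
    if len(payload) < 8:
        raise ValueError("GTP header is at least 8 bytes, got %d" % len(payload))
    return pay_version(payload), payload[1], len(payload)


def pay_version(payload):
    return payload[0] >> 5


class MatchRule:
    """One line of the Inspections table: criterion, Equals/Range value,
    action, log flag, and whether it is a Match or No Match rule."""

    def __init__(self, criterion, low, high=None, action="drop", log=False, no_match=False):
        self.criterion, self.low = criterion, low
        self.high = low if high is None else high          # Equals is a one-value range
        self.action, self.log, self.no_match = action, log, no_match
        lo_ok, hi_ok = VALID_RANGES[criterion]
        if not lo_ok <= self.low <= self.high <= hi_ok:
            raise ValueError("%s value %d-%d is outside %d-%d"
                             % (criterion, self.low, self.high, lo_ok, hi_ok))

    def matches(self, version, message_id, length):
        value = {"message-id": message_id, "message-length": length,
                 "version": version}[self.criterion]
        in_range = self.low <= value <= self.high
        return in_range != self.no_match      # No Match inverts the test


def inspect_message(payload, rules, udp_dst_port=None):
    """Evaluate the rules top-down as the Inspections table is ordered; return
    (action, criterion, notes) of the first hit, or (None, None, notes).
    notes flags a version that arrives on the other version's port."""
    version, message_id, length = parse_gtp(payload)
    notes = []
    expected_port = GTP_PORTS.get(version)
    if udp_dst_port is not None and expected_port not in (None, udp_dst_port):
        notes.append("version %d on port %d (expected %d)" % (version, udp_dst_port, expected_port))
    for rule in rules:
        if rule.matches(version, message_id, length):
            return rule.action, rule.criterion, notes
    return None, None, notes


# Constructed rule set (hypothetical policy for the example).
RULES = [
    MatchRule("version", 0, action="drop", log=True),                     # Equals 0: drop GTPv0
    MatchRule("message-id", 200, 255, action="drop"),                     # Range: drop high IDs
    MatchRule("message-length", 8, 1500, action="drop", no_match=True),   # No Match 8-1500
]

# Constructed sample datagrams (not captured traffic).
SAMPLE_V1_ECHO = bytes([0x32, 0x01, 0x00, 0x04, 0, 0, 0, 0, 0x00, 0x01, 0x00, 0x00])  # v1, type 1
SAMPLE_V0_CREATE_PDP = bytes([0x1E, 0x10]) + bytes(18)                                # v0, type 16
SAMPLE_V1_UNKNOWN = bytes([0x32, 0xFF, 0x00, 0x00, 0, 0, 0, 0])                       # v1, type 255
SAMPLE_V1_OVERSIZE = SAMPLE_V1_ECHO + bytes(1988)                                      # 2000 bytes

if __name__ == "__main__":
    for name, pkt in [("v1 echo", SAMPLE_V1_ECHO), ("v0 create", SAMPLE_V0_CREATE_PDP),
                      ("v1 unknown", SAMPLE_V1_UNKNOWN), ("v1 oversize", SAMPLE_V1_OVERSIZE)]:
        print(name, inspect_message(pkt, RULES, udp_dst_port=2123))
```

Because rules are evaluated in table order, the position chosen with Move Up and Move Down decides which action and log entry a message that matches several criteria receives; the first rule wins here as well.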
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
H.323 Inspect Map
The H.323 pane lets you view previously configured H.323 application inspection maps. An H.323 map lets you change the default configuration values used for H.323 application inspection.
H.323 inspection supports RAS, H.225, and H.245, and its functionality translates all embedded IP addresses and ports. It performs state tracking and filtering and can do a cascade of inspect function activation. H.323 inspection supports phone number filtering, dynamic T.120 control, H.245 tunneling control, protocol state tracking, H.323 call duration enforcement, and audio/video control.
Fields
• Name—Enter the name of the inspect map, up to 40 characters in length.
• Description—Enter the description of the inspect map, up to 200 characters in length.
• Security Level—Select the security level (low, medium, or high).
  – Low—Default.
      State Checking h225 Disabled
      State Checking ras Disabled
      Call Party Number Disabled
      Call duration Limit Disabled
      RTP conformance not enforced
  – Medium
      State Checking h225 Enabled
      State Checking ras Enabled
      Call Party Number Disabled
      Call duration Limit Disabled
      RTP conformance enforced
      Limit payload to audio or video, based on the signaling exchange: no
  – High
      State Checking h225 Enabled
      State Checking ras Enabled
      Call Party Number Enabled
      Call duration Limit 1:00:00
      RTP conformance enforced
      Limit payload to audio or video, based on the signaling exchange: yes
  – Customize—Opens the Customize Security Level dialog box for additional settings.
  – Default Level—Sets the security level back to the default level of Low.
  – Phone Number Filtering—Opens the Phone Number Filtering dialog box to configure phone number filters.
• H.323 Inspect Maps—Table that lists the defined H.323 inspect maps. The defined inspect maps are also listed in the H.323 area of the Inspect Maps tree.
• Add—Adds the new H.323 inspect map to the defined list in the H.323 Inspect Maps table and to the H.323 area of the Inspect Maps tree. To configure the new H.323 map, select the H.323 entry in the Inspect Maps tree.
• Delete—Deletes the application inspection map selected in the H.323 Inspect Maps table and from the H.323 area of the Inspect Maps tree.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Customize Security Level
The Customize Security Level dialog box lets you configure the security settings for previously configured H.323 application inspection maps.
Fields
• Settings—Specifies H.323 security settings and actions.
  – Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.
  – Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.
  – Enforce call duration limit—Enforces the absolute limit on a call.
      Call Duration Limit—Time limit for the call (hh:mm:ss).
  – Enforce presence of calling and called party numbers—Enforces sending call party numbers during call setup.
  – Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance.
      Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio or video based on the signaling exchange.
• Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  – Reset to—Specifies high, medium, or low security setting.
  – Reset—Resets settings to the selected level.
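Three of the settings above (H.225 state checking, the call duration limit and the presence of calling and called party numbers) can be shown as checks on a sequence of call-signalling messages. The following Python program is an added example, not ASA or ASDM code: it keeps a per-call state, rejects H.225 messages that are not valid in the current state, requires both party numbers in Setup, and tears the call down once it has been connected longer than the hh:mm:ss limit. The message names, the allowed transitions and the settings values are a simplified model chosen for the example; RAS checking and RTP conformance are not modelled.

```python
"""H.323 call-attribute checks from the Customize Security Level dialog
modelled in Python.  Added example, not ASA or ASDM code: H.225 state
transition checking, enforcement of calling/called party numbers in Setup, and
the absolute call duration limit (hh:mm:ss).  The H.225 message names and the
allowed transitions below are a simplified model chosen for this example."""

# Simplified H.225 call-signalling state machine (an assumption of this example).
TRANSITIONS = {
    ("idle", "Setup"): "setup",
    ("setup", "CallProceeding"): "proceeding",
    ("setup", "Alerting"): "alerting",
    ("setup", "Connect"): "connected",
    ("setup", "ReleaseComplete"): "idle",
    ("proceeding", "Alerting"): "alerting",
    ("proceeding", "Connect"): "connected",
    ("proceeding", "ReleaseComplete"): "idle",
    ("alerting", "Connect"): "connected",
    ("alerting", "ReleaseComplete"): "idle",
    ("connected", "ReleaseComplete"): "idle",
}

# Constructed settings; the duration is the dialog's High-level value.
SETTINGS = {
    "check_h225_state": True,
    "enforce_party_numbers": True,
    "call_duration_limit": "01:00:00",   # "0" disables the limit
}


def duration_seconds(text):
    """'hh:mm:ss' -> seconds; '0' or '00:00:00' -> None (no limit)."""
    parts = [int(p) for p in text.split(":")]
    total = parts[0] if len(parts) == 1 else parts[0] * 3600 + parts[1] * 60 + parts[2]
    return None if total == 0 else total


class H225Call:
    """Tracks one call; messages are accepted (None) or dropped with a reason."""

    def __init__(self, settings=SETTINGS):
        self.s = settings
        self.state = "idle"
        self.connected_at = None
        self.limit = duration_seconds(settings["call_duration_limit"])

    def check_duration(self, now):
        """Tear the call down once it has been connected longer than the limit."""
        if self.limit is not None and self.connected_at is not None \
                and now - self.connected_at > self.limit:
            self.state, self.connected_at = "idle", None
            return "call-duration-exceeded"
        return None

    def on_message(self, name, now, calling=None, called=None):
        over = self.check_duration(now)
        if over:
            return over
        if self.s["check_h225_state"]:
            nxt = TRANSITIONS.get((self.state, name))
            if nxt is None:
                return "invalid-transition:%s@%s" % (name, self.state)
        else:   # no state checking: only remember the milestones
            nxt = {"Setup": "setup", "Connect": "connected",
                   "ReleaseComplete": "idle"}.get(name, self.state)
        if name == "Setup" and self.s["enforce_party_numbers"] and not (calling and called):
            return "missing-party-number"
        self.state = nxt
        if name == "Connect":
            self.connected_at = now
        elif nxt == "idle":
            self.connected_at = None
        return None


def demo():
    """Constructed call flow with a 30-second limit so every check fires once."""
    call = H225Call(dict(SETTINGS, call_duration_limit="00:00:30"))
    results = [
        call.on_message("Connect", 0),                               # no Setup yet
        call.on_message("Setup", 0, calling="1001"),                 # called number absent
        call.on_message("Setup", 0, calling="1001", called="2002"),
        call.on_message("Alerting", 1),
        call.on_message("Connect", 2),
        call.check_duration(20),                                     # 18 s, within limit
        call.check_duration(40),                                     # 38 s, torn down
        call.on_message("Setup", 50, calling="1001", called="2002"),  # a new call may start
    ]
    return results, call.state


if __name__ == "__main__":
    print(demo())
```

With check_h225_state disabled the same object accepts a Connect without a preceding Setup, which is what the Low level's "State Checking h225 Disabled" entry in the H.323 Inspect Map pane amounts to.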
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
Phone Number Filtering
The Phone Number Filtering dialog box lets you configure the settings for a phone number filter.
Fields
• Match Type—Shows the match type, which can be a positive or negative match.
• Criterion—Shows the criterion of the inspection.
• Value—Shows the value to match in the inspection.
• Action—Shows the action if the match condition is met.
• Log—Shows the log state.
• Add—Opens the Add Phone Number Filter dialog box to add a phone number filter.
• Edit—Opens the Edit Phone Number Filter dialog box to edit a phone number filter.
• Delete—Deletes a phone number filter.
• Move Up—Moves an entry up in the list.
• Move Down—Moves an entry down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
H.323 Inspect Map Basic View
The H.323 Inspect Map Basic View pane shows the configured settings for the H.323 inspect map. The Advanced View lets you configure the settings.
Fields
• Name—Shows the name of the previously configured H.323 map.
• Description—Enter the description of the H.323 map, up to 200 characters in length.
• Security Level—Shows the current security settings.
  – Customize—Opens the Customize Security Level dialog box to configure the security settings.
  – Default Level—Sets the security level back to the default.
• Phone Number Filtering—Opens the Phone Number Filtering dialog box, which lets you configure the settings for a phone number filter.
• Advanced View—Lets you configure the security settings.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode        | Security Context
Routed | Transparent | Single | Multiple: Context | Multiple: System
•      | •           | •      | •                 | —
H.323 Inspect Map Advanced View
The H.323 Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields
• Name—Shows the name of the previously configured H.323 map.
• Description—Enter the description of the H.323 map, up to 200 characters in length.
• State Checking—Tab that lets you configure state checking parameters for the H.323 inspect map.
  – Check state transition of H.225 messages—Enforces H.323 state checking on H.225 messages.
  – Check state transition of RAS messages—Enforces H.323 state checking on RAS messages.
• Call Attributes—Tab that lets you configure call attributes parameters for the H.323 inspect map.
  – Enforce call duration limit—Enforces the absolute limit on a call.
      Call Duration Limit—Time limit for the call (hh:mm:ss).
  – Enforce presence of calling and called party numbers—Enforces sending call party numbers during call setup.
• Tunneling and Protocol Conformance—Tab that lets you configure tunneling and protocol conformance parameters for the H.323 inspect map.
  – Check for H.245 tunneling—Allows H.245 tunneling.
      Action—Drop connection or log.
  – Check RTP packets for protocol conformance—Checks RTP/RTCP packets on the pinholes for protocol conformance.
      Limit payload to audio or video, based on the signaling exchange—Enforces the payload type to be audio or video based on the signaling exchange.
• HSI Group Parameters—Tab that lets you configure an HSI group.
  – HSI Group ID—Shows the HSI Group ID.
  – IP Address—Shows the HSI Group IP address.
  – Endpoints—Shows the HSI Group endpoints.
  – Add—Opens the Add HSI Group dialog box to add an HSI group.
  – Edit—Opens the Edit HSI Group dialog box to edit an HSI group.
  – Delete—Deletes an HSI group.
• Inspections—Tab that shows the H.323 inspection configuration and lets you add or edit inspections.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the H.323 inspection.
  – Value—Shows the value to match in the H.323 inspection.
  – Action—Shows the action if the match condition is met.
  – Log—Shows the log state.
  – Add—Opens the Add H.323 Inspect dialog box to add an H.323 inspection.
  – Edit—Opens the Edit H.323 Inspect dialog box to edit an H.323 inspection.
  – Delete—Deletes an H.323 inspection.
  – Move Up—Moves an inspection up in the list.
  – Move Down—Moves an inspection down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
Add/Edit HSI Group
The Add/Edit HSI Group dialog box lets you configure HSI Groups.
Fields
• Group ID—Enter the HSI group ID.
• IP Address—Enter the HSI IP address.
• Endpoints—Lets you configure the IP address and interface of the endpoints.
  – IP Address—Enter an endpoint IP address.
  – Interface—Specifies an endpoint interface.
• Add—Adds the HSI group defined.
• Delete—Deletes the selected HSI group.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
Add/Edit H.323 Map
The Add/Edit H.323 Inspect dialog box lets you define the match criterion and value for the H.323 inspect map.
Fields
• Single Match—Specifies that the H.323 inspect has only one match statement.
• Match Type—Specifies whether traffic should match or not match the values.
  For example, if No Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
• Criterion—Specifies which criterion of H.323 traffic to match.
  – Called Party—Match the called party.
  – Calling Party—Match the calling party.
  – Media Type—Match the media type.
• Called Party Criterion Values—Specifies to match on the H.323 called party.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Calling Party Criterion Values—Specifies to match on the H.323 calling party.
  – Regular Expression—Lists the defined regular expressions to match.
  – Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
  – Regular Expression Class—Lists the defined regular expression classes to match.
  – Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
• Media Type Criterion Values—Specifies which media type to match.
  – Audio—Match audio type.
  – Video—Match video type.
  – Data—Match data type.
• Multiple Matches—Specifies multiple matches for the H.323 inspection.
  – H.323 Traffic Class—Specifies the H.323 traffic class match.
  – Manage—Opens the Manage H.323 Class Maps dialog box to add, edit, or delete H.323 class maps.
• Action—Drop packet, drop connection, or reset.
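To make the semantics of the Call Attributes tab (call duration limit, required party numbers) and of the Add/Edit H.323 Inspect entries (criterion, value, Match Type, action, log) concrete, here is an added Python model of how one call is evaluated against such a policy. It is example code written for this page, not ASDM or ASA code; the H323Call, CallAttributes, H323Match, and inspect_h323 names, the sample call records, and the drop-connection action for the two attribute checks are assumptions of the example, and it records every matching Inspections row in list order because the device's precedence among several hits is not described here.

```python
import re
from dataclasses import dataclass


@dataclass
class H323Call:
    """Constructed view of one call after H.225 setup and H.245 negotiation (not captured traffic)."""
    called_party: str
    calling_party: str
    media_types: set          # subset of {"audio", "video", "data"}
    duration_sec: int


@dataclass
class CallAttributes:
    """The Call Attributes tab: duration limit and presence of party numbers."""
    enforce_call_duration: bool = False
    call_duration_limit: str = "00:00:00"   # hh:mm:ss, as entered in the GUI
    enforce_party_numbers: bool = False


@dataclass
class H323Match:
    """One row of the Inspections table, i.e. one Add/Edit H.323 Inspect entry."""
    criterion: str            # "called-party" | "calling-party" | "media-type"
    value: str                # regular expression for party criteria; audio/video/data for media type
    action: str               # "drop-packet" | "drop-connection" | "reset"
    negate: bool = False      # Match Type "No Match" inverts the criterion
    log: bool = False


def hms_to_seconds(hms: str) -> int:
    """Convert the GUI's hh:mm:ss duration into seconds."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def criterion_hit(m: H323Match, call: H323Call) -> bool:
    """Evaluate one entry; "No Match" means the entry fires when the criterion does NOT match."""
    if m.criterion == "called-party":
        raw = re.search(m.value, call.called_party) is not None
    elif m.criterion == "calling-party":
        raw = re.search(m.value, call.calling_party) is not None
    elif m.criterion == "media-type":
        raw = m.value in call.media_types
    else:
        raise ValueError(f"unknown criterion {m.criterion!r}")
    return (not raw) if m.negate else raw


def inspect_h323(call: H323Call, attrs: CallAttributes, matches) -> list:
    """Return (reason, action) verdicts for one call; an empty list means the call passes.

    Assumption of this model: the two Call Attributes checks act with drop-connection
    (the page does not state their action). Inspections rows are evaluated in list
    order (the Move Up / Move Down order) and every hit is recorded.
    """
    verdicts = []
    if attrs.enforce_party_numbers and not (call.called_party and call.calling_party):
        verdicts.append(("calling or called party number missing in call setup", "drop-connection"))
    if attrs.enforce_call_duration and call.duration_sec > hms_to_seconds(attrs.call_duration_limit):
        verdicts.append((f"call longer than {attrs.call_duration_limit}", "drop-connection"))
    for m in matches:
        if criterion_hit(m, call):
            kind = "no-match" if m.negate else "match"
            verdicts.append((f"{m.criterion} {kind} {m.value!r}", m.action + (" log" if m.log else "")))
    return verdicts


# Constructed policy: one-hour limit, party numbers required, three inspection rows.
SAMPLE_ATTRS = CallAttributes(enforce_call_duration=True, call_duration_limit="01:00:00",
                              enforce_party_numbers=True)
SAMPLE_MATCHES = [
    H323Match("called-party", r"^1900", "drop-connection", log=True),     # block a constructed prefix
    H323Match("calling-party", r"^1415", "drop-connection", negate=True),  # "No Match": allow only 1415 callers
    H323Match("media-type", "data", "drop-packet"),                        # no data channels
]

if __name__ == "__main__":
    ok_call = H323Call("14085550100", "14155550199", {"audio", "video"}, duration_sec=600)
    bad_call = H323Call("19005550123", "", {"audio", "data"}, duration_sec=7200)
    print(inspect_h323(ok_call, SAMPLE_ATTRS, SAMPLE_MATCHES))    # []
    print(inspect_h323(bad_call, SAMPLE_ATTRS, SAMPLE_MATCHES))   # five verdicts
```

The second inspection row shows why Match Type matters: with "No Match" on the calling-party expression, the entry fires for every caller that does not carry the prefix, which is the inverse of what the same expression does as a positive match.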
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
HTTP Inspect Map
The HTTP pane lets you view previously configured HTTP application inspection maps. An HTTP map lets you change the default configuration values used for HTTP application inspection.
HTTP application inspection scans HTTP headers and body, and performs various checks on the data. These checks prevent various HTTP constructs, content types, and tunneling and messaging protocols from traversing the security appliance.
HTTP application inspection can block tunneled applications and non-ASCII characters in HTTP requests and responses, preventing malicious content from reaching the web server. Size limiting of various elements in HTTP request and response headers, URL blocking, and HTTP server header type spoofing are also supported.
Fields
• Name—Enter the name of the inspect map, up to 40 characters in length.
• Description—Enter the description of the inspect map, up to 200 characters in length.
• Security Level—Select the security level (low, medium, or high).
  – Low—Default.
    Protocol violation action: Drop connection
    Drop connections for unsafe methods: Disabled
    Drop connections for requests with non-ASCII headers: Disabled
    URI filtering: Not configured
    Advanced inspections: Not configured
  – Medium
    Protocol violation action: Drop connection
    Drop connections for unsafe methods: Allow only GET, HEAD, and POST
    Drop connections for requests with non-ASCII headers: Disabled
    URI filtering: Not configured
    Advanced inspections: Not configured
  – High
    Protocol violation action: Drop connection and log
    Drop connections for unsafe methods: Allow only GET and HEAD
    Drop connections for requests with non-ASCII headers: Enabled
    URI filtering: Not configured
    Advanced inspections: Not configured
  – Customize—Opens the Customize Security Level dialog box for additional settings.
  – Default Level—Sets the security level back to the default level of Medium.
  – URI Filtering—Opens the URI Filtering dialog box to configure URI filters.
• HTTP Inspect Maps—Table that lists the defined HTTP inspect maps. The defined inspect maps are also listed in the HTTP area of the Inspect Maps tree.
• Add—Adds the new HTTP inspect map to the defined list in the HTTP Inspect Maps table and to the HTTP area of the Inspect Maps tree. To configure the new HTTP map, select the HTTP entry in the Inspect Maps tree.
• Delete—Deletes the application inspection map selected in the HTTP Inspect Maps table and from the HTTP area of the Inspect Maps tree.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
Customize Security Level
The Customize Security Level dialog box lets you configure the security settings for previously configured HTTP application inspection maps.
Fields
• Settings—Specifies HTTP security settings and actions.
  – Check for protocol violations—Checks for HTTP protocol violations.
    Action—Drop Connection, Reset, Log.
    Log—Enable or disable.
  – Drop connections for unsafe methods—Checks for unsafe methods and drops the connection.
    Allow Only—Either GET and HEAD, or GET, HEAD, and POST.
  – Drop connections for requests with non-ASCII headers—Checks for non-ASCII characters in the message header.
• Reset to predefined security level—Resets the security level settings to the predefined levels of high, medium, or low. Default is low.
  – Reset to—Specifies high, medium, or low security setting.
  – Reset—Resets settings to the selected level.
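The three security levels listed in the HTTP Inspect Map pane and the three checks in the Customize Security Level dialog (protocol violations, unsafe methods with Allow Only, non-ASCII headers) describe a request-side policy; the Add/Edit HTTP Map dialog later on this page adds per-criterion match rows (request method, header count, URI length, non-ASCII header) with the same Match Type inversion. The following added Python example applies such a policy to constructed HTTP request heads. It is example code written for this page, not ASDM or ASA code: the Low/Medium/High values are copied from the pane above, while the SECURITY_LEVELS, HttpMatch, parse_request, and inspect_http names, the criterion strings, the sample requests, the minimal request-line parser standing in for the appliance's protocol-violation check, and the recording of every hit in list order are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Security levels exactly as listed in the HTTP Inspect Map pane: protocol violation
# action (and whether it logs), "Allow Only" methods, and the non-ASCII header check.
SECURITY_LEVELS = {
    "low":    dict(violation_action="drop-connection", violation_log=False,
                   allow_only=None,                    drop_non_ascii=False),
    "medium": dict(violation_action="drop-connection", violation_log=False,
                   allow_only={"GET", "HEAD", "POST"}, drop_non_ascii=False),
    "high":   dict(violation_action="drop-connection", violation_log=True,
                   allow_only={"GET", "HEAD"},         drop_non_ascii=True),
}


@dataclass
class HttpMatch:
    """One Inspections row: criterion, value, action, Match Type (negate) and Log."""
    criterion: str      # request-method-regex | request-header-count-gt |
                        # request-uri-length-gt | request-header-non-ascii
    value: str          # regular expression or threshold; ignored for non-ascii
    action: str         # drop-connection | reset | log
    negate: bool = False
    log: bool = False


REQUEST_LINE = re.compile(rb"^([A-Za-z]+) (\S+) HTTP/1\.[01]$")


def parse_request(raw: bytes):
    """Return (method, uri, [(name, value), ...]) or raise ValueError on a protocol violation.

    This is a minimal stand-in for the appliance's parser (assumption of the example):
    a bad request line or header line counts as a protocol violation.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by an empty line")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError("malformed header line")
        headers.append((name.strip(), value.strip()))
    return m.group(1).decode("ascii"), m.group(2), headers


def has_non_ascii(headers) -> bool:
    """True if any header name or value carries a byte above 0x7F."""
    return any(b > 0x7F for name, value in headers for b in name + value)


def match_hit(m: HttpMatch, method: str, uri: bytes, headers) -> bool:
    """Evaluate one Inspections row; "No Match" inverts the result."""
    if m.criterion == "request-method-regex":
        raw = re.search(m.value, method) is not None
    elif m.criterion == "request-header-count-gt":
        raw = len(headers) > int(m.value)
    elif m.criterion == "request-uri-length-gt":
        raw = len(uri) > int(m.value)
    elif m.criterion == "request-header-non-ascii":
        raw = has_non_ascii(headers)
    else:
        raise ValueError(f"unsupported criterion {m.criterion!r}")
    return (not raw) if m.negate else raw


def inspect_http(raw: bytes, level: str, matches=()) -> list:
    """Apply the security-level settings, then each Inspections row, to one request head.

    Returns (reason, action) verdicts; an empty list means the request passes.
    """
    policy = SECURITY_LEVELS[level]
    try:
        method, uri, headers = parse_request(raw)
    except ValueError as err:
        action = policy["violation_action"] + (" and log" if policy["violation_log"] else "")
        return [(f"protocol violation: {err}", action)]
    verdicts = []
    allowed = policy["allow_only"]
    if allowed is not None and method.upper() not in allowed:
        verdicts.append((f"unsafe method {method}", "drop-connection"))
    if policy["drop_non_ascii"] and has_non_ascii(headers):
        verdicts.append(("non-ASCII characters in request headers", "drop-connection"))
    for m in matches:   # list order is the Move Up / Move Down order; every hit is recorded
        if match_hit(m, method, uri, headers):
            verdicts.append((f"{m.criterion} {m.value}", m.action + (" log" if m.log else "")))
    return verdicts


# Constructed sample request heads (not captured traffic).
SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
SAMPLE_PUT = b"PUT /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n"
SAMPLE_NON_ASCII = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Name: caf\xc3\xa9\r\n\r\n"
SAMPLE_BAD = b"GARBAGE\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GET", SAMPLE_GET), ("PUT", SAMPLE_PUT),
                      ("non-ASCII", SAMPLE_NON_ASCII), ("bad", SAMPLE_BAD)]:
        for level in SECURITY_LEVELS:
            print(f"{name:10} {level:7} {inspect_http(req, level)}")
```

Running the block shows the effect of the level alone: the PUT request passes at Low, is dropped at Medium and High, and the request with a UTF-8 header value is dropped only at High, where the non-ASCII check is enabled and the protocol-violation action also logs.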
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
URI Filtering
The URI Filtering dialog box lets you configure the settings for a URI filter.
Fields
• Match Type—Shows the match type, which can be a positive or negative match.
• Criterion—Shows the criterion of the inspection.
• Value—Shows the value to match in the inspection.
• Action—Shows the action if the match condition is met.
• Log—Shows the log state.
• Add—Opens the Add URI Filtering dialog box to add a URI filter.
• Edit—Opens the Edit URI Filtering dialog box to edit a URI filter.
• Delete—Deletes a URI filter.
• Move Up—Moves an entry up in the list.
• Move Down—Moves an entry down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
HTTP Inspect Map Basic View
The HTTP Inspect Map Basic View pane shows the configured settings for the HTTP inspect map. The Advanced View lets you configure the settings.
Fields
• Name—Shows the name of the previously configured HTTP map.
• Description—Enter the description of the HTTP map, up to 200 characters in length.
• Security Level—Shows the current security settings.
  – Customize—Opens the Customize Security Level dialog box to configure the security settings.
  – Default Level—Sets the security level back to the default.
• URI Filtering—Opens the URI Filtering dialog box, which lets you configure the settings for a URI filter.
• Advanced View—Lets you configure the security settings.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
HTTP Inspect Map Advanced View
The HTTP Inspect Map Advanced View pane lets you configure the settings for the inspect map.
Fields
• Name—Shows the name of the previously configured HTTP map.
• Description—Enter the description of the HTTP map, up to 200 characters in length.
• Parameters—Tab that lets you configure the parameters for the HTTP inspect map.
  – Check for protocol violations—Checks for HTTP protocol violations.
    Action—Drop Connection, Reset, Log.
    Log—Enable or disable.
  – Spoof server string—Replaces the server HTTP header value with the specified string.
    Spoof String—Enter a string to substitute for the server header field. Maximum is 82 characters.
  – Body Match Maximum—The maximum number of characters in the body of an HTTP message that should be searched in a body match. Default is 200 bytes. A large number will have a significant impact on performance.
• Inspections—Tab that shows you the HTTP inspection configuration and lets you add or edit.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the HTTP inspection.
  – Value—Shows the value to match in the HTTP inspection.
  – Action—Shows the action if the match condition is met.
  – Log—Shows the log state.
  – Add—Opens the Add HTTP Inspect dialog box to add an HTTP inspection.
  – Edit—Opens the Edit HTTP Inspect dialog box to edit an HTTP inspection.
  – Delete—Deletes an HTTP inspection.
  – Move Up—Moves an inspection up in the list.
  – Move Down—Moves an inspection down in the list.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode          | Security Context
Routed | Transparent   | Single | Multiple (Context) | Multiple (System)
•      | •             | •      | •                  | —
Add/Edit HTTP Map
The Add/Edit HTTP Inspect dialog box lets you define the match criterion and value for the HTTP inspect map.
Fields
• Single Match—Specifies that the HTTP inspect has only one match statement.
• Match Type—Specifies whether traffic should match or not match the values.
  For example, if No Match is selected on the string "example.com", then any traffic that contains "example.com" is excluded from the class map.
• Criterion—Specifies which criterion of HTTP traffic to match.
  – Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.
  – Request Arguments—Applies the regular expression match to the arguments of the request.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class—Lists the defined regular expression classes to match.
    Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified.
    Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.
  – Request Body—Applies the regular expression match to the body of the request.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class—Lists the defined regular expression classes to match.
    Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields.
    Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Greater Than Count—Enter the maximum number of header fields.
  – Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified.
    Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Greater Than Length—Enter a field length value in bytes that request field lengths will be matched against.
  – Request Header Field—Applies the regular expression match to the header of the request.
    Predefined—Specifies the request header fields: accept, accept-charset, accept-encoding, accept-language, allow, authorization, cache-control, connection, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, date, expect, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, last-modified, max-forwards, pragma, proxy-authorization, range, referer, te, trailer, transfer-encoding, upgrade, user-agent, via, warning.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class—Lists the defined regular expression classes to match.
    Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers.
    Greater Than Count—Enter the maximum number of headers.
  – Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified.
    Greater Than Length—Enter a header length value in bytes.
  – Request Header non-ASCII—Matches non-ASCII characters in the header of the request.
  – Request Method—Applies the regular expression match to the method of the request.
    Method—Specifies to match on a request method: bcopy, bdelete, bmove, bpropfind, bproppatch, connect, copy, delete, edit, get, getattribute, getattributenames, getproperties, head, index, lock, mkcol, mkdir, move, notify, options, poll, post, propfind, proppatch, put, revadd, revlabel, revlog, revnum, save, search, setattribute, startrev, stoprev, subscribe, trace, unedit, unlock, unsubscribe.
    Regular Expression—Specifies to match on a regular expression.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class—Lists the defined regular expression classes to match.
    Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified.
    Greater Than Length—Enter a URI length value in bytes.
  – Request URI—Applies the regular expression match to the URI of the request.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class—Lists the defined regular expression classes to match.
    Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Response Body—Applies the regular expression match to the body of the response.
    ActiveX—Specifies to match on ActiveX.
    Java Applet—Specifies to match on a Java Applet.
    Regular Expression—Specifies to match on a regular expression.
    Regular Expression—Lists the defined regular expressions to match.
    Manage—Opens the Manage Regular Expressions dialog box, which lets you configure regular expressions.
    Regular Expression Class—Lists the defined regular expression classes to match.
    Manage—Opens the Manage Regular Expression Class dialog box, which lets you configure regular expression class maps.
  – Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified.