User Guide for Cisco Security Manager 3.1
Firewall Services User Interface Reference

Table Of Contents

Firewall Services User Interface Reference

Access Rules Page

Add and Edit Access Rule Dialog Boxes

Advanced Dialog Box

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Firewall Option Dialog Box

Edit Interfaces Dialog Box

Show Interface Contents Dialog Box

Edit Category Dialog Box

Edit Description Dialog Box

Inspection Rules Page

Add and Edit Inspection Rule Dialog Boxes

Add Inspect/Application FW Rule > Match Traffic to Protocol Page

Limit Inspection Between Source and Destination IP Addresses (ASA, FWSM 3.x) Page

Match Traffic by Custom Destination Ports Page

Match Traffic by Destination Address and Port (IOS) Page

Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Interfaces Dialog Box

Show Interface Contents Dialog Box

Edit Inspected Protocol Dialog Box

Configure DNS Dialog Box

Configure SMTP Dialog Box

Custom Protocol Dialog Box

Configure ESMTP Dialog Box

Configure Fragments Dialog Box

Configure IMAP Dialog Box

Configure POP3 Dialog Box

Configure RPC Dialog Box

Configuring Protocol Platform Dialog Box

Edit Category Dialog Box

Edit Description Dialog Box

AAA Rules Page

Add and Edit AAA Rules Dialog Boxes

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Interfaces Dialog Box

Show Interface Contents Dialog Box

Edit AAA Option Dialog Box

AuthProxy Dialog Box

Edit AAA Server Group Dialog Box

Edit Category Dialog Box

Edit Description Dialog Box

Web Filter Rules Page (PIX/ASA)

Add and Edit PIX/FWSM/ASA Rules Dialog Boxes

Edit Sources Dialog Box

Show Source Contents Dialog Box

Edit Destinations Dialog Box

Show Destination Contents Dialog Box

Edit Service Dialog Box

Show Service Contents Dialog Box

Edit Web Filter Type Dialog Box

Edit Web Filter Options Dialog Box

Edit Category Dialog Box

Edit Description Dialog Box

Web Filter Rules Page (IOS)

Web Filter Rules Tab

Exclusive Domains Tab

IOS Web Filter Rule and Applet Scanner Dialog Box

Exclusive Domain Name Dialog Box

Transparent Rules Page

Add and Edit Transparent Firewall Rule Dialog Boxes

Edit Transparent EtherType Dialog Box

Edit Transparent Mask Dialog Box

Edit Interfaces Dialog Box

Edit Description Dialog Box

Edit Category Dialog Box

Firewall Settings

Access Control Page

Firewall ACL Setting Dialog Box

Inspection Page

AAA Firewall > Advanced Setting Page

AAA Firewall > Advanced Setting > Clear Connection Configuration Dialog Box

AAA Firewall > MAC-Exempt List Page

AAA Firewall > MAC-Exempt List > Firewall AAA MAC Exempt Setting Dialog Box

AuthProxy Page

AuthProxy General Tab (IOS)

AuthProxy Timeout Tab (IOS)

Web Filter Page

Web Filter Server Configuration Dialog Box

Add and Edit Rule Section Dialog Boxes

Find and Replace Page

Analysis Reports Page

Import Rules - Enter Parameters Dialog Box

Import Rules - Status Page

Import Rules - Preview Page

Import Rules - Preview Page (Rules Tab)

Importing Rules - Preview Page (Objects Tab)

Policy Query Page

Policy Query Results Page

Hit Count Selection Summary Dialog Box

Hit Count Summary Results Page

Combine Rules Selection Summary Dialog Box

Combined Rules Results Summary

Rule Combiner Detail Report


Firewall Services User Interface Reference


The Firewall Services general reference contains the following topics:

Access Rules Page

Inspection Rules Page

AAA Rules Page

Web Filter Rules Page (PIX/ASA)

Web Filter Rules Page (IOS)

Transparent Rules Page

Firewall Settings

Add and Edit Rule Section Dialog Boxes

Find and Replace Page

Analysis Reports Page

Import Rules - Enter Parameters Dialog Box

Policy Query Page

Hit Count Selection Summary Dialog Box

Combine Rules Selection Summary Dialog Box

Access Rules Page

Use the Access Rules page to identify access rules managed by Security Manager. For more information, see Understanding Access Rules, page 12-49.

From the Access Rules page, you can add, edit, and delete rules. You perform these tasks using the shortcut menu (opened by right-clicking a table cell), the shortcut keys, or the buttons located below the table.

You can reorder rules, and enable or disable rules in the table using the shortcut menu. You can also determine if objects used in rules are referenced by other policies and devices using the shortcut menu.

Navigation Path

To access the Access Rules page, do one of the following:

(Device view) Select a device, then select Firewall > Access Rules from the Device selector.

(Policy view) Select Firewall > Access Rules from the Policy selector.

Related Topics

Understanding Access Rules, page 12-49

Using Analysis, page 12-6

Combining Rules, page 12-11

Using Find and Replace, page 12-18

Using Hit Count, page 12-24

Importing Rules, page 12-32

Using Policy Query, page 12-37

Understanding Rule Table Sections, page 12-44

Field Reference

Table J-1 Access Rules Page 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

No.

Identifies the ordered rule number in the table.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

Permit—Shown as a green check mark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255, and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Destination

Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Service

Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding Service Objects, page 8-158.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-114.

For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. The access-group command is generated for the interface role selected.

Dir.

Direction. Identifies traffic direction within a network. Direction is always associated with an interface:

In—Packets entering a network.

Out—Packets exiting a network.

Note The out direction parameter is not supported on PIX 6.3 devices. If you enter a rule and define the direction as "out," a warning message results during activity validation and the rule is ignored.

Options

Displays additional options that are configured during the process of defining an access rule. Options vary depending on the platform selected.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.

Note No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button

Provides you with a list of tools for generating various reports and initializes the process for importing rules into Security Manager.

Menu items are:

Analysis—Invokes a utility that identifies rules that overlap or conflict with other rules. Analysis results are displayed in a report. See Using Analysis, page 12-6.

Combine Rules—Invokes a utility to combine rules in tables, thus improving performance and memory usage. See Combining Rules, page 12-11.

Hit Count—Invokes a utility that collects hit count information for access lists deployed on a device. The generated report identifies the number of times that traffic for a device is permitted or denied based on an access rule. Hit count information is useful in debugging the deployed policies.

Hit Count reports can be generated for a single access rule or for all rules in the table. See Using Hit Count, page 12-24.

Import Rules—Enables you to import rules (ACEs) by pasting them from an external application to the access rule table in Security Manager. See Importing Rules, page 12-32.

Query—Invokes a utility to run queries against existing rules in a rule table. Query results are displayed in a report. See Using Policy Query, page 12-37.

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Using Find and Replace, page 12-18.

Up button

Moves a rule up one row in the table.

Select a rule in the table to activate the appropriate buttons.

Down button

Moves a rule down one row in the table.

Select a rule in the table to activate the appropriate buttons.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Save button

Saves your changes to the server, but keeps them private.

Note To publish your changes, click the Submit icon on the toolbar.


Add and Edit Access Rule Dialog Boxes

Use the Add and Edit Firewall Rule dialog boxes to add and edit access rules.


Note The same dialog box is used for adding and editing access rules.


Navigation Path
To access the Add and Edit Firewall Rule dialog boxes, do one of the following:

(Device view) Select a device, then select Firewall > Access Rules from the Device selector. Right-click inside the work area, then select Add Row or right-click a row, then select Edit Row.

(Policy view) Select Firewall > Access Rules from the Policy selector. Right-click inside the work area, then select Add Row or right-click a row, then select Edit Row.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Interface Role Objects, page 8-114

Understanding Network/Host Objects, page 8-126

Understanding Service Objects, page 8-158

Understanding Category Objects, page 8-48

Field Reference

Table J-2 Add and Edit Access Rule Dialog Boxes 

Element (1)
Description
Edit Firewall Rule

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

An enabled rule is shown without hash marks.

A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices for platforms that do not support the "inactive" flag; however, it is retained in the rules table for debugging purposes.

Note The inactive flag is supported on PIX/ASA 7.0 platforms.

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic

Deny—Denies traffic

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the source object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the destination object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Services*

Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. Accepted formats are:

<protocol>, where protocol is a number from 1-255 or a well-known protocol string, for example, tcp, udp, or gre.

icmp/<icmp_message_type>, where icmp_message_type is a number from 1-255 or a well-known ICMP message type name.

tcp | udp | tcp & udp / <port_number>, where port_number is 1-65535. The port number is the destination port; the source port is the default port range.

tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a named port list object.

tcp | udp | tcp & udp / <port_number> | <PortListObject> / <port_number> | <PortListObject>. Using this format, you explicitly specify source ports outside of the default port range.

Freeform text that is the name of a service object.

Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Interfaces*

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. The access-group command is generated for the interface role selected.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables.

Note No commands are generated for the category attribute.

Advanced button

Opens the Advanced dialog box. See Table J-3.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

(1) An asterisk indicates that the field is required.


Advanced Dialog Box

Use the Advanced dialog box to configure optional settings to be applied to access rules.

Navigation Path
To access the Advanced dialog box, do one of the following:

(Device view) Select a device, then select Firewall > Access Rules from the Device selector. Right-click inside the work area, then select Add Row or right-click a row, then select Edit Row. Click the Advanced button.

(Policy view) Select Firewall > Access Rules from the Policy selector. Right-click inside the work area, then select Add Row or right-click a row, then select Edit Row. Click the Advanced button.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-60

Understanding Time Range Objects, page 8-172

Field Reference

Table J-3 Advanced Dialog Box 

Element
Description
Log Options

Enable Logging (PIX, ASA, FWSM)

When selected, activates syslog generation for the generated ACEs.

Default Logging—Enables you to select default logging behavior of the device. If a packet is denied, message 106023 is generated. If a packet is permitted, no syslog message is generated.

Per ACE Logging—Enables you to select logging level and interval information for each ACE.

Note If the logging level is specified, syslog message 106100 is generated for the ACE to which it is applied.

Level

Identifies the type of syslog message used to log events for an ACE.

Emergency—(0) System is unstable

Alert—(1) Immediate action is needed

Critical—(2) Critical conditions

Error—(3) Error conditions

Warning—(4) Warning conditions

Notification—(5) Normal but significant condition

Informational—(6) Informational messages only

Debugging—(7) Debugging messages

Interval

Defines the interval of time for generating logging messages. Values are 1-600 seconds. Default is 300. You must select a logging level from the list for the logging interval value to be recognized.

If you select Default as the logging level, the default logging interval value (300) is used.

Enable Logging (IOS)

When selected, causes an informational logging message about the packet that matches the entry to be sent to the console. Enables you to select Log Input.

Log Input

When selected, includes the input interface and source MAC address or VC in the logging output.

Traffic Direction

Identifies traffic direction within a network. Direction is always associated with an interface:

In—Packets entering a network.

Out—Packets exiting a network.

Note The Direction parameter is not supported on PIX 6.3 devices.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.

Enter the time range value in the field provided or click Select, which opens the Time Ranges Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Options (IOS)

None.

Fragment—When selected, allows fragmentation, which provides additional management of packet fragmentation and improves compatibility with NFS.

By default, a maximum of 24 fragments is accepted to reconstruct a full IP packet; however, based on your network security policy, you might want to consider configuring the device to prevent fragmented packets from traversing the firewall.

Established—When selected, allows return traffic for outbound connections back through the device. This option works with two connections: an original connection outbound from a network protected by the device, and a return connection inbound between the same two hosts, initiated from the external host.

Note Established applies only to devices running IOS software and only for TCP protocols.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.
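The Log Options above decide which of two syslog messages an ACE produces: under Default Logging the device generates message 106023 only when a packet is denied, and nothing at all for permitted packets, while Per ACE Logging generates message 106100 at the selected Level and Interval for both permitted and denied traffic, together with a hit count. The Python parser below is an added example written against that description, not Cisco code; the sample lines, the ACL name outside_in and the addresses in them are constructed, and the field layout of the two messages is this example's reading of them rather than a vendor specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Severity numbers and names as listed under Level in the Advanced dialog box.
SYSLOG_LEVELS = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notification", 6: "Informational", 7: "Debugging",
}


@dataclass
class AceLogEvent:
    message_id: int   # 106023 = default-logging deny, 106100 = per-ACE log
    severity: str     # name from SYSLOG_LEVELS, taken from the %ASA-n- prefix
    acl: str          # access-group / access-list name
    action: str       # "permitted" or "denied"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    hits: int         # 106023 counts one packet; 106100 reports hit-cnt


# Patterns follow the general shape of the two messages named in the guide;
# the field layout is this example's assumption, not a vendor specification.
_RE_106023 = re.compile(
    r"%(?:ASA|PIX|FWSM)-(?P<sev>\d)-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>[^:]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)
_RE_106100 = re.compile(
    r"%(?:ASA|PIX|FWSM)-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src_if>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+)"
)


def parse_line(line: str) -> Optional[AceLogEvent]:
    """Return an AceLogEvent for a 106023 or 106100 line, else None."""
    m = _RE_106023.search(line)
    if m:
        return AceLogEvent(106023, SYSLOG_LEVELS[int(m["sev"])], m["acl"], "denied",
                           m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), 1)
    m = _RE_106100.search(line)
    if m:
        return AceLogEvent(106100, SYSLOG_LEVELS[int(m["sev"])], m["acl"], m["action"],
                           m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                           int(m["hits"]))
    return None


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Total hits per (ACL name, action); lines that are neither message are skipped."""
    totals: Dict[Tuple[str, str], int] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev.acl, ev.action)
        totals[key] = totals.get(key, 0) + ev.hits
    return totals


# Constructed sample lines for this example (not captured from a real device).
SAMPLE_LINES = [
    '%ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 dst inside:10.1.1.10/23 '
    'by access-group "outside_in" [0x0, 0x0]',
    "%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.7(51235) -> "
    "inside/10.1.1.10(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "%ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.7(51236) -> "
    "inside/10.1.1.10(80) hit-cnt 12 300-second interval [0x1a2b3c4d, 0x0]",
    "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/51235 "
    "(203.0.113.7/51235) to inside:10.1.1.10/80 (10.1.1.10/80)",
]

if __name__ == "__main__":
    for (acl, action), hits in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{acl:<12} {action:<10} {hits}")
```

Running the block totals hits per ACL and action. The practical point for anyone reviewing these logs is that a policy left at Default Logging never records permitted traffic, so a search for permits on that ACL returns nothing rather than zero; only Per ACE Logging, with its 106100 messages, gives a hit count for both outcomes.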


Edit Sources Dialog Box

Use the Edit Sources dialog box to edit a source entry in a table.

Navigation Path

Double-click the Source entry in the Access Rules table, or right-click the entry, then select Edit Sources.

Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-60

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-4 Edit Sources Dialog Box 

Element (1)
Description

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the source object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Note If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

(1) An asterisk indicates that the field is required.


Show Source Contents Dialog Box

Use the Show Source Contents dialog box to display all source addresses. The list shows flattened values of all levels of a source address or network object and sorts the results in ascending order on the IP address, then descending order on the mask.

Navigation Path

To access the Show Source Contents dialog box, do one of the following:

Right-click the Source table cell of a rule in the Access Rules table, then click Show Source Contents to display a list of all sources.

Select an entry (subfield) in the Source table cell of a rule in the Access Rules table, then right-click and select Show <Source> Contents.

Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-60

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-5 Show Source Contents Dialog Box 

Element
Description

Source Contents

Lists networks and hosts first, followed by interface roles. You can also select a specific source (subfield) in the table, which opens a Show <subfield> dialog box.

From Policy view—displays global values.

From Device view—displays device-specific values.

From Map view—displays device-specific values.

Note If you entered 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Destinations Dialog Box

Use the Edit Destinations dialog box to edit a destination entry in a table.

Navigation Path

Double-click the Destination entry in the Access Rules table, or right-click the entry, then select Edit Destinations.

Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-60

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-6 Edit Destinations Dialog Box 

Element (1)
Description

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the destination object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Note If you identify an interface role as a destination, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

(1) An asterisk indicates that the field is required.


Show Destination Contents Dialog Box

Use the Show Destination Contents dialog box to display all destination addresses. The list shows flattened values of all levels of a destination address or network object and sorts the results in ascending order on the IP address, then descending order on the mask.
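The accepted address formats listed for the Sources and Destinations fields (Tables J-2, J-4 and J-6) and the ordering described for the Show Source Contents and Show Destination Contents dialog boxes can both be exercised with a small validator. The Python below is an added example, not code from this guide or from Security Manager: it classifies each comma-separated entry, treats 0.0.0.0/0 as the predefined any object, splits a range into the CIDR blocks it spans (a range may cover more than one subnet), and flattens nested network objects into the ascending-address, descending-mask order described above. The object definitions net10 and dmz_hosts, the object-name pattern, and the choices to mask off host bits and reject discontiguous masks are this example's own assumptions; interface roles are not modeled.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Dotted-quad building blocks for the accepted address formats.
_QUAD = r"(?:\d{1,3}\.){3}\d{1,3}"
_HOST = re.compile(rf"^{_QUAD}$")                        # a.b.c.d
_PREFIX = re.compile(rf"^({_QUAD})/(\d{{1,2}})$")        # a.b.c.d/e, e = 1-32
_MASKED = re.compile(rf"^({_QUAD})/({_QUAD})$")          # a.b.c.d/x.x.x.x
_RANGE = re.compile(rf"^({_QUAD})-({_QUAD})$")           # a.b.c.d-e.f.g.h
_OBJECT = re.compile(r"^[A-Za-z_][\w.-]*$")              # assumed object-name shape


@dataclass
class Entry:
    kind: str                       # any | host | subnet | range | object
    text: str
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)


def parse_entry(text: str) -> Entry:
    """Classify one entry as typed into the Sources or Destinations field."""
    text = text.strip()
    if text == "0.0.0.0/0":         # matches the predefined "any" object
        return Entry("any", text, [ipaddress.IPv4Network("0.0.0.0/0")])
    if _HOST.match(text):           # IPv4Network raises ValueError on an octet > 255
        return Entry("host", text, [ipaddress.IPv4Network(f"{text}/32")])
    m = _PREFIX.match(text)
    if m:
        bits = int(m.group(2))
        if not 1 <= bits <= 32:
            raise ValueError(f"prefix length out of range 1-32: {text}")
        # strict=False masks off host bits (10.1.1.1/24 -> 10.1.1.0/24); an example choice
        net = ipaddress.IPv4Network(f"{m.group(1)}/{bits}", strict=False)
        return Entry("subnet", text, [net])
    m = _MASKED.match(text)
    if m:
        # ipaddress rejects a discontiguous mask with ValueError; the guide's own
        # handling is described under Contiguous and Discontiguous Network Masks
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        return Entry("subnet", text, [net])
    m = _RANGE.match(text)
    if m:
        first = ipaddress.IPv4Address(m.group(1))
        last = ipaddress.IPv4Address(m.group(2))
        # a range may span several subnets: split it into the minimal CIDR blocks
        return Entry("range", text, list(ipaddress.summarize_address_range(first, last)))
    if _OBJECT.match(text):
        return Entry("object", text)
    raise ValueError(f"unrecognized source/destination entry: {text!r}")


def parse_field(value: str) -> List[Entry]:
    """Split a comma-separated Sources/Destinations value into entries."""
    return [parse_entry(part) for part in value.split(",") if part.strip()]


# Constructed sample network-object definitions (name -> member entries);
# dmz_hosts refers back to net10, so the walk must tolerate cycles.
OBJECTS: Dict[str, List[str]] = {
    "net10": ["10.1.1.0/24", "10.1.1.0", "192.0.2.10", "dmz_hosts"],
    "dmz_hosts": ["192.0.2.0/28", "192.0.2.10", "net10"],
}


def show_contents(value: str, objects: Dict[str, List[str]] = OBJECTS) -> List[str]:
    """Flatten every level of the entries and order them as the Show Source/Destination
    Contents dialog boxes do: ascending IP address, then descending mask (/32 before /24)."""
    nets = set()
    seen = set()

    def walk(text: str) -> None:
        entry = parse_entry(text)
        if entry.kind != "object":
            nets.update(entry.networks)
            return
        if entry.text in seen:          # already expanded (or a reference cycle)
            return
        seen.add(entry.text)
        if entry.text not in objects:
            raise KeyError(f"unknown network object {entry.text!r}")
        for member in objects[entry.text]:
            walk(member)

    for part in value.split(","):
        if part.strip():
            walk(part)
    ordered = sorted(nets, key=lambda n: (int(n.network_address), -n.prefixlen))
    return [str(n) for n in ordered]


if __name__ == "__main__":
    print(show_contents("10.1.1.5, net10"))
```

The sort key pairs the numeric network address with the negated prefix length, so two entries for the same address list the longer mask first, which is the "descending order on the mask" the dialog box describes; duplicates reached through more than one object (192.0.2.10 above) collapse to a single line.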

Navigation Path

To access the Show Destination Contents dialog box, do one of the following:

Right-click the Destination table cell of a rule in the Access Rules table, then click Show Destination Contents to display a list of all destinations.

Select an entry (subfield) in the Destination table cell of a rule in the Access Rules table, then right-click and select Show <Destination> Contents.

Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-60

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-7 Show Destination Contents Dialog Box 

Element
Description

Destination Contents

From Policy view—displays global values.

From Device view—displays device-specific values.

From Map view—displays device-specific values.

Note If you entered 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.


Edit Service Dialog Box

Use the Edit Service dialog box to edit protocols and ports.

Navigation Path

Double-click the Service entry in the Access Rules table, or right-click the entry, then select Edit Services.

Related Topics

Editing Access Rules, page 12-65

Working with Access Rules, page 12-60

Understanding Service Objects, page 8-158

Field Reference

Table J-8 Edit Service Dialog Box 

Element (1)
Description

Services*

Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. Accepted formats are:

<protocol>, where protocol is a number from 1-255 or a well-known protocol string, for example, tcp, udp, or gre.

icmp/<icmp_message_type>, where icmp_message_type is a number from 1-255 or a well-known ICMP message type name.

tcp | udp | tcp & udp / <port_number>, where port_number is 1-65535. The port number is the destination port; the source port is the default port range.

tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a named port list object.

tcp | udp | tcp & udp / <port_number> | <PortListObject> / <port_number> | <PortListObject>. Using this format, you explicitly specify source ports outside of the default port range.

Freeform text that is the name of a service object.

Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

(1) An asterisk indicates that the field is required.
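The service formats listed in Table J-8 (and in Table J-2), together with the note that a manually entered TCP / 80 becomes the predefined HTTP object, can be checked with the parser below. It is an added example, not Security Manager code: the set of well-known protocol and ICMP type names, the pattern for port list and service object names, the reading of the default source port range as 1-65535, the assumption that in the three-part form the first port field is the source and the second the destination, and the predefined-object table (the guide itself names only HTTP) are all this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Well-known protocol strings (the guide cites tcp, udp, gre); numbers 1-255 are also accepted.
PROTOCOL_NAMES = {"ip", "icmp", "tcp", "udp", "gre", "esp", "ah"}
# Well-known ICMP message type names; numeric types are accepted as 1-255, as the guide states.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8, "time-exceeded": 11}
DEFAULT_SOURCE_PORTS = (1, 65535)            # assumed meaning of "default port range"
_OBJECT = re.compile(r"^[A-Za-z_][\w.-]*$")  # assumed object-name shape

PortSpec = Union[Tuple[int, int], str]       # (low, high) or a port list object name


@dataclass(frozen=True)
class Service:
    protocol: Optional[str]            # tcp | udp | tcp&udp | icmp | gre | ... | "1"-"255"
    icmp_type: Optional[int] = None
    source: Optional[PortSpec] = None
    destination: Optional[PortSpec] = None
    object_name: Optional[str] = None  # set when the entry names a service object


# Constructed subset of predefined service objects; the guide itself names only HTTP.
PREDEFINED = {
    Service("tcp", source=DEFAULT_SOURCE_PORTS, destination=(80, 80)): "HTTP",
    Service("tcp", source=DEFAULT_SOURCE_PORTS, destination=(443, 443)): "HTTPS",
    Service("udp", source=DEFAULT_SOURCE_PORTS, destination=(53, 53)): "DNS-UDP",
}


def _parse_port(token: str) -> PortSpec:
    """A single port, a low-high range, or a named port list object."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
    if m:
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port out of range 1-65535: {token}")
        return (low, high)
    if _OBJECT.match(token):
        return token
    raise ValueError(f"bad port specification: {token!r}")


def _parse_protocol(token: str) -> Optional[str]:
    """Return a normalized protocol, or None if the token is not a protocol at all."""
    token = token.lower().replace(" ", "")     # "tcp & udp" -> "tcp&udp"
    if token.isdigit():
        if not 1 <= int(token) <= 255:
            raise ValueError(f"protocol number out of range 1-255: {token}")
        return token
    if token == "tcp&udp" or token in PROTOCOL_NAMES:
        return token
    return None


def parse_service(text: str) -> Service:
    """Parse one entry of the Services field according to the accepted formats."""
    parts = [p.strip() for p in text.strip().split("/")]
    proto = _parse_protocol(parts[0])
    if proto is None:                          # freeform service object name
        if len(parts) == 1 and _OBJECT.match(parts[0]):
            return Service(None, object_name=parts[0])
        raise ValueError(f"unrecognized service entry: {text!r}")
    if proto == "icmp":
        if len(parts) == 1:
            return Service("icmp")
        if len(parts) != 2:
            raise ValueError(f"icmp takes at most one message type: {text!r}")
        t = parts[1].lower()
        if t.isdigit() and 1 <= int(t) <= 255:
            return Service("icmp", icmp_type=int(t))
        if t in ICMP_TYPES:
            return Service("icmp", icmp_type=ICMP_TYPES[t])
        raise ValueError(f"unknown icmp message type: {parts[1]!r}")
    if proto in ("tcp", "udp", "tcp&udp"):
        if len(parts) == 1:
            return Service(proto)
        if len(parts) == 2:   # destination port only; source = default range
            return Service(proto, source=DEFAULT_SOURCE_PORTS, destination=_parse_port(parts[1]))
        if len(parts) == 3:   # explicit source ports, then destination ports (assumed order)
            return Service(proto, source=_parse_port(parts[1]), destination=_parse_port(parts[2]))
        raise ValueError(f"too many port fields: {text!r}")
    if len(parts) != 1:
        raise ValueError(f"ports apply only to tcp/udp: {text!r}")
    return Service(proto)


def resolve(text: str) -> Union[str, Service]:
    """The predefined object name when the entry maps to one (TCP / 80 -> HTTP), else the Service."""
    svc = parse_service(text)
    return PREDEFINED.get(svc, svc)


def parse_services(value: str) -> List[Union[str, Service]]:
    """Comma-separated Services field."""
    return [resolve(part) for part in value.split(",") if part.strip()]
```

Because Service is a frozen dataclass, a parsed entry can be looked up directly in the predefined table; an entry with explicit source ports, such as tcp/1024-65535/80, is a different value from tcp/80 and therefore does not collapse to HTTP, which matches the guide's point that only a direct translation takes the predefined object.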


Show Service Contents Dialog Box

Use the Show Service Contents dialog box to display all services and port information. The list shows flattened values of all levels of the Service and Port List objects and sorts the results on protocol, destination port, and source port.

Navigation Path

To access the Show Service Contents dialog box, do one of the following:

Right-click the Service table cell of a rule in the Access Rules table, then click Show Service Contents to display a list of all services.

Select an entry (subfield) in the Service table cell of a rule in the Access Rules table, then right-click and select Show <Service> Contents.

Related Topics

Editing Access Rules, page 12-65

Understanding Service Objects, page 8-158

Field Reference

Table J-9 Show Service Contents Dialog Box 

Element
Description

Service Contents

From Policy view—displays global protocol and port values.

From Device view—displays device-specific protocol and port values.

From Map view—displays device-specific protocol and port values.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Firewall Option Dialog Box

Use the Edit Firewall Option dialog box to edit an option entry in the table. Options vary depending on the platform selected.

Navigation Path

Double-click the entry in the Access Rules table, or right-click the entry, then select Edit Options.

Related Topics

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-60

Understanding Time Range Objects, page 8-172

Field Reference

Table J-10 Edit Firewall Option Dialog Box 

Element
Description

Enable Logging

When selected, activates syslog generation for the generated ACEs.

Note If the logging level is specified, syslog message 106100 is generated for the ACE to which it is applied.

Logging Level

Identifies the type of syslog used to log events for an ACE.

Default—Default settings on the device

Emergency—(0) System is unstable

Alert—(1) Immediate action is needed

Critical—(2) Critical conditions

Error—(3) Error conditions

Warning—(4) Warning conditions

Notification—(5) Normal but significant condition

Informational—(6) Informational messages only

Debugging—(7) Debugging messages

Note Logging level is not supported on IOS devices.

Logging Interval

Defines the interval of time, in seconds, used to generate logging messages. Values are 1-600 seconds. Default is 300. You must select a logging level from the list for the logging interval value to be recognized.

If you select Default as the logging level, the default logging interval value (300) is used.

Note This feature is not supported on IOS devices.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.

Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit Interfaces Dialog Box

Use the Edit Interfaces dialog box to edit an interface entry in a table.

Navigation Path

Double-click the entry in the Access Rules table, or right-click the entry, then select Edit Interfaces.

Related Topics

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-60

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-11 Edit Interfaces Dialog Box 

Element1
Description

Interfaces*

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the interface in the field provided or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Show Interface Contents Dialog Box

Use the Show Interface Contents dialog box to display each role type as a separate listing in the table if you are working from Policy view, or display actual interface names if you are working from Device view. The list shows flattened values of all levels of an address, network object, or interface role and sorts the results in ascending order on the IP address, then descending order on the mask.

You can display a list of all interfaces by clicking on a table cell or specific entry (subfield) within the table cell, then clicking either Show Interface Contents (for a table cell) or Show <Interface> Contents (for a subfield) from the shortcut menu.

Navigation Path

To access the Show Interface Contents dialog box, do one of the following:

Right-click the Interface table cell of a rule in the Access Rules table, then click Show Interface Contents.

Select an entry (subfield) in the Interface table cell of a rule in the Access Rules table, then right-click and select Show <Interface> Contents.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-60

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-12 Show Interface Contents Dialog Box 

Element
Description

Interface Contents

From Policy view—displays each role type as a separate listing in the table.

From Device view—displays actual interface names.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Category Dialog Box

Use the Edit Category dialog box to edit a category entry in a table.

Navigation Path

Double-click the Category entry in the Access Rules table, or right-click the entry, then select Edit Category.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-60

Understanding Category Objects, page 8-48

Field Reference

Table J-13 Edit Category Dialog Box 

Element
Description

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables.

Note No commands are generated for the category attribute.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit Description Dialog Box

Use the Edit Description dialog box to edit a user-defined description entry in a table.

Navigation Path

Double-click the Description entry in the Access Rules table, or right-click the entry, then select Edit Description.

Related Topics

Adding Access Rules, page 12-61

Editing Access Rules, page 12-65

Understanding Access Rules, page 12-49

Working with Access Rules, page 12-60

Field Reference

Table J-14 Edit Description Dialog Box 

Element
Description

Description

Enables you to enter a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Inspection Rules Page

Use the Inspection Rules page to identify inspection rules managed by Security Manager. For more information, see Understanding Inspection Rules, page 12-72.

From the Inspection Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks either from the shortcut menu, which you access by right-clicking a table cell, or with the buttons located below the table.

From the Inspection Rules page, you can generate reports to discover object groups that are being used and identify policies associated with a particular device.

Navigation Path

To access the Inspection Rules page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector.

(Policy view) Select Firewall > Inspection Rules from the Policy selector.

Related Topics

Understanding Inspection Rules, page 12-72

Field Reference

Table J-15 Inspection Rules Page 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

No.

Identifies the ordered rule number in the table.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

Permit—Shown as a green check mark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following:

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destination

Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following:

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Service

Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding Service Objects, page 8-158.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-114.

For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Dir.

(Direction) Identifies traffic direction within a network. Direction is always associated with an interface:

In—Packets entering a network.

Out—Packets exiting a network.

Note The Direction parameter is supported on IOS devices only.

Inspected Protocol

Identifies the protocol to be inspected.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization. See Understanding Time Range Objects, page 8-172.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Time Range Objects, page 8-172.

Note No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button

Provides a list of tools for generating various reports, such as rule analysis, combining rules in table sections, checking ACE hit counts, and running policy queries, and starts the process of importing ACEs into Security Manager.

Note Currently this feature supports only the Query tool for inspection rules.

Query

Invokes a utility to run queries against existing rules in a rule table. Query results are displayed in a report. For more information, see Using Policy Query, page 12-37.

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Using Find and Replace, page 12-18.

Up button

Moves a rule up one row in the table. Select a rule in the table to activate the appropriate buttons. See Moving Inspection Rules Up and Down, page 12-87.

Down button

Moves a rule down one row in the table. Select a rule in the table to activate the appropriate buttons. See Moving Inspection Rules Up and Down, page 12-87.

Add button

Adds a rule to the table. See Adding Inspection Rules, page 12-74.

Edit button

Edits an existing rule in the table. See Editing Inspection Rules, page 12-83.

Delete button

Deletes a rule from the table. See Deleting Inspection Rules, page 12-88.

Save button

Saves your changes to the server, but keeps them private.

Note To publish your changes, click the Submit icon on the toolbar.


Add and Edit Inspection Rule Dialog Boxes

Use the Add and Edit Inspection Rule dialog boxes to add and edit inspection rules.


Note The same dialog box is used for adding and editing inspection rules.


Navigation Path

To access the Add and Edit Inspection Rule dialog boxes, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then select Add Rule, or right-click a rule, then select Edit Rule.

(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then select Add Rule, or right-click a rule, then select Edit Rule.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-16 Add and Edit Inspect/Application FW Rule Dialog Boxes 

Element1
Description
Apply the Rule to

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

An enabled rule is shown without hash marks.

A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

All Interfaces

Enables you to add an inspection rule that will be associated with all interfaces.

Note Global inspection is supported on PIX and ASA devices only. IOS does not support global inspection, but it is simulated when you create an IOS inspection rule and apply it globally: such a rule is applied to all interfaces in the "in" direction.

Interface (PIX 7.x, ASA, FWSM 3.x, IOS)

Enables you to add an inspection rule based on an interface.

Traffic Direction

Enables you to further define deep packet inspection by identifying traffic direction within a network:

In—Packets entering a network.

Out—Packets exiting a network.

Note Traffic direction is active only when inspection is based on an interface.

Interfaces*2

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the interface information or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-114.

Match Traffic By

Default Protocol Ports

Enables you to inspect traffic based on a default protocol setting. Select this option if you want to inspect a protocol without applying any constraints to the inspected traffic. For a description of the GUI elements, see Table J-17.

Note You must click Next to open the appropriate wizard page.

Limit inspection between source and destination IP addresses (ASA, FWSM 3.x)

When selected, enables you to limit inspection between source and destination IP addresses. This setting applies to PIX 7.0, ASA, and FWSM 3.x devices only. For a description of the GUI elements, see Table J-19.

Note You must click Next to open the appropriate wizard page.

Custom Destination Ports

Enables you to inspect traffic based on TCP or UDP destination ports.

Select this option if you want to associate additional TCP or UDP traffic with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic. For a description of the GUI elements, see Table J-20.

Note You must click Next to open the appropriate wizard page.

Destination Address and Port (IOS)

Enables you to inspect traffic on IOS devices based on destination IP addresses.

Select this option if you want to associate additional traffic with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.1. For a description of the GUI elements, see Table J-21.

Note You must click Next to open the appropriate wizard page.

Source and Destination Address and Port (PIX 7.x, ASA, FWSM 3.x)

Enables you to inspect traffic on ASA and FWSM 3.x devices based on source and destination IP addresses and ports. For a description of the GUI elements, see Table J-22.

Note You must click Next to open the appropriate wizard page.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.

Note No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Back button

Returns to the previous wizard page.

Note The Back button is unavailable from this dialog box.

Next button

Advances to the next wizard page.

Finish button

Completes the wizard dialog and returns you to the main page. The settings are shown in the table.

Note The Finish button is active on the last wizard page only.

1 An asterisk indicates that the field is required.

2 The asterisk is displayed if you apply the rule to ASA or IOS device interfaces.


Add Inspect/Application FW Rule > Match Traffic to Protocol Page

Use this wizard page to select the protocol to use for inspection.

Navigation Path

To access this wizard page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Select Default Protocol Ports, then click Next.

(Policy view) Select Firewall > Inspection Rules from the Policy selector. Select Default Protocol Ports, then click Next.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Configuring Default Protocol Ports, page 12-77

Understanding Inspection Rules, page 12-72

Field Reference

Table J-17 Add Inspect/Application FW Rule - Match Traffic To Protocol Page 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

Protocol

Lists protocols. Only one protocol can be selected per rule. Certain protocols require additional configuration information. For additional protocol information and a description of the GUI elements, see Table J-17.

Note Alert flag, audit trail, and timeout values are optional and apply only to protocols inspected on IOS devices.

Options

Displays additional configuration settings for the selected protocol.

Device Type

Identifies the device platform, for example, ASA, PIX.

Group

Identifies a general class that the protocol supports, for example, file transfer and voice.

Selected Protocol

Displays the protocol selected. See Table J-18 for a list of protocols that support additional settings options.

Configure button

Enables you to configure additional settings based on the protocol selected. You can configure additional settings for the protocols listed below.

Note The button is inactive if no additional settings are used.

Rule Settings (IOS)

Alert

When selected, enables inspect-related alert messages to appear on the IOS device console.

Use Default Inspection Settings—

Enable—

Disable—

Audit

When selected, enables inspect-related audit trail messages to appear on the IOS device console.

Use Default Inspection Settings—

Enable—

Disable—

Timeout

Specifies the length of time, in seconds, for which a session is managed while there is no activity. Values are 5-43200.

Use Default Inspection Settings—

Specify Timeout

Inspect Router Generated Traffic

When selected,

Back button

Returns to the previous wizard page.

Note The Back button is unavailable from this dialog box.

Next button

Advances to the next wizard page.

Finish button

Completes the wizard dialog and returns you to the main page. The settings are shown in the table.

Note The Finish button is active on the last wizard page only.


Table J-18 lists protocols that allow you to configure additional settings options.

Table J-18 Protocols Supporting Configuration Options 

Element
Description

DNS

Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are 512-65535. For a description of the GUI elements, see Table J-32.

FTP Strict

Enables you to select or create an FTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure FTP strict inspection, no map is required.

GTP

Enables you to select or create a GTP Map object to configure application firewall (PIX/ASA 7.x/FWSM 3.x). To configure GTP inspection, no map is required.

HTTP

Enables you to select or create an HTTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure HTTP inspection, no map is required.

RPC

Requires program number and wait time (IOS).

Program number values are 1-4294967295.

Wait time values are 0-35791.

For a description of the GUI elements, see Table J-39.

SMTP

Sets maximum data (PIX/FWSM/IOS). Values are 0-4294967295. For a description of the GUI elements, see Table J-33.

Custom protocol

Requires a custom protocol name. Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination port 12000, or UDP with destination ports 8000-9000. For a description of the GUI elements, see Table J-34.

ESMTP

Sets maximum data (PIX/ASA/FWSM 3.x/IOS). Values are 0-4294967295. For a description of the GUI elements, see Table J-35.

Fragment

Sets maximum fragments and timeout values (IOS).

Fragment values are 0-10000.

Timeout values are 1-1000.

For a description of the GUI elements, see Table J-36.

IMAP

Includes optional settings for retrieving email (IOS). For a description of the GUI elements, see Table J-37.

POP3

Includes optional settings for retrieving email (IOS). For a description of the GUI elements, see Table J-38.

RPC

Identifies a program number and optional wait time (FWSM 2.x/IOS).

Program number values are 1-4294967295.

Wait time values are 0-35791.

For a description of the GUI elements, see Table J-39.


Limit Inspection Between Source and Destination IP Addresses (ASA, FWSM 3.x) Page

Use this wizard page (Step 2) to inspect traffic for specific sources and destinations for ASA devices.

Navigation Path

To access the Limit Inspection Between Source and Destination Addresses (ASA, FWSM 3.x) wizard page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

For more information, see:

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Related Topics

Configuring Default Protocol Ports, page 12-77

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Understanding Time Range Objects, page 8-172

Field Reference

Table J-19 Limit Inspection Between Source and Destination Addresses (ASA, FWSM 3.x) Page 

Element1
Description

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic

Deny—Denies traffic

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Note If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Note If you identify an interface role as a destination, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.

Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Completes the wizard dialog and returns you to the main page. The settings are shown in the table.

Note The Finish button is active on the last wizard page only.

1 An asterisk indicates that the field is required.


Match Traffic by Custom Destination Ports Page

Use this wizard page (Step 2) to select protocol and port values for TCP or UDP destination ports.

Navigation Path

To access the Match Traffic By Custom Destination Ports wizard page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

For more information, see:

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Related Topics

Configuring Custom Destination Ports, page 12-78

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-20 Match Traffic By Custom Destination Ports Page 

Element1
Description

Protocol

TCP

UDP

TCP/UDP

Ports2

Specifies port information. Values are 1-65535.

Single—Identifies a single port value. When selected, requires a port value.

Range—Identifies a range of port values. When selected, requires a range of port values.

Note Port range values might not be supported on all platforms or OS versions. In such cases, a validation error results.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Completes the wizard dialog and returns you to the main page. The settings are shown in the table.

Note The Finish button is active on the last wizard page only.

1 An asterisk indicates that the field is required.

2 Based on your Port selection, the asterisk is positioned beside the field requiring value parameters.


Match Traffic by Destination Address and Port (IOS) Page

Use this wizard page (Step 2) to select protocol and port values for specific destinations for IOS devices.

To treat this matched traffic type as a supported inspect protocol only when destined to certain hosts, you should create a network policy object and include the list of hosts in it. Alternatively, you can also enter a list of host IP addresses as Destinations.

Navigation Path

To access the Match Traffic By Destination Address and Port (IOS) wizard page, do one of the following:

(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

For more information, see:

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Related Topics

Configuring Destination Address and Port (IOS), page 12-80

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-21 Match Traffic By Destination Address and Port (IOS) 

Element1
Description

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Protocol

TCP

UDP

TCP/UDP

Ports2

Single—Identifies a single port value. Values are 1-65535.

Range—Identifies a range of port values. Values are 1-65535.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Completes the wizard dialog and returns you to the main page. The settings are shown in the table.

Note The Finish button is active on the last wizard page only.

1 An asterisk indicates that the field is required.

2 Based on your Port selection, the asterisk is positioned beside the field requiring value parameters.


Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page

Use this wizard page (Step 2) to inspect traffic for specific sources and destinations for ASA and FWSM 3.x devices.

Select this matched traffic type if you want to limit inspection of traffic flowing between a set of source and destination addresses, for example, if you want to inspect FTP traffic flowing between 192.168.1.0/24 and 192.168.2.0/24.

You can use policy objects for sources, destinations and services. A time range can also be specified, which will activate the traffic criteria only during that period of time.

Navigation Path

To access the Match Traffic By Source and Destination Address and Port (ASA, FWSM 3.x) wizard page, do one of the following:

(Device view) Select a device, then select Firewall >Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

(Policy view) Select Firewall >Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

Related Topics

Configuring Source and Destination Address and Port (ASA, FWSM 3.x), page 12-81

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Network/Host Objects, page 8-126

Understanding Interface Role Objects, page 8-114

Understanding Service Objects, page 8-158

Understanding Time Range Objects, page 8-172

Field Reference

Table J-22 Match Traffic By Source and Destination Address and Port (ASA, FWSM 3.x) Page 

Element1
Description

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the addresses or names in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Note If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the addresses or names in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Note If you identify an interface role as a destination, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Services*

Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. Accepted formats are:

<protocol> where protocol = 1-255 or a well-known protocol string, for example tcp, udp, or gre.

icmp/<icmp_message_type> where icmp_message_type = 1-255 or a well-known ICMP message type.

tcp | udp | tcp & udp / <port_number>, where port_number = 1-65535. The port number is the destination port; source ports use the default port range.

tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a named port list object.

tcp | udp | tcp & udp / <port_number> | <PortListObject> / <port_number> | <PortListObject>. Using this format, you explicitly specify source ports outside of the default port range.

Freeform text that is the name of a service object.

Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.

Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Back button

Returns to the previous wizard page.

Next button

Advances to the next wizard page.

Finish button

Completes the wizard dialog and returns you to the main page. The settings are shown in the table.

Note The Finish button is active on the last wizard page only.

1 An asterisk indicates that the field is required.


Edit Sources Dialog Box

Use the Edit Sources dialog box to edit a source entry in a table.

Navigation Path

Double-click the Source entry in the Inspection Rules table, or right-click the entry, then select Edit Sources.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-23 Edit Sources Dialog Box 

Element1
Description

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the source object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Note If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Show Source Contents Dialog Box

Use the Show Source Contents dialog box to display all source addresses. The list shows flattened values of all levels of a source address or Network Object and sorts the results in ascending order on the IP address, then descending order on the mask.

Navigation Path

To access the Show Source Contents dialog box, do one of the following:

Right-click the Source table cell of a rule in the Inspection Rules table, then click Show Source Contents to display a list of all sources.

Select an entry (subfield) in the Source table cell of a rule in the Inspection Rules table, then right-click and select Show <Source> Contents.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-24 Show Source Contents Dialog Box 

Element
Description

Source Contents

Lists networks and hosts first, followed by interface roles. You can also select a specific source (subfield) in the table, which opens a Show <subfield> Contents dialog box.

From Policy view—displays global values.

From Device view—displays device-specific values.

From Map view—displays device-specific values.

Note If you entered 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Destinations Dialog Box

Use the Edit Destinations dialog box to edit a destination entry in a table.

Navigation Path

Double-click the Destination entry in the Inspection Rules table, or right-click the entry, then select Edit Destinations.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-25 Edit Destinations Dialog Box 

Element1
Description

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the destination object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Note If you identify an interface role as a destination, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.
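The address formats listed for the Sources and Destinations fields are the same in Tables J-21 through J-25, so a single validator covers all of them. The following Python is an added example, not code from Cisco Security Manager: it checks each comma-separated entry against the documented formats, maps a manually entered 0.0.0.0/0 to the predefined "any" object, and flags the two footnoted cases (a range that spans more than one subnet, and a discontiguous mask). The object-name rule and the treatment of a contiguous dotted mask as equivalent to its prefix length are assumptions made here; how the product itself handles masks is described on page 8-128, not on this page.

```python
"""Validator for the Sources/Destinations address formats (added example,
not Cisco Security Manager code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_IPV4 = rf"{_OCTET}(?:\.{_OCTET}){{3}}"
_HOST_RE = re.compile(rf"^({_IPV4})$")
_PREFIX_RE = re.compile(rf"^({_IPV4})/(\d{{1,2}})$")
_MASK_RE = re.compile(rf"^({_IPV4})/({_IPV4})$")
_RANGE_RE = re.compile(rf"^({_IPV4})-({_IPV4})$")
# Assumed naming rule for network objects; the guide only says "freeform text".
_OBJECT_RE = re.compile(r"^[A-Za-z_][\w.-]*$")


@dataclass(frozen=True)
class AddressEntry:
    kind: str       # "any", "host", "subnet", "mask", "range" or "object"
    value: str      # normalized text of the entry
    note: str = ""  # footnoted cases worth surfacing to the operator


def _mask_is_contiguous(mask: ipaddress.IPv4Address) -> bool:
    """A contiguous mask is a run of 1 bits followed only by 0 bits."""
    inverse = (~int(mask)) & 0xFFFFFFFF
    return inverse & (inverse + 1) == 0


def parse_entry(text: str) -> AddressEntry:
    """Parse one entry in the formats listed in the field reference."""
    t = text.strip()
    if not t:
        raise ValueError("empty entry")
    if t == "0.0.0.0/0":
        # Documented behaviour: matches the predefined "any" object.
        return AddressEntry("any", "any")
    if _HOST_RE.match(t):
        return AddressEntry("host", str(ipaddress.IPv4Address(t)))
    m = _PREFIX_RE.match(t)
    if m:
        prefix = int(m.group(2))
        if not 1 <= prefix <= 32:
            raise ValueError(f"prefix length must be 1-32: {t}")
        return AddressEntry("subnet", str(ipaddress.IPv4Network(t, strict=False)))
    m = _MASK_RE.match(t)
    if m:
        addr = ipaddress.IPv4Address(m.group(1))
        mask = ipaddress.IPv4Address(m.group(2))
        if _mask_is_contiguous(mask):
            # Assumption: a contiguous dotted mask is equivalent to its prefix length.
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
            return AddressEntry("subnet", str(net))
        # Discontiguous masks are kept verbatim and flagged for review.
        return AddressEntry("mask", t, "discontiguous mask")
    m = _RANGE_RE.match(t)
    if m:
        start = ipaddress.IPv4Address(m.group(1))
        end = ipaddress.IPv4Address(m.group(2))
        if start > end:
            raise ValueError(f"range start exceeds end: {t}")
        # A range that cannot be expressed as one CIDR block spans several subnets.
        blocks = list(ipaddress.summarize_address_range(start, end))
        note = "range spans more than one subnet" if len(blocks) > 1 else ""
        return AddressEntry("range", f"{start}-{end}", note)
    if _OBJECT_RE.match(t):
        return AddressEntry("object", t)
    raise ValueError(f"not a recognized address format or object name: {t!r}")


def parse_field(field: str) -> List[AddressEntry]:
    """Parse the whole comma-separated field value."""
    return [parse_entry(part) for part in field.split(",") if part.strip()]
```

Running parse_field on a constructed value such as "10.1.1.5, 192.168.1.0/24, 0.0.0.0/0, web-servers" yields a host, a subnet, the "any" object and a named object; an entry like 10.0.0.0/33 or a reversed range is rejected before it reaches a policy.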


Show Destination Contents Dialog Box

Use the Show Destination Contents dialog box to display all destination addresses. The list shows flattened values of all levels of a destination address or Network Object and sorts the results in ascending order on the IP address, then descending order on the mask.

Navigation Path

To access the Show Destination Contents dialog box, do one of the following:

Right-click the Destination table cell of a rule in the Inspection Rules table, then click Show Destination Contents to display a list of all destinations.

Select an entry (subfield) in the Destination table cell of a rule in the Inspection Rules table, then right-click and select Show <Destination> Contents.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-26 Show Destination Contents Dialog Box 

Element
Description

Destination Contents

Lists networks and hosts first, followed by interface roles. You can also select a specific destination (subfield) in the table, which opens a Show <subfield> Contents dialog box.

From Policy view—displays global values.

From Device view—displays device-specific values.

From Map view—displays device-specific values.

Note If you entered 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Service Dialog Box

Use the Edit Service dialog box to edit protocols and ports.

Navigation Path

Double-click the Service entry in the Inspection Rules table, or right-click the entry, then select Edit Services.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Service Objects, page 8-158

Field Reference

Table J-27 Edit Service Dialog Box 

Element1
Description

Services*

Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. Accepted formats are:

<protocol> where protocol = 1-255 or a well-known protocol string, for example tcp, udp, or gre.

icmp/<icmp_message_type> where icmp_message_type = 1-255 or a well-known ICMP message type.

tcp | udp | tcp & udp / <port_number>, where port_number = 1-65535. The port number is the destination port; source ports use the default port range.

tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a named port list object.

tcp | udp | tcp & udp / <port_number> | <PortListObject> / <port_number> | <PortListObject>. Using this format, you explicitly specify source ports outside of the default port range.

Freeform text that is the name of a service object.

Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.
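The service syntax in Tables J-22 and J-27 mixes protocol numbers, ICMP message types, destination and optional source ports, port list objects and service object names, and the note above says an entry that equals a predefined object (TCP / 80) is replaced by that object (HTTP). The following Python is an added example, not Cisco Security Manager code, that parses one field value into a structured form, enforces the documented numeric ranges and applies that predefined-object substitution. The well-known protocol and ICMP name tables, the object-name rule, and every predefined object name other than HTTP are assumptions constructed for the example.

```python
"""Parser for the Services field syntax (added example, not Cisco Security
Manager code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Short assumed tables of well-known names accepted in place of numbers.
WELL_KNOWN_PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
WELL_KNOWN_ICMP_TYPES = {"unreachable": 3, "echo": 8, "time-exceeded": 11}
# Constructed map to predefined service objects; the guide itself names only HTTP.
PREDEFINED_SERVICES = {("tcp", "80"): "HTTP", ("tcp", "443"): "HTTPS",
                       ("tcp", "21"): "FTP", ("udp", "53"): "DNS"}

_PROTO_SET_RE = re.compile(r"^(tcp\s*&\s*udp|tcp|udp)$", re.IGNORECASE)
_OBJECT_RE = re.compile(r"^[A-Za-z_][\w.-]*$")  # assumed object-name rule


@dataclass(frozen=True)
class ServiceSpec:
    kind: str                       # "protocol", "icmp", "ports" or "object"
    protocol: str = ""              # "tcp", "udp", "tcp&udp", "icmp" or a number
    dst: Optional[str] = None       # destination port or port list object name
    src: Optional[str] = None       # explicit source port/object; None = default range
    icmp_type: Optional[str] = None
    name: str = ""                  # service object name when kind == "object"


def _port_token(tok: str) -> str:
    """A port is a number 1-65535 or the name of a port list object."""
    tok = tok.strip()
    if tok.isdigit():
        if not 1 <= int(tok) <= 65535:
            raise ValueError(f"port must be 1-65535: {tok}")
        return str(int(tok))
    if _OBJECT_RE.match(tok):
        return tok
    raise ValueError(f"invalid port or port list object: {tok!r}")


def parse_service(text: str) -> ServiceSpec:
    """Parse one entry of the Services field."""
    parts = [p.strip() for p in text.strip().split("/")]
    if len(parts) == 1:
        p = parts[0]
        if p.isdigit():
            if not 1 <= int(p) <= 255:
                raise ValueError(f"protocol number must be 1-255: {p}")
            return ServiceSpec("protocol", str(int(p)))
        if p.lower() in WELL_KNOWN_PROTOCOLS:
            return ServiceSpec("protocol", p.lower())
        if _OBJECT_RE.match(p):
            return ServiceSpec("object", name=p)
        raise ValueError(f"unrecognized service: {text!r}")
    if parts[0].lower() == "icmp":
        if len(parts) != 2:
            raise ValueError(f"icmp takes a single message type: {text!r}")
        typ = parts[1].lower()
        if typ.isdigit():
            if not 1 <= int(typ) <= 255:
                raise ValueError(f"icmp message type must be 1-255: {typ}")
            typ = str(int(typ))
        elif typ in WELL_KNOWN_ICMP_TYPES:
            typ = str(WELL_KNOWN_ICMP_TYPES[typ])
        else:
            raise ValueError(f"unknown icmp message type: {typ!r}")
        return ServiceSpec("icmp", "icmp", icmp_type=typ)
    m = _PROTO_SET_RE.match(parts[0])
    if not m or len(parts) > 3:
        raise ValueError(f"unrecognized service: {text!r}")
    proto = re.sub(r"\s+", "", m.group(1).lower())  # "tcp & udp" -> "tcp&udp"
    dst = _port_token(parts[1])
    src = _port_token(parts[2]) if len(parts) == 3 else None
    if src is None and (proto, dst) in PREDEFINED_SERVICES:
        # Documented behaviour: an entry equal to a predefined object takes that object.
        return ServiceSpec("object", proto, dst, name=PREDEFINED_SERVICES[(proto, dst)])
    return ServiceSpec("ports", proto, dst, src)


def parse_services(field: str) -> List[ServiceSpec]:
    """Parse the whole comma-separated field value."""
    return [parse_service(p) for p in field.split(",") if p.strip()]
```

With a constructed field such as "TCP / 80, tcp & udp / 8080 / 1024, icmp/echo, CorpApp" the first entry resolves to the HTTP object, the second keeps its explicit source port, the third becomes ICMP type 8 and the last is passed through as a service object name; out-of-range ports, ICMP type 0 and unknown protocol strings are rejected.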


Show Service Contents Dialog Box

Use the Show Service Contents dialog box to display all services and port information. The list shows flattened values of all levels of the Service and Port List objects and sorts the results on: protocol, destination port, and source port.

Navigation Path

To access the Show Service Contents dialog box, right-click the entry in the Traffic Match column of the Inspection Rules table, then click Show Service Contents.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Service Objects, page 8-158

Field Reference

Table J-28 Show Service Contents Dialog Box 

Element
Description

Service Contents

From Policy view—displays global protocol and port values.

From Device view—displays device-specific protocol and port values.

From Map view—displays device-specific protocol and port values.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Interfaces Dialog Box

Use the Edit Interfaces dialog box to edit an interface entry in a table.

Navigation Path

Double-click the entry in the Inspection Rules table, or right-click the entry, then select Edit Interfaces.


Note You cannot access the Edit Interfaces dialog box if the interface setting is Global.


Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-29 Edit Interfaces Dialog Box 

Element1
Description

Interfaces*

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the interface in the field provided or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Show Interface Contents Dialog Box

Use the Show Interface Contents dialog box to display each role type as a separate listing in the table if you are working from Policy view, or display actual interface names if you are working from Device view.

The list shows flattened values of all levels of an address, network object, or interface role and sorts the results in ascending order on the IP address, then descending order on the mask.

You can display a list of all interfaces by clicking on a table cell or specific entry (subfield) within the table cell, then clicking either Show Interface Contents (for a table cell) or Show <Interface> Contents (for a subfield) from the shortcut menu.

Navigation Path

To access the Show Interface Contents dialog box, do one of the following:

Right-click the Interface table cell of a rule in the Inspection Rules table, then click Show Interface Contents.

Select an entry (subfield) in the Interface table cell of a rule in the Inspection Rules table, then right-click and select Show <Interface> Contents.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-30 Show Interface Contents Dialog Box 

Element
Description

Interface Contents

From Policy view—displays each role type as a separate listing in the table.

From Device view—displays actual interface names.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Inspected Protocol Dialog Box

Use the Edit Inspected Protocol dialog box to edit values for the protocol selected.

Navigation Path

To access the Edit Inspected Protocol dialog box, right-click the entry in the Inspected Protocol column of the Inspection Rules table, then click Edit Inspected Protocol.

Related Topics

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Field Reference

Table J-31 Edit Inspected Protocol Dialog Box 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

Protocol

Lists protocols. Only one protocol can be selected per rule. Certain protocols enable you to configure additional information.

Note All protocols inspected on IOS devices require an alert flag, audit trail, and timeout values.

DNS

Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are 512-65535. For a description of the GUI elements, see Table J-32.

FTP Strict

Enables you to select or create an FTP Map object to configure application firewall (PIX 7.0/ASA/FWSM 3.x/IOS). To configure FTP strict inspection, no map is required.

GTP

Enables you to select or create a GTP Map object to configure application firewall (PIX 7.0/ASA/FWSM 3.x). To configure GTP inspection, no map is required.

HTTP

Enables you to select or create an HTTP Map object to configure application firewall (PIX 7.0/ASA/FWSM 3.x/IOS). To configure HTTP inspection, no map is required.

RPC

Requires program number and wait time (IOS).

Program number values are 1-4294967295.

Wait time values are 0-35791.

For a description of the GUI elements, see Table J-39.

SMTP

Requires maximum data. Values are 0-4294967295. For a description of the GUI elements, see Table J-33.

Custom protocol

Requires a custom protocol name. Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination port 12000 or UDP with destination ports 8000-9000. For a description of the GUI elements, see Table J-34.

ESMTP

Requires maximum data (PIX 7.0/ASA/FWSM 3.x/IOS). Values are 0-4294967295. For a description of the GUI elements, see Table J-35.

Fragment

Requires maximum fragments and timeout value.

Fragment values are 0-10000.

Timeout values are 1-1000.

For a description of the GUI elements, see Table J-36.

IMAP

Includes optional settings for retrieving email (IOS). For a description of the GUI elements, see Table J-37.

POP3

Includes optional settings for retrieving email (IOS). For a description of the GUI elements, see Table J-38.

Optional IOS Settings

Enable

Indicates whether the rule appears after the configuration is generated. A disabled rule is not generated; it is retained in the table for debugging purposes.

Enable Alert Messages

When selected, enables inspect-related alert messages to appear on the IOS device console.

Note Supported only on IOS devices.

Enable Audit Trail Messages

When selected, enables inspect-related audit trail messages to appear on the IOS device console.

Note Supported only on IOS devices.

Timeout (seconds)

Specifies the length of time, in seconds, for which a session is managed while there is no activity. Values are 5-43200.

Note Supported only on IOS devices.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Configure DNS Dialog Box

Use the Configure DNS dialog box to configure settings for DNS inspection (PIX 7.0/ASA/FWSM/IOS).

Navigation Path

You can access the Configure DNS dialog box from the Inspection Rules table. Select DNS as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-32 Configure DNS Dialog Box 

Element
Description

Maximum DNS Packet Length

Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are 512-65535.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Configure SMTP Dialog Box

Use the Configure SMTP dialog box to edit settings for Simple Mail Transfer Protocol (SMTP) inspection (PIX/FWSM/IOS). SMTP is used to transfer email between servers and clients on the Internet. Email clients and mail servers that use protocols other than Messaging Application Programming Interface (MAPI) can use SMTP to transfer a message from a client to the server, which then forwards it to the message recipient's server.

SMTP inspection checks SMTP commands for illegal commands. Any packets carrying illegal commands are dropped, and the SMTP session hangs and eventually times out.

Navigation Path

You can access the Configure SMTP dialog box from the Inspection Rules table. Select SMTP as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-33 Configure SMTP Dialog Box 

Element
Description

Maximum Data

Values are 0-4294967295.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Custom Protocol Dialog Box

Use the Custom Protocol dialog box to edit settings for custom protocol inspection (IOS). Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination port 12000 or UDP with destination ports 8000-9000.

Navigation Path

You can access the Custom Protocol dialog box from the Inspection Rules table. Select Custom Protocol as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-34 Configure Custom Protocol Dialog Box 

Element
Description

Custom Protocol Name

Identifies the name associated with the custom protocol.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Configure ESMTP Dialog Box

Use the Configure ESMTP dialog box to edit settings for Extended Simple Mail Transfer Protocol (ESMTP) inspection (PIX/ASA/FWSM 3.x/IOS). ESMTP enables users who install mail servers behind Cisco IOS firewalls to run their servers on the basis of ESMTP (instead of Simple Mail Transfer Protocol [SMTP]).

Navigation Path

You can access the Configure ESMTP dialog box from the Inspection Rules table. Select ESMTP as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-35 Configure ESMTP Dialog Box 

Element
Description

Maximum Data

Values are 0-4294967295.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Configure Fragments Dialog Box

Use the Configure Fragments dialog box to edit settings for fragment inspection.

Navigation Path

You can access the Configure Fragments dialog box from the Inspection Rules table. Select Fragments as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-36 Configure Fragments Dialog Box 

Element
Description

Maximum Fragments

Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. Values are 0-10000 state entries. Default is 256.

Note Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

Timeout (sec)

Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. Values are 1-1000. Default timeout value is one second.

If this number is set to a value greater than one second, it is automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds:

When the number of free states is less than 32, the timeout is divided by 2.

When the number of free states is less than 16, the timeout is set to 1 second.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.
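The Maximum Fragments and Timeout settings in Table J-36 interact: the timeout you configure is only the timeout the router applies while enough state structures remain free. The following Python is an added example, not Cisco Security Manager or IOS code. It checks both values against the documented ranges and defaults, and computes the effective timeout from the two thresholds given above (below 32 free states the timeout is halved, below 16 it becomes 1 second, and a configured value of 1 is never adjusted). Two assumptions are labelled in the code: halving is done in whole seconds, and the pool of state structures is taken to be exactly Maximum Fragments entries.

```python
"""Configure Fragments range checks and effective-timeout calculation (added
example, not Cisco code)."""
from typing import Dict, Tuple

MAX_FRAGMENTS_RANGE = (0, 10000)  # state entries; default 256 (Table J-36)
TIMEOUT_RANGE = (1, 1000)         # seconds; default 1 (Table J-36)
DEFAULT_MAX_FRAGMENTS = 256
DEFAULT_TIMEOUT = 1


def validate_fragment_settings(max_fragments: int = DEFAULT_MAX_FRAGMENTS,
                               timeout: int = DEFAULT_TIMEOUT) -> Tuple[int, int]:
    """Reject values outside the documented ranges before they reach a deployment."""
    lo, hi = MAX_FRAGMENTS_RANGE
    if not lo <= max_fragments <= hi:
        raise ValueError(f"Maximum Fragments must be {lo}-{hi}, got {max_fragments}")
    lo, hi = TIMEOUT_RANGE
    if not lo <= timeout <= hi:
        raise ValueError(f"Timeout must be {lo}-{hi} seconds, got {timeout}")
    return max_fragments, timeout


def effective_timeout(configured: int, free_states: int) -> int:
    """Timeout the router applies given the number of free state structures.

    Only values greater than one second are adjusted: below 32 free states the
    timeout is divided by 2, below 16 it is set to 1 second. Halving is done in
    whole seconds here (an assumption; the guide does not say how fractions round).
    """
    _, configured = validate_fragment_settings(timeout=configured)
    if free_states < 0:
        raise ValueError("free_states cannot be negative")
    if configured <= 1:
        return 1
    if free_states < 16:
        return 1
    if free_states < 32:
        return max(1, configured // 2)
    return configured


def timeout_profile(configured: int,
                    max_fragments: int = DEFAULT_MAX_FRAGMENTS) -> Dict[int, int]:
    """Effective timeout for each count of state structures in use, from none
    to all, so an operator can see where the adjustment starts.

    Assumption: the pool holds exactly max_fragments structures, so the free
    count is max_fragments minus the number in use.
    """
    validate_fragment_settings(max_fragments, configured)
    return {used: effective_timeout(configured, max_fragments - used)
            for used in range(max_fragments + 1)}
```

With the defaults (256 structures) and a configured timeout of 10 seconds, timeout_profile shows 10 seconds while at most 224 structures are in use, 5 seconds from 225 to 240, and 1 second from 241 onward; this is the practical meaning of the note that a large Maximum Fragments value trades memory for a stable timeout.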


Configure IMAP Dialog Box

Use the Configure IMAP dialog box to edit settings for Internet Message Access Protocol (IMAP) inspection (IOS). IMAP is a method for accessing electronic mail or bulletin board messages that are kept on a mail server that may be shared. It permits a client email program to access remote messages as though they were local.

Navigation Path

You can access the Configure IMAP dialog box from the Inspection Rules table. Select IMAP as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-37 Configure IMAP Dialog Box 

Element
Description

Reset Connection on Invalid IMAP packet

When selected, requires that the client/server communication repeat the validation process from the time the TCP connection is initialized until the client is authenticated.

Enforce Secure Authentication

When selected, allows you to download external IMAP email only if authentication methods are secure, which generates the secure-login command.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Configure POP3 Dialog Box

Use the Configure POP3 dialog box to edit settings for Post Office Protocol, Version 3 (POP3) inspection (IOS). POP3 is used to receive email that is stored on a mail server. Unlike IMAP, POP retrieves mail only from a remote host.

Navigation Path

You can access the Configure POP3 dialog box from the Inspection Rules table. Select POP3 as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-38 Configure POP3 Dialog Box 

Element
Description

Reset Connection on Invalid POP3 packet

When selected, requires that the client/server communication repeat the validation process from the time the TCP connection is initialized until the client is authenticated.

Enforce Secure Authentication

When selected, allows you to download external POP3 email only if authentication methods are secure, which generates the secure-login command.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Configure RPC Dialog Box

Use the Configure RPC dialog box to edit settings for RPC inspection (IOS). RPC inspection allows you to specify program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. All traffic for a specified program number is permitted; traffic for any program number that is not specified is blocked. For example, if you create an RPC entry with the NFS program number, all NFS traffic is allowed through the firewall.

Navigation Path

You can access the Configure RPC dialog box from the Inspection Rules table. Select RPC as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-39 Configure RPC Dialog Box 

Element
Description

Program Number

Specifies the program number to permit. Values are 1-4294967295.

Wait Time

Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. Values are 0-35791 minutes. Default is 0.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Configuring Protocol Platform Dialog Box

Use the Configure (Protocol Platform) dialog box to choose a policy object based on device type.

Navigation Path

You can access the Configure (Protocol Platform) dialog box from the Inspection Rules table. Select HTTP or IM as the protocol for inspection, then click Configure.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-40 Configuring Protocol Platform Dialog Box 

Element
Description

Platform radio buttons

Enables you to select the device type. You can then enter the information in the field provided, or click Select to open the appropriate Selector dialog box and make your selection there.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit Category Dialog Box

Use the Edit Category dialog box to edit a category entry in a table.

Navigation Path

Double-click the Category entry in the Inspection Rules table, or right-click the entry, then select Edit Category.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Understanding Category Objects, page 8-48

Field Reference

Table J-41 Edit Category Dialog Box 

Element
Description

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables.

Note No commands are generated for the category attribute.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit Description Dialog Box

Use the Edit Description dialog box to edit a user-defined description entry in a table.

Navigation Path

Double-click the Description entry in the Inspection Rules table, or right-click the entry, then select Edit Description.

Related Topics

Adding Inspection Rules, page 12-74

Editing Inspection Rules, page 12-83

Understanding Inspection Rules, page 12-72

Working with Inspection Rules, page 12-74

Field Reference

Table J-42 Edit Description Dialog Box 

Element
Description

Description

Enables you to enter a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


AAA Rules Page

Use the AAA Rules page to identify AAA rules defined in Security Manager. For more information, see Working with AAA Rules, page 12-89.

From the AAA Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks either from the shortcut menu, which you open by right-clicking a table cell, or with the buttons located below the table.

From the AAA Rules page, you can also generate reports to discover object groups that are being used and identify policies associated with a particular device.

Navigation Path

To access the AAA Rules page, do one of the following:

(Device view) Select a device, then select Firewall > AAA Rules from the Device selector.

(Policy view) Select Firewall > AAA Rules from the Policy selector.

Related Topics

Working with AAA Rules, page 12-89

Field Reference

Table J-43 AAA Rules Page 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

No.

Identifies the ordered rule number in the table.

Permit

Shows whether a rule permits or denies traffic based on the conditions set.

Permit—Shown as a green check mark.

Deny—Shown as a red circle with slash.

Source

Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-126.

Understanding Interface Role Objects, page 8-114.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destination

Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-126.

Understanding Interface Role Objects, page 8-114.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Service

Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding Service Objects, page 8-158.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-114.

For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Action

Identifies the AAA methods.

Authentication—indicates that the rule controls traffic based on who the user is.

Authorization—indicates that the rule controls traffic based on what the user is allowed to do.

Accounting—indicates that the rule controls traffic based on what the user did.

AuthProxy

Identifies the authentication proxy method used for IOS devices.

Server Group

Identifies the AAA server group.

Note The AAA server group must have at least one AAA server defined.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.

Note No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button

Provides a list of tools: generating reports such as rule analysis, combining rules in table sections, checking ACE hit counts, running policy queries, and starting the process of importing ACEs into Security Manager.

Combine Rules

Invokes a utility to combine rules in tables, thus improving performance and memory usage. See Combining Rules, page 12-11.

Query

Invokes a utility to run queries against existing rules in a rule table. Query results are displayed in a report. See Using Policy Query, page 12-37.

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Using Find and Replace, page 12-18.

Up button

Moves a rule up one row in the table.

Select a rule in the table to activate the appropriate buttons.

Down button

Moves a rule down one row in the table.

Select a rule in the table to activate the appropriate buttons.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Save button

Saves your changes to the server, but keeps them private.

Note To publish your changes, click the Submit icon on the toolbar.


Add and Edit AAA Rules Dialog Boxes

Use the Add and Edit AAA Rules dialog box to add and edit AAA rules.


Note The same dialog box is used for adding and editing AAA rules.


Navigation Path

To access the Add and Edit AAA Rules dialog boxes, do one of the following:

(Device view) Select a device, then select Firewall > AAA Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

(Policy view) Select Firewall > AAA Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.

Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Using Find and Replace, page 12-18

Field Reference

Table J-44 Add and Edit AAA Rules Dialog Boxes 

Element1
Description

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

An enabled rule is shown without hash marks.

A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

Authentication Action

When selected, indicates that the rule controls traffic based on who the user is.

Authorization Action (PIX/ASA/FWSM)

When selected, indicates that the rule controls traffic based on what the user is allowed to do.

Accounting Action (PIX/ASA/FWSM)

When selected, indicates that the rule controls traffic based on what the user did.

Action

Describes what should occur based on the conditions set.

Permit—Allows traffic.

Deny—Denies traffic.

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-126.

Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots. See Understanding Interface Role Objects, page 8-114.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-126.

Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots. See Understanding Interface Role Objects, page 8-114.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Services*

Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. See Understanding Service Objects, page 8-158.

Accepted formats are:

<protocol>, where protocol = 1-255 or a well-known protocol name (for example, tcp, udp, gre).

icmp/<icmp_message_type>, where icmp_message_type = 1-255 or a well-known ICMP message type name.

tcp | udp | tcp & udp/<port_number>, where port_number = 1-65535. The port number is the destination port; source ports are the default port range.

tcp | udp | tcp & udp/<PortListObject>, where PortListObject is the name of a port list object.

tcp | udp | tcp & udp/<port_number> | <PortListObject>/<port_number> | <PortListObject>. Using this format, you explicitly specify source ports outside of the default port range.

Freeform text that is the name of a service object.

Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.

Note Services are not applicable when filter except is selected from the PIX/ASA Web Filter Rule page.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

AAA Server Group (PIX,ASA,FWSM)

Identifies the AAA server group. See Understanding AAA Server Group Objects, page 8-16.

Enter the AAA Server Object in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Interface*

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-114.

For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.

Note No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

HTTP Traffic Type Applies to Authentication Proxy (IOS)

When selected, specifies HTTP to trigger the authentication proxy.

FTP Traffic Type Applies to Authentication Proxy (IOS)

When selected, specifies FTP to trigger the authentication proxy.

Telnet Traffic Type Applies to Authentication Proxy (IOS)

When selected, specifies Telnet to trigger the authentication proxy.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Edit Sources Dialog Box

Use the Edit Sources dialog box to edit a source entry in a table.

Navigation Path

Double-click the Source entry in the AAA Rules table, or right-click the entry, then select Edit Sources.

Related Topics

Working with AAA Rules, page 12-89

Field Reference

Table J-45 Edit Sources Dialog Box 

Element1
Description

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-126.

Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots. See Understanding Interface Role Objects, page 8-114.

Enter the source object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Note If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Show Source Contents Dialog Box

Use the Show Source Contents dialog box to display all source addresses. The list shows flattened values of all levels of a source address or Network Object and sorts the results in ascending order on the IP address, then descending order on the mask.

Navigation Path

To access the Show Source Contents dialog box, do one of the following:

Right-click the Source table cell of a rule in the AAA Rules table, then click Show Source Contents to display a list of all sources.

Select an entry (subfield) in the Source table cell of a rule in the AAA Rules table, then right-click and select Show <Source> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-46 Show Source Contents Dialog Box 

Element
Description

Source Contents

Lists networks and hosts first, followed by interface roles. You can also select a specific source (subfield) in the table, which opens a Show <subfield> dialog box.

From Policy view—displays global values.

From Device view—displays device-specific values.

From Map view—displays device-specific values.

Note If you entered 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Destinations Dialog Box

Use the Edit Destinations dialog box to edit a destination entry in a table.

Navigation Path

Double-click the Destination entry in the AAA Rules table, or right-click the entry, then select Edit Destinations.

Related Topics

Working with AAA Rules, page 12-89

Field Reference

Table J-47 Edit Destinations Dialog Box 

Element1
Description

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-126.

Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots. See Understanding Interface Role Objects, page 8-114.

Enter the destination object names, addresses, or interface roles in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Note If you identify an interface role as a destination, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Show Destination Contents Dialog Box

Use the Show Destination Contents dialog box to display all destination addresses. The list shows flattened values of all levels of a destination address or Network Object and sorts the results in ascending order on the IP address, then descending order on the mask.

Navigation Path

To access the Show Destination Contents dialog box, do one of the following:

Right-click the Destination table cell of a rule in the AAA Rules table, then click Show Destination Contents to display a list of all destinations.

Select an entry (subfield) in the Destination table cell of a rule in the AAA Rules table, then right-click and select Show <Destination> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-48 Show Destination Contents Dialog Box 

Element
Description

Destination Contents

Lists networks and hosts first, followed by interface roles. You can also select a specific destination (subfield) in the table, which opens a Show <subfield> dialog box.

From Policy view—displays global values.

From Device view—displays device-specific values.

From Map view—displays device-specific values.

Note If you entered 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.
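The following Python parser is an added example for this page, not Security Manager code. It accepts the Sources and Destinations formats listed in Tables J-44, J-45 and J-47 (host, a.b.c.d/e with a prefix length or a dotted mask, an address range that may span several subnets, and a network object name), maps a manually entered 0.0.0.0/0 to the predefined "any" object, rejects a discontiguous dotted mask, and produces the flattened listing that the Show Source Contents and Show Destination Contents dialogs display: ascending IP address, then descending mask. The NETWORK_OBJECTS catalog is a constructed stand-in for the Network/Host objects the product resolves; its names and members are not from the page.

```python
"""Parser for the host, subnet, range, dotted-mask and object-name formats
accepted in the Sources and Destinations fields (Tables J-44, J-45, J-47),
the mapping of 0.0.0.0/0 to the predefined "any" object, and the flattened,
sorted listing produced by the Show Source/Destination Contents dialogs
(ascending IP address, then descending mask). Added example for this guide
page; it is not Security Manager code. NETWORK_OBJECTS is a constructed
stand-in for the Network/Host objects the product would resolve.
"""
import ipaddress
import re
from typing import List

# Constructed sample Network/Host objects (names and members are not from the page).
NETWORK_OBJECTS = {
    "net10": ["10.0.0.0/8"],
    "dmz-servers": ["192.0.2.10", "192.0.2.20", "192.0.2.0/26"],
}

HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")
NAME_RE = re.compile(r"^[A-Za-z][\w.-]*$")

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _contiguous(mask: str) -> bool:
    """True for a mask such as 255.255.255.0; False for a discontiguous
    mask (255.0.255.0) or a wildcard-style hostmask (0.0.0.255)."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    return bits == ((0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF)


def parse_entry(text: str) -> List[ipaddress.IPv4Network]:
    """Expand one field entry into the networks it denotes; raise ValueError
    for anything the dialog would reject."""
    text = text.strip()
    if text == "0.0.0.0/0":
        return [ANY]                      # the dialog maps this to the predefined "any" object
    m = RANGE_RE.match(text)
    if m:                                 # a.b.c.d-e.f.g.h: may span several subnets
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start is after range end: {text}")
        return list(ipaddress.summarize_address_range(lo, hi))
    if "/" in text:                       # a.b.c.d/e with e = 1-32 or e = x.x.x.x
        addr, mask = text.split("/", 1)
        if mask.isdigit():
            if not 1 <= int(mask) <= 32:
                raise ValueError(f"prefix length must be 1-32: {text}")
        elif not _contiguous(mask):
            raise ValueError(f"discontiguous mask is not accepted: {text}")
        # strict=False: 10.1.1.1/24 denotes the subnet that contains the host
        return [ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)]
    if HOST_RE.match(text):               # a.b.c.d: a single host
        return [ipaddress.IPv4Network(f"{text}/32")]
    if NAME_RE.match(text):               # freeform text: a network object name
        if text not in NETWORK_OBJECTS:
            raise ValueError(f"unknown network object: {text}")
        return [n for member in NETWORK_OBJECTS[text] for n in parse_entry(member)]
    raise ValueError(f"unrecognized address entry: {text}")


def parse_field(field_text: str) -> List[ipaddress.IPv4Network]:
    """Parse a comma-separated Sources or Destinations field."""
    return [n for part in field_text.split(",") if part.strip() for n in parse_entry(part)]


def is_any(field_text: str) -> bool:
    """True when the field resolves to the predefined "any" object."""
    return ANY in parse_field(field_text)


def show_contents(field_text: str) -> List[str]:
    """Flattened listing in Show Source/Destination Contents order:
    ascending IP address, then descending mask (longer prefix first)."""
    nets = sorted(set(parse_field(field_text)),
                  key=lambda n: (int(n.network_address), -n.prefixlen))
    return [str(n) for n in nets]


if __name__ == "__main__":
    print(show_contents("dmz-servers, 10.1.1.250-10.1.2.5, net10"))
```

Two points worth checking with it: a range such as 10.1.1.250-10.1.2.5 flattens into four separate subnets, which is what the Show Contents listing will show for it, and a dotted mask that is not contiguous is rejected up front rather than silently widened.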


Edit Service Dialog Box

Use the Edit Service dialog box to edit protocols and ports.

Navigation Path

Double-click the Service entry in the AAA Rules table, or right-click the entry, then select Edit Services.

Related Topics

Working with AAA Rules, page 12-89

Field Reference

Table J-49 Edit Service Dialog Box 

Element1
Description

Services*

Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. See Understanding Service Objects, page 8-158.

Accepted formats are:

<protocol>, where protocol = 1-255 or a well-known protocol name (for example, tcp, udp, gre).

icmp/<icmp_message_type>, where icmp_message_type = 1-255 or a well-known ICMP message type name.

tcp | udp | tcp & udp/<port_number>, where port_number = 1-65535. The port number is the destination port; source ports are the default port range.

tcp | udp | tcp & udp/<PortListObject>, where PortListObject is the name of a port list object.

tcp | udp | tcp & udp/<port_number> | <PortListObject>/<port_number> | <PortListObject>. Using this format, you explicitly specify source ports outside of the default port range.

Freeform text that is the name of a service object.

Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Show Service Contents Dialog Box

Use the Show Service Contents dialog box to display all services and port information. The list shows flattened values of all levels of the Service and Port List objects and sorts the results on: protocol, destination port, and source port.

Navigation Path

To access the Show Service Contents dialog box, do one of the following:

Right-click the Service table cell of a rule in the AAA Rules table, then click Show Service Contents to display a list of all services.

Select an entry (subfield) in the Service table cell of a rule in the AAA Rules table, then right-click and select Show <Service> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Service Objects, page 8-158

Field Reference

Table J-50 Show Service Dialog Box 

Element
Description

Service Contents

From Policy view—displays global protocol and port values.

From Device view—displays device-specific protocol and port values.

From Map view—displays device-specific protocol and port values.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.
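The following Python parser is an added example for this page, not Security Manager code. It accepts the Services formats listed in Tables J-44 and J-49 (a protocol number or name, icmp/<type>, tcp, udp or tcp & udp with a destination port or port list object, the three-part form with explicit source ports, and a service object name), shows how a manually entered "TCP / 80" translates to the predefined HTTP object, and produces the listing that the Show Service Contents dialog displays, sorted on protocol, destination port, then source port. Assumptions: the three-part form is read as protocol/source/destination, the default source port range is taken to be 1-65535, and the port list, service object and predefined object catalogs (other than HTTP = tcp/80) and the ICMP type names are constructed stand-ins.

```python
"""Parser for the service formats accepted by the AAA rule dialogs
(Tables J-44 and J-49), the translation of a manually typed service such
as "TCP / 80" to its predefined object (HTTP), and the ordering used by the
Show Service Contents dialog (protocol, destination port, source port).

Added example for this guide page, not Security Manager code. The object
catalogs (other than HTTP = tcp/80), the ICMP type names, the reading of
proto/a/b as proto/source/destination, and the default source port range
of 1-65535 are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]

DEFAULT_SOURCE_PORTS: PortRange = (1, 65535)      # assumed "default port range"

PROTOCOL_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
ICMP_TYPES = {"unreachable": 3, "redirect": 5, "echo": 8, "time-exceeded": 11}

# Constructed stand-ins for objects the real product would resolve.
PORT_LISTS: Dict[str, List[PortRange]] = {"WEB-PORTS": [(80, 80), (443, 443), (8080, 8080)]}
SERVICE_OBJECTS: Dict[str, List[str]] = {"MAIL": ["tcp/25", "tcp/110", "tcp/143"]}
PREDEFINED: Dict[str, str] = {"HTTP": "tcp/80", "HTTPS": "tcp/443", "SSH": "tcp/22", "DNS": "udp/53"}


@dataclass(frozen=True, order=True)
class Service:
    """One flattened service. Field order doubles as the sort key used by
    Show Service Contents: protocol, destination port, source port."""
    protocol: int
    dst: PortRange = (0, 0)
    src: PortRange = (0, 0)
    icmp_type: int = 0


def _ports(token: str) -> List[PortRange]:
    """A single port (1-65535) or the name of a port list object."""
    if token.isdigit():
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {token}")
        return [(port, port)]
    if token in PORT_LISTS:
        return PORT_LISTS[token]
    raise ValueError(f"not a port or port list object: {token}")


def parse_service(text: str) -> List[Service]:
    """Expand one service entry into its flattened Service values."""
    text = text.strip()
    if text in SERVICE_OBJECTS:                      # freeform service object name
        return [s for spec in SERVICE_OBJECTS[text] for s in parse_service(spec)]
    if text in PREDEFINED:
        return parse_service(PREDEFINED[text])
    parts = [p.strip() for p in text.split("/")]
    proto = parts[0].lower().replace(" ", "")        # "TCP & UDP" -> "tcp&udp"
    if len(parts) == 1:                              # <protocol>: number or name
        number = int(proto) if proto.isdigit() else PROTOCOL_NUMBERS.get(proto, 0)
        if not 1 <= number <= 255:
            raise ValueError(f"unknown protocol: {text}")
        return [Service(number)]
    if proto == "icmp" and len(parts) == 2:          # icmp/<message type>
        t = parts[1].lower()
        itype = int(t) if t.isdigit() else ICMP_TYPES.get(t, 0)
        if not 1 <= itype <= 255:                    # range as given in the dialog help
            raise ValueError(f"unknown icmp message type: {text}")
        return [Service(1, icmp_type=itype)]
    protos = proto.split("&")
    if any(p not in ("tcp", "udp") for p in protos):
        raise ValueError(f"ports are only valid with tcp, udp or tcp&udp: {text}")
    if len(parts) == 2:                              # proto/<dst>: source = default range
        srcs, dsts = [DEFAULT_SOURCE_PORTS], _ports(parts[1])
    elif len(parts) == 3:                            # proto/<src>/<dst>: explicit source ports
        srcs, dsts = _ports(parts[1]), _ports(parts[2])
    else:
        raise ValueError(f"unrecognized service entry: {text}")
    return [Service(PROTOCOL_NUMBERS[p], d, s) for p in protos for d in dsts for s in srcs]


def _fmt(r: PortRange) -> str:
    return str(r[0]) if r[0] == r[1] else f"{r[0]}-{r[1]}"


def canonical(svc: Service) -> str:
    """Display text: the predefined object name when the entry translates
    to one (TCP / 80 -> HTTP), otherwise protocol/port notation."""
    for name, spec in PREDEFINED.items():
        if parse_service(spec) == [svc]:
            return name
    proto = next((n for n, v in PROTOCOL_NUMBERS.items() if v == svc.protocol), str(svc.protocol))
    if svc.icmp_type:
        return f"icmp/{svc.icmp_type}"
    if svc.dst == (0, 0):
        return proto
    if svc.src == DEFAULT_SOURCE_PORTS:
        return f"{proto}/{_fmt(svc.dst)}"
    return f"{proto}/{_fmt(svc.src)}/{_fmt(svc.dst)}"


def show_service_contents(field_text: str) -> List[str]:
    """Flatten a comma-separated Services field and sort it the way Show
    Service Contents does: protocol, then destination port, then source port."""
    services = [s for part in field_text.split(",") if part.strip() for s in parse_service(part)]
    return [canonical(s) for s in sorted(set(services))]


if __name__ == "__main__":
    print(show_service_contents("MAIL, udp/53, TCP / 80, tcp&udp/WEB-PORTS"))
```

Because the Service dataclass is ordered on (protocol, destination, source), the sort the dialog describes comes for free, and identical entries reached through different objects collapse to one line in the listing.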


Edit Interfaces Dialog Box

Use the Edit Interfaces dialog box to edit an interface entry in a table.

Navigation Path

Double-click the entry in the AAA Rules table, or right-click the entry, then select Edit Interfaces.

Related Topics

Working with AAA Rules, page 12-89

Field Reference

Table J-51 Edit Interfaces Dialog Box 

Element1
Description

Interfaces*

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-114.

For example:

All DMZs

All Fast Ethernets

All Interfaces

FastEthernet0

Enter the interface in the field provided or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.


Show Interface Contents Dialog Box

Use the Show Interface Contents dialog box to display each role type as a separate listing in the table if you are working from Policy view, or display actual interface names if you are working from Device view.

The list shows flattened values of all levels of an address, network object, or interface role and sorts the results in ascending order on the IP address, then descending order on the mask.

You can display a list of all interfaces by clicking on a table cell or specific entry (subfield) within the table cell, then clicking either Show Interface Contents (for a table cell) or Show <Interface> Contents (for a subfield) from the shortcut menu.

Navigation Path

To access the Show Interface Contents dialog box, do one of the following:

Right-click the Interface table cell of a rule in the AAA Rules table, then click Show Interface Contents.

Select an entry (subfield) in the Interface table cell of a rule in the AAA Rules table, then right-click and select Show <Interface> Contents.

Related Topics

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding Interface Role Objects, page 8-114

Field Reference

Table J-52 Show Interface Contents Dialog Box 

Element
Description

Interface Contents

From Policy view—displays each role type as a separate listing in the table.

From Device view—displays actual interface names.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit AAA Option Dialog Box

Use the Edit AAA Option dialog box to edit the method for access entry.

Navigation Path

To access the Edit AAA Option dialog box, do one of the following:

(Device view) Select a device, then select Firewall > AAA Rules from the Device selector. Right-click the entry in the Action column of the AAA Rules table, then click Edit AAA.

(Policy view) Select Firewall > AAA Rules from the Policy selector. Right-click the entry in the Action column of the AAA Rules table, then click Edit AAA.

Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Field Reference

Table J-53 Edit AAA Option Dialog Box 

Element
Description

Authentication

When selected, indicates that the rule controls traffic based on who the user is. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption. Authentication is the way a user is identified prior to being allowed access to the network and network services.

Authorization (PIX/ASA)

When selected, indicates that the rule controls traffic based on what the user is allowed to do. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP and Telnet. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform.

Accounting (PIX/ASA)

When selected, indicates that the rule controls traffic based on what the user did. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


AuthProxy Dialog Box

Use the AuthProxy dialog box to edit an IOS traffic type entry in a table.

Navigation Path

To access the AuthProxy dialog box, right-click the entry in the AuthProxy column of the AAA Rules table, then click Edit AuthProxy.

Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Field Reference

Table J-54 AuthProxy Dialog Box 

Element
Description

HTTP

Specifies HTTP to trigger the authentication proxy.

FTP

Specifies FTP to trigger the authentication proxy.

Telnet

Specifies Telnet to trigger the authentication proxy.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit AAA Server Group Dialog Box

Use the Edit AAA Server Group dialog box to edit a server group entry in a table.

Navigation Path

To access the Edit AAA Server Group dialog box, right-click the entry in the Server Group column of the AAA Rules table, then click Edit Server Group.

Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Understanding AAA Server Group Objects, page 8-16

Field Reference

Table J-55 Edit AAA Server Group Dialog Box 

Element
Description

AAA Server Group

Identifies the AAA Server Group.

Enter the AAA Server Object in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit Category Dialog Box

Use the Edit Category dialog box to edit a category entry in a table.

Navigation Path

Double-click the Category entry in the AAA Rules table, or right-click the entry, then select Edit Category.

Related Topics

Editing AAA Rules, page 12-94

Adding AAA Rules, page 12-91

Working with AAA Rules, page 12-89

Understanding Category Objects, page 8-48

Field Reference

Table J-56 Edit Category Dialog Box 

Element
Description

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables.

Note No commands are generated for the category attribute.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Edit Description Dialog Box

Use the Edit Description dialog box to edit a user-defined description entry in a table.

Navigation Path

Double-click the Description entry in the AAA Rules table, or right-click the entry, then select Edit Description.

Related Topics

Adding AAA Rules, page 12-91

Editing AAA Rules, page 12-94

Working with AAA Rules, page 12-89

Field Reference

Table J-57 Edit Description Dialog Box 

Element
Description

Description

Enables you to enter a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.


Web Filter Rules Page (PIX/ASA)

Use the Web Filter Rules page to identify web filter rules defined in Security Manager for PIX and ASA devices.

From the Web Filter Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.

Navigation Path

To access the Web Filter Rules page for PIX/ASA devices, do one of the following:

(Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector.

(Policy view) Select Firewall > Web Filter Rules from the Policy selector.

Related Topics

Understanding Web Filter Rules, page 12-101

Field Reference

Table J-58 Web Filter Rules Page (PIX/ASA) 

Element
Description

Filter

Filters the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-24.

No.

Identifies the ordered rule number in the table.

Source

Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-126.

Understanding Interface Role Objects, page 8-114.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destination

Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:

Understanding Network/Host Objects, page 8-126.

Understanding Interface Role Objects, page 8-114.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Service

Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding Service Objects, page 8-158.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Type

Displays filtering parameters.

Options

Displays additional configuration options for the selected protocol.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.

Note No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button

Provides you with a list of tools for generating various reports, such as rule analysis, the ability to combine rules in table sections, checking ACE hit count, and performing policy queries, and initializes the process for importing ACEs into Security Manager.

Note Currently this feature supports only the Query tool for web filter rules.

Query

Invokes a utility to run queries against existing rules in a rule table. Query results are displayed in a report. See Using Policy Query, page 12-37.

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Using Find and Replace, page 12-18.

Up button

Moves a rule up one row in the table.

Select a rule in the table to activate the appropriate buttons.

Down button

Moves a rule down one row in the table.

Select a rule in the table to activate the appropriate buttons.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Save button

Saves your changes to the server, but keeps them private.

Note To publish your changes, click the Submit icon on the toolbar.


Add and Edit PIX/FWSM/ASA Rules Dialog Boxes

Use the Add and Edit PIX/FWSM/ASA Rules dialog boxes to set values for Web Filter Rules for those platforms.

Navigation Path

To access the PIX/FWSM/ASA Rules dialog box, do one of the following:

(Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector. Right-click inside the work area, then click Add Row or right-click a rule, then click Edit Row.

(Policy view) Select Firewall > Web Filter Rules from the Policy selector. Right-click inside the work area, then click Add Row or right-click a rule, then click Edit Row.

Related Topics

Adding Web Filter Rules (PIX/ASA), page 12-103

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Field Reference

Table J-59 Add and Edit PIX/FWSM/ASA Web Filter Rule Dialog Boxes 

Element1
Description

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

An enabled rule is shown without hash marks.

A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

Filtering

Lists options for handling filtering:

Filter—Limits traffic to particular sites and limits traffic between two entities.

Filter Except—Exempts specific traffic from filtering.

Note Filter except rules are recognized before filter rules.

Type

Describes what should be filtered.

URL—HTTP filtering using an external filtering server, such as Websense or N2H2.

HTTPS—Supported on Websense filtering servers only.

Java—Supported on Websense and N2H2 servers.

ActiveX—Supported on Websense and N2H2 servers.

FTP—Supported on Websense filtering servers only.

Sources*

Identifies the source object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-126.

Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Note If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Destinations*

Identifies the destination object names or addresses of hosts and networks. Multiple entries are separated by commas. See Understanding Network/Host Objects, page 8-126.

Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a destination. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Note If you identify an interface role as a destination, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Services*

Identifies service objects that specify protocol and port information. Multiple entries are separated by commas. See Understanding Service Objects, page 8-158.

Accepted formats are:

<protocol> where protocol = 1-255 or a well-known protocol string, for example tcp, udp, or gre.

icmp/<icmp_message_type> where icmp_message_type = 1-255 or a well-known icmp message type name.

tcp | udp | tcp & udp/<port_number>, where port_number = 1-65535. The port number is for destination ports; source ports = default port range.

tcp | udp | tcp & udp / <PortListObject>, where PortListObject is a named port list object.

tcp | udp | tcp & udp / <port_number> | PortListObject / <port_number> | PortListObject. Using this format, you explicitly specify source ports outside of the default port range (source ports first, then destination ports).

Freeform text that is the name of a service object.

Enter the service in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create a service object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Note The Services field is not applicable when Filter Except is selected.

Allow traffic if URL Filter Server unavailable

When selected, permits outbound connections to pass through the security appliance without filtering if the server is unavailable.

If you omit this option and if the N2H2 or Websense server goes offline, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back online.

Block connection to HTTP Proxy Server

When selected, prevents users from connecting to an HTTP proxy server.

Truncate CGI request by removing CGI parameters

When selected, truncates CGI URLs to include only the CGI script location and the script name without any parameters. When a URL has a parameter list starting with a question mark (?), the URL sent to the filtering server is truncated by removing all characters after and including the question mark.

Long URL

Lists options for handling long URLs:

Drop—Drops the packet if a URL exceeds the maximum permitted size (default). To avoid this, you can set the security appliance to truncate long URLs instead.

Truncate—Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.

Deny—Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.

Note Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.

Category

Provides an intermediate level of detail to objects and rules by use of color-coding. Color-coding helps you readily identify objects and rules when you are viewing policy tables. See Understanding Category Objects, page 8-48.

Note No commands are generated for the category attribute.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.
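The Filtering, Allow-if-unavailable, CGI-truncation and Long URL options in the table above interact when the appliance decides what to do with a request. The following added example, which is not Security Manager or security appliance code, models those decisions in Python against a constructed sample policy; the WebFilterRule class, the action names and the sample addresses and URLs are assumptions, while the precedence, the "?" truncation, the Drop/Truncate/Deny handling and the 4 KB / 1159-byte limits follow the field descriptions.

```python
"""Model of how a PIX/ASA web filter rule with the options in Table J-59 treats
a request. Added example, not Security Manager or ASA code: the WebFilterRule
class, the action names and the sample rules and URLs are constructed for
illustration; the behaviours (Filter Except before Filter, CGI truncation at
"?", Drop/Truncate/Deny for long URLs, the 4 KB Websense and 1159-byte N2H2
limits, fail-open only when "Allow traffic if URL Filter Server unavailable"
is set) follow the field descriptions on this page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

URL_LIMIT = {"websense": 4096, "n2h2": 1159}   # longest URL each server accepts


@dataclass
class WebFilterRule:
    filtering: str              # "filter" or "filter except"
    sources: str                # CIDR, or "any" (what 0.0.0.0/0 becomes)
    destinations: str
    allow_if_server_unavailable: bool = False
    truncate_cgi: bool = False
    long_url: str = "drop"      # "drop" (default), "truncate" or "deny"

    def matches(self, src: str, dst: str) -> bool:
        def hit(addr, net):
            return net == "any" or ip_address(addr) in ip_network(net, strict=False)
        return hit(src, self.sources) and hit(dst, self.destinations)


def select_rule(rules, src, dst):
    """Filter Except rules are recognized before Filter rules."""
    ordered = [r for r in rules if r.filtering == "filter except"]
    ordered += [r for r in rules if r.filtering == "filter"]
    return next((r for r in ordered if r.matches(src, dst)), None)


def decide(rules, src, dst, url, server, server_online=True):
    """Return (action, url_sent_to_filter_server).

    action: "pass" (not filtered), "lookup" (ask the server), "drop", "deny"
    or "blocked" (server offline and fail-open not allowed).
    """
    rule = select_rule(rules, src, dst)
    if rule is None or rule.filtering == "filter except":
        return "pass", None
    if not server_online:
        # Without the option, outbound port 80 traffic stops until the
        # filtering server is back online.
        return ("pass" if rule.allow_if_server_unavailable else "blocked"), None
    if rule.truncate_cgi and "?" in url:
        url = url[: url.index("?")]            # strip "?" and everything after it
    if len(url.encode()) > URL_LIMIT[server]:
        if rule.long_url == "drop":
            return "drop", None
        if rule.long_url == "deny":
            return "deny", None
        return "lookup", urlsplit(url).hostname   # truncate: hostname/IP only
    return "lookup", url


# Constructed sample policy: filter all web traffic from 10.1.0.0/16, but
# exempt the 10.1.5.0/24 subnet; hand long URLs to the server truncated.
SAMPLE_RULES = [
    WebFilterRule("filter", "10.1.0.0/16", "any", truncate_cgi=True,
                  long_url="truncate"),
    WebFilterRule("filter except", "10.1.5.0/24", "any"),
]

if __name__ == "__main__":
    print(decide(SAMPLE_RULES, "10.1.9.7", "203.0.113.10",
                 "http://example.com/cgi-bin/search?q=x", "websense"))
```

Note that the "blocked" outcome is the safe default: leaving "Allow traffic if URL Filter Server unavailable" unset fails closed when the filtering server is offline.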


Edit Sources Dialog Box

Use the Edit Sources dialog box to edit a source entry in a table.

Navigation Path

Double-click the Source entry in the Web Filter Rules table, or right-click the entry, then select Edit Sources.

Related Topics

Adding Web Filter Rules (PIX/ASA), page 12-103

Editing Web Filter Rules (PIX/ASA), page 12-106

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-60 Edit Sources Dialog Box 

Element1
Description

Sources*

Identifies the network object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

a.b.c.d where a,b,c,d = 0-255 (host)

a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

a.b.c.d/e where e = subnet in x.x.x.x format**

Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-128.

Interface roles can also be used to identify a source. When used, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that are DHCP addressed, where you cannot know the address that will be used when creating the policies because the address is dynamically assigned when the device boots.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Note If you identify an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

OK button

Saves your changes locally on the client and closes the dialog box.

Note To save your changes to the server so that they are not lost when you log out or close your client, click Save on the source page.

1 An asterisk indicates that the field is required.
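The address formats listed for Sources and Destinations in Table J-59 and for Sources in Table J-60, and the service formats listed under Services in Table J-59, can be checked before they are typed into the field. The following added parser is not Security Manager code; its function, class and table names are assumptions, it accepts only contiguous dotted masks, and it applies the 0.0.0.0/0 to "any" rule and the TCP / 80 to HTTP mapping described in those tables.

```python
"""Parsers for the address and service strings accepted by the Sources,
Destinations and Services fields (Tables J-59 and J-60). Added example, not
Security Manager code: the Service class, the small protocol and predefined
service tables, and the helper names are constructed for illustration; the
accepted formats, the 0.0.0.0/0 -> "any" rule and the "TCP / 80" -> HTTP rule
follow the field descriptions on this page.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed subsets; the page itself names only tcp, udp, gre and HTTP.
WELL_KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "gre", "esp", "ah"}
PREDEFINED_SERVICES = {("tcp", "80"): "HTTP", ("tcp", "443"): "HTTPS"}
PORTED_PROTOCOLS = {"tcp", "udp", "tcp&udp"}
DOTTED = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_address(text: str) -> tuple:
    # Returns (kind, value); kind is "any", "host", "subnet", "range" or "object".
    text = text.strip()
    if text == "0.0.0.0/0":                      # matches the "any" object
        return "any", IPv4Network("0.0.0.0/0")
    if m := re.fullmatch(rf"({DOTTED})-({DOTTED})", text):   # a.b.c.d-e.f.g.h
        lo, hi = IPv4Address(m.group(1)), IPv4Address(m.group(2))
        if hi < lo:
            raise ValueError(f"range end precedes start: {text}")
        return "range", (lo, hi)                 # ranges may span subnets
    if "/" in text:                              # /e (1-32) or /x.x.x.x mask
        net = IPv4Network(text, strict=False)    # contiguous dotted masks only
        if net.prefixlen == 0:
            raise ValueError(f"/0 is only valid as 0.0.0.0/0: {text}")
        return "subnet", net
    if re.fullmatch(DOTTED, text):               # bare host address
        return "host", IPv4Network(text + "/32")
    if re.fullmatch(r"[A-Za-z_][\w.-]*", text):  # freeform network object name
        return "object", text
    raise ValueError(f"unrecognised address: {text}")


def is_valid_address(text: str) -> bool:
    try:
        parse_address(text)
        return True
    except ValueError:
        return False


@dataclass
class Service:
    kind: str                         # "protocol", "icmp", "ports" or "object"
    protocol: Optional[str] = None
    dst_ports: Optional[str] = None   # port number or PortListObject name
    src_ports: Optional[str] = None   # None: default source port range
    icmp_type: Optional[str] = None
    predefined: Optional[str] = None  # predefined object the entry maps to


def _port(text: str) -> str:
    if text.isdigit() and not 1 <= int(text) <= 65535:
        raise ValueError(f"port out of range: {text}")
    return text                       # a number or a PortListObject name


def parse_service(text: str) -> Service:
    parts = [p.strip().lower() for p in text.split("/")]
    proto = parts[0].replace(" ", "")  # "tcp & udp" -> "tcp&udp"
    if len(parts) == 1:                # <protocol> or a service object name
        if proto.isdigit() and not 1 <= int(proto) <= 255:
            raise ValueError(f"protocol number out of range: {text}")
        if proto.isdigit() or proto in WELL_KNOWN_PROTOCOLS:
            return Service("protocol", proto)
        return Service("object", text.strip())
    if proto == "icmp" and len(parts) == 2:      # icmp/<icmp_message_type>
        return Service("icmp", "icmp", icmp_type=parts[1])
    if proto in PORTED_PROTOCOLS and len(parts) in (2, 3):
        src, dst = (None, parts[1]) if len(parts) == 2 else (parts[1], parts[2])
        svc = Service("ports", proto, _port(dst), _port(src) if src else None)
        if src is None:                # "TCP / 80" becomes the HTTP object
            svc.predefined = PREDEFINED_SERVICES.get((proto, dst))
        return svc
    raise ValueError(f"unrecognised service: {text}")
```

Discontiguous masks, which the page refers to Contiguous and Discontiguous Network Masks for, are rejected by this parser because Python's ipaddress module does not represent them.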


Show Source Contents Dialog Box

Use the Show Source Contents dialog box to display all source addresses. The list shows flattened values of all levels of a source address or Network Object and sorts the results in ascending order on the IP address, then descending order on the mask.

You can display a list of all sources by clicking on a table cell or specific entry (subfield) within the table cell, then clicking either Show Source Contents (for a table cell) or Show <Source> Contents (for a subfield) from the shortcut menu.

Navigation Path

To access the Show Source Contents dialog box, do one of the following:

Right-click the Source table cell of a rule in the Web Filter Rules table, then click Show Source Contents to display a list of all sources.

Select an entry (subfield) in the Source table cell of a rule in the Web Filter Rules table, then right-click and select Show <Source> Contents.

Related Topics

Adding Web Filter Rules (PIX/ASA), page 12-103

Editing Web Filter Rules (PIX/ASA), page 12-106

Understanding Web Filter Rules, page 12-101

Working with Web Filter Rules, page 12-101

Understanding Network/Host Objects, page 8-126

Field Reference

Table J-61 Show Source Contents Dialog Box 

Element
Description

Source Contents

From Policy view—displays global values.

From Device view—displays device-specific values.

From Map view—displays device-specific values.

Note If you entered 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Close button

Closes the dialog box without saving your changes.

Help button

Opens help for this page.


Edit Destinations Dialog Box

Use the Edit Destinations dialog box to edit a destination entry in a table.

Navigation Path

Double-click the Destination entry in the Web Filter Rules table, or right-click the entry, then select Edit Destinations.

Related Topics

Adding Web Filter Rules (PIX/ASA), page 12-103

Editing Web Filter Rules (PIX/ASA), page 12-106

Understanding Web Filter Rules, page 12-101

Understanding Network/Host Objects, page 8-126