User Guide for Cisco Security Manager 3.2.2 - Managing Firewall Services [Cisco Security Manager]

Table Of Contents

Managing Firewall Services

Managing Your Rules Tables

Using Rule Expiration

Using Analysis

Generating Analysis Reports

Combining Rules

Combined Rules Criteria Notes

Defining Combined Rules Criteria

Understanding Combined Rules Summary Results

Using Find and Replace

Find and Replace Notes

How Regular Expressions are Supported in Find and Replace

Defining Find and Replace Criteria

Using Hit Count

Generating Hit Count Reports

Understanding Hit Count Results

Changing How Hit Count Results Are Displayed

Importing Rules

Notes

Extended Access List: Example 1

Extended Access List: Example 2

Standard Access List: Example

How to Import Rules

Using Policy Query

Generating Policy Query Reports

Understanding Policy Query Results

Understanding Rule Table Sections

Notes About Rule Table Sections

Adding Rule Table Sections

Adding Rules to an Existing Table Section

Removing Rules from an Existing Table Section

Editing a Rule Table Section

Removing a Rule Table Section

Optimizing ACLs in Rules

Notes about ACL Optimization

Caveats To ACL Optimization

Optimizing Policy Objects in Rules

Notes about Policy Object Optimization

Expanding Object Groups During Discovery

Understanding Access Rules

How Access Rules Are Recognized on Devices

Notes About Access Rules

Working with Access Rules

Logging Events for an ACE

Adding Access Rules

Editing Access Rules

Enabling and Disabling Access Rules

Cutting, Copying, and Pasting Access Rules

Moving Access Rules Up and Down

Deleting Access Rules

Understanding Inspection Rules

Working with Inspection Rules

Adding Inspection Rules

Configuring Default Protocol Ports

Configuring Custom Destination Ports

Configuring Destination Address and Port (IOS)

Configuring Source and Destination Address and Port (ASA, FWSM 3.x)

Editing Inspection Rules

Enabling and Disabling Inspection Rules

Cutting, Copying, and Pasting Inspection Rules

Moving Inspection Rules Up and Down

Deleting Inspection Rules

Working with AAA Rules

Adding AAA Rules

Editing AAA Rules

Enabling and Disabling AAA Rules

Cutting, Copying, and Pasting AAA Rules

Moving AAA Rules Up and Down

Deleting AAA Rules

Understanding Web Filter Rules

Working with Web Filter Rules

Adding Web Filter Rules (PIX/ASA)

Editing Web Filter Rules (PIX/ASA)

Enabling and Disabling Web Filter Rules (PIX/ASA)

Cutting, Copying, and Pasting Web Filter Rules (PIX/ASA)

Moving Web Filter Rules Up and Down (PIX/ASA)

Deleting Web Filter Rules (PIX/ASA)

Adding Web Filter Rules (IOS)

Editing Web Filter Rules (IOS)

Deleting Web Filter Rules (IOS)

Adding Exclusive Domains (IOS)

Editing Exclusive Domains (IOS)

Deleting Exclusive Domains (IOS)

Working with Transparent Firewall Rules

Adding Transparent Rules

Editing Transparent Rules

Enabling and Disabling Transparent Rules

Cutting, Copying, and Pasting Transparent Rules

Moving Transparent Rules Up and Down

Deleting Transparent Rules

Understanding Firewall Settings

Understanding Settings for Access Controls

Object Group Search

Per User Downloadable ACLs

Access List Compilation

Configuring Settings for Access Control

Configuring Firewall ACL Settings

Configuring Settings for Inspection Rules

Supported Features for Inspection

Configuring Settings for AAA

Configuring Settings for AAA Firewall (PIX/ASA/FWSM)

Understanding MAC Exempt Address Lists

Configuring Settings for AAA (IOS)

Configuring Settings for Web Filter Servers

Adding Settings for Web Filter Server Configuration

Editing Settings for Web Filter Server Configuration

Deleting Settings for Web Filter Server Configuration

Managing Firewall Services

Firewall Services manages firewall-related policies in Security Manager that apply to the adaptive security appliance (ASA), PIX Firewall (PIX), Firewall Services Module (FWSM) installed in a Catalyst 6500 Series or Cisco 7600 Router Series devices, and security routers running Cisco IOS (IOS).

Each firewall policy comprises a collection of rules. The rules are loaded into rules tables incrementally, allowing you to scroll and view a partial rule set before the entire rule set is in memory. After rules are loaded the first time, they are retained in cache memory, so subsequent viewing of the rules tables is instantaneous. Cache memory is automatically cleared after an activity is approved or discarded, if a device is rediscovered, or when a policy is copied from another device. While rules are being loaded into tables, the action buttons on the page are grayed out until loading is complete; however, you can still make changes to the rules in the table during this process.

You can define firewall policies from "Device view," which enables you to configure local service policies on individual firewall devices and security appliances. You can then share these local policies with other devices. You can also define firewall policies from "Policy view," which enables you to define a general policy to assign to a set of devices or all devices. Policy view enables you to manage shared policies at the system level. For more information, see Chapter 7, "Managing Policies".

Firewall Services provides a uniform design for displaying firewall policy information for all supported platforms. This design is represented in the form of rules tables that are shown in the main work area. The options listed in the Firewall selector are based on the type of device for which rules are being created.

Security Manager manages the following types of policies under Firewall Services:

•Firewall rules—Permit or deny a packet based on source address, destination address, source interface, and service. For more information, see Working with Access Rules.

•Inspection rules—Support routers running IOS, PIX Firewalls 7.x, and fixup commands on adaptive security appliances (ASAs) and Firewall Services Modules (FWSMs) 3.x. For more information, see Working with Inspection Rules.

•AAA rules—Control authentication, authorization, or accounting for traffic. For more information, see Working with AAA Rules.

•Web filter rules—Specify filter URLs using a filtering server such as Websense. For more information, see Working with Web Filter Rules.

•Transparent rules—EtherType rules used to configure non-IP related traffic policies through the firewall appliance when operating in transparent mode. In transparent mode, you can apply extended and EtherType access rules to an interface. For more information, see Working with Transparent Firewall Rules.

In addition to understanding the types of firewall policies that Security Manager supports, you need to understand the concept of policy inheritance. Inheritance refers to the capability of Security Manager to enforce hierarchical lists of first-match, rule-based policies such as access rules. Within the hierarchy, policies at a lower level in the hierarchy (called child policies) extend or override the properties of the policies that are directly above them in the hierarchy (called parent policies). Firewall policies can be inherited by a parent policy. Settings-based policies do not recognize inheritance, but settings-based policies can be shared and assigned to other devices. For more information, see the following:

•Understanding Rule Inheritance, page 7-4

•Working with Shared Policies in Device View, page 7-24.

To better understand the difference between policy inheritance and policy assignment, see Inheritance vs. Assignment, page 7-6.

It is important to understand how Security Manager recognizes names for access control lists. During deployment, the ACL names can be automatically generated by Security Manager or preserved as defined by users. For more information, see:

•How ACL Names Are Generated, page 9-28

•Preserving User-Defined ACL Names, page 9-26

•Identifying Original ACL Names, page 9-29

•Naming Conflicts and Resolutions, page 9-30

•Notes on ACL Naming, page 9-30

Firewall policies have the following properties:

•A policy assigned to a device will correspond to a set of commands (CLI) on that device.

•Only one policy of a particular type can be assigned to a device; however, a policy type can be assigned to multiple devices. If a new policy of the same type is assigned to a device, the new policy overrides the previous assignment. For more information, see Assigning a Shared Policy to a Selected Device, page 7-29.

•A policy can be shared or local. A local policy applies to only one device and is removed when the device is removed from Security Manager. A shared policy can be assigned to multiple devices and remains in the system even if all of its associated devices are removed from Security Manager. For more information, see Local Policies vs. Shared Policies, page 7-3.

Note Shared policies are listed when you are working at the global policy level. You must assign a name to the policy when it is created. For more information, see Creating a New Shared Policy, page 7-39.

•You can define a policy at the global level, which can be inherited at the device level.

•The ACEs from the mandatory rules are ordered from the highest group down to the device. Mandatory rules cannot be overridden. The ACEs from the Default rules are ordered in the opposite direction and can be overridden. For more information, see Understanding Rule Inheritance, page 7-4.

•You can edit firewall policy inheritance from either Device view or Policy view.

•You can copy or clone firewall policies between devices.

Security Manager does not recognize out-of-band changes (rules and other changes entered directly to the device). If the device has several changes that you want recognized by Security Manager, you can right-click the device, then click Discover Policies on Device. Security Manager contacts the device and rediscovers the policies on it. If you are requesting to discover policies for the first time, you are prompted with a warning that all policies on the device will be overridden if you continue.

If permanent changes are entered directly to the device, you can be made aware of such changes by requesting that an error or warning is generated before you deploy updated configurations to the device.

•A warning permits the deployment to continue and a message appears in the deployment status window.

•An error denies the deployment.

For more information, see Deploying Directly to a Device, page 18-10.

Note Out-of-band changes do not appear in rules tables managed by Security Manager. Only policies defined in Security Manager are shown in rules tables.

Related Topics

•Understanding Settings for Access Controls

•Managing Your Rules Tables

•Working with Access Rules

•Working with Inspection Rules

•Working with AAA Rules

•Working with Web Filter Rules

•Working with Transparent Firewall Rules

Managing Your Rules Tables

To help you administer your rules tables, Security Manager provides you with the ability to perform a variety of functions. You can:

•Set rule expiration dates and automatic notifications. See Using Rule Expiration.

•Analyze whether rules overlap or conflict with other rules. See Using Analysis.

•Combine rules to improve performance and memory usage. See Combining Rules.

•Search for a particular object or text string and replace it globally or selectively. See Using Find and Replace.

•Collect data identifying the number of times that traffic for a device is permitted or denied based on an access rule. See Using Hit Count.

•Import rules by pasting them from an external application to the access rule table in Security Manager, or by importing them from a file. See Importing Rules.

•Compose a query that describes a set of packets. The results of the query identify all rules that could affect the defined packets. See Using Policy Query.

•Divide your rules tables into sections to help you manage large rules tables. See Understanding Rule Table Sections.

•Optimize network policy objects that are used in rules tables when deploying generated configurations to PIX, ASA, and FWSM devices. See Optimizing Policy Objects in Rules.

•Expand object groups to display separate CLI during discovery. See Expanding Object Groups During Discovery.

•Create network/host policy objects from cell contents in Access Rules and AAA Rules tables. See Editing Access Rules and Editing AAA Rules respectively.

Using Rule Expiration

Access control lists and policies are beneficial in controlling traffic on networks and managing traffic inspection. Many policies are created for the purpose of granting access for some limited period of time. The rule expiration feature is designed to help you control and maintain policies that are defined over time. Using the Security Manager GUI interface, you can automatically remove policies that are no longer needed, which helps you to better administer your policy rules.

You can set rule expiration parameters from the Access Rules table at the same time that you define a policy rule. For more information, see Adding Access Rules. You can also edit rule expiration parameters inline. For more information, see Editing Access Rules.

The Access Rules table includes a column with expiration date information. For non-expired rules, the expiration date is displayed in the column in plain text. For expired rules, the expiration date information is in bolded text.

You can filter ACEs in rules tables using the Expiration Date option, which can list rules that have already expired or rules that will expire on a specific date or time period. You can notify users of expired rules by configuring email settings. Such notifications can be configured "x" number of days prior to the expiration date, whereby "x" is a value from 0 up to one day prior to the expiration date. Email notifications are generally set using the Admin menu; however, you can override email settings for particular rules using the rule expiration GUI.

When setting rule expiration dates, you have the option of entering a date in the field provided by clicking the calendar icon (for example, 02-Feb-2008) or by specifying the number of days until the expiration date (for example, 30 days), which then configures the calendar expiration date for you.

Related Topics

•Generating Analysis Reports

•Contiguous and Discontiguous Network Masks, page 9-70

Using Analysis

The Analysis feature analyzes and reports rules that overlap or conflict with other rules. The analysis is performed using the rules defined for a selected device. Reports are provided for access rules only. For more information, see Generating Analysis Reports.

Certain conflicting rules might have no effect on a device after they are deployed; however, they create unnecessary clusters in the rules table. By detecting these rules, you can clean up the rule set and optimize performance.

Other conflicting rules, such as opposite rules, can create unwanted results to your network. By detecting these conflicting rules, you can implement your security needs as intended.

The Analysis feature supports discontiguous masks. For more information, see Contiguous and Discontiguous Network Masks, page 9-70.

Some of the types of conflicts shown in the analysis report include:

•Duplicate rules—Rules that are identical.

•Conflicting rules.

–Opposite rules (Table 12-1).

–Opposite rules (Table 12-2).

–A lower rule that will never be used (Table 12-3).

–The first rule contained in a second rule (Table 12-4).

Table 12-1 Opposite Rules

Source

Destination

Protocol

Action

my-PC

Mail-Servers

smtp-25

Permit

my-PC

Mail-Servers

smtp-25

Deny

Table 12-2 Opposite Rules

Source

Destination

Service

Action

my-PC

any

smtp-25

Permit

my-PC

1.2.3.4

smtp-25

Deny

Table 12-3 Lower Rule Never Used

Source

Destination

Protocol

Action

PC-subnet (192.168.101.0/24

Print-Server

lpr-515

Permit

my-PC (192.168.101.50)

Print-Server

lpr-515

Deny

Table 12-4 First Rule Contained In Second Rule

Source

Destination

Protocol

Action

PC-subnet (192.168.101.0/24

Web-Proxy1

80

Permit

Trusted-Nets (192.168.0.0/16)

Web-Proxy1

80

Permit

The analysis report is displayed in three window panes (Figure 12-1).

•Left pane—Lists Conflicting Groups. Conflicts are grouped into conflicting groups based on "base rules."

•Top right pane—Identifies a base rule and one or more conflicting rules for this conflicting group.

•Bottom right pane—Identifies one or more conflicts at the "tuple" level for the base rule and conflicting rule. A tuple consists of the sub-elements of a rule on which rule analysis is conducted, for example, source, destination, service, and interface. The specific conflicting relationship and details can be navigated using the Previous and Next buttons.

Figure 12-1 Example of Analysis Report Layout

Related Topics

•Generating Analysis Reports

•Contiguous and Discontiguous Network Masks, page 9-70

Generating Analysis Reports

The Analysis feature analyzes and reports rules that overlap or conflict with other rules. The analysis is performed using the rules defined for a selected device group. For more information, see Figure 12-1.

Figure 12-2 shows an Analysis Report query from the Access Rules page.

Figure 12-2 Analysis Report Query

Figure 12-3 shows the results to that query. The report in this example shows that the rules conflict.

Figure 12-3 Analysis Report Results

Related Topics

•Analysis Reports Page, page I-124

•Figure 12-1

•Contiguous and Discontiguous Network Masks, page 9-70

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 Click the Tools button located below the table, then select Analysis.

Note Depending on how many rules are present, a progress bar may or may not be displayed.

The Analysis Report appears. For a description of the GUI elements, see Table I-93 on page I-125.

Step 4 Based on the report, make any corrections to the rules tables as needed.

Step 5 Click OK to close the report.

Combining Rules

Your organization might dictate the need for using a large number of ACLs. A large number of ACLs can affect performance and memory usage in Security Manager and on the device. To help you manage your ACLs, you can combine rules, thus facilitating your ability to maintain them.

Combining rules provides a way to group objects of a similar type so that a single access rule can apply to all objects in the group. For example, consider the following three object groups:

•My Services—Includes the TCP/UDP port numbers of the service requests that are allowed access to the internal network.

•Trusted Hosts—Includes the host and network addresses allowed access to the greatest range of services and servers.

•Public Servers—Includes the host addresses of servers to which the greatest access is provided.

After combining these objects, you can use a single access rule to allow trusted hosts to make specific service requests to a group of public servers.

Note Combining objects does not automatically create an object group. To create an object group, you can right-click a cell in the table, then choose to create a network object or service object from the cell contents using the shortcut menu.

Combining rules dramatically compresses the number of access rules required to implement a particular security policy. For example, a customer policy that required 3,300 access rules might only require 40 rules after hosts and services are properly grouped.

To achieve this, multidimensional sorting is performed. For example:

1. Policies are sorted by their sources, so policies with the same source are placed together.

2. Same-source policies are sorted by destination, so policies with the same source and destination are placed together.

3. Same-source and same-destination policies are combined into a single policy, and the services are combined into an object group.

4. Adjacent policies are checked to see if they have the same source and service. If so, they are combined into a single policy, and the destinations are combined into an object group.

5. Adjacent policies are checked to see if they have the same destination and service. If so, they are combined into a single policy, and the sources are combined into an object group.

Sorting is repeated based on destination and service in place of source.

For example, you might have two rules:
Rule 1: Src:1.1.1.1 Dst:2.2.2.2 Svc:CMD Interface:inside Action:Permit
Rule 2: Src:1.1.1.1 Dst:3.3.3.3 Svc:CMD Interface:inside Action:Permit
The two rules can be combined to form a new rule:
New Rule: Src:1.1.1.1 Dst:2.2.2.2, 3.3.3.3 Svc:CMD Interface:inside Action:Permit
Tip You can right-click the Destination cell to create a network object from the combined cell contents.

You can elect to automatically create network objects to replace the comma-separated values in a rule table cell that resulted when multiple rules were combined. The network objects are created during deployment. To set this feature, select Tools > Security Manager Administration > Deployment. From the Deployment page, select Create Object Groups for Multiple Sources, Destinations, or Services in a Rule.

Each object in the source domain must have a unique name so that policies can be sorted alphabetically. The same requirement is true for destinations and services. Sorting can also be based on IP addresses or port numbers.

Related Topics

•Combined Rules Criteria Notes

•Defining Combined Rules Criteria

•Combine Rules Selection Summary Dialog Box, page I-149

Combined Rules Criteria Notes

When combining rules, note the following:

•For access rules to be combined, they must share the same values for:

–Enabled/disabled flag

–Category

–Permit/deny flag

–Traffic direction

–Logging options

–Time range

–IOS options

•For AAA rules to be combined, they must share the same values for:

–Enabled/disabled flag

–Category

–Permit/deny flag

–Server group

–Authentication, authorization, and accounting options

–AuthProxy options (Applicable to IOS devices only)

•All rules have the option to include a description and category field. Although the category field does not affect the CLI generated, rules with different categories cannot be combined. Rules with different descriptions, however, can be combined and the new rule will contain a concatenation of the descriptions separated by a new line.

•Rules belonging to different sections cannot be combined.

•Rules with different actions (permit/deny) cannot be combined.

•If the currently selected folder is a parent policy when viewed from Policy View or Map View, the Combined Rules button is enabled, but the summary results are read-only.

•If you do not have the correct privileges to modify a rules table, the Combined Rules button is enabled, but the summary results are read-only.

Related Topics

•Combining Rules

•Defining Combined Rules Criteria

•Combine Rules Selection Summary Dialog Box, page I-149

Defining Combined Rules Criteria

Related Topics

•Combining Rules

•Combined Rules Criteria Notes

•Combine Rules Selection Summary Dialog Box, page I-149

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > [Access Rules | AAA Rules ].

The appropriate table appears based on your selection.

Step 3 (Optional) Select specific rules in the table for the purpose of combining. To consider all rules in the table, do nothing.

Step 4 Click the Tools button located below the table, then select Combine Rules.

The Combine Rules Selection Summary dialog box appears.

Step 5 Select the columns used for combining rules.

Step 6 Click OK.

The Results Summary is displayed after the rules table has been analyzed. For more information, see Understanding Combined Rules Summary Results.

Step 7 (Optional) Click Detail Report to display a text description of combined rule information and displays table cell contents in its entirety. Close the window after you view its contents.

Step 8 Click OK to replace the original rules in the rules tables with the combined rules. You return to the main table with the new combined rules shown.

Step 9 Click Save, which saves your changes to the server but keeps them private.

Understanding Combined Rules Summary Results

The combined rules summary is divided into two tables (Figure 12-4). The top table shows the new rules that have been generated. A table cell with a red border identifies the changes that were made to the cell content, enabling the rules to be combined. The bottom table shows the original rules in the table before they were combined and indicates the rules' original row numbers.

Tip Selecting a combined rule in the top table shows the rules in the lower table that were combined.

You can make changes directly to the results shown in the Description column. You an also create a network or service object from the Source, Destination, or Service columns.

Clicking OK updates the rules table with the combined rules; however, you must click Save to save your changes to the server.

Note If you decide not to combine rules after you click Save, you can cancel the activity; however, after the activity is approved, you cannot revert back to uncombined rules.

From this report, you can click Detailed Report, which opens a text description of combined rule information and displays table cell contents in its entirety. The report is in HTML, which you can print and save using Internet Explorer toolbar options.

Figure 12-4 Combined Rule Summary

1

Combined cell

2

Newly combined rule

3

Original rules

Related Topics

•Combining Rules

•Combined Rules Criteria Notes

•Combine Rules Selection Summary Dialog Box, page I-149

Using Find and Replace

The Find and Replace feature is a convenient method by which you can search for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. The feature is similar to the find and replace feature in Microsoft Windows applications. You access this feature by clicking the Find and Replace icon (shown as a binoculars icon), which is located below the rules tables.

Note The Find and Replace feature is not supported from the Transparent Rules tables or Web Filter Rules tables for IOS devices.

Currently you can search for data in Source, Destination, Service, Interface, and Description table columns. When you begin to identify your search operation, you choose a data type on which to search using a list box. The available values used in the search will vary based on your selection. Find and Replace works on a table-by-table basis.

Table 12-5 identifies the data on which a search can be performed. For other values listed in tables, you can perform similar functionality using a combination of filtering and multiple rule editing features.

Table 12-5 Find and Replace Values

Column

Searched Values

Source/Destination

IP address or network object name. The search feature is not case-sensitive.

Service

Raw service string, for example TCP/80, or service object name. The search feature is not case-sensitive.

Note The Find and Replace feature uses a syntactic search and not a semantic search. For example, if you search on TCP/80 and a rule has HTTP service defined, search results will not find it.

Interface

Interface role pattern used in raw interface string, such as Ethernet0, or interface role object, such as External. The search feature is not case-sensitive.

Description

Enables you to enter a string of text that is used to define a policy rule.

Related Topics

•Find and Replace Notes

•How Regular Expressions are Supported in Find and Replace

•Defining Find and Replace Criteria

•Find and Replace Page, page I-123

Find and Replace Notes

When defining your find and replace criteria, be aware of the following:

•"Find" using partial data is supported only for named policy objects, not IP address, nameless services or service strings. For example, if you search for network "10.10" and deselect "Find whole words only," search results will find all named objects that include 10.10, but no IP addresses that contain the string, for example, 110.10.23.34, or 23.10.10.45.

Note Search results can highlight complete subcell information only. For example, if you search on "External" for Interface Role, and the results display External7202, the entire interface name is highlighted.

•Although a rule can contain multiple sources, destinations, services, and interfaces, you cannot search on multiple items; the search feature supports only single items. For example, to find search results for rules containing FTP and HTTP services, two searches are needed, one for FTP and one for HTTP.

•Only text strings used as search criterion for Descriptions can be partially replaced.

•Searches on patterns are supported. For example, you can select your search criterion for Interface Roles by typing a text string in the field provided or clicking Select, which opens the Interface Selector from which to make your selection. Searches on patterns are supported only when the Allow Wildcards check box is selected.

Note Only * and ? regular expressions are supported with text strings.

•Searches on IP addresses and services using wildcards is not supported.

•Although you cannot search for multiple items, you can identify multiple items as a replacement value. Enter multiple networks, services, or interface roles in the Replace field using comma-separated values.

•If no value is entered in the Replace field, the resulting found items are deleted from the rules.

•Rules with read-only values cannot be replaced.

•Regular Expression constructs are based on Java 1.4.2 pattern matching; however, certain exceptions apply, which are described in How Regular Expressions are Supported in Find and Replace. For more information on regular expression constructs, refer to http://java.sun.com.

Related Topics

•Using Find and Replace

•How Regular Expressions are Supported in Find and Replace

•Defining Find and Replace Criteria

•Find and Replace Page, page I-123

How Regular Expressions are Supported in Find and Replace

When the Allow Wildcards check box is selected, the Find and Replace fields use a proprietary regular expression syntax (in essence, Sun's Java RegEx syntax) with the exceptions that are shown in Table 12-6.

Table 12-6 Regular Expression Exceptions

Character

Match

.

Indicates a literal '.' (It is implicitly escaped.)

?

Indicates any character 1 time.

*

Indicates any character 1-n times. For example, `\d*' will not match 0-n digits; it will match 1 digit and 0-n of any characters.

+

Indicates any character 1-n times.

Examples of wildcard-enabled searches:

•Find string '*' matches everything.

•Find string for Network '*.*.*.*' matches all IP addresses.

•Find string for Network '1.*.*.*' matches all IP addresses with '1' as the final digit in the first octet, for example, `1.2.3.4' and `91.2.3.4'.

•Find string for Network '^1.*.*.*' matches all IP addresses with '1' as the first octet exactly. For example, `1.2.3.4' is a match, but `91.2.3.4' is not.

•Find string for Description 'Blogg$' only matches text ending with 'Blogg'. For example, `Joe Blogg' is a match, but `Joe Bloggs' is not.

Examples of wildcard-enabled replacements:

•Find string for Interface Role '*side' and Replace string 'External' replaces all Interface Roles ending with 'side'. For example, both 'inside' and 'outside' become 'External'.

•Find string for Network '*.(*.*.*)' and Replace string '10.$1' sets the first octet of all IP Address to '10'. For example, '1.2.3.4.' is replaced by '10.2.3.4'.

•Find string for Service 'tcp/([6-7]000)-*' and Replace string 'tcp/$1-8000' finds every port with a starting range between 6000 and 7000 and sets the end to '8000'.

•Find string for Description 'c(?)t' and Replace string 'b$1t' replaces three letter words starting with 'c' and ending with 't', with three letter words starting with 'b' and ending with 'r'. For example, 'cat' becomes 'bar' and 'cut' becomes 'bur'.

Related Topics

•Using Find and Replace

•Find and Replace Notes

•Defining Find and Replace Criteria

•Find and Replace Page, page I-123

Defining Find and Replace Criteria

Related Topics

•Using Find and Replace

•Find and Replace Notes

•How Regular Expressions are Supported in Find and Replace

•Find and Replace Page, page I-123

Procedure

Step 1 From any Firewall rules table, clickFind and Replace, which is located at the bottom of each rules table. The Find and Replace button is represented as binoculars. You can also use the shortcut keys (Ctrl+F).

The Find and Replace dialog box appears. For a description of the GUI elements, see Table I-92 on page I-123.

Note The Find and Replace feature is not supported from the Transparent Rules tables or Web Filter Rules tables for IOS devices.

Step 2 Select the type of item on which to base your search using the first list box. Then, identify the column(s) to search using the adjacent list box.

Step 3 Enter the search information in the Find field or click Select, which opens a selector dialog box from which to make your selection.

Step 4 Enter the replace information in the Replace field or click Select, which opens a selector dialog box from which to make your selection.

Step 5 Identify the search direction used in the table. Each search always starts from selected rule and selected cell or subcell if one is selected. The starting point itself is not included. If no rule is selected, the search begins from the first rule in the table. If no cell or subcell is selected, the search begins from the selected rule's left-most column if Search Down is selected, or from selected rule's right-most column if Search Up is selected.

Note If no direction is selected, the search behaves similar to Search Down. When the end of the rules table is reached, the search continues at the beginning of the rules table until the start point is reached.

Step 6 (Optional) If you are searching for a text-string, choose whether to match the case. Only Descriptions are case-sensitive.

Step 7 (Optional) Choose whether to search for whole words only. This function can be helpful when you are searching for policy objects.

Step 8 (Optional) Choose whether to allow wildcards.

Note You cannot define your search to allow wildcards and search for whole words. These options are mutually exclusive.

Step 9 Do any of the following:

•Click Find Next to locate the next reference identified in the Find field.

•Click Replace to replace the reference identified in the Find field.

•Click Replace All to replace all references identified in the Find field.

Step 10 Click Save, which saves your changes to the server, but keeps them private.

Using Hit Count

The Hit Count feature collects the number of times that traffic for a device is permitted or denied based on an access rule. Report results are displayed in two forms:

•ACEs (Default)—Shown in the Expanded table, which opens automatically after the report is generated.

•Corresponding CLI for each ACE—Shown in the Raw ACE table.

From Hit Count reports, you can:

•Update report results by clicking the refresh button. Changes to hit count information are displayed in the Delta column of the Expanded results table. No Delta column is displayed when the report is generated for the first time.

•Sort columns in Expanded tables. You can sort on certain columns in the results table. Information is changed in ascending or descending order. Sortable columns are:

–Rule

–Delta

–Hit Count

–Permit

–Service

–Source Address

–Destination Address

•View column results from the Expanded table in complete or partial detail.

ACL hit count information is a critical component for debugging your security system. You can display this information directly from the Access Rules tables. Hit count information is provided for all device platforms supported by Firewall Services.

Note If the Hit Count report generates no information for the selected rule in the Access Rules table, it is possible that the policies in the Security Manager repository and the ACLs on device are out of sync. Make sure that the ACLs in Security Manager match those on the device.

Note Before hit count information can be accurately generated in a report, the policies selected must be assigned and successfully deployed to devices.

Note Currently, if the network object-group optimization feature is enabled, hit count might not work properly if optimization has occurred. This issue is being tracked under defect identifier CSCsi00849.

Related Topics

•Generating Hit Count Reports

•Understanding Hit Count Results

•Changing How Hit Count Results Are Displayed

Generating Hit Count Reports

You can generate a Hit Count report from Device view only. Select the rules from the table to include in the report.

Note You can only generate Hit Count reports for one device at a time.

Before You Begin

•Make sure that the device configuration has been successfully deployed to the device.

•Make sure that the device is reachable.

Related Topics

•Hit Count Selection Summary Dialog Box, page I-145

•Understanding Hit Count Results

•Changing How Hit Count Results Are Displayed

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 Select a rule or multiple rules from the table.

Step 4 Click the Tools button located below the table, then select Hit Count.

Note If no rules are selected, the report displays hit count information for all rules on the device.

The Hit Count report appears. For a description of the GUI elements, see Table I-106 on page I-146.

Step 5 (Optional) Click Refresh Hit Count to calculate the hit count changes since the report was last generated.

After the refresh, the Expanded table adds a Delta column that displays the new data retrieved.

Step 6 Close the page after you view the contents.

Understanding Hit Count Results

The Hit Count report displays ACL hit count information for the rules selected from the Access Rules tables. If no rules are selected, the Hit Count report includes information for all access rules on the device. The report includes policy objects that are used to define the rules selected. If object grouping is enabled, the report displays the hit count for all ACEs in the object group. (See Figure 12-5.)

Note A single policy defined in Security Manager might map to more than one ACL on a device.

Figure 12-5 Hit Count Results Table

Report results are displayed in two forms:

•ACEs (See Figure 12-6.) Default. Shown in the Expanded table, which opens automatically after the report is generated.

•Corresponding CLI for each ACE (See Figure 12-7.) Shown in the Raw ACE table.

Figure 12-6 Expanded Table

Figure 12-7 Raw ACE Table

For a description of the report GUI elements, see Table I-106 on page I-146.

If you inadvertently define a duplicate rule in a table, for example, access rule 1 in the mandatory table is the same as rule 5, the report displays the hit count for the first rule (mandatory_1 hit count = 1000) and the duplicate rule displays the hit count as zero (mandatory_5 hit count = 0).

Tip To determine whether a rule with zero hit counts is a duplicate rule or simply a rule that has not been applied to traffic, run an analysis report. See Figure 12-1.

Note If the Hit Count report generates no information for the selected rule in the Access Rules table, it is possible that the policies in the Security Manager repository and the ACLs on the device are out of sync. Make sure that the ACLs in Security Manager match those on the device.

Related Topics

•Hit Count Selection Summary Dialog Box, page I-145

•Changing How Hit Count Results Are Displayed

•Generating Hit Count Reports

Changing How Hit Count Results Are Displayed

In addition to viewing Hit Count report information from the Expanded table and the Raw ACE table, you can customize report results based on more specific needs.

To change how report information is displayed, see:

•Filtering Columns

•Sorting Columns

•Viewing Complete or Partial Details

Filtering Columns

This procedures describes how to filter hit count result information.

Related Topics

•Hit Count Selection Summary Dialog Box, page I-145

•Generating Hit Count Reports

•Sorting Columns

•Viewing Complete or Partial Details

Procedure

Step 1 From the Hit Count Query Results, right-click the Rule column heading in the Selected Access Rules table, then click Show Columns.

Step 2 Select or deselect from the list of entries as appropriate.

You can only select one heading at a time.

Step 3 Repeat the steps as needed.

The report results are displayed based on your selections.

Step 4 Click OK to close the report.

Sorting Columns

From the Expanded table, you can sort column information in ascending or descending order.

This procedure describes how to sort columns in the Expanded table.

Note You can sort settings only on the following columns: Rule, Delta, Hit Count, Permit, Service, Source Address, and Destination Address.

Tip You can sort on multiple columns at the same time using the Ctrl key.

Related Topics

•Hit Count Selection Summary Dialog Box, page I-145

•Generating Hit Count Reports

•Filtering Columns

•Viewing Complete or Partial Details

Procedure

Step 1 Determine which column in the Expanded table to sort.

Step 2 Click once on the column cell heading.

The information is changed in ascending or descending order.

Step 3 Click again to reverse the order.

Step 4 Click OK to close the report.

Viewing Complete or Partial Details

From the Expanded table, you can view partial rule information (default). You can also view detailed results that expand the columns to display complete rule information.

This procedure describes how to change views from the Expanded table.

Related Topics

•Hit Count Selection Summary Dialog Box, page I-145

•Generating Hit Count Reports

•Figure 12-1

•Filtering Columns

•Sorting Columns

Procedure

Step 1 Select a rule from the Expanded table.

Step 2 Right-click the Rule column heading, then click Show Detail.

The table expands to display all information for the selected rule.

Step 3 To condense the information displayed, select the rule, then click Show Summary.

Step 4 Click OK to close the report.

Importing Rules

The Import Rules feature acts as an accelerator for adding rules to rules tables. You can import rules (ACEs) by pasting them from an external application to the access rule table in Security Manager. You can import rules from Device view and only to Local rules.

Related Topics

•Notes

•Extended Access List: Example 1

•Extended Access List: Example 2

•Standard Access List: Example

•How to Import Rules

•Import Rules - Enter Parameters Dialog Box, page I-127

Notes

•You cannot import rules in Policy view.

•The ability to import ACL policy objects is not supported.

•Only CLI in the device running-configuration format is supported.

•Only one ACL can be imported at a time.

•If you import an ACL that is inactive, it is shown as disabled in Security Manager. If you deploy the same ACL, it will be removed by Security Manager.

•Time range definitions and their references in ACEs are supported as long as they are consistent. ACEs referring to nonexisting time ranges result in an error.

•For PIX/ASA/FWSM:

–One or more ACEs in named/numbered format. Only extended is supported.

–Object group and name commands are supported as long as they are consistent. ACEs referring to nonexisting object groups and names result in an error.

•For IOS: One or more ACEs in named/numbered format. Both standard and extended are supported.

Related Topics

•Extended Access List: Example 1

•Extended Access List: Example 2

•Standard Access List: Example

•How to Import Rules

Extended Access List: Example 1

In the following example, the first line permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The last line permits incoming ICMP messages for error feedback.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 gt 1023
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
access-list 102 permit icmp 0.0.0.0 255.255.255.255 128.88.0.0 255.255.255.255
Related Topics

•Importing Rules

•Notes

•How to Import Rules

Extended Access List: Example 2

Suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet except to the mail (SMTP) port of a dedicated mail host.

SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The fact that the secure system behind the router always will be accepting mail connections on port 25 is what makes possible separate control of incoming and outgoing services. The access list can be configured on either the outbound or inbound interface.

In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
Related Topics

•Importing Rules

•Notes

•How to Import Rules

Standard Access List: Example

The following configuration creates a standard access list named Internet_filter and an extended access list named marketing_group:
ip access-list standard Internet_filter
 permit 1.2.3.4
 deny any
ip access-list extended marketing_group
 permit tcp any 171.69.0.0 0.0.255.255 eq telnet
 deny tcp any any
 permit icmp any any
 deny udp any 171.69.0.0 0.0.255.255 lt 1024
 deny ip any any log
Related Topics

•Importing Rules

•Notes

•How to Import Rules

How to Import Rules

Related Topics

•Importing Rules

•Notes

•Import Rules - Enter Parameters Dialog Box, page I-127

Procedure

Step 1 Select Firewall > Access Rules.

The Access Rules table appears.

Step 2 Click the Tools button located below the table, then select Import Rules.

Step 3 Do one of the following (See Notes):

•Manually enter CLI configurations to the text area.

•Copy and paste the CLI configurations from an external application to the text area.

Step 4 Enter the interface information or click Select, which opens the Object Selector dialog box from which to make your selection. The interface identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. If you are using the Object Selector dialog box, do one of the following, then click OK :

•Select the available interface roles, then click >>.

The objects are moved to the selected column.

•Click the Add button to create an interface role object.

A popup window helps you define the interface role object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 9-61.

Step 5 Select the traffic direction.

Step 6 (Optional) Select a color from the Category list to help you readily identify the rule when it appears in a rules table. For more information, see Using Category Objects, page 9-4.

Step 7 Click Next, which performs a validation check in search of errors.

Errors are shown in red. You must correct any errors before you may continue. Errors include:

•If you copy invalid device data, for example, a PIX configuration to an IOS device.

•Syntax errors.

•If no ACL definition is present.

•If some ACE refers to non-existent object groups or time ranges.

•If there is more than one ACL.

If no errors, the Import Rules - Status page appears.

Step 8 (Optional) Review the status page, then click Next.

The Import Rules - Preview page appears.

Step 9 Click Finish.

The status page closes and you return to the Access Rules table. The imported rules are displayed in the table.

Using Policy Query

You might want to know how many rules contain a particular network object or service before you create a new rule, or perhaps you want to clean up redundant rules, or identify and delete rules that have no effect on your network. You can compose a query that describes a set of packets. The results of the query identify all rules that could affect the defined packets. Based on the results, you can add or delete rules as needed.

Policy Query operates on the values of the conditions, for example, to show all rules that will impact a packet with a source in network 192.168.1.0/24. The query will return rules that have any in the source as well as a policy object (assuming the policy object contains some part of the 192.168.1.0/24 network).

The elements on which a query is based are:

•Source and destination—You can specify network objects or IP networks.

Discontiguous masks are supported. For more information, see Contiguous and Discontiguous Network Masks, page 9-70.

•Service—You can specify a set of services, service groups, or protocols and associated port or message types.

•Interface—Default is any interface, which is represented as All-Interfaces in the GUI. You can specify incoming interfaces.

•Rule type—Some combination of firewall access, AAA, inspection, web filter, and transparent rules.

•Actions—Depending on the rule type, you can specify different actions (for example firewall rules have permit and deny actions).

Based on the device hierarchy, you have two approaches for determining how to base your query:

•Consider only rules at the local level and above. A single ordered list of rules results. Only a partial set of rules for the devices within the group is displayed. In this instance, you request a policy query from Device view. The query results display all policies that affect that device.

•Consider rules for all devices that are descendents of the current group. Multiple ordered lists result, one for each subgroup or device. In this instance, you request a policy query from Policy view. The query results display all devices affected by that policy.

For a given table, the query is compared to each rule in the table. If an intersection between the query packet and the rule exists, the rule is added to the query results. Calculations are based on a tuplespace (source, destination, and service).

The query mechanism helps to debug how traffic is being processed by the rules. By doing a content match, you can see all rules that could have some affect on traffic. The query results are labeled by how the rule interacts with the query space.

Related Topics

•Generating Policy Query Reports

•Understanding Policy Query Results

•Contiguous and Discontiguous Network Masks, page 9-70

Generating Policy Query Reports

You can generate a Policy Query report by clicking the Tools button located below any of the main firewall rules tables, then selecting Query. The Query Report can be generated from either Device view or Policy view. This procedure assumes you are requesting a query from Device view.

Related Topics

•Using Policy Query

•Understanding Policy Query Results

•Policy Query Page, page I-135

Procedure

Step 1 From any firewall rules table, click the Tools button located below the table, then select Query.

The Querying <Policy | Device > dialog box appears. For a description of the GUI elements, see Table I-103 on page I-136.

Step 2 Complete the dialog box as needed.

Step 3 Click OK, which initializes the query report.

The policy query results are displayed. For more information, see Understanding Policy Query Results.

Understanding Policy Query Results

Policy query results are based on the criteria of the initial query. The results are divided into sections. See Figure 12-8.

Figure 12-8 Policy Query Results

Query Parameters

The top portion of the report shows the query parameters. The left column lists the available options. The right column lists the selected options. You can edit your query by clicking Edit Query. Follow the procedure for Generating Policy Query Reports.

Results Table

The middle portion of the report shows a results table that displays query results based on the rule type selected from the list box. The results table displays the results for the rule type selected, for example, access rules. The results identify the following:

•Match Status

–Complete Match—All elements expressed in the query report match the query results. The query covered the contents of this rule in its entirety.

–Partial Match—Some of the elements expressed in the query report match the query results. The query partially covered the contents of this rule.

Note the following: If you have a rule defined with a source address of 1.1.1.1, a destination address of 2.2.2.2 and a service of IP, if your query is to search for a source of 1.1.1.1, the match status is shown as a partial match (not a complete match) because the query results represent only a portion of the rule's definition.

Similarly, if your query is to search for a source of 1.1.1.1 and the destination and service fields are left blank in the query dialog, the same results will occur. This is because a blank source or destination in the query dialog means "any"; a blank service field means "IP"; and a blank interface field means "all interfaces".

–No Effect—Rules are blocked by other matching rules, or a conflict exists that has no effect. Some examples are:

You might have two matching rules, A and B. Rule A appears in an ACL Details Table list before Rule B. Both rules have the same interface. Rule A's source address, destination address, and services are equivalent to, or contain, those of Rule B. Rule B is blocked by Rule A. Rule B has no effect.

You might have a global mandatory rule that permits a service, but the rule at the device level denies the service. Since rules are recognized on a first-match order, after discovering a match at the mandatory global scope, no other rules are checked. The conflict has no effect.

•Scope—Identifies whether a rule is shared or local, mandatory or default.

•Rule—Identifies the rule number when you are viewing the actual Mandatory and Default or Local rules tables.

•Permit—Shows whether a rule permits or denies traffic based on the conditions set.

–Permit—Shown as a green check mark.

–Deny—Shown as a red circle with slash.

•Source—Identifies the source object names or addresses of hosts. Multiple entries are separated by commas.

•Destination—Identifies the destination object names or addresses of hosts. Multiple entries are separated by commas.

•Service—Identifies service objects that specify the service type of traffic. Multiple entries are separated by commas.

•Interface—Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned.

•Direction—Identifies whether traffic is entering or exiting a network.

•Category—Provides an intermediate level of detail to objects and helps you readily identify rules and objects by use of color-coding.

The bottom portion of the report shows a details table. The details table shows greater detail for the parameters that matched the highlighted rule in the results table. If no match exists for a parameter, details remain blank. You select a folder to display details specific to a parameter.

•Details—Provides greater detail for query parameters, for example, when policy objects are used or parameters are nested. Select from the following folders:

–Sources—Provides greater detail pertaining to the source parameter.

–Destinations—Provides greater detail pertaining to the destination parameter.

–Services—Provides greater detail pertaining to the services parameter.

–Interfaces—Provides greater detail pertaining to the interfaces parameter.

Note Interface details do not apply to Web filter rules.

•Query Value—Shows the parameter used in the query request.

•Relationship—Identifies the relationship between the query and the detailed parameter.

–Identical—The parameter result is identical to that of the query. For example, the query source was "any" and the query results show source as "any".

–Contains—The query results contain the query parameter. For example, the query requested a network object to represent the source and the results display an IP address.

–Is contained by—The parameter is nested within the query parameter. For example, the query requested ACL object A, which is nested within ACL object B.

–Overlaps—The query parameter requested shows results that overlap between more than one policy object. For example, the query parameter was tcp/70-90 and the results show a service defined as tcp/80-100. Or Network A includes IP addresses 1.2.3.4 and 2.3.4.5. Network B includes IP addresses 2.3.4.5 and 3.4.5.6. Network A and Network B overlap, as they both include IP address 2.3.4.5, but no other parameters match the query.

•Rule Value—Provides a more granular description of a parameter result for the highlighted rule in the results table.

Example of Details Table Results

Consider the following:

Two Network Objects are defined in Security Manager:

•Network Object A includes IP addresses 1.2.3.4, 2.3.4.5, and 3.4.5.6.

•Network Object B includes IP addresses 3.4.5.6, and 4.5.6.7.

You request a policy query using Network Object A as the source parameter. The results table shows rules that includes Network Object A as the source. The details table, however, will display the following:

Details

Query Value

Relationship

Rule Value

Sources

Network Object A

contains

Network Object B [3.4.5.6]

Close the page after you view the contents.

Related Topics

•Generating Policy Query Reports

•Policy Query Page, page I-135

Understanding Rule Table Sections

Rule table sections provide a convenient way to group multiple contiguous rules into sections. This can be particularly helpful when your rules tables contain large rule sets. You can collapse or expand a section to hide or view rules contained within it. Sections can be moved up or down within a rules table. Sections can also be deleted to ungroup the rules.

Related Topics

•Notes About Rule Table Sections

•Adding Rule Table Sections

•Adding Rules to an Existing Table Section

•Removing Rules from an Existing Table Section

•Removing a Rule Table Section

Notes About Rule Table Sections

•Sections are managed using the shortcut (right-click) menu.

•Sections cannot be contained (nested) within other sections.

•Sections can be added to the following rules tables: Access Rules, AAA Rules, Inspection Rules, Web Filter Rules, Translation Rules, and MPC Rules; however, sections are not supported in Web Filter Rules tables for IOS devices.

•Sections are retained when you perform policy queries, combine rules, import rules, and find and replace searches.

•Each section can include a section name, number of rules contained within the section, category, and description. An arrow is used to expand and collapse the section.

•When a section is expanded, it displays a visual boundary to identify rules in the section.

•The use of sections has no performance impact.

•The Move Up and Move Down arrows can be used within each section.

•The Move Up and Move Down arrows jump over sections when used on rules that are not included in sections (Local scope). The section is treated as a single rule.

•Sections can be moved up or down within a table.

Related Topics

•Adding Rule Table Sections

•Adding Rules to an Existing Table Section

•Removing Rules from an Existing Table Section

•Removing a Rule Table Section

Adding Rule Table Sections

Before You Begin

Make sure you have at least one rule defined in the rules table.

Related Topics

•Adding Rules to an Existing Table Section

•Removing Rules from an Existing Table Section

•Removing a Rule Table Section

This procedure assumes you have added a rule to the Local scope.

Procedure

Step 1 Right-click a rule in the table, then select Include in New Section.

Note You can select multiple rules at a time using the Ctrl key.

The Add Rule Section dialog box appear. For a description of the GUI elements, see Table I-91 on page I-122.

Step 2 Enter the information in the fields provided, then click OK.

The dialog box closes and you return to the main rules table. The new section name is highlighted and the section is shown in a collapsed state. Also shown are the number of rules currently contained within the new section and any description that was added.

Adding Rules to an Existing Table Section

You can add rules to an existing table section using a variety of methods.

•Right-click a table section name, then select Add Row. After the rule is defined, the new rule is added to the top of the section.

•Right-click a row in the table section, then select Add Row. After the rule is defined, the new rule is added immediately after the selected row.

•Right-click the white space inside the table, then select Add Row. After the rule is defined, the new rule is added at the end of the table.

Related Topics

•Understanding Rule Table Sections

Removing Rules from an Existing Table Section

To remove rules from an existing table section, right-click the rows, then select Remove From Section <Section Name>.

The rules previously contained in the section are relocated to the Local scope.

Related Topics

•Understanding Rule Table Sections

Editing a Rule Table Section

Related Topics

•Understanding Rule Table Sections

Procedure

Step 1 Right-click a rule table section, then select Edit Section.

The Edit Rule Section dialog box appears. For a description of the GUI elements, see Table I-91 on page I-122.

Step 2 Make changes as needed, then click OK.

The dialog box closes and you return to the main rules table with the new section information displayed.

Removing a Rule Table Section

Related Topics

•Understanding Rule Table Sections

Procedure

Step 1 Right-click a rule table section, then select Delete Section.

Step 2 You will be prompted with a warning that the section will be deleted. You can opt to not show the message again.

The section is removed and the rules previously contained in the section are relocated to the Local scope.

Optimizing ACLs in Rules

You can choose to have Security Manager optimize access control lists (ACLs) to remove redundancies and conflicts that are common in real world firewall ACLs. Optimization can also combine several access control entries (ACEs) into a single ACE, making the ACL more concise.

Firewall memory consumption can become a problem, especially on devices with limited, non-expandable memory, such as the FWSM, which can be shared among multiple virtual contexts. ACL optimization, which is done during deployment, reduces the ACL size by removing redundant or conflicting ACEs or merging multiple ACEs into one, if possible. Consider the following examples:

Example 1

access-list acl_mdc_inside_access deny ip host 10.2.1.1 any

access-list acl_mdc_inside_access deny ip 10.2.1.0 255.255.255.0 any

The first ACE is actually a subset of the second ACE. When you deploy the configuration to the device and ACL optimization is turned on, only one ACE is generated: access-list acl_mdc_inside_access deny ip 10.2.1.0 255.255.255.0 any

Example 2

access-list acl_mdc_inside_access permit tcp any any range 110 120

access-list acl_mdc_inside_access deny tcp any any range 115

The second ACE will never be hit. ACL optimization will remove the second ACE and deploy only the first one.

Example 3

access-list myacl permit ip 1.1.1.0 255.255.255.128 any

access-list myacl permit ip 1.1.1.128 255.255.255.128 any

The two ACEs are merged into one: access-list myacl permit ip 1.1.1.0 255.255.255.0 any

You can turn on ACL optimization through a property file, which is located at: <CSCOpx>\MDC\athena\config\csm.properties.

Modification to the property file regarding ACL optimization takes effect during the next deployment. You do not need to restart the Daemon Manager.

You can also specify the optimization level in the property file. Each property matches to one device. The key of the property is OPTIMIZE.<Device name displayed in CS_Manager>.The value of the property is the optimization type. Three types are supported:

•OPTIMIZE.Full: Flattens the object-group used in the ACE and optimizes the five tuples in maximum optimization level.

•OPTIMIZE.Preserve_og: Preserves the object-group. Makes the object-group used in the ACE unimpacted.

•OPTMIZE.deviceA.Preserve_og: Enables full optimization on all devices except device A.

The following is sample CLI found in the property file:

OPTIMIZE.C514583-FWSM3.net.xyz.net=full

OPTIMIZE.C513967-FWSM3.net.xyz.net=preserve_og

In the deployment summary dialog, optimization results are summarized as an informational message that includes the original number of ACEs before optimization and the number of ACEs after optimization. Results are saved to a file on the server at <CSCOpx>\MDC\temp. A job ID is used as part of the filename.

To view the optimization report, turn on Advanced Debugging, which is located in Tools > Security Manager Administration > Deployment. The optimizer takes a policy and tries to reduce the number of ACEs without changing the semantics of the policy, so the "function" of an optimized ACL remains unchanged. That is, the optimized ACL accepts or denies the same set of packets as did its unoptimized form. Four basic cases for optimization are considered. Note that in these cases, ACE[x] is listed before ACE[y].

•Case 1: ACE[y] is a subset of or equal to ACE[x]. ACE[y] is ineffective and is removed.

•Case 2: ACE[y] is a superset of ACE[x]. Both ACEs are compatible. ACE[x] does not have a lower stop rule. ACE[x] is redundant and is removed.

Note A stop rule is one for which the order in which it is listed cannot change relative to the order of another rule. In other words, the order of the rules is significant.

•Case 3: ACE[y] is adjacent to or adjacent_overlaps with ACE[x]. Both ACEs are compatible. ACE[x] does not have a lower stop rule. ACE[x] is removed and merged into ACE[y].

Note An adjacent_overlap rule notes two rules that overlap in one tuple dimension, but are equal in all other dimensions.

•Case 4: ACE[y] is adjacent to or adjacent_overlaps with ACE[x]. Both ACEs are compatible. ACE[y] does not have an upper stop rule. ACE[y] is removed and merged into ACE[x].

Notes about ACL Optimization

•As part of optimization, Security Manager will change the order of ACEs. Although this does not change the ACL semantics, matching the optimized ACEs with the rules in the Security Manager rules tables might become difficult.

•Optimization might make the hit count feature unusable.

•Optimization might make MARS query results harder to follow, because the GUI rule returned by the MARS query might not literally match the actual ACE hit on the device.

•The term "compatible," as it relates to devices, means the following:

–For PIX devices, two ACEs are compatible if they have the same the permit/deny and logging information, and use the same time range object.

–For IOS devices, two ACEs are compatible if they have the same permit/deny, logging information, establish/fragment options, and use the same time range object.

•Optimization applies only to extended access ACLs that are specified in Access Rules tables. Security Manager converts standard IOS access ACLs to extended ACLs, which are also optimized.

•Optimization is done during deployment and affects only the ACEs that are deployed to the device. No changes are made to the Access Rules table in Security Manager.

•Semantics of the access policies are unchanged.

•Object groups are not modified as a result of ACL optimization. Only non-group (plain) dimensions can be used to merge two ACEs. Object Groups are, however, used in subset and superset computations to see if one ACE is shadowed by another.

•When a merge results, remarks are merged and the relative order is preserved.

•When a shadowed or redundant ACE is removed, its associated remarks are also removed.

•Optimization is based on "best effort."

Caveats To ACL Optimization

•The order of ACEs might change as a result of optimization. Although the order does not change the ACL's semantics, matching the optimized ACEs with rules in the rules tables might be more difficult.

•When optimization is enabled, hit count reports might have difficulty matching ACEs, for example, when you select a particular access rule in Security Manager and the device does not have a corresponding ACE entry.

If no rules are selected when you initialize a hit count report, a results window might appear, but no corresponding ACEs are listed for a selected rule in the report rules table.

•Optimization might make the result of a MARS query harder to follow, as a GUI rule returned by the MARS query might not literally match the actual ACE hit on the device.

Related Topics

•Notes about ACL Optimization

•Optimizing ACLs in Rules

Optimizing Policy Objects in Rules

You can elect to have Security Manager optimize network policy objects when you generate configurations for PIX, FWSM, and ASA devices for deployment. Optimization merges adjacent networks and removes redundant network entries.

Optimization helps reduce the size of the runtime access-list data structures on the device and the literal configuration size (to a lesser extent). A reduced runtime memory usage consumed by access-lists is particularly beneficial for FWSM devices, where the network processor memory is tight, and PIX devices that use Turbo ACLs.

Consider the following example for a network policy object named Test that contains the following sources and destinations:
192.168.1.0/24
192.168.1.23
10.1.1.0
10.1.1.1
10.1.1.2/31
When optimization is on, the following CLIs are generated:
object-group network test
network-object 192.168.1.0 255.255.255.0
network-object 10.1.1.0 255.255.255.252
To turn optimization on, select Tools > Security Manager Administration, then select Deployment. Select Optimize Network Object Groups During Deployment (PIX, ASA, FWSM).

Related Topics

•Notes about Policy Object Optimization

Notes about Policy Object Optimization

•Only network policy objects that are referenced by any policy are optimized.

•Nested network policy objects are not flattened. Security Manager optimizes each network policy object's local content. For example, if net2 is nested inside net1, both are optimized independently. After optimization, net1 still references net2.

•Optimization is not supported for any network entry that has discontiguous masks.

•The remark "Optimized by CS-Manager" is added to the description of an optimized network policy object.

•Rediscovery of an optimized policy object reuses the original policy object in Security Manager.

Related Topics

•Optimizing Policy Objects in Rules

Expanding Object Groups During Discovery

You can elect to expand object groups when you import devices. During the discovery process, Security Manager imports the CLI comprising the object group as separate rules.

During device import, you can elect to expand an object group as separate rules instead of importing the object group name. To access this feature, select Tools > Security Manager Administration > Discovery.

Consider the example where CSM_INLINE_55 contains 1.1.1.1, 2.2.2.2, 5.5.5.5. During import, CSM_INLINE_55 will be expanded to one rule in the rule table that will identify 1.1.1.1, 2.2.2.2, and 5.5.5.5 as a source.

Related Topics

•Discovery Page, page A-16

Understanding Access Rules

Firewall policies rely on access rules as one method for defining network security policy; they control the traffic that flows through a firewall device and security appliance. Access rules comprise conditions and actions. A condition describes a traffic stream of packets. You define constraints on the source and destination device, the service (for example, protocols and ports), and the incoming interface. An action describes what should occur based on the conditions set. For example, if the packet stream meets all conditions as described and the action is set to permit traffic, the packets are sent to the destination device.

Access rules filter network traffic by controlling whether routed packets are forwarded or blocked at the firewall's interfaces. Each packet is examined to determine whether to forward or drop the packet based on criteria you specify.

Criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information. No authentication is required.

Access rules use the concept of access control lists (ACLs) to describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both.

Access rules are grouped by the interface on which they are configured and enforced. Firewall Services sorts the rules by interface and uses the remaining information in the rule to create the access control entry (ACE) that is included in the ACL for that interface.

Access rules are recognized in the form of an ordered list, which is represented in a rules table. Rules are processed by a firewall device or security appliance from first to last, or first-match basis. When a rule matches the network traffic that a firewall device or security appliance is processing, the device or appliance uses that rule's action to decide if traffic is permitted. After finding a matching ACE, the device looks no further.

When you define an access rule, you are basically defining an ACE in an ACL. Each table row in the Access Rules table represents one ACE. An access rule can represent multiple ACEs if the definition contains multiple sources, destinations, and services. For platforms that support object grouping, each combination of source, destination, and source in a rule is mapped to a single ACE. For platforms that do not support object grouping, such as IOS devices, multiple ACEs are generated.

After you configure an ACE, you can view its command-line equivalent (access-list command) after the device configuration is generated. The access-list commands are then "bound" to an ACL using the access-group command.

Note A one-to-one relationship between an access rule defined in Security Manager and the associated access-list command on the device does not always exist if object grouping or rule optimization is enabled.

After you define access rules for Security Manager to manage, it is likely that the resulting ACLs will have ACEs that are either redundant or conflicting. Because a device uses the first-match method to evaluate ACLs, these extraneous entries do not cause a problem. However, to help you identify if conflicting rules exist, you can generate an analysis report from which you can determine if any ACEs should be changed. For more information, see Using Analysis.

Your organization might dictate the need for using a large number of ACLs, which can affect performance and memory usage in Security Manager and on the device. As a result, you might want to combine rules and group objects of a similar type, thus facilitating your ability to maintain them. For more information, see Combining Rules.

You might want to know whether rules that are defined are used and how often. The Hit Count feature collects the number of times that traffic for a device is permitted or denied based on an access rule. For more information, see Using Hit Count.

You might want to import ACEs by pasting them from an external application to the access rule table, or by importing them from a file. For more information, see Importing Rules.

You might want to identify rules that use a particular policy object, or perhaps you simply want to remove extraneous entries to make your rules tables more manageable. You can compose a query that describes a set of packets. The results of the query identify all rules in the global policy that could affect the defined packets. Based on the results, you can add or delete rules as needed. For more information, see Using Policy Query.

To help you manage the thousands of rules that might be listed in your rules tables, you can search for policy objects and text references that are used to define the rules, thus facilitating your ability to locate rules. For more information, see Adding Access Rules.

Related Topics

•Chapter 12 "Managing Firewall Services"

•How ACL Names Are Generated, page 9-28

•Preserving User-Defined ACL Names, page 9-26

•Understanding Access Rules

•Understanding Settings for Access Controls

How Access Rules Are Recognized on Devices

Devices managed by Security Manager use the Adaptive Security Algorithm (ASA, also referred to as "algorithm") to allow one-way (inside to outside) connections without an explicit configuration for each internal system and application. An example of the algorithm in action is FTP. The algorithm analyzes the contents of the FTP control channel to allow dynamic access to the correct FTP data channels. You can configure exceptions to this algorithm so that certain traffic can access your higher-security interfaces.

The algorithm is a stateful (fixed) approach to security. Every inbound packet is checked against the algorithm and against any connection-state information in memory. This approach is regarded in the industry as being far more secure than a stateless packet-screening approach.

Each interface on the device or appliance is associated with a list of ACEs that are associated with an ACL. An ACL is an ordered list of rules that describe how an entire subnet or specific network host interacts with another to permit or deny a specific service, protocol, or both.

Each ACE describes network traffic based on source IP address, destination IP address, protocol, and possibly ports. Each ACE has an action to permit or deny. When a packet arrives at the firewall device or security appliance, the device checks the ACL for the interface on which the packet has arrived. The device then evaluates the ACEs in the ACL, looking for the first one that matches the packet.

When the firewall device finds a matching ACE, the device performs the associated action either permitting the packet into the firewall device for further processing, or denying entry to the packet. After finding a matching ACE, the device looks no further. If no ACE matches the packet, the packet is denied. An exception to this rule is an IOS device, which permits inbound traffic by default. To deny traffic, an ACE must be assigned to the interface.

Related Topics

•Understanding Access Rules

•Chapter 12 "Managing Firewall Services"

•Notes About Access Rules

Notes About Access Rules

•Access rules are listed sequentially and are applied in the order in which they appear in the table. An unwritten rule denies all traffic that is not explicitly permitted.

•Access rules are grouped by the interface on which they are configured and enforced. Within each group, access rules are evaluated in the same order as you configure them. This is the default method for permitting or blocking traffic.

•A device configured from Firewall Services uses ACLs. ACLs allow you to specify whether your firewall device should permit or block a connection from a network or host on one interface to a network or host on a different interface.

– A PIX Firewall permits traffic from inside to outside only unless specifically denied in an ACL. Traffic is permitted from a higher-security interface to a lower-security interface by default. Traffic is denied from a lower-security interface to a higher-security interface by default.

– A Firewall Services Module (FWSM) denies inbound and outbound traffic unless specifically permitted in an ACL.

– An adaptive security appliance (ASA) denies all packets on the originating interface unless specifically permitted in an ACL.

– An IOS router permits all traffic through an interface unless specifically denied in an ACL.

•Standard ACLs are used in IOS devices for filtering purposes. After device discovery and subsequent deployment, Security Manager converts the standard ACLs to extended ACLs.

•On the outside interface, all hosts are visible to hosts on all other interfaces. Hosts on a medium security interface are, by default, visible to hosts on higher-security interfaces, but not visible to hosts on lower-security interfaces unless the appropriate NAT rules have been created.

•Firewall Services generates only configuration files with ACLs. Conduits and outbound lists are not supported. Therefore, you must use the conversion tool on configurations with conduits and outbound lists before they can be deployed.

Related Topics

•Understanding Access Rules

•Chapter 12 "Managing Firewall Services"

Working with Access Rules

When configuring access rules, you should:

1. Configure the Access Rules table with conditions that describe a traffic stream of packets, and actions that describe what should occur based on those conditions. To configure access rules, select Firewall > Access Rules. For more information, see Understanding Access Rules.

2. Configure Settings to optimize performance. To access settings, select Firewall > Settings > Access Control. For more information, see Understanding Settings for Access Controls.

The following topics will help you work with access rules:

•Logging Events for an ACE

•Adding Access Rules

•Editing Access Rules

•Enabling and Disabling Access Rules

•Cutting, Copying, and Pasting Access Rules

•Moving Access Rules Up and Down

•Deleting Access Rules

Logging Events for an ACE

Firewall Services provides the ability to log events on any specific ACE in the Access Rules tables. Statistics and logging are provided for each flow. A flow is defined by source interface, protocol, source IP address, source port, destination IP address, and destination port. The retained statistics are the number of traffic requests permitted and denied associated with a flow by an ACE over a specified period of time. You can configure the retained statistics for each ACE according to your own needs.

When you configure a rule in the Access Rules table, you can enable logging for each access rule, along with a specified syslog level and interval of time. To log events for an ACE, you must enable the ACL Syslog setting. For more information, see Adding Access Rules.

Related Topics

•Working with Access Rules

•Adding Access Rules

•Add and Edit Access Rule Dialog Boxes, page I-4

Adding Access Rules

This procedure assumes you are adding a rule from Device view. To add a rule from Policy view, see Creating a New Shared Policy, page 7-39, then complete this procedure. After you complete the procedure, you can share the global policy and assign devices to it. For more information, see Modifying Policy Assignments in Policy View, page 7-39.

Note To facilitate the process for defining an access rule, the Add Access Rule dialog box is pre-populated with values for sources, destinations, services, and interfaces. You can make any changes as needed.

In the absence of an ACL:

•ASA—Denies all inbound IP traffic.

•PIX—Denies all inbound IP traffic.

•IOS—Permits all traffic through an interface.

•FWSM—Denies all inbound and outbound IP traffic.

Related Topics

•Understanding Rule Table Sections

•Understanding Access Rules

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

•Access Rules Page, page I-1

•Add and Edit Access Rule Dialog Boxes, page I-4

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 Right-click inside the work area, then click Add Row. You can also use the shortcut keys (Ctrl+R).

The Add Firewall Rule dialog box appears. For a description of the GUI elements, see Table I-2 on page I-5.

Step 4 (Optional) Select Enable Rule, which, when selected, indicates that the rule appears after the configuration is generated.

Step 5 Select whether to permit or deny traffic for the rule you are defining.

Step 6 Enter the source addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, select whether the source type is a network or interface role, then do one of the following, then click OK :

•Select the available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new network object or interface role object to use as a source address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 7 Enter the destination addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, select whether the destination type is a network or interface role, then do one of the following, then click OK :

•Select the available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a network object or interface role object to use as a destination address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 8 Enter the services or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select the available services, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a services object.

A popup window helps you define the services object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Service Objects, page 9-86.

Step 9 Enter the interface information or click Select, which opens the Object Selector dialog box from which to make your selection. The interface identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. If you are using the Object Selector dialog box, do one of the following, then click OK :

•Select the available interface roles, then click >>.

The objects are moved to the selected column.

•Click the Add button to create an interface role object.

A popup window helps you define the interface role object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 9-61.

Step 10 (Optional) Enter a description to help you identify the rule.

Step 11 (Optional) Under Category, select a category to help you identify this rule in the table. See Using Category Objects, page 9-4.

Step 12 Click Advanced to open the Advanced dialog box for configuring additional settings.

Step 13 (Optional) Select Enable Logging (PIX, ASA, FWSM) to select logging behavior. For IOS devices, go to Step 15.

a. Default Logging—logs events based on the default logging behavior of the device. If a packet is denied, message 106023 is generated; if a packet is permitted, no syslog message is generated.

b. Per ACE Logging—logs events on any specific ACE in the Access Rules tables.

Step 14 If you selected logging per ACE:

a. Select the logging level from the list, which identifies the type of syslog used to log events for an ACE.

b. Enter the logging interval.

Note You must select a logging level from the list for the logging interval value to be recognized.

Step 15 (Optional) Select Enable Logging (IOS) to cause an informational logging message about the packet that matches the entry to be sent to the console.

Step 16 (Optional) Select Log Input to include the input interface and source MAC address or VC in the logging output.

Step 17 Enter traffic direction.

•In—Packets entering a network.

•Out—Packets exiting a network.

Step 18 Enter a time range or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select the available object.

•Click the Add button to create an object.

A popup window helps you define the time range object. After you complete the definition, the new object is listed in the Time Range Selector.

For more information, see Understanding Time Range Objects, page 9-108.

Step 19 (Optional) Select from available IOS options:

•None—No options have been selected.

•Fragment—provides additional management of packet fragmentation and improves compatibility with NFS.

•Established—allows outbound connections return access through the firewall device.

Step 20 Click OK.

The Advanced dialog box closes and you return to the Add Access Rules dialog box.

Step 21 Click OK.

The Add Access Rule dialog box closes and you return to the Access Rules table. The new rule information is displayed.

Step 22 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Editing Access Rules

To facilitate the editing process, Firewall Services offers the ability to perform inline editing on access rules shown in the tables. Editing can be performed on a rule in its entirety or individual table cells.

You can edit rules in their entirety by double-clicking a rule number in the table or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard from which to make your changes. You can also right-click a rule number in the table, then select Edit Row. You can edit individual table cells by double-clicking a cell, which opens a dialog box specific to that table cell. You can also right-click a cell, then click the Edit function from the shortcut menu.

You can edit multiple rule entries by selecting multiple rules, then right-clicking a column. You can then Add or Edit a feature, which is applied to the selected column for all selected rows.

You can display a list of all source and destination addresses by clicking on a table cell or specific entry (subfield) within the table cell, then clicking one of the Show Contents options from the shortcut menu. The list shows flattened values of all levels of an address, network object, or interface role and sorts the results in ascending order on the IP address, then descending order on the mask.

You can create network/host policy objects from source and destination cell contents using the shortcut menu. Right-click an entry in the table cell, then select Create Network Object from Cell Contents. For more information, see Understanding Network/Host Objects, page 9-68.

You can display a list of all services and port information. The list shows flattened values of all levels of the Service and Port List objects and sorts the results on: protocol, destination port, and source port.

You can display each interface role type as a separate listing in the table if you are working from Policy view, or display actual interface names if you are working from Device view.

You can use the table filter to filter the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

In addition to performing inline editing and displaying a flattened list of table cell contents, you can move rules up or down within a table; cut, copy, and paste rules from which to clone other rule entries; enable or disable defined rules; and delete rules from the table. These functions can be performed from shortcut menus or buttons located on the GUI page.

An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

Note You must have the appropriate user privileges to edit rules. Without appropriate privileges, you can only view rule information from the main rules tables.

Related Topics

•Enabling and Disabling Access Rules

•Cutting, Copying, and Pasting Access Rules

•Moving Access Rules Up and Down

•Deleting Access Rules

•Understanding Access Rules

•Access Rules Page, page I-1

•Add and Edit Access Rule Dialog Boxes, page I-4

Note This procedure assumes you are working from Device view.

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 Right-click the selected row, then select Edit Row. Make any needed changes to the dialog boxes. You can also edit individual entries in the table using any of the editing methods described above.

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Enabling and Disabling Access Rules

This procedure assumes you are working from Device view.

Notes

•If a rule is set to disabled, it is shown in the table with hashmarks.

•Disabled rules are downloaded to a device as disabled only if the device supports that option.

Related Topics

•Access Rules Page, page I-1

•Understanding Access Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 From the work area, right-click the appropriate rule number then click Enable or Disable, as appropriate.

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Cutting, Copying, and Pasting Access Rules

This procedure assumes you are working from Device view.

Related Topics

•Access Rules Page, page I-1

•Understanding Access Rules

•How Access Rules Are Recognized on Devices

•Working with Access Rules

•Editing Access Rules

•Moving Access Rules Up and Down

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 From the work area, right-click the appropriate rule number, then select Cut or Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C) respectively.

Step 4 Right-click inside the table, then click Paste. You can also use the shortcut keys (Ctrl+V).

The rule is added to the table.

Step 5 Edit the rule by right-clicking an entry in a table cell, then selecting from the menu of available options for that cell. For more information, see Editing Access Rules.

Step 6 To change the order in which the rule appears, see Moving Access Rules Up and Down.

Step 7 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Note You can print the entire rules table from the File menu.

Moving Access Rules Up and Down

This procedure assumes you are working from Device view.

Related Topics

•Access Rules Page, page I-1

•Understanding Access Rules

•How Access Rules Are Recognized on Devices

•Working with Access Rules

•Editing Access Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 From the work area, right-click the appropriate rule number, then select Move Row Up or Move Row Down as appropriate. You can also use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.

The selected rule moves up or down one row within the table.

Tip You can also select the rule to move, then use the Up and Down arrows.

Step 4 Repeat Step 3 until the rule is positioned in the correct order.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Note You can print the entire rules table from the File menu.

Deleting Access Rules

This procedure assumes you are working from Device view.

Related Topics

•Access Rules Page, page I-1

•Understanding Access Rules

•Working with Access Rules

•Understanding Audit Reports, page 20-11

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Access Rules.

The Access Rules page appears. For a description of the GUI elements, see Table I-1 on page I-2.

Step 3 Right-click the appropriate rule number, then click Delete Row. You can also use the shortcut keys (Ctrl+D).

You are prompted to confirm the deletion the first time you delete a row and any additional time, unless you request not to be prompted.

Step 4 Click Yes.

The rule is removed from the table.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

You can verify the deletion of the rule by viewing an audit report. To generate an audit report, select Tools > Audit Report.

Understanding Inspection Rules

Inspection rules provide an informational list of services, protocols, and port numbers to which a firewall device applies the Adaptive Security Algorithm (ASA). The default ports or those you specify are the ports at which the device listens for each service.

The default configuration of the firewall device includes a set of application inspection entries that associate supported protocols with specific TCP or UDP port numbers and that identify any special handling required. The inspection function does not support NAT or PAT for certain applications because of the constraints imposed by the applications. You can change the port assignments for some applications, but other applications have fixed port assignments that you cannot change.

You can extend the HTTP inspection capabilities to select which HTTP methods defined in the RFC to permit in HTTP traffic. If the device encounters an HTTP method not permitted, it drops the packet and closes the connection to prevent any subsequent data from traversing the security appliance.

Inspection rules are based on Context-Based Access Control (CBAC) to intelligently filter TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect. CBAC can inspect traffic for sessions that originate from either side of the firewall, and CBAC can be used for intranet, extranet, and Internet perimeters of your network.

When configuring inspection rules, you should:

1. Populate the Inspection Rules table with device, service, and traffic direction information. To access the Inspection Rules table, select Firewall > Inspection Rules.

2. (For IOS devices) Configure settings for deeper packet inspection. To access settings for inspection rules, select Firewall > Settings > Inspection.

From the Inspection Rules tables, you can generate Policy Query reports to help you identify all rules in the global policy that could affect the defined packets. For more information, see Using Policy Query.

Related Topics

•Working with Inspection Rules

•Supported Features for Inspection

Working with Inspection Rules

When you configure inspection rules on appliances running ASA/PIX 7.0, access-list, policy-map/class-map commands are generated.

When you configure inspection rules on FWSMs and PIX 6.3 devices, fixup commands are generated.

When you configure inspection rules on routers running IOS 12.3 and later,ip-inspect commands are generated.

The following topics will help you work with inspection rules:

•Adding Inspection Rules

•Editing Inspection Rules

•Enabling and Disabling Inspection Rules

•Cutting, Copying, and Pasting Inspection Rules

•Moving Inspection Rules Up and Down

•Deleting Inspection Rules

•Understanding Inspection Rules

•Configuring Settings for Inspection Rules

•Inspection Rules Page, page I-21

Adding Inspection Rules

When adding an inspection rule, you can perform packet inspection globally or on a per-interface basis and identify traffic direction. You can constrain the inspection further based on other criteria that differs depending on the platform for which the rule inspected.

A branching wizard is used to help you configure inspection rules. Basically, the steps in the wizard are the same for all platforms; however, the dialog boxes in the wizard will vary depending on your selections.

This procedure assumes you are adding a rule from Device view. To add a rule from Policy view, see Creating a New Shared Policy, page 7-39, then complete this procedure. After you complete the procedure, you can share the global policy and assign devices to it. For more information, see Modifying Policy Assignments in Policy View, page 7-39.

The following procedure describes how to add an inspection rule.

Related Topics

•Add and Edit Inspection Rule Dialog Boxes, page I-23

•Configuring Default Protocol Ports

•Configuring Custom Destination Ports

•Configuring Destination Address and Port (IOS)

•Configuring Source and Destination Address and Port (ASA, FWSM 3.x)

Procedure

Step 1 Select a device from the Device selector.

Step 2 SelectFirewall > Inspection Rules.

The Inspection Rules page appears. For a description of the GUI elements, see Table I-15 on page I-21.

Step 3 Right-click inside the table, then click Add Row. You can also use the shortcut keys (Ctrl+R).

The Add Inspection Rule page appears. For a description of the GUI elements, see Table I-16 on page I-24.

Step 4 Select the Enable Rule check box, which, when selected, indicates that the rule appears after the configuration is generated.

Step 5 Identify whether the rule is global or per interface.

•For PIX platforms, rules are defined globally. Go to Step 8.

•For ASA platforms, rules are defined either globally or per interface.

–If per interface, go to Step 6.

–If globally, go to Step 8.

•For IOS platforms, rules are defined per interface. Go to Step 7.

•For FWSM platforms, rules are defined globally. Go to Step 8.

Step 6 If the rule is per interface, select the traffic direction, which identifies traffic direction within a network.

Step 7 To enter interface information, click Edit to open the Edit Interfaces dialog box. Enter interface information, or click Select, which opens the Object Selector dialog box from which to make your selection. The interface identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. If you are using the Object Selector dialog box, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click Add to create a new interface role object.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 9-61.

Step 8 Select the matched traffic criteria. Depending on your selection, the wizard pages will vary.

•Default Protocol Ports. See Configuring Default Protocol Ports. You can also limit inspection between source and destination IP address for ASA platforms. See Configuring Source and Destination Address and Port (ASA, FWSM 3.x).

•Custom Destination Ports. See Configuring Custom Destination Ports.

•Destination Address and Port (IOS). See Configuring Destination Address and Port (IOS).

•Source and Destination Address and Port (ASA). See Configuring Source and Destination Address and Port (ASA, FWSM 3.x).

Note For FWSM 2.x and PIX 6.3(x), you must select the matched traffic criteria as either Default Inspection Traffic or TCP or UDP Destination Ports. If the latter is selected, the protocol selection must be "any".

Step 9 (Optional) Under Category, select a category to help you identify this rule in the table. See Using Category Objects, page 9-4.

Step 10 (Optional) Enter a description to help you identify the rule.

Step 11 Click Next.

The appropriate wizard guides you through the configuration.

Configuring Default Protocol Ports

This procedure assumes you selected Default Protocol Ports as the type of traffic matched for inspection rules. This option configures default inspection traffic.

Related Topics

•Add Inspect/Application FW Rule > Match Traffic to Protocol Page, page I-26

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

Procedure

Step 1 To limit inspection between the source and destination, select the check box, then complete the procedure for configuring source and destination IP addresses. (See Configuring Source and Destination Address and Port (ASA, FWSM 3.x).) Otherwise, click Next.

The wizard page listing protocols appears.

Step 2 Select a protocol to inspect. Certain protocols enable you to configure additional information. For those protocols, click Configure, then complete the respective popup window. For more information, see Add Inspect/Application FW Rule > Match Traffic to Protocol Page, page I-26.

Step 3 Click Finish.

The dialog box closes and you return to the Inspection Rules table with the new information displayed.

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Configuring Custom Destination Ports

This procedure assumes you selected Custom Destination Ports as the type of traffic matched for inspection rules (IOS). This option configures TCP and UDP.

Related Topics

•Match Traffic by Custom Destination Ports Page, page I-32

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

Procedure

Step 1 Select the protocol.

Step 2 Enter port information.

Step 3 Click Next.

The page listing protocols appears.

Step 4 Select a protocol to inspect. Certain protocols enable you to configure additional information. For those protocols, click Configure and complete the respective popup window. For a description of the GUI elements, see Table I-17 on page I-26.

Step 5 To enable additional IOS settings, click Enable. Otherwise, go to Step 8.

Step 6 Do any of the following:

•Click Enable Alert Messages, which, when selected, enables Context-based Access Control (CBAC) alert messages, which are displayed on the console.

•Click Enable Audit Trail Messages, which, when selected, shows Context-based Access Control (CBAC) audit trail messages, which are displayed after each CBAC session closes.

Step 7 Enter a timeout value. Values are 5-43200.

Step 8 Click Finish.

The dialog box closes, and you return to the Inspection Rules table with the new rule information displayed.

Step 9 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Configuring Destination Address and Port (IOS)

This procedure assumes you selected Destination IP Address (IOS) as the type of traffic matched for inspection rules.

Related Topics

•Match Traffic by Destination Address and Port (IOS) Page, page I-33

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

Procedure

Step 1 Enter the destination addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new network object or interface role object to use as a destination address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 2 Enter protocol information.

Step 3 Enter port information.

Step 4 Click Next.

The page listing protocols appears.

Step 5 Select a protocol to inspect. Certain protocols enable you to configure additional information. For those protocols, click Configure and complete the respective popup window. For a description of the GUI elements, see Table I-17 on page I-26.

Step 6 Click Finish.

The dialog box closes and you return to the Inspection Rules table with the new information displayed.

Step 7 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Configuring Source and Destination Address and Port (ASA, FWSM 3.x)

This procedure assumes you selected Source and Destination Address and Port (ASA, FWSM 3.x) as the type of traffic matched for inspection rules.

Related Topics

•Match Traffic by Source and Destination Address and Port (ASA, FWSM 3.x) Page, page I-34

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

Procedure

Step 1 Select whether to permit or deny traffic.

Step 2 Enter the source addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, select whether the source type is a network or interface role, then do one of the following, then click OK:

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click Add to create a new network object or interface role object to use as a source address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 3 Enter the destination addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, select whether the destination type is a network or interface role, then do one of the following, then click OK:

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click Add to create a new network object or interface role object to use as a destination address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 4 Enter the services or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click Add to create a new service object.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Service Objects, page 9-86.

Step 5 Enter a time range, which identifies when the rules are enforced. For more information, see Understanding Time Range Objects, page 9-108.

Step 6 Click Next.

The page listing protocols appears.

Step 7 Select a protocol to inspect. Certain protocols enable you to configure additional information. For those protocols, click Configure and complete the respective popup window. For a description of the GUI elements, see Table I-17 on page I-26.

Step 8 Click Finish.

The dialog box closes and you return to the Inspection Rules table with the new information displayed.

Step 9 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Editing Inspection Rules

To facilitate the editing process, Firewall Services offers the ability to perform inline editing on inspection rules shown in the tables. Editing can be performed on a rule in its entirety or individual table cells.

You can edit rules in their entirety by double-clicking a rule number in the table or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard from which to make your changes. You can also edit individual table cells by right-clicking a cell, then using the shortcut menu, which opens a dialog box specific to that table cell.

Right-click operations are restricted in certain circumstances:

•If a rule's interface is Global, you cannot right-click to change interfaces or direction.

•If the matched traffic criteria is Default Inspection Traffic (option to limit is not selected) or TCP/UDP Destination Ports, you cannot right-click to change permit, direction, sources, destinations, or service.

•If the matched traffic criteria is Default Inspection Traffic with the option to limit selected, you cannot right-click to change service.

•If the matched traffic criteria is Default IP Address, you cannot right-click to change services or sources.

You can edit multiple rule entries by selecting multiple rules, then right-clicking a column. You can then Add or Edit a feature, which is applied to the selected column for all selected rows.

You can display a list of all source and destination addresses by clicking on a table cell or specific entry (subfield) within the table cell, then clicking one of the Show Contents options from the shortcut menu. The list shows flattened values of all levels of an address, network object, or interface role and sorts the results in ascending order on the IP address, then descending order on the mask.

You can use the table filter to filter the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

In addition to performing inline editing, you can move rules up or down within a table; cut, copy, and paste rules from which to clone other rule entries; enable or disable defined rules; and delete rules from the table. These functions can be performed from shortcut menus or buttons located on the GUI page.

An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

Note You must have the appropriate user privileges to edit rules. Without appropriate privileges, you can only view rule information from the main rules tables.

Note Inline editing is not available for all Inspection Rules table cells.

Related Topics

•Add and Edit Inspection Rule Dialog Boxes, page I-23

•Configuring Default Protocol Ports

•Configuring Custom Destination Ports

•Configuring Destination Address and Port (IOS)

•Configuring Source and Destination Address and Port (ASA, FWSM 3.x)

Note The following procedure assumes you are working from Device view.

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Inspection Rules.

The Inspection Rules page appears. For a description of the GUI elements, see Table I-15 on page I-21.

Step 3 Follow the basic procedure for adding inspection rules using any of the editing methods described above. For more information, see Adding Inspection Rules.

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Enabling and Disabling Inspection Rules

This procedure assumes you are working from Device view.

Notes

•If a rule is set to disabled, it is shown in the table with hashmarks.

•Disabled rules are downloaded to a device as disabled only if the device supports that option.

Related Topics

•Inspection Rules Page, page I-21

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Inspection Rules.

The Inspection Rules page appears. For a description of the GUI elements, see Table I-15 on page I-21.

Step 3 Select a rule to enable or disable, then right-click the appropriate rule number.

Step 4 From the shortcut menu, click Enable or Disable as appropriate.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Cutting, Copying, and Pasting Inspection Rules

This procedure assumes you are working from Device view.

Related Topics

•Inspection Rules Page, page I-21

•Moving Inspection Rules Up and Down

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Inspection Rules.

The Inspection Rules page appears. For a description of the GUI elements, see Table I-15 on page I-21.

Step 3 From the work area, right-click the appropriate rule number, then select Cut or Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C) respectively.

Step 4 Right-click inside the table, then click Paste. You can also use the shortcut keys (Ctrl+V).

The rule is added to the table.

Step 5 Edit the rule by right-clicking an entry in a table cell, then selecting from the menu of available options for that cell. For more information, see Editing Inspection Rules.

Step 6 To change the order in which the rule appears, see Moving Inspection Rules Up and Down.

Step 7 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Moving Inspection Rules Up and Down

This procedure assumes you are working from Device view.

Related Topics

•Inspection Rules Page, page I-21

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Inspection Rules.

The Inspection Rules page appears. For a description of the GUI elements, see Table I-15 on page I-21.

Step 3 Select the rule to move, then right-click the appropriate rule number.

Step 4 From the shortcut menu, select Move Row Up or Move Row Down. You can also use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.

The selected rule moves up or down one row within the table.

Tip You can also select the rule to move, then use the Up and Down arrows.

Step 5 Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Deleting Inspection Rules

This procedure assumes you are working from Device view.

Related Topics

•Understanding Audit Reports, page 20-11

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Inspection Rules.

The Inspection Rules page appears. For a description of the GUI elements, see Table I-15 on page I-21.

Step 3 Right-click the appropriate rule number, then click Delete Row. You can also use the shortcut keys (Ctrl+D).

You are prompted to confirm the deletion the first time you delete a row and any additional time, unless you request not to be prompted.

Step 4 Click Yes.

The rule is removed from the table.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

You can verify the deletion of the rule by viewing an audit report. To generate an audit report, select Tools > Audit Report.

Working with AAA Rules

Access control is the way to control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your firewall device or security appliance.

AAA rules control authentication (who the user is), authorization (what the user is allowed to do), and accounting (what the user did) for traffic.

When configuring AAA rules, you should:

1. Configure AAA rules to identify device, service, and traffic direction information. The AAA Rules page is used to define AAA rules for all platforms. To access the AAA Rules table, select Firewall > AAA Rules.

2. Configure settings specific to PIX, ASA, and IOS devices. PIX and ASA devices support HTTPS, proxy, and MAC settings. IOS devices identify AAA servers, define banner information, and set timeout values. To access settings for AAA rules, select:

a. Firewall > Settings > AAA Firewall (PIX/ASA/FWSM).

b. Firewall > Settings > AuthProxy (IOS).

From the AAA Rules tables, you can generate Policy Query reports to help you identify all rules in the global policy that could affect the defined packets. For more information, see Using Policy Query.

Topics to help you work with AAA Rules are:

•Adding AAA Rules

•Editing AAA Rules

•Enabling and Disabling AAA Rules

•Cutting, Copying, and Pasting AAA Rules

•Cutting, Copying, and Pasting AAA Rules

•Moving AAA Rules Up and Down

•Deleting AAA Rules

•AAA Rules Page, page I-54

Topics to help you work with Settings for AAA Rules are:

•Configuring Settings for AAA Firewall (PIX/ASA/FWSM)

•Adding MAC Exempt Address Lists

•Configuring Settings for AAA (IOS)

•AuthProxy Page, page I-113

•AuthProxy Timeout Tab (IOS), page I-116

•Firewall AAA IOS Timeout Value Setting Dialog Box, page I-117

Adding AAA Rules

This procedure assumes you are adding a rule from Device view. To add a rule from Policy view, see Creating a New Shared Policy, page 7-39, then complete this procedure. After you complete the procedure, you can share the global policy and assign devices to it. For more information, see Modifying Policy Assignments in Policy View, page 7-39.

Related Topics

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

•Add and Edit AAA Rules Dialog Boxes, page I-56

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > AAA Rules.

The AAA Rule page appears. For a description of the GUI elements, see Table I-42 on page I-54.

Step 3 Right-click inside the work area, then click Add Row. You can also use the shortcut keys (Ctrl+R).

The Add AAA Rule page appears. For a description of the GUI elements, see Table I-43 on page I-57.

Step 4 (Optional) Select Enable Rule, which, when selected, indicates that the rule appears after the configuration is generated.

Step 5 Select whether the rule applies to any of the following:

•Authentication—Supported on all platforms.

•Authorization—For PIX/ASA/FWSM platforms only.

•Accounting—For PIX/ASA/FWSM platforms only.

Step 6 Select whether to permit or deny traffic for the rule you are defining.

Step 7 Enter the source addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, select whether the source type is a network or interface role, then do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new network object or interface role object to use as a source address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 8 Enter the destination addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, select whether the destination type is a network or interface role, then do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new network object or interface role object to use as a destination address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 9 Enter the services or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select from the list of available services, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new service object.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Service Objects, page 9-86.

Step 10 Enter the AAA server group from the list or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new server group object.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding AAA Server Group Objects, page 9-10.

Step 11 Enter the interface information, or click Select, which opens the Object Selector dialog box from which to make your selection. The interface identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. If you are using the Object Selector dialog box, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new interface role object.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 9-61.

Step 12 (Optional) Under Category, select a category to help you identify this rule in the table. See Using Category Objects, page 9-4.

Step 13 (Optional) Enter a description to help you identify the rule.

Step 14 (For IOS devices only) Select the authentication proxy methods.

Step 15 Click OK.

The page closes and you return to the AAA table. The rule information is shown in the table.

Step 16 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Editing AAA Rules

To facilitate the editing process, Firewall Services offers the ability to perform inline editing on AAA rules shown in the tables. Editing can performed on a rule in its entirety or individual table cells.

You can edit rules in their entirety by double-clicking a rule number in the table or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard from which to make your changes. You can also right-click a rule number in the table, then select Edit Row. You can edit individual table cells by double-clicking a cell, which opens a dialog box specific to that table cell. You can also right-click a cell, then click the Edit function from the shortcut menu.

You can edit multiple rule entries by selecting multiple rules, then right-clicking a column. You can then Add or Edit a feature, which is applied to the selected column for all selected rows.

You can display a list of all source and destination addresses by clicking on a table cell or specific entry (subfield) within the table cell, then clicking one of the Show Contents options from the shortcut menu. The list shows flattened values of all levels of an address, network object, or interface role and sorts the results in ascending order on the IP address, then descending order on the mask.

You can create network/host policy objects from Source and Destination cell contents using the shortcut menu. Right-click an entry in the table cell, then select Create Network Object from Cell Contents. A network object is created that comprises all sources and destinations identified in the table cell.

You can display a list of all services and port information. The list shows flattened values of all levels of the Service and Port List objects and sorts the results on: protocol, destination port, and source port.

You can display each interface role type as a separate listing in the table if you are working from Policy view, or display actual interface names if you are working from Device view.

You can use the table filter to filter the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

In addition to performing inline editing and displaying a flattened list of table cell contents, you can move rules up or down within a table; cut, copy, and paste rules from which to clone other rule entries; enable or disable defined rules; and delete rules from the table. These functions can be performed from shortcut menus or buttons located on the GUI page.

An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

Note You must have the appropriate user privileges to edit rules. Without appropriate privileges, you can only view rule information from the main rules tables.

To edit AAA rules information, follow the procedure for Adding AAA Rules or use any of the methods described above.

The following procedure assumes you are working from Device view.

Related Topics

•Working with AAA Rules

•AAA Rules Page, page I-54

Procedure

Step 1 Select a device from the Device selector.

Step 2 SelectFirewall > AAA Rules.

The AAA Rules page appears. For a description of the GUI elements, see Table I-42 on page I-54.

Step 3 Follow the basic procedure for adding inspection rules using any of the editing methods described above. For more information, see Adding AAA Rules.

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Enabling and Disabling AAA Rules

This procedure assumes you are working from Device view.

Notes

•If a rule is set to disabled, it is shown in the table with hashmarks.

•Disabled rules are downloaded to a device as disabled only if the device supports that option.

Related Topics

•AAA Rules Page, page I-54

•Working with AAA Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > AAA Rules.

The AAA Rules page appears. For a description of the GUI elements, see Table I-42 on page I-54.

Step 3 Select a rule to enable or disable, then right-click on the appropriate rule number.

Step 4 Select Enable or Disable as appropriate.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Cutting, Copying, and Pasting AAA Rules

This procedure assumes you are working from Device view.

Related Topics

•AAA Rules Page, page I-54

•Editing AAA Rules

•Moving AAA Rules Up and Down

•Working with AAA Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > AAA Rules.

The AAA Rules page appears. For a description of the GUI elements, see Table I-42 on page I-54.

Step 3 From the work area, right-click the appropriate rule number, then select Cut or Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C) respectively.

Step 4 Right-click inside the table, then click Paste. You can also use the shortcut keys (Ctrl+V).

The rule is added to the table.

Step 5 Edit the rule by right-clicking an entry in a table cell, then selecting from the menu of available options for that cell. For more information, see Editing AAA Rules.

Step 6 To change the order in which the rule appears, see Moving AAA Rules Up and Down.

Step 7 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Moving AAA Rules Up and Down

Related Topics

•AAA Rules Page, page I-54

•Working with AAA Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > AAA Rules.

The AAA Rules page appears. For a description of the GUI elements, see Table I-42 on page I-54.

Step 3 Select the rule to move, then right-click the appropriate rule number.

Step 4 From the shortcut menu, select Move Row Up or Move Row Down. You can also use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.

The selected rule moves up or down one row within the table.

Tip You can also select the rule to move, then use the Up and Down arrows.

Step 5 Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Deleting AAA Rules

This procedure assumes you are working from Device view.

Related Topics

•Understanding Audit Reports, page 20-11

•Working with AAA Rules

•Working with AAA Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > AAA Rules.

The AAA Rules page appears. For a description of the GUI elements, see Table I-42 on page I-54.

Step 3 Right-click the appropriate rule number, then click Delete Row. You can also use the shortcut keys (Ctrl+D).

You are prompted to confirm the deletion the first time you delete a row and any additional time, unless you request not to be prompted.

Step 4 Click Yes.

The rule is removed from the table.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

You can verify the deletion of the rule by viewing an audit report. To generate an audit report, select Tools > Audit Report.

Understanding Web Filter Rules

Web filter rules are rules that specify filter URLs using a filtering server such as Websense. You define the rules in the Web Filter Rules table and determine whether to permit or deny traffic if the filter server is unavailable.

Java inspection enables Java applet filtering at the firewall. Java applet filtering distinguishes between trusted and untrusted applets by relying on a list of external sites that you designate as friendly. If an applet is from a friendly site, the firewall device allows the applet through. If the applet is not from a friendly site, the applet is blocked. Alternately, you could permit applets from all sites except sites specifically designated as hostile.

From the Web Filter Rules tables, you can generate Policy Query reports to help you identify all rules in the global policy that could affect the defined packets. For more information, see Using Policy Query.

Related Topics

•Working with Web Filter Rules

Working with Web Filter Rules

When configuring Web Filter rules, you should:

1. Configure Web Filter Rules for the firewall devices. To do this, select Firewall > Web Filter Rules.

Note The Web Filter Rules table will vary depending on the type of device selected.

2. Configure additional settings, which includes Web Filter Server configuration and settings specific to device type. To do this, select Firewall > Settings > Web Filter.

The Web Filter policy for IOS devices contains two subpolicies: IOS Web Filter rules and Exclusive Domains. Under IOS Web Filter rules, you can create rules for enabling Web filtering and Java applet scanning on traffic flows. Under Exclusive Domains, you can specify a set of domain names that will be permitted or denied by the IOS firewall device without having to consult the external URL server.

Topics that support Web Filter Rules for ASA, FWSM, and PIX devices are:

•Adding Web Filter Rules (PIX/ASA)

•Editing Web Filter Rules (PIX/ASA)

•Enabling and Disabling Web Filter Rules (PIX/ASA)

•Cutting, Copying, and Pasting Web Filter Rules (PIX/ASA)

•Moving Web Filter Rules Up and Down (PIX/ASA)

•Deleting Web Filter Rules (PIX/ASA)

•Web Filter Rules Page (PIX/ASA), page I-72

Topics that support Web Filter Rules for IOS devices are:

•Adding Web Filter Rules (IOS)

•Editing Web Filter Rules (IOS)

•Deleting Web Filter Rules (IOS)

•Adding Exclusive Domains (IOS)

•Editing Exclusive Domains (IOS)

•Deleting Exclusive Domains (IOS)

•Web Filter Rules Page (IOS), page I-87

Topics that support Settings for Web Filter Rules are:

•Configuring Settings for Web Filter Servers

•Adding Settings for Web Filter Server Configuration

•Editing Settings for Web Filter Server Configuration

•Deleting Settings for Web Filter Server Configuration

•Web Filter Page, page I-118

Adding Web Filter Rules (PIX/ASA)

This procedure assumes you are adding a rule from Device view. To add a rule from Policy view, see Creating a New Shared Policy, page 7-39, then complete this procedure. After you complete the procedure, you can share the global policy and assign devices to it. For more information, see Modifying Policy Assignments in Policy View, page 7-39.

Related Topics

•Add and Edit PIX/FWSM/ASA Rules Dialog Boxes, page I-74

•Understanding Web Filter Rules

•Working with Web Filter Rules

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall >Web Filter Rules.

The Web Filter Rules page appears. For a description of the GUI elements, see Authentication Tab, page K-59.

Step 3 Right-click on the table, then click Add Row. You can also use the shortcut keys (Ctrl+R).

The Add PIX/ASA Web Filter Rule dialog box appears. For a description of the GUI elements, see Table I-57 on page I-74.

Step 4 Select the Enable Rule check box, which, when selected, indicates that the rule appears after the configuration is generated.

Step 5 Select the type of filtering.

•Filter—Limits traffic to particular sites and limits traffic between two entities.

•Filter Except—Exempts specific traffic from filtering.

Step 6 Select the type of action from the list.

Step 7 Enter the source addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new network object or interface role object to use as a source address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 8 Enter the destination addresses or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new network object or interface role object to use as a destination address.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see:

•Understanding Network/Host Objects, page 9-68

•Understanding Interface Role Objects, page 9-61

Step 9 Enter the services or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK :

•Select from the list of available objects, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new service object.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Service Objects, page 9-86.

Note You cannot select services if you selected Filter Except as your filtering type.

Step 10 (Optional) To allow traffic if the URL filter server is unavailable, select the check box.

Step 11 (Optional) To block a connection to the HTTP proxy server, select the check box.

Step 12 (Optional) To truncate CGI requests by removing CGI parameters, select the check box, which, when selected, sends a CGI script as a URL.

Step 13 (Optional) To block outbound traffic if the absolute FTP path is not provided, select the check box, which, when selected, prevents users from connecting to the FTP server through an interactive FTP program.

Step 14 Determine how to handle long URLs.

•Drop—Discards the URL request.

•Truncate—Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.

•Deny—Denies the URL request if the URL is over the URL buffer-size limit or the URL buffer is not available.

Step 15 (Optional) Enter a description to help you identify the rule.

Step 16 (Optional) Under Category, select a category to help you identify this rule in the table. See Using Category Objects, page 9-4.

Step 17 Click OK.

The PIX/ASA dialog box closes and you return to the Web Filter Rules page. The rule information is shown in the table.

Step 18 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Editing Web Filter Rules (PIX/ASA)

To facilitate the editing process, Firewall Services offers the ability to perform inline editing on Web Filter rules shown in the tables. Editing can be performed on a rule in its entirety or individual table cells.

You can edit rules in their entirety by double-clicking a rule number in the table or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard from which to make your changes. You can also right-click a rule number in the table, then select Edit Row. You can edit individual table cells by double-clicking a cell, which opens a dialog box specific to that table cell. You can also right-click a cell, then click the Edit function from the shortcut menu.

You can edit multiple rule entries by selecting multiple rules, then right-clicking a column. You can then Add or Edit a feature, which is applied to the selected column for all selected rows.

You can display a list of all source and destination addresses. The list shows flattened values of all levels of an address, network object, or interface role object and sorts the results in ascending order on the IP address, then descending order on the mask.

You can display a list of all services and port information. The list shows flattened values of all levels of the Service and Port List objects and sorts the results on: protocol, destination port, and source port.

You can use the table filter to filter the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

In addition to performing inline editing and displaying a flattened list of table cell contents, you can move rules up or down within a table; cut, copy, and paste rules from which to clone other rule entries; enable or disable defined rules; and delete rules from the table. These functions can be performed from shortcut menus or buttons located on the GUI page.

An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

Note You must have the appropriate user privileges to edit rules. Without appropriate privileges, you can only view rule information from the main rules tables.

This procedure assumes you are working from Device view.

Note Although you can access table cells and table rows to edit content using several methods as noted above, this procedure mentions only one method.

Related Topics

•Web Filter Rules Page (PIX/ASA), page I-72

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Policies > Firewall >Web Filter Rules (PIX/ASA).

The Web Filter Rules page appears. For a description of the GUI elements, see Authentication Tab, page K-59.

Step 3 Follow the basic procedure for adding inspection rules using any of the editing methods described above. For more information, see Adding Web Filter Rules (PIX/ASA).

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Enabling and Disabling Web Filter Rules (PIX/ASA)

This procedure assumes you are working from Device view.

Notes

•If a rule is set to disabled, it is shown in the table with hashmarks.

•Disabled rules are downloaded to a device as disabled only if the device supports that option.

Related Topics

•Web Filter Rules Page (PIX/ASA), page I-72

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Web Filter Rules.

The Web Filter Rules page appears. For a description of the GUI elements, see Authentication Tab, page K-59.

Step 3 Right-click the appropriate rule number, then select Enable or Disable as appropriate.

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Cutting, Copying, and Pasting Web Filter Rules (PIX/ASA)

Related Topics

•Editing Web Filter Rules (PIX/ASA)

•Moving Web Filter Rules Up and Down (PIX/ASA)

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Web Filter Rules.

The Web Filter Rules page appears. For a description of the GUI elements, see Authentication Tab, page K-59.

Step 3 From the work area, right-click the appropriate rule number, then select Cut or Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C) respectively.

Step 4 Right-click inside the table, then click Paste. You can also use the shortcut keys (Ctrl+V).

The rule is added to the table.

Step 5 Edit the rule by right-clicking an entry in a table cell, then selecting from the menu of available options for that cell. For more information, see Editing Web Filter Rules (PIX/ASA).

Step 6 To change the order in which the rule appears, see Moving Web Filter Rules Up and Down (PIX/ASA).

Step 7 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Moving Web Filter Rules Up and Down (PIX/ASA)

Related Topics

•Web Filter Rules Page (PIX/ASA), page I-72

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Web Filter Rules.

The Web Filter Rules page appears. For a description of the GUI elements, see Authentication Tab, page K-59.

Step 3 Select the rule to move, then right-click the appropriate rule number.

Step 4 Select Move Row Up or Move Row Down as appropriate. You can also use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.

The selected rule moves up or down one row within the table.

Tip You can also select the rule to move, then use the Up and Down arrows.

Step 5 Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Deleting Web Filter Rules (PIX/ASA)

This procedure assumes you are working from Device view.

Related Topics

•Web Filter Rules Page (PIX/ASA), page I-72

•Understanding Audit Reports, page 20-11

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Web Filter Rules.

The Web Filter Rules page appears. For a description of the GUI elements, see Authentication Tab, page K-59.

Step 3 Right-click the appropriate rule number, then click Delete Row. You can also use the shortcut keys (Ctrl+D).

You are prompted to confirm the deletion the first time you delete a row and any additional time, unless you request not to be prompted.

Step 4 Click Yes.

The rule is removed from the table.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

You can verify the deletion of the rule by viewing an audit report. To generate an audit report, select Tools > Audit Report.

Adding Web Filter Rules (IOS)

This procedure assumes you are adding a rule from Device view. To add a rule from Policy view, see Creating a New Shared Policy, page 7-39, then complete this procedure. After you complete the procedure, you can share the global policy and assign devices to it. For more information, see Modifying Policy Assignments in Policy View, page 7-39.

Related Topics

•IOS Web Filter Rule and Applet Scanner Dialog Box, page I-91

•Exclusive Domain Name Dialog Box, page I-93

•Understanding Web Filter Rules

•Working with Web Filter Rules

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall >Web Filter Rules.

The Web Filter Rules page for IOS devices appears. The Web Filter Rules tab opens by default the first time the page is accessed. For a description of the GUI elements, see Table I-67 on page I-88.

Step 3 Right-click inside the work area, then click Add Row. You can also use the shortcut keys (Ctrl+R).

The IOS Web Filter Rule and Applet Scanner dialog box appears. For a description of the GUI elements, see Table I-70 on page I-92.

Step 4 (Optional) Select Enable Web Filtering, which when selected, limits traffic to particular sites and limits traffic between two entities.

Step 5 Enter the interface information or click Select, which opens the Object Selector dialog box from which to make your selection. The interface identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. If you are using the Object Selector dialog box, do one of the following, then click OK :

•Select from the list of available interface roles, then click OK.

•Click the Add button to create a new interface role. A popup window helps you define the object.

For more information, see Understanding Interface Role Objects, page 9-61.

Step 6 Select the traffic direction.

Step 7 (Optional) Select Enable Java Applet Scanner, which, when selected, the IOS device checks for the presence of Java applets in HTTP traffic coming from web servers to internal hosts.

Step 8 (Optional) Select whether to permit or deny traffic from a source network.

Step 9 Enter the Applet Sources or click Select, which opens the Object Selector dialog box from which to make your selection. If the latter, do one of the following, then click OK:

•Select from the available networks, then click >>.

The objects are moved to the selected column.

•Click the Add button to create a new object.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

The object selector dialog box closes and you return to the IOS Web Filter Rule and Applet Scanner dialog box. For more information, see Understanding Network/Host Objects, page 9-68.

Step 10 Click OK.

The IOS Web Filter Rule and Applet Scanner dialog box closes and you return to the Web Filter Rules page. The rule information is shown in the table.

Step 11 Do one of the following:

•Click Save, which saves your changes to the server, but keeps them private.

•Click the Exclusive Domains tab.

Step 12 Right-click inside the work area, then select Add Row. You can also use the shortcut keys (Ctrl+R).

The IOS Web Filter Exclusive Domain Name dialog box appears. For a description of the GUI elements, see Table I-71 on page I-94.

Step 13 Select whether to permit or deny traffic.

Step 14 Enter the domain name.

Step 15 Click OK.

The IOS Web Filter Exclusive Domain Name dialog box closes and you return to the Web Filter Rules page. The new information is shown in the table.

Step 16 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Editing Web Filter Rules (IOS)

Unlike many of the rules tables, the IOS Web Filter Rules table does not enable editing on a per-table cell basis. The basic procedure for editing Web Filter Rules for IOS devices is the same as adding rules.

An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

This procedure assumes you are working from Device view.

Related Topics

•Web Filter Rules Page (IOS), page I-87

•IOS Web Filter Rule and Applet Scanner Dialog Box, page I-91

•Adding Web Filter Rules (IOS)

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall >Web Filter Rules.

The Web Filter Rules page for IOS devices appears. For a description of the GUI elements, see Table I-67 on page I-88.

Step 3 Right-click the appropriate rule number, then click Edit Row. You can also use the shortcut key (Ctrl+E).

The IOS Web Filter Rule and Applet Scanner dialog box appears. For a description of the GUI elements, see Table I-70 on page I-92.

Step 4 Follow the basic procedure for adding web filter rules. For more information, see Adding Web Filter Rules (IOS).

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

Deleting Web Filter Rules (IOS)

Related Topics

•Web Filter Rules Page (IOS), page I-87

•Understanding Audit Reports, page 20-11

•Understanding Web Filter Rules

•Working with Web Filter Rules

This procedure assumes you are working from Device view.

Procedure

Step 1 Select a device from the Object selector.

Step 2 Select Firewall >Web Filter Rules.

The Web Filter Rules page for IOS devices appears. For a description of the GUI elements, see Table I-67 on page I-88.

Step 3 Right-click the appropriate rule number, then click Delete Row. You can also use the shortcut keys (Ctrl+D).

You are prompted to confirm the deletion the first time you delete a row and any additional time, unless you request not to be prompted.

Step 4 Click Yes.

The rule is removed from the table.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

You can verify the deletion of the rule by viewing an audit report. To generate an audit report, select Tools > Audit Report.

Adding Exclusive Domains (IOS)

This procedure assumes you are adding a rule from Device view. To add a rule from Policy view, see Creating a New Shared Policy, page 7-39, then complete this procedure. After you complete the procedure, you can share the global policy and assign devices to it. For more information, see Modifying Policy Assignments in Policy View, page 7-39.

Exclusive Domain policies enable you to specify a list of domain names (exclusive domains) eliminating the need for the firewall to create a lookup request for HTTP traffic destined for one of the domains in the exclusive list. Thus, you can avoid sending look-up requests to the web server for HTTP traffic that is destined for a host allowed to all users. You can enter the complete domain name or a partial domain name.

Related Topics

•Web Filter Rules Page (IOS), page I-87

•Exclusive Domain Name Dialog Box, page I-93

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Web Filter Rules.

The Web Filter Rules page for IOS devices appears. For a description of the GUI elements, see Table I-67 on page I-88.

Step 3 Select the Exclusive Domains tab. For a description of the GUI elements, see Table I-69 on page I-91.

Step 4 Right-click inside the work area, then select Add Row. You can also use the shortcut keys (Ctrl+R).

The IOS Web Filter Exclusive Domain Name dialog box appears. For a description of the GUI elements, see Table I-71 on page I-94.

Step 5 Specify whether to permit or deny traffic for the rule you are defining.

Step 6 Enter a domain name.

•Complete Domain Name—If you add a complete domain name, such as www.cisco.com, to the exclusive domain list, all HTTP traffic whose URLs are destined for this domain (for example, www.cisco.com/news and www.cisco.com/index) are excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs are permitted or denied.

•Partial Domain Name—If you add only a partial domain name to the exclusive domain list, such as cisco.com, all URLs whose domain names end with this partial domain name (such as www.cisco.com/products and www.cisco.com/eng) are excluded from the URL filtering policies of the vendor server (Websense or N2H2), and on the basis of the configuration, the URLs are permitted or denied.

Step 7 Click OK.

The dialog box closes and you return to the Exclusive Domain table. The rule information is shown in the table.

Step 8 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Editing Exclusive Domains (IOS)

Unlike many of the rules tables, the Exclusive Domains table does not enable editing on a per-table cell basis. The basic procedure for editing Web Filter Settings for IOS Rules is the same as adding settings.

An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

This procedure assumes you are working from Device view.

Related Topics

•Exclusive Domain Name Dialog Box, page I-93

•Adding Exclusive Domains (IOS)

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select an IOS device from the Object selector.

Step 2 Select Firewall > Web Filter Rules.

The Web Filter Rules page for IOS devices appears. For a description of the GUI elements, see Table I-67 on page I-88.

Step 3 Select the Exclusive Domains tab. For a description of the GUI elements, see Table I-69 on page I-91.

Step 4 Right-click the appropriate rule number, then click Edit Row.

The IOS Web Filter Exclusive Domain Name dialog box appears. For a description of the GUI elements, see Table I-71 on page I-94.

Step 5 Follow the basic procedure for adding web filter. For more information, see Adding Web Filter Rules (IOS).

Step 6 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Deleting Exclusive Domains (IOS)

This procedure assumes you are working from Device view.

Related Topics

•Understanding Audit Reports, page 20-11

•Web Filter Rules Page (IOS), page I-87

•Understanding Web Filter Rules

•Working with Web Filter Rules

Procedure

Step 1 Select an IOS device from the Device selector.

Step 2 Select Firewall > Web Filter Rules.

The Web Filter Rules page for IOS devices appears. For a description of the GUI elements, see Table I-67 on page I-88.

Step 3 Select the Exclusive Domains tab. For a description of the GUI elements, see Table I-69 on page I-91.

Step 4 Right-click the appropriate rule, then click Delete Row. You can also use the shortcut keys (Ctrl+D).

You are prompted to confirm the deletion the first time you delete a row and any additional time, unless you request not to be prompted.

Step 5 Click Yes.

The rule is removed from the table.

Step 6 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

You can verify the deletion of the rule by viewing an audit report. To generate an audit report, select Tools > Audit Report.

Working with Transparent Firewall Rules

Transparent Firewall is a feature that enables you to add a transparent firewall device into an existing network without having to reconfigure statically defined devices. Thus, the tedious and costly overhead that is required to renumber devices on the trusted network is eliminated.

Transparent firewall rules enable you to specify VLAN-based Layer 2 (L2) interfaces. Use of firewall devices is within the same subnet. Only EtherType rules are configured as firewall policies. To configure other types of transparent firewall features, selectPlatform > Bridging.

Transparent Firewall includes the following features:

•L3 packet filtering and inspection on a bridged (L2) interface. To set the interface in L2 mode, you must modify certain device settings.

–PIX, ASA, and FWSM devices require that you turn on transparent mode.

–IOS devices require that you configure the interface as a bridged interface.

•MAC (EtherType) filtering on L2 frames.

•The ability to create another L2 ACL to filter Ethernet frames based on EtherType code.

•The ability to disable MacLearning (PIX/ASA/FWSM).

•The ability to specify static MAC table entries and disable learning new entries from a particular interface.

•ARP inspection (PIX/ASA/FWSM).

•The ability to specify static ARP table entries and check new ARP responses against those static entries.

•The ability to forward DHCP traffic across the bridge without inspection (IOS).

When configuring EtherType rules, you should:

1. (For PIX/ASA/FWSM) Set the device interface in L2 mode.

2. (For all devices) Configure the Transparent Rules table. To access the table, select Firewall > Transparent Rules.

3. (For IOS devices) Configure Settings. To access settings, select Firewall > Settings > Transparent.

From the Transparent Rules tables, you can generate Policy Query reports to help you identify all rules in the global policy that could affect the defined packets. For more information, see Using Policy Query.

The following topics will help you work with transparent rules:

•Adding Transparent Rules

•Editing Transparent Rules

•Enabling and Disabling Transparent Rules

•Cutting, Copying, and Pasting Transparent Rules

•Cutting, Copying, and Pasting Transparent Rules

•Moving Transparent Rules Up and Down

•Deleting Transparent Rules

Adding Transparent Rules

This procedure assumes you are adding a rule from Device view. To add a rule from Policy view, see Creating a New Shared Policy, page 7-39, then complete this procedure. After you complete the procedure, you can share the global policy and assign devices to it. For more information, see Modifying Policy Assignments in Policy View, page 7-39.

Related Topics

•Transparent Rules Page, page I-94

•Add and Edit Transparent Firewall Rule Dialog Boxes, page I-96

•Working with Transparent Firewall Rules

•Copying Policies Between Devices, page 7-21

•Working with Shared Policies in Device View, page 7-24

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Transparent Rules.

The Transparent Rules page appears. For a description of the GUI elements, see Table I-72 on page I-94.

Step 3 Right-click the Transparent Rules table, then click Add Row. You can also use the shortcut keys (Ctrl+R).

The Add Transparent Firewall Rule dialog box appears. For a description of the GUI elements, see Table I-73 on page I-96.

Step 4 Select the Enable Rule check box, which, when selected, indicates that the rule appears after the configuration is generated.

Step 5 Select whether to permit or deny traffic for the rule you are defining.

Step 6 Enter the interface information or click Select, which opens the Object Selector dialog box from which to make your selection. The interface identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned.

If you are using the Object Selector dialog box, do one of the following, then click OK:

•Select from the available interface roles, then click >>.

The objects are moved to the selected column.

•To create a new interface role, click Create.

A popup window helps you define the object. After you complete the definition, the new object is listed in the selected column.

For more information, see Understanding Interface Role Objects, page 9-61.

Step 7 Select the traffic direction, which identifies traffic direction within a network.

Step 8 Enter the EtherType.

Step 9 Enter the wildcard mask.

Step 10 (Optional) Under Category, select a category to help you identify this rule in the table. See Using Category Objects, page 9-4.

Step 11 (Optional). Enter a description to help you identify the rule.

For PIX/FWSM/ASA, the description is mapped to access-list remark.

Step 12 Click OK.

The dialog box closes and you return to the Transparent Rules page.

Step 13 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment".

After you define policy settings in Device view, you can use it locally on the device, or share it with multiple devices. For more information, see Working with Shared Policies in Device View, page 7-24.

Note You can print the entire rules table from the File menu.

Editing Transparent Rules

To facilitate the editing process, Firewall Services offers the ability to perform inline editing on transparent rules shown in the tables. Editing can performed on a rule in its entirety or individual table cells.

You can edit rules in their entirety by double-clicking a rule number in the table or using the shortcut key (Ctrl+E), which opens the rule dialog box or wizard from which to make your changes. You can also edit individual table cells by right-clicking a cell, then using the shortcut menu, which opens a dialog box specific to that table cell.

You can edit multiple rule entries by selecting multiple rules, then right-clicking a column. You can then Add or Edit a feature, which is applied to the selected column for all selected rows.

You can use the table filter to filter the information displayed in the table. Click the arrow to display the filtering bar, which enables you to set filtering parameters. See Filtering Tables, page 3-17.

In addition to performing inline editing, you can move rules up or down within a table; cut, copy, and paste rules from which to clone other rule entries; enable or disable defined rules; and delete rules from the table. These functions can be performed from shortcut menus or buttons located on the GUI page.

An inherited rule can be modified only inside the parent policy in which it was defined. It cannot be modified inside a child policy.

Note You must have the appropriate user privileges to edit rules. Without appropriate privileges, you can only view rule information from the main rules tables.

This procedure assumes you are working from Device view.

Note Although you can access table cells and table rows to edit content using several methods as noted above, this procedure mentions only one method.

Related Topics

•Adding Transparent Rules

•Transparent Rules Page, page I-94

•Add and Edit Transparent Firewall Rule Dialog Boxes, page I-96

•Working with Transparent Firewall Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Transparent Rules.

The Transparent Rules page appears. For a description of the GUI elements, see Table I-72 on page I-94.

Step 3 Follow the basic procedure for adding transparent rules using any of the editing methods described above. For more information, see Adding Transparent Rules.

Step 4 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Enabling and Disabling Transparent Rules

This procedure assumes you are working from Device view.

Notes

•If a rule is set to disabled, it is shown in the table with hashmarks.

•Disabled rules are downloaded to a device as disabled only if the device supports that option.

Related Topics

•Transparent Rules Page, page I-94

•Working with Transparent Firewall Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Transparent Rules.

The Transparent Rules page appears. For a description of the GUI elements, see Table I-72 on page I-94.

Step 3 Select a rule to enable or disable, then right-click the appropriate rule number.

Step 4 Select Enable or Disable as appropriate.

Step 5 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Cutting, Copying, and Pasting Transparent Rules

This procedure assumes you are working from Device view.

Related Topics

•Transparent Rules Page, page I-94

•Editing Transparent Rules

•Moving Transparent Rules Up and Down

•Working with Transparent Firewall Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Transparent Rules.

The Transparent Rules page appears. For a description of the GUI elements, see Table I-72 on page I-94.

Step 3 From the work area, right-click the appropriate rule number, then select Cut or Copy as appropriate. You can also use the shortcut keys (Ctrl+X) and (Ctrl+C) respectively.

Step 4 Right-click inside the table, then click Paste. You can also use the shortcut keys (Ctrl+V).

The rule is added to the table.

Step 5 Edit the rule by right-clicking an entry in a table cell, then selecting from the menu of available options for that cell. For more information, see Editing Transparent Rules.

Step 6 To change the order in which the rule appears, see Moving Transparent Rules Up and Down.

Step 7 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Moving Transparent Rules Up and Down

This procedure assumes you are working from Device view.

Related Topics

•Transparent Rules Page, page I-94

•Working with Transparent Firewall Rules

Procedure

Step 1 Select a device from the Device selector.

Step 2 Select Firewall > Transparent Rules.

The Transparent Rules page appears. For a description of the GUI elements, see Table I-72 on page I-94.

Step 3 Select the rule to move, then right-click the appropriate rule number.

Step 4 From the shortcut menu, select Move Row Up or Move Row Down. You can also use the shortcut keys (Ctrl+Up) and (Ctrl+Down) respectively.

The selected rule moves up or down one row within the table.

Tip You can also select the rule to move, then use the Up and Down arrows.

Step 5 Repeat Step 3 and Step 4 until the rule is positioned in the correct order.

Step 6 Click Save, which saves your changes to the server, but keeps them private.

Changes must be submitted and approved before they are committed to the database, which enables all other users to view the changes. For more information, see Chapter 7, "Managing Policies".

Changes are applied to the assigned device configuration files when they are generated. The configuration files are then downloaded to the devices at deployment. For more information, see Chapter 18, "Managing Deployment"

Deleting Transparent Rules

This procedure assumes you are working from Device view.

Related Topics

•Understanding Audit Reports, page 20-11

•Transparent Rules Page, page I-94

•Working with Transparent Firewall Rules

Procedure

Step 1