Table Of Contents
Managing Objects
Introduction to Objects
Creating Objects
Guidelines for Managing Objects
Understanding the Policy Object Manager Window
Object Type Selector
Policy Object Manager—Work Area
Managing Existing Objects
Editing Objects
Deleting Objects
Managing Object Overrides
Duplicating Objects
Generating Object Usage Reports
Viewing Object Details
Understanding AAA Server Group Objects
Predefined AAA Authentication Server Groups
Default AAA Server Groups and IOS Devices
Creating AAA Server Group Objects
Understanding AAA Server Objects
Supported AAA Server Types
AAA Support on ASA Devices
Creating AAA Server Objects
Understanding Access Control List Objects
Understanding the GUI
Creating Access Control List Objects
Creating Extended Access Control List Objects
Creating Standard Access Control List Objects
Creating Web Access Control List Objects
Understanding ASA User Group Objects
Creating ASA User Group Objects
Understanding Category Objects
Editing Category Objects
Understanding Credential Objects
Creating Credential Objects
Understanding FlexConfig Objects
Creating FlexConfig Objects
Understanding IKE Proposal Objects
Creating IKE Proposal Objects
Understanding Inspection Map Objects
Creating DNS Class Map Objects
Creating FTP Class Map Objects
Creating H.323 Class Map Objects
Creating HTTP Class Map Objects
Creating IM Class Map Objects
Creating SIP Class Map Objects
Understanding DCE/RPC Policy Maps
Creating DCE/RPC Map Objects
Understanding DNS Policy Maps
Creating DNS Map Objects
Understanding ESMTP Policy Maps
Creating ESMTP Map Objects
Understanding FTP Policy Maps
Creating FTP Map Objects
Understanding GTP Policy Maps
Creating GTP Map Objects
Understanding H.323 Policy Maps
Creating H.323 Map Objects
Understanding HTTP Policy Map Objects
Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS)
Configuring the General Tab
Configuring the Entity Length Tab
Configuring the RFC Request Method Tab
Configuring the Extension Request Method Tab
Configuring the Port Misuse Tab
Configuring the Transfer Encoding Tab
Creating HTTP Map Objects (ASA 7.2/PIX 7.2)
Understanding IM Map Objects
Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices
Creating IM Map Objects for IOS Devices
Understanding IPsec Pass Through Policy Maps
Creating IPSec Pass Through Map Objects
Understanding NetBIOS Policy Maps
Creating NetBIOS Map Objects
Understanding SIP Map Objects
Creating SIP Map Objects
Understanding Skinny Policy Maps
Creating Skinny Map Objects
Understanding SNMP Policy Maps
Creating SNMP Map Objects
Creating Regular Expression Group Objects
Creating Regular Expression Objects
Metacharacters Used to Build Regular Expressions
Notes
Creating TCP Map Objects
Understanding Interface Role Objects
Creating Interface Role Objects
Specifying Interfaces During Policy Definition
Exceptional Cases When Using Interface Roles
Understanding IPsec Transform Set Objects
IPsec Protocols
IPsec Modes
Creating IPsec Transform Set Objects
Understanding LDAP Attribute Map Objects
Creating LDAP Attribute Map Objects
Understanding Network/Host Objects
Supported IP Address Formats
Contiguous and Discontiguous Network Masks
Creating Network/Host Objects
Using Unspecified Network/Host Objects
Specifying IP Addresses During Policy Definition
Understanding PKI Enrollment Objects
Creating PKI Enrollment Objects
Defining CA Server Properties
Defining PKI Enrollment Parameters
Defining Additional PKI Attributes
Defining the Trusted CA Hierarchy
Understanding Port Forwarding List Objects
Creating Port Forwarding List Objects
Understanding Port List Objects
Creating Port List Objects
Understanding Secure Desktop Configuration Objects
Creating Secure Desktop Configuration Objects
Understanding Service Group Objects
Creating Service Group Objects
Understanding Service Objects
Creating Service Objects
Understanding Single Sign-On Server Objects
Creating Single Sign-On Server Objects
Understanding SLA Monitor Objects
Creating SLA Monitor Objects
Understanding Style Objects
Creating Style Objects
Understanding Text Objects
Creating Text Objects
Understanding Time Range Objects
Creating Time Range Objects
Creating Traffic Flow Objects
Understanding IP Precedence Bits
Understanding URL List Objects
Creating URL List Objects
Understanding User Group Objects
Creating User Group Objects
Understanding SSL VPN Customization Objects
Creating SSL VPN Customization Objects
Understanding SSL VPN Gateway Objects
Creating SSL VPN Gateway Objects
Understanding WINS Server List Objects
Creating WINS Server List Objects
Overriding Global Objects for Individual Devices
Allowing a Global Object to Be Overridden
Creating Device-Level Object Overrides
Creating Object Overrides for a Single Device
Creating Object Overrides for Multiple Devices
Deleting Device-Level Object Overrides
Deleting Overrides from the Device Properties Window
Deleting Overrides from the Policy Object Manager window
Selecting Objects for Policies
How Policy Objects are Provisioned as PIX/ASA Object Groups
How Network/Host Objects are Provisioned as PIX/ASA Object Groups
How Port List Objects are Provisioned as PIX/ASA Object Groups
How Service Objects are Provisioned as PIX/ASA Object Groups
How Service Group Objects are Provisioned as PIX/ASA Object Groups
Managing Objects
Introduction to Objects
Objects enable you to define logical collections of elements. They are reusable, named components that can be used by other objects and policies. Objects aid policy definition by eliminating the need to define that component each time you define a policy. When used, an object becomes an integral component of the object or policy. This means that if you change the definition of an object, this change is reflected in all objects and policies that reference the object.
Objects facilitate network updates, because you can identify objects separately but maintain them in a central location. For example, you can identify the servers in your network as a network/host object called MyServers, and the protocols to allow on these servers in a service group object. You can then create an access rule that permits the service group to access the MyServers network/host object. If a change is made to these servers, you need only update the network/host object and redeploy, instead of trying to locate and edit each rule in which the servers are used.
By default, objects are defined globally. This means that the definition of an object is the same for every object and policy that references it. However, many object types (for example, interface roles) can be overridden at the device level. This enables you to customize an object to match the configuration of a particular device in your network. For more information, see Overriding Global Objects for Individual Devices.
Note
Objects were known as building blocks in the VPN/Security Management Solution (VMS) bundle, which predated the Cisco Security Manager.
Related Topics
• Creating Objects
• Guidelines for Managing Objects
• Understanding the Policy Object Manager Window
• Managing Existing Objects
Creating Objects
Security Manager provides predefined objects of various types that you can use to define policies. Additionally, you can create your own objects, as required.
You can access the dialog boxes for creating objects in one of two ways:
• Using the Policy Object Manager window. This option is best suited for situations where you are defining one or more objects outside of the context of defining a particular policy. See Understanding the Policy Object Manager Window.
• Using object selectors. When you define a policy that uses objects, object selectors include buttons for creating and editing objects without your having to first leave the policy that you are defining. See Selecting Objects for Policies.
The following topics describe the types of objects that are available in Security Manager and how to create them:
• Understanding AAA Server Group Objects
• Understanding AAA Server Objects
• Understanding Access Control List Objects
• Understanding ASA User Group Objects
• Understanding Category Objects
• Understanding Credential Objects
• Understanding FlexConfig Objects
• Understanding IKE Proposal Objects
• Understanding Inspection Map Objects
• Understanding Interface Role Objects
• Understanding IPsec Transform Set Objects
• Understanding LDAP Attribute Map Objects
• Understanding Network/Host Objects
• Understanding PKI Enrollment Objects
• Understanding Port Forwarding List Objects
• Understanding Port List Objects
• Understanding Secure Desktop Configuration Objects
• Understanding Service Group Objects
• Understanding Service Objects
• Understanding Single Sign-On Server Objects
• Understanding SLA Monitor Objects
• Understanding Style Objects
• Understanding Text Objects
• Understanding Time Range Objects
• Understanding URL List Objects
• Understanding User Group Objects
• Understanding SSL VPN Customization Objects
• Understanding SSL VPN Gateway Objects
• Understanding WINS Server List Objects
Note
For information about FlexConfig objects, see Understanding FlexConfig Policy Objects, page 20-2.
Related Topics
• Introduction to Objects
• Guidelines for Managing Objects
• Understanding the Policy Object Manager Window
• Managing Existing Objects
Guidelines for Managing Objects
You should keep in mind the following guidelines when working with objects:
• Object names are not case-sensitive and are limited to 128 characters. You must begin object names with a letter or an underscore. You can use a mix of letters, numbers, special characters, and spaces for the remainder of the object name. Supported special characters include hyphens (-), underscores (_), periods (.), and plus signs (+).
Note
Certain object types, such as AAA Server Groups, ASA User Groups, Inspect Maps, and Traffic Flows, have different naming guidelines. For more details, refer to the online help when you are creating each object type.
• You can rename an object that is referenced by policies or other objects. Security Manager synchronizes the references with the new object name.
• Objects are defined on the global level and are available for use with all relevant policies and other objects. To override the definitions of certain types of objects for specific devices, see Overriding Global Objects for Individual Devices.
• If you change the definition of an object, this change is reflected in all policies that reference that object.
• Your ability to create multiple objects with the same definition depends on a setting on the Policy Objects page in the Security Manager Administration window (Tools > Security Manager Administration). By default, Security Manager warns you when you create an object whose definition is identical to that of an existing object, but it does not prevent you from proceeding. For more information, see Policy Objects Page, page A-42.
• You cannot delete an object that is referenced by policies or other objects.
• In certain situations, you might not be allowed to delete an object, even though the usage report indicates that it is not being used by any other objects or policies. For example, if you configured a device with a local policy that uses network/host object A and later replace that local policy with a shared policy that does not use that object, you will still be prevented from deleting object A. This can also happen when Security Manager creates an internal object from the configuration of a discovered device, and the device is later deleted. If you are prevented from deleting an object and you do not find any policies or objects that use that object, we recommend that you submit or discard all pending changes, then try again.
Related Topics
• Introduction to Objects
• Creating Objects
• Understanding the Policy Object Manager Window
• How Policy Objects are Provisioned as PIX/ASA Object Groups
• Understanding Locking and Objects, page 7-57
Understanding the Policy Object Manager Window
You manage objects in Security Manager using the Policy Object Manager window. This window enables you to view, create, edit, copy, and delete objects of each type. Additionally, the Policy Object Manager window enables you to run a usage report that details how each object is being used by Security Manager.
To open the Policy Object Manager window, click the Policy Object Manager button on the toolbar, or select Tools > Policy Object Manager.
Figure 9-1 Policy Object Manager Window (callouts: 1 = Object Type selector, 2 = Filtering bar, 3 = Work area)
The Policy Object Manager window is divided into the following sections:
• Object Type selector (see Object Type Selector)
• Filtering bar (see Filtering Tables, page 3-24)
• Work area (see Policy Object Manager—Work Area)
Related Topics
• Introduction to Objects
• Managing Existing Objects
Object Type Selector
The Object Type selector, which is located on the left side of the Policy Object Manager window, contains a list of each available object type. A unique icon is displayed next to the name of each object type. This icon identifies objects of that type whenever they appear, such as in rules tables.
Related Topics
Understanding the Policy Object Manager Window
Policy Object Manager—Work Area
Select an object type in the Object Type selector to display a table of existing objects of that type in the work area, which is located on the right side of the Policy Object Manager window. The icons of user-defined objects include a special badge that distinguishes them from the predefined objects that are provided with Security Manager.
The table displays key information about each object, including:
• Object type icon.
• Object name.
• Defined category.
• Object description.
Additional information in the table differs for each object type. For example, the table for service objects includes the protocol, the source and destination ports, the ICMP message type (if applicable), and whether the global settings for this object can be overridden for individual devices.
To learn how to filter the information displayed in the work area, see Filtering Tables, page 3-24.
To sort the information in the work area, click a column header. Click the header again to sort the information in reverse order.
Related Topics
• Understanding the Policy Object Manager Window
Managing Existing Objects
The following topics describe the actions that you can perform on the objects defined in the Policy Object Manager:
• Editing Objects
• Deleting Objects
• Managing Object Overrides
• Duplicating Objects
• Generating Object Usage Reports
• Viewing Object Details
You can access the options for performing all these actions by right-clicking an object in the Policy Object Manager and selecting from the displayed shortcut menu. Not all options are available for all objects. For example, predefined objects cannot be edited, and certain object types cannot be overridden for individual devices.
Related Topics
• Guidelines for Managing Objects
• Understanding the Policy Object Manager Window
• Managing Objects
Editing Objects
You can edit any user-defined object as required. Changes that you make to the object are reflected in all policies (and other objects) that use the object. This procedure describes how to edit an object.
Note
Predefined objects cannot be edited, but they can be copied. See Duplicating Objects.
Tip
You can also edit objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.
Before You Begin
• Determine if the object is being used, and which policies, objects, and devices would be affected by the changes. You can generate a usage report for this purpose. See Generating Object Usage Reports.
Related Topics
• Understanding the Policy Object Manager Window
• Understanding AAA Server Group Objects
Step 1  Select Tools > Policy Object Manager. The Policy Object Manager window appears.
Step 2  Select an object type from the Object Type selector.
Step 3  In the work area, right-click the object you want to edit, then select Edit Object.
Step 4  Modify the fields in the Edit dialog box for that object type as required, then click OK to save your changes.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Deleting Objects
You can delete user-defined objects only when they are not being used by policies or other objects. Predefined objects cannot be deleted. If you delete an object for which device-level overrides are defined, all overrides are also deleted.
This procedure describes how to delete user-defined objects.
Note
You might be prevented from deleting an unreferenced object from the database, if, for example, you replace a local policy that used the object with a shared policy that does not. If object deletion fails, submit or discard all pending changes (in Workflow mode, submit or discard all pending activities), then try again to delete the object. Alternatively, you can leave unreferenced objects in the database, because they will not affect Security Manager operation.
Before You Begin
• Determine if the object is currently being used and which policies, objects, and devices would be affected by the deletion. You can generate a usage report for this purpose. See Generating Object Usage Reports.
Related Topics
• Managing Existing Objects
Step 1  Select Tools > Policy Object Manager.
Step 2  Select an object type from the Object Type selector.
Step 3  In the work area, right-click a user-defined object, then select Delete Object.
Tip
You can select multiple objects by pressing Ctrl and clicking on the desired objects.
Step 4  When prompted, click Yes to confirm the deletion.
Note
To verify that the object was deleted, select Tools > Audit Report and view the generated report.
Managing Object Overrides
From the Policy Object Manager window, you can select a global object that can be overridden and generate a table of device-level overrides that are defined for that global object. For example, you can select a global AAA server group object and view a table of all devices for which you defined a local variation of the global object.
For more information, see Overriding Global Objects for Individual Devices.
Object override definitions are displayed in the Policy Object Override window. This procedure describes how to create, edit, and delete object overrides from this window.
Related Topics
• Managing Existing Objects
• Creating Object Overrides for a Single Device
• Creating Object Overrides for Multiple Devices
• Understanding the Policy Object Manager Window
Step 1  Select Tools > Policy Object Manager.
Step 2  Select an object type from the Object Type selector to display the table of existing objects of that type.
Step 3  In the work area, select a global object for which device-level overrides have been permitted. These objects are indicated by a green checkmark in the Overridable column. See Allowing a Global Object to Be Overridden.
Step 4  Double-click the checkmark, or right-click the object and select Edit Device Overrides. The Policy Object Overrides window is displayed.
Each device-level override defined for the selected object is displayed in a table containing the name of the device to which the override applies, the category assigned to the object, and the object definition. See Policy Object Overrides Window, page F-597 for a description of the fields in this window.
Step 5  (Optional) Do one of the following:
• To create a device-level override, click the New Object button. For more information, see Creating Device-Level Object Overrides.
• To edit a device-level override, select the object from the table, then click the Edit Object button.
• To delete a device-level override, select the object from the table, then click the Delete Object button. For more information, see Deleting Device-Level Object Overrides.
Step 6  Click Close to return to the Policy Object Manager window.
Duplicating Objects
An alternative to creating a policy object from scratch is to duplicate an existing object. The new object contains all the attributes of the copied object and a default name. You can then modify the name and all attributes as required.
Duplicating is useful for creating objects that are based on predefined objects that cannot be edited.
This procedure describes how to duplicate an object.
Related Topics
• Managing Existing Objects
• Understanding the Policy Object Manager Window
Step 1  Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.
Step 2  Select an object type from the Object Type selector.
Step 3  In the work area, right-click the object you want to duplicate, then select Create Duplicate.
The dialog box for that object type appears. The Name field contains the following default name for the new object: Copy of <name of copied object>. The remaining fields contain the same values as the copied object.
Step 4  Modify the name of the new object and its configuration, as required.
Step 5  Click OK to save your changes.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Generating Object Usage Reports
Before you make any changes to a user-defined object, you should determine if the object is being used. You can do this by generating usage reports that show which policies, objects, and devices are using the selected object and would therefore be affected by changes to that object. Usage reports contain any references to the selected object in your current activity as well as references found in the data committed to the Security Manager database.
This procedure describes how to generate a usage report.
Related Topics
• Managing Existing Objects
• Understanding the Policy Object Manager Window
Step 1  Select Tools > Policy Object Manager. The Policy Object Manager window appears.
Step 2  Select an object type from the Object Type selector.
Step 3  In the work area, right-click the object for which you want to generate a report, then select Find Usage.
The Usage Reports window appears, displaying all references to the selected object. See Table F-357 on page F-596 for a description of the fields in this window.
Tip
Click a column header to sort the table according to the contents of that column. Click the column header again to sort the table in reverse order.
Step 4  (Optional) Filter the information displayed in the usage report by deselecting one or more of the following check boxes:
• Devices
• Policies
• Other Objects
The deselected entries are removed from the report.
Viewing Object Details
You can view detailed object information in read-only mode, even when the object is locked by another activity. This is useful when you need to view complete configuration details for complex objects whose definitions cannot be fully displayed in the Policy Object Manager window or when your user privileges allow you only to view object information.
Note
You can display object details without opening an activity.
This procedure describes how to display complete configuration details for a selected object in read-only mode.
Related Topics
• Managing Existing Objects
• Understanding the Policy Object Manager Window
Step 1  Select Tools > Policy Object Manager. The Policy Object Manager window is displayed.
Step 2  Select an object type from the Object Type selector.
Step 3  In the work area, right-click the object that you want to view configuration details for, then select View Object.
The dialog box for that object appears in read-only mode.
Understanding AAA Server Group Objects
In Security Manager, policies requiring AAA (such as Easy VPN, Remote Access VPNs, and router platform policies such as Secured Device Provisioning and 802.1x) refer to AAA server group objects. These objects contain multiple AAA servers that use the same protocol, such as RADIUS or TACACS+. In essence, AAA server groups represent collections of authentication servers focused on enforcing specific aspects of your overall network security policy. For example, you can group those servers dedicated to authenticating internal traffic, external traffic, or remote dial-in users, as well as servers that authorize the administration of your firewall devices.
AAA server group objects are typically made up of individual AAA server objects. For more information, see Understanding AAA Server Objects. Security Manager policies always refer to the AAA server group, rather than to individual AAA servers.
The following topics describe how to work with AAA server group objects:
• Predefined AAA Authentication Server Groups
• Default AAA Server Groups and IOS Devices
• Creating AAA Server Group Objects
Related Topics
• Creating Objects
Predefined AAA Authentication Server Groups
Security Manager contains several predefined AAA server groups that define an authentication method without specifying particular AAA servers. In policies such as IPsec proposals, you can use these predefined server groups to define the types of AAA authentication to perform and the order in which to perform them.
Table 9-1 lists the predefined AAA authentication server groups.
Table 9-1 Predefined AAA Authentication Server Groups

Name      Description
Enable    Uses the enable password for authentication.
KRB5      Uses Kerberos 5 for authentication.
          Note For Cisco IOS routers, Security Manager supports Kerberos 5 client configuration only on selected platforms running IOS Software versions that support this protocol. Server configuration is not supported. The device must include an Advanced series feature set (k9 crypto image).
Line      Uses the line password for authentication.
Local     Uses the local username database for authentication.
None      Uses no authentication.
RADIUS    Does not apply to Cisco IOS routers. Uses RADIUS authentication.
          Note This AAA server group does not contain any AAA servers at the global level. To use this AAA server group when defining a policy, you must create a device-level override and define the AAA servers to associate with the group. For more information, see Creating Device-Level Object Overrides.
TACACS+   Does not apply to Cisco IOS routers. Uses TACACS+ authentication.
          Note This AAA server group does not contain any AAA servers at the global level. To use this AAA server group when defining a policy, you must create a device-level override and define the AAA servers to associate with the group. For more information, see Creating Device-Level Object Overrides.
Related Topics
• Creating AAA Server Group Objects
• Default AAA Server Groups and IOS Devices
• Understanding AAA Server Group Objects
Default AAA Server Groups and IOS Devices
IOS software enables you to define AAA servers either as members of AAA server groups or as individual servers. Security Manager, however, requires all AAA servers to belong to a AAA server group.
Therefore, when you discover an IOS device whose device configuration contains individual AAA servers that do not belong to a AAA server group, Security Manager creates the following server groups to contain these servers:
• For RADIUS: CSM-rad-grp
• For TACACS+: CSM-tac-grp
Both of these special AAA server groups are marked in the Policy Object Manager as the default groups for their protocol. This is indicated by the Make this Group the Default AAA Server Group check box.
These groups are created solely for the purpose of management by Security Manager. During deployment, the AAA servers in these special groups are deployed back to the IOS device as individual servers, not as part of the group.
Note
If you use one of these default AAA server groups in a policy defined for a PIX/ASA/FWSM device, the AAA servers are deployed as a group to that device, not as individual servers. This is because all AAA servers on PIX/ASA/FWSM devices must belong to a AAA server group.
Caution
We recommend that you use caution when using these default AAA server groups in a policy definition. There are certain commands (for example, ip radius and ip tacacs, which are configured using the Interface field in the AAA Server dialog box) that can be defined once for each AAA server group and once for all individual AAA servers. Because the AAA servers in the default group are deployed to IOS devices as individual servers, you might inadvertently change the ip radius or ip tacacs settings for all the individual AAA servers configured on the device, including servers that are not being managed by Security Manager (and whose configurations would otherwise be left undisturbed).
Related Topics
• Predefined AAA Authentication Server Groups
• Creating AAA Server Group Objects
• Understanding AAA Server Group Objects
• Understanding AAA Server Objects
Creating AAA Server Group Objects
You can create AAA server group objects for Security Manager policies requiring AAA services, such as authentication and authorization. Each AAA server group object can contain multiple AAA servers, all of which use the same protocol, such as RADIUS or TACACS+. For example, if you want to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you must create at least two AAA server group objects, one for RADIUS servers and one for TACACS+ servers.
In addition, only one source interface can be defined for the AAA servers in the group. An error is displayed when you submit your changes if different AAA servers in the group use different source interfaces.
Note
The error is triggered by the actual interface defined as the source, not the name of the interface role that represents the interface. That is, two AAA servers can have different interface roles defined as the source interface as long as they both resolve to the same device interface. An error is also displayed if the interface role defined for the source interface matches more than one actual interface on the device.
The number of AAA server group objects that can be created and the number of AAA server objects that can be included in each group object depend on the selected platform. For example, ASA devices support up to 18 single-mode server groups (with up to 16 servers each) and 7 multi-mode server groups (with up to 4 servers each). PIX firewalls support up to 14 server groups, each containing up to 14 servers.
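The following Python is an added example, not part of this guide or of Security Manager's own code: it encodes the constraints just described for AAA server group objects (one protocol per group, a single resolved source interface, the quoted ASA/PIX group and server limits), together with the general object-name rules from Guidelines for Managing Objects and the group-name rules given in Step 4 below. The Device, InterfaceRole, AAAServer and AAAServerGroup classes, the platform labels, and the glob-style matching of interface roles to device interfaces are assumptions made for the example; Security Manager's internal model is not shown on this page.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Tuple
# General object-name rule: a letter or underscore first, then letters, digits,
# spaces and the supported special characters - _ . + (128 characters maximum).
OBJECT_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_ .+-]*$")
OBJECT_NAME_MAX = 128
# AAA server group names that Cisco IOS routers do not support.
IOS_RESERVED_GROUP_NAMES = {"RADIUS", "TACACS", "TACACS+"}
# Limits quoted on the page: platform label (assumed) -> (max groups, max servers per group).
PLATFORM_LIMITS = {"asa-single": (18, 16), "asa-multi": (7, 4), "pix": (14, 14)}

@dataclass
class Device:
    platform: str            # "ios", "pix", "asa-single" or "asa-multi"
    interfaces: List[str]    # actual interface names present on the device

@dataclass
class InterfaceRole:
    name: str
    patterns: List[str]      # interface-name patterns; glob matching is an assumption

@dataclass
class AAAServer:
    name: str
    protocol: str            # "RADIUS" or "TACACS+"
    source_role: InterfaceRole

@dataclass
class AAAServerGroup:
    name: str
    protocol: str
    servers: List[AAAServer]

def validate_object_name(name: str, max_len: int = OBJECT_NAME_MAX) -> List[str]:
    """Violations of the general object-name guidelines (empty list means valid)."""
    errors = []
    if len(name) > max_len:
        errors.append(f"name longer than {max_len} characters")
    if not OBJECT_NAME_RE.match(name):
        errors.append("name must start with a letter or underscore and contain only "
                      "letters, digits, spaces and the characters - _ . +")
    return errors

def validate_group_name(name: str, platform: str) -> List[str]:
    """16 characters on firewalls, 128 on IOS, no spaces, no IOS-reserved names (case-insensitive, an assumption)."""
    errors = validate_object_name(name, 128 if platform == "ios" else 16)
    if " " in name:
        errors.append("spaces are not supported in AAA server group names")
    if platform == "ios" and name.upper() in IOS_RESERVED_GROUP_NAMES:
        errors.append(f"'{name}' is not a supported AAA server group name on IOS")
    return errors

def resolve_role(role: InterfaceRole, device: Device) -> List[str]:
    """Device interfaces matched by any of the role's patterns."""
    return [i for i in device.interfaces if any(fnmatchcase(i, p) for p in role.patterns)]

def validate_group(group: AAAServerGroup, device: Device) -> List[str]:
    """One protocol per group, one resolved source interface, per-group size limit."""
    errors = validate_group_name(group.name, device.platform)
    for s in group.servers:
        if s.protocol != group.protocol:
            errors.append(f"server {s.name} uses {s.protocol} but the group uses {group.protocol}")
    # Servers may use different interface roles as long as each role matches
    # exactly one device interface and all of them resolve to the same interface.
    resolved = set()
    for s in group.servers:
        matches = resolve_role(s.source_role, device)
        if len(matches) > 1:
            errors.append(f"role {s.source_role.name} (server {s.name}) matches "
                          f"{len(matches)} interfaces on the device")
        elif matches:
            resolved.add(matches[0])
    if len(resolved) > 1:
        errors.append("servers use different source interfaces: " + ", ".join(sorted(resolved)))
    max_servers = PLATFORM_LIMITS.get(device.platform, (None, None))[1]
    if max_servers and len(group.servers) > max_servers:
        errors.append(f"{len(group.servers)} servers exceed the limit of {max_servers}")
    return errors

def validate_device_groups(groups: List[AAAServerGroup], device: Device) -> List[str]:
    """Per-device group count first, then each group, with errors prefixed by group name."""
    max_groups = PLATFORM_LIMITS.get(device.platform, (None, None))[0]
    errors = []
    if max_groups and len(groups) > max_groups:
        errors.append(f"{len(groups)} groups exceed the limit of {max_groups}")
    return errors + [f"{g.name}: {e}" for g in groups for e in validate_group(g, device)]

def sample_check() -> Tuple[List[str], List[str]]:
    """Constructed ASA data: a valid group and one that breaks the source-interface rule."""
    asa = Device("asa-single", ["GigabitEthernet0/0", "GigabitEthernet0/1", "Management0/0"])
    inside = InterfaceRole("Inside", ["GigabitEthernet0/0"])
    inside_alias = InterfaceRole("Inside-Alias", ["Gigabit*0/0"])   # other role, same interface
    all_gig = InterfaceRole("All-Gig", ["GigabitEthernet0/*"])      # matches two interfaces
    good = AAAServerGroup("rad-inside", "RADIUS",
                          [AAAServer("rad1", "RADIUS", inside), AAAServer("rad2", "RADIUS", inside_alias)])
    bad = AAAServerGroup("rad-mixed", "RADIUS", [AAAServer("rad3", "RADIUS", inside),
          AAAServer("rad4", "RADIUS", all_gig), AAAServer("rad5", "RADIUS", InterfaceRole("Mgmt", ["Management0/0"]))])
    return validate_group(good, asa), validate_group(bad, asa)
```

Calling sample_check() returns an empty list for the first group and two errors for the second: the All-Gig role resolves to two device interfaces, and the servers no longer share a single source interface.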
Objects are defined at the global level, which means that they are applied identically to every object and policy that references them. However, you can override AAA server group object definitions at the device level. For more information, see Managing Object Overrides.
This procedure describes how to create AAA server group objects.
Note
Security Manager includes a predefined AAA server group object that you can use when you perform authentication locally inside the Cisco IOS router.
Tip
You can also create AAA server group objects when you define policies or objects that use this object type. For more information, see Selecting Objects for Policies.
Before You Begin
• Read and understand Guidelines for Managing Objects.
Related Topics
• Predefined AAA Authentication Server Groups
• Default AAA Server Groups and IOS Devices
• Understanding AAA Server Group Objects
• Understanding the Policy Object Manager Window
Step 1  Select Tools > Policy Object Manager. The Policy Object Manager window appears.
Step 2  Select AAA Server Groups from the Object Type selector.
Step 3  Right-click inside the work area, then select New Object.
The AAA Server Group dialog box appears. For a description of the fields in this dialog box, see Table F-6 on page F-13.
Step 4  Enter a name for the object. The maximum name length is 16 characters if you plan to use this object with firewall devices and 128 characters for Cisco IOS routers. Spaces are not supported.
Note
Cisco IOS routers do not support the following AAA server group names: RADIUS, TACACS, TACACS+. In addition, we do not recommend using an abbreviation of one of these names, such as rad or tac.
Step 5  (Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).
Step 6  Select the protocol to be used by the servers in the group.
Step 7  Enter the names of the AAA servers to include in the group, or click Select to display a selector (see Selecting Objects for Policies). Only those servers corresponding to the selected protocol are displayed.
Tip
If the required AAA server is not listed, click the Create button or the Edit button in the selector to open the AAA Server Dialog Box, page F-17. From here you can define a AAA server to include in the server group.
When you finish, click OK to return to the AAA Server Group dialog box. Your selections are displayed in the AAA Servers field.
Step 8  (IOS devices only) Select the check box if this group is to be the default group in the network for RADIUS or TACACS+. Use this option if you intend to have a single global server group for this protocol for all policies requiring AAA.
The default group can be used in most cases, except when you need to configure multiple AAA server groups that use the same protocol. For example, you might want to define multiple RADIUS groups so that one group can be used for authentication and another group for authorization. Service providers may want to define multiple groups with the same protocol in order to provide customer separation when using VRF.
Note
Default groups are created automatically when you discover individual AAA servers configured on an IOS router. These server groups are created solely for the purpose of management by Security Manager. For more information, see Default AAA Server Groups and IOS Devices.
Step 9  (PIX/ASA/FWSM devices only) Configure the following settings:
a. Specify the number of connection attempts that can fail before a server is considered inactive.
b. Select the method for reactivating failed servers in the group:
• Depletion—All servers in the group are permitted to fail before all the servers are reactivated (known as depletion). This is the default.
•
Timed—Causes failed servers to be reactivated after 30 seconds of downtime. This option is useful when customers use the first server in a server list as the primary server and prefer that it is online whenever possible.
Note
The Timed option must be used when simultaneous accounting has been enabled, as described in d. below.
c.
(When Depletion is selected) You can configure the deadtime, which determines how long (in minutes) the system waits after the last server in the group has become inactive before beginning reactivation.
d.
Select the method to use for sending accounting messages (single or simultaneous). This setting applies only to RADIUS and TACACS+.
Step 10
(Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Understanding Category Objects.
Step 11
(Optional) Select the Allow Value Override per Device check box to allow the properties of this object to be redefined on individual devices. See Allowing a Global Object to Be Overridden.
Step 12
Click OK to save your definitions. The new object appears in the table in the Policy Object Manager window.
Tip
To perform additional actions on the object, see Managing Existing Objects.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
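The Step 9 settings (failed-attempt limit, Depletion versus Timed reactivation, deadtime) determine how long a group goes without any usable server after its members fail. The following is an added example, not Security Manager or device code: a simplified Python model of that behaviour, with invented class names, the 30-second Timed interval taken from the text, and a constructed two-server scenario driven through both modes.

```python
"""Simplified model of AAA server group failover on PIX/ASA/FWSM devices.

Added example, not Security Manager or device code. It models the Step 9
settings described above: the number of failed connection attempts before a
server is considered inactive, the Depletion and Timed reactivation modes, and
the Depletion deadtime. Class and method names are invented for this model;
the 30-second Timed interval comes from the text above.
"""
from dataclasses import dataclass
from typing import List, Optional

TIMED_REACTIVATION_SECONDS = 30  # Timed mode: reactivate after 30 seconds of downtime


@dataclass
class AAAServer:
    name: str
    failures: int = 0                       # consecutive failed attempts
    inactive_since: Optional[float] = None  # seconds; None means active

    @property
    def active(self) -> bool:
        return self.inactive_since is None


@dataclass
class AAAServerGroup:
    servers: List[AAAServer]                # tried in list order
    max_failed_attempts: int = 3            # Step 9a
    reactivation_mode: str = "depletion"    # Step 9b: "depletion" (default) or "timed"
    deadtime_minutes: int = 10              # Step 9c, Depletion only
    depleted_at: Optional[float] = None     # when the last server went inactive

    def _reactivate_expired(self, now: float) -> None:
        if self.reactivation_mode == "timed":
            # Each failed server comes back on its own after the fixed interval.
            for s in self.servers:
                if not s.active and now - s.inactive_since >= TIMED_REACTIVATION_SECONDS:
                    s.inactive_since, s.failures = None, 0
        elif self.depleted_at is not None and now - self.depleted_at >= self.deadtime_minutes * 60:
            # Depletion: nothing is reactivated until all servers have failed and
            # the deadtime has elapsed; then the whole group comes back at once.
            for s in self.servers:
                s.inactive_since, s.failures = None, 0
            self.depleted_at = None

    def select_server(self, now: float) -> Optional[AAAServer]:
        """Return the first active server, or None if every server is inactive."""
        self._reactivate_expired(now)
        return next((s for s in self.servers if s.active), None)

    def report_failure(self, server: AAAServer, now: float) -> None:
        """Record one failed connection attempt; mark the server inactive at the limit."""
        server.failures += 1
        if server.active and server.failures >= self.max_failed_attempts:
            server.inactive_since = now
            if not any(s.active for s in self.servers):
                self.depleted_at = now

    def report_success(self, server: AAAServer) -> None:
        server.failures = 0


def simulate(mode: str) -> List[Optional[str]]:
    """Constructed scenario: two servers, limit of 2 failures, deadtime 1 minute.

    Returns the server chosen at each step (None when the group is exhausted):
    four attempts that drive both servers down, then probes at 4 s, 40 s and 70 s.
    """
    group = AAAServerGroup(
        servers=[AAAServer("radius-primary"), AAAServer("radius-backup")],
        max_failed_attempts=2,
        reactivation_mode=mode,
        deadtime_minutes=1,
    )
    chosen: List[Optional[str]] = []
    for t in range(4):                      # t = 0..3: every attempt fails
        server = group.select_server(float(t))
        chosen.append(server.name if server else None)
        if server:
            group.report_failure(server, float(t))
    for probe in (4.0, 40.0, 70.0):
        server = group.select_server(probe)
        chosen.append(server.name if server else None)
    return chosen


if __name__ == "__main__":
    for mode in ("timed", "depletion"):
        print(mode, simulate(mode))
```

Running the scenario shows the trade-off behind the Step 9b choice: in Timed mode each server returns 30 seconds after it went down, so the group is usable again by the 40-second probe, whereas in the default Depletion mode the whole group stays without a server until the deadtime has elapsed after the last failure.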
Understanding AAA Server Objects
You can create AAA server objects in Security Manager. AAA enables devices to determine who the user is (authentication), what the user is permitted to do (authorization), and what the user actually did (accounting), as described below:
•
Authentication—Authentication is the way a user is identified before being allowed access to the network and network services. It controls access by requiring valid user credentials, which are typically a username and password. All authentication methods, except for local, line password, and enable authentication, must be defined through AAA. You can use authentication alone or with authorization and accounting.
•
Authorization—After authentication is complete, authorization controls the services and commands available to each authenticated user. Authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Were you not to use authorization, authentication alone would provide the same access to services to all authenticated users. You must use authorization together with authentication.
•
Accounting—Accounting is used to track the services users are accessing, as well as the amount of network resources they are consuming. When AAA accounting is activated, the network access server reports user activity to the RADIUS or TACACS+ security server (depending on which security method you have implemented) in the form of accounting records. Accounting information includes when sessions start and stop, usernames, the number of bytes that pass through the device for each session, the service used, and the duration of each session. This data can then be analyzed for network management, client billing, and/or auditing. You can use accounting alone or together with authentication and authorization.
AAA provides an extra level of protection and control for user access over using ACLs alone. For example, you can create an ACL allowing all outside users to access Telnet on a server on the DMZ network. If you want only some users to access the server (and you might not always know the IP addresses of these users), you can enable AAA to allow only authenticated and/or authorized users to make it through the device.
AAA server objects are collected into AAA server group objects. In Security Manager, all policies requiring AAA (such as EzVPN, Remote Access VPNs, and router platform policies such as Secured Device Provisioning and 802.1x) use AAA server group objects. See Understanding AAA Server Group Objects.
The following topics describe how to work with AAA server objects:
•
Supported AAA Server Types
•
AAA Support on ASA Devices
•
Creating AAA Server Objects
Related Topics
•
Creating Objects
Supported AAA Server Types
Security Manager supports AAA servers using one of the following protocols:
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. RADIUS is a fully open protocol, distributed in source code format, that can be modified to work with any security system currently available on the market.
Cisco supports RADIUS under its AAA security model. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, and local username lookup. RADIUS is supported on all Cisco platforms, but some RADIUS-supported features run only on specified platforms.
TACACS+
Terminal Access Controller Access Control System (TACACS+) is a security application that provides centralized validation of users attempting to gain access to a router or network access server. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently.
Related Topics
•
AAA Support on ASA Devices
•
Creating AAA Server Objects
•
Understanding AAA Server Objects
AAA Support on ASA Devices
In addition to supporting RADIUS and TACACS+, ASA devices can support AAA servers running the following protocols:
•
Kerberos
•
NT
•
SDI Servers
•
LDAP
•
HTTP-Form
Note
For more information, see Configuring AAA Servers and the Local Database at this URL:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063be93.html
Kerberos
ASA devices can use Kerberos servers for VPN authentication. When a user attempts to establish VPN access through the ASA device, and the traffic matches an authentication statement, the device consults the Kerberos server for user authentication and grants or denies user access based on the response from the server. 3DES, DES, and RC4 encryption types are supported.
NT
ASA devices can use NT servers for VPN authentication. When a user attempts to establish VPN access and the applicable tunnel-group policy specifies an NT authentication server group, the ASA device consults the Microsoft Windows domain server for user authentication and grants or denies user access based on the response from the domain server.
SDI Servers
SecurID servers from RSA Security, Inc. are known as SDI servers. When a user attempts to establish VPN access and the applicable tunnel-group policy specifies an SDI authentication server group, the ASA device sends the username and one-time password to the SDI server. The device then grants or denies user access based on the response from the server. Version 5.0 of SDI introduced the concept of SDI master and slave servers that share a single-node secret file (SECURID). As a result, when you configure an SDI server as a AAA server object in Security Manager, you must specify whether the server is version 5.0 or an earlier version.
LDAP
ASA devices can use Lightweight Directory Access Protocol (LDAP) servers for VPN authorization. ASA devices support LDAP version 3 and are compatible with any v3 or v2 directory server. However, password management is supported only on the Sun Microsystems JAVA System Directory Server and the Microsoft Active Directory.
With any other type of LDAP server (such as Novell or OpenLDAP), all LDAP functions are supported except for password management. Therefore, if someone tries to log in to an ASA device using one of these other servers for authentication and their password has expired, the ASA device drops the connection and a manual password reset is required.
You can configure Simple Authentication and Security Layer (SASL) mechanisms to authenticate an LDAP client (in this case, the ASA device) to an LDAP server. Both ASA devices and LDAP servers can support multiple mechanisms. If both mechanisms (MD5 and Kerberos) are available, the ASA device uses the stronger mechanism, Kerberos, for authentication.
When user authentication for VPN access has succeeded and the applicable tunnel-group policy specifies an LDAP authorization server group, the ASA device queries the LDAP server and applies the authorizations it receives to the VPN session.
HTTP-Form
The security appliance can use the HTTP Form protocol for single sign-on (SSO) authentication of WebVPN users only. Single sign-on support lets WebVPN users enter a username and password only once to access multiple protected services and Web servers. The WebVPN server running on the security appliance acts as a proxy for the user to the authenticating server. When a user logs in, the WebVPN server sends an SSO authentication request, including username and password, to the authenticating server using HTTPS. If the server approves the authentication request, it returns an SSO authentication cookie to the WebVPN server. The security appliance keeps this cookie on behalf of the user and uses it to authenticate the user to secure websites within the domain protected by the SSO server.
Table 9-2 describes the AAA services that are supported by each protocol:
Table 9-2 AAA Services Supported by ASA Devices
AAA Service | Database Type
 | Local | RADIUS | TACACS+ | SDI | NT | Kerberos | LDAP | HTTP Form
Authentication of VPN users | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes (1)
Authentication of firewall sessions | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
Authentication of administrators | Yes | Yes | Yes | Yes (2) | Yes | Yes | Yes | No
Authorization of VPN users | Yes | Yes | No | No | No | No | Yes | No
Authorization of firewall sessions | No | Yes (3) | Yes | No | No | No | No | No
Authorization of administrators | Yes (4) | No | Yes | No | No | No | No | No
Accounting of VPN connections | No | Yes | Yes | No | No | No | No | No
Accounting of firewall sessions | No | Yes | Yes | No | No | No | No | No
Accounting of administrators | No | Yes (5) | Yes | No | No | No | No | No
Related Topics
•
Supported AAA Server Types
•
Creating AAA Server Objects
•
Understanding AAA Server Objects
Creating AAA Server Objects
You can create AAA server objects to populate the AAA server group objects that are referenced by Security Manager policies, such as Easy VPN and 802.1x. When creating a AAA server object, you must specify the IP address of the external AAA server, the key used for data encryption, the protocol used by the server, and the timeout interval.
This procedure describes how to create AAA server objects.
Note
On PIX/ASA/FWSM devices, AAA objects in a device configuration that are not referenced by any policies are removed from the device during the next deployment. However, the predefined AAA objects named RADIUS and TACACS+ are never removed from PIX 6.3 devices, even if they are unreferenced by any policies.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
•
Configure the external AAA server that will be referenced by the AAA server object.
Related Topics
•
Supported AAA Server Types
•
AAA Support on ASA Devices
•
Understanding the Policy Object Manager Window
•
Understanding AAA Server Objects
Step 1
Select Tools > Policy Object Manager. The Policy Object Manager window appears.
Step 2
Select AAA Servers from the Object Type selector.
Step 3
Right-click in the work area, then select New Object.
The AAA Server dialog box appears. For a description of the fields in this dialog box, see Table F-8 on page F-18.
Step 4
Enter a name for the object.
Step 5
(Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).
Step 6
In the Connect to Host Using field, do one of the following:
•
Enter the IP address of the AAA server in the IP Address field, or click Select to display a selector. See Selecting Objects for Policies.
•
(ASA 7.2 devices only) Enter the DNS name of the AAA server.
Step 7
(Optional) In the Interface field, enter the interface or interface role whose IP address that should be used for all outgoing RADIUS or TACACS packets, or click Select to display a selector. See Selecting Objects for Policies.
When you enter the name of an interface, make sure the policy that uses this AAA object is assigned to a device containing an interface with this name. Otherwise, deployment will fail.
When you enter the name of an interface role, make sure the role represents a single interface, not multiple interfaces. Otherwise, an error message is displayed.
Tip
If the required interface role is not listed, click the Create button or the Edit button to open the Interface Role Dialog Box, page F-464. From here, you can define an interface role to use in the object. The interface role you define must correspond to a single interface on the device.
Step 8
Enter the amount of time to wait until a AAA server is considered unresponsive.
Step 9
Select the protocol used by the AAA server and configure protocol-specific properties. For details about these properties, see Table F-8 on page F-18.
Note
The Kerberos, LDAP, NT, SDI, and HTTP-FORM protocols can be used only with ASA, PIX 7.x, and FWSM 3.1 and above devices.
Step 10
(Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Understanding Category Objects.
Step 11
Click OK to save your definitions. The new object appears in the table in the Policy Object Manager window.
Tip
To perform additional actions on the object, see Managing Existing Objects.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding Access Control List Objects
An Access Control List (ACL) object is a reusable component that encapsulates one or more Access Control Entries (ACEs) or ACL objects. Each ACE is an individual permit or deny statement within an ACL. The component (also referred to as a policy object) is platform independent and can be referenced by a host of Security Manager policies.
Although there are several types of ACLs, three types are supported by the policy object tool for this release.
•
Extended—Defines an extended type access list that can be used by various policies within Security Manager. Each ACE of extended type includes an action element (permit or deny) and filter criteria such as source address, destination address, protocol, and protocol-specific parameters. For use cases, see Extended ACL.
•
Standard—Defines a standard type access list that can be used by various policies within Security Manager. Each ACE of standard type includes an action element (permit or deny) and a filter criteria based on source address. For use cases, see Standard ACL.
•
Web—Defines a web type access list that can be used by various policies within Security Manager. Each ACE of web type includes an action element (permit or deny) and filter criteria such as source address, destination address, protocol, and protocol-specific parameters. For use cases, see Web ACL.
Extended ACL
Extended IP ACLs allow you to permit or deny traffic from specific IP addresses to a specific destination IP address and port. They also give you granular control by letting you specify different treatment for protocol types such as ICMP, TCP, and UDP within the ACL statements. Extended IP ACLs range from 100 to 199. In Cisco IOS Software Release 12.0.1, extended ACLs began to use additional numbers (2000 to 2699).
Extended ACL example:
access-list 110 - Applied to traffic leaving the office (outgoing)
ACL 110 permits traffic originating from any address on the 92.128.2.0 network. The "any" statement means that the traffic is allowed to have any destination address with the limitation of going to port 80. The value of 0.0.0.0/255.255.255.255 can be specified as "any".
Uses:
•
Identifying addresses for NAT (policy NAT and NAT exemption)—Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses in an extended access list. You can also specify the source and destination ports. Regular NAT can only consider local addresses. An access list that is used with policy NAT cannot be configured to deny an ACE.
•
Identifying addresses for IOS dynamic NAT—For user-defined ACLs, the NAT plug-in generates its own ACL CLIs when deducing NAT traffic from VPN traffic.
•
Filtering traffic that will be intercepted by Network Admission Control (NAC).
•
Identifying traffic in a traffic class-map for modular policy—Access lists can be used to identify traffic in a class-map, which is used for features that support Modular Policy Framework. Features that support Modular Policy Framework include TCP and general connection settings, inspection, IPS, and QoS. You can use one or more access lists to identify specific types of traffic.
•
For transparent mode, enabling protocols that are blocked by a routed mode security appliance, including BGP, DHCP, and multicast streams. Because these protocols do not have sessions on the security appliance to allow return traffic, these protocols also require access lists on both interfaces.
•
Establishing VPN access—You can use an extended access list in VPN commands to identify the traffic that should be tunneled on the device for an IPsec site-to-site tunnel or to identify the traffic that should be tunneled on the device for a VPN client. Use in conjunction with the policy objects and settings shown in Table 9-3:
Table 9-3 Policy Objects and Settings
Policy Object | Device | Purpose
VPN Topology | Any | Selecting Protected Networks.
ASA User Group | Any | Filter ACL.
ASA User Group | ASA | Inbound Firewall Policy; Filter ACL.
ASA User Group | ASA | Outbound Firewall Policy.
Traffic Flow | ASA 7.x, PIX 7.x | Service Policy Rules (MPC). The traffic flow BB (class-map) uses Extended ACL as one of its traffic match types.
User Group | IOS, Catalyst 6500/7600, PIX 6.3 | Selecting Protected Networks. Enables you to specify an ACL that represents protected subnets for the purpose of split tunneling.
Standard ACL
A Standard Access List allows you to permit or deny traffic FROM specific IP addresses. The destination of the packet and the ports involved can be anything. Standard IP ACLs range from 1 to 99.
Standard ACL example:
access-list 10 permit 192.168.2.0 0.0.0.255
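To make the matching rules behind the extended example (ACL 110) and the standard example (ACL 10) concrete, here is an added example that is not Security Manager or IOS code: a small Python evaluator that parses both access-list forms (address plus wildcard mask, "any", "host", "eq <port>") and applies first-match with implicit deny to constructed packets. The actual ACE for ACL 110 is an assumption built from the prose description above (any host on the 92.128.2.0 network, any destination, port 80), since the page shows only its comment line; all class and function names are invented for this example.

```python
"""Evaluator for Cisco-style numbered standard and extended IP access lists.

Added example, not Security Manager or IOS code. It parses the access-list
syntax used by the examples above (address plus wildcard mask, "any", "host",
"eq <port>") and applies the first-match, implicit-deny rule to constructed
packets. Number ranges follow the text: 1-99 standard, 100-199 and 2000-2699
extended. The ACE for ACL 110 is an assumption built from the prose
description (92.128.2.0 network to any destination, port 80); the page shows
only its comment line.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class AddressMatch:
    address: int   # network address
    wildcard: int  # wildcard mask: 1 bits are "don't care", 0 bits must match

    def matches(self, ip: str) -> bool:
        mask = ~self.wildcard & 0xFFFFFFFF        # the equivalent subnet mask
        return _ip(ip) & mask == self.address & mask


ANY = AddressMatch(_ip("0.0.0.0"), _ip("255.255.255.255"))   # what "any" expands to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str               # "permit" or "deny"
    protocol: str             # "ip" matches every protocol
    src: AddressMatch
    dst: AddressMatch         # always ANY for a standard ACE
    dst_port: Optional[int]   # None means any port

    def matches(self, p: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != p.protocol:
            return False
        if not (self.src.matches(p.src) and self.dst.matches(p.dst)):
            return False
        return self.dst_port is None or self.dst_port == p.dst_port


def _address(tokens: List[str], i: int) -> Tuple[AddressMatch, int]:
    """Parse "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" at tokens[i]; return (match, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return AddressMatch(_ip(tokens[i + 1]), 0), i + 2
    return AddressMatch(_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_ace(line: str) -> ACE:
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    number, action = int(tokens[1]), tokens[2]
    if 1 <= number <= 99:                                   # standard: source address only
        src, _ = _address(tokens, 3)
        return ACE(action, "ip", src, ANY, None)
    if 100 <= number <= 199 or 2000 <= number <= 2699:      # extended
        protocol = tokens[3]
        src, i = _address(tokens, 4)
        dst, i = _address(tokens, i)
        port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        return ACE(action, protocol, src, dst, port)
    raise ValueError(f"ACL number {number} is outside the standard/extended ranges")


def evaluate(acl: List[ACE], packet: Packet) -> str:
    """First matching entry decides; a packet matching no entry is denied (implicit deny)."""
    for ace in acl:
        if ace.matches(packet):
            return ace.action
    return "deny"


# Constructed ACLs: the standard ACE from the text and the assumed extended ACE for ACL 110.
ACL_10 = [parse_ace("access-list 10 permit 192.168.2.0 0.0.0.255")]
ACL_110 = [parse_ace("access-list 110 permit tcp 92.128.2.0 0.0.0.255 any eq 80")]


def demo() -> dict:
    """Evaluate constructed packets against both ACLs; returns name -> permit/deny."""
    return {
        "office host to web": evaluate(ACL_110, Packet("92.128.2.17", "203.0.113.5", "tcp", 80)),
        "office host to ssh": evaluate(ACL_110, Packet("92.128.2.17", "203.0.113.5", "tcp", 22)),
        "other network to web": evaluate(ACL_110, Packet("92.128.3.17", "203.0.113.5", "tcp", 80)),
        "standard, inside source": evaluate(ACL_10, Packet("192.168.2.200", "10.0.0.1")),
        "standard, outside source": evaluate(ACL_10, Packet("192.168.3.1", "10.0.0.1")),
    }
```

Two points worth noticing when you run demo(): the wildcard mask is the inverse of a subnet mask, so 0.0.0.255 means "the last octet does not matter", and writing the destination as 0.0.0.0 255.255.255.255 parses to exactly the same entry as any, which is the equivalence the text states. Anything that matches no entry is denied, so an ACL with a single permit line still blocks all other traffic.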
Uses:
•
Identifying OSPF route redistribution. Standard access lists include only the destination address (Single Context Mode only).
•
Filtering users of a community string using SNMP.
•
Establishing VPN access—You can use a standard access list in VPN commands to identify a network list for split-tunneling. Use in conjunction with the following policy objects and settings:
Policy Object | Device | Purpose
User Group | PIX 6.3 and later, IOS 12.3 and later | Split Tunnel ACL
Web ACL
Web ACLs apply to WebVPN, which lets you establish a secure, remote-access VPN tunnel to the security appliance using a web browser. There is no need for either a software or hardware client. WebVPN provides easy access to a broad range of web resources and both web-enabled and legacy applications from almost any computer that can reach HTTPS Internet sites. WebVPN uses Secure Socket Layer Protocol and its successor, Transport Layer Security (SSL/TLS), to provide a secure connection between remote users and specific, supported internal resources that you configure at a central site.
Table 9-4 shows examples of Web VPN ACLs.
Table 9-4 Examples of Web VPN ACLs
Action | Filter | Effect
Deny | url http://*.yahoo.com/ | Denies access to all of Yahoo!
Deny | url cifs://fileserver/share/directory | Denies access to all files in the specified location.
Deny | url https://www.company.com/directory/file.html | Denies access to the specified file.
Permit | url https://www.company.com/directory | Permits access to the specified location.
Deny | url http://*:8080/ | Denies HTTPS access to anywhere via port 8080.
Deny | url http://10.10.10.10 | Denies HTTP access to 10.10.10.10.
Permit | url any | Permits access to any URL. Usually used after an ACL that denies url access.
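Table 9-4 is read top to bottom, which is why "permit url any" belongs last. The following added example (not ASA or Security Manager code) is a Python matcher for the url filter forms shown in the table; its matching rules (a "*" stands for any run of characters that does not cross a "/", a pattern ending in "/" is a prefix, any other pattern must end at the URL's end or at a path or query boundary, first match wins, implicit deny) are assumptions made for this model rather than the appliance's documented semantics, and the function names are invented.

```python
"""Matcher for WebVPN (web-type) ACL url filters like those in Table 9-4.

Added example, not ASA or Security Manager code. It models the filter forms in
the table: "url any" and URL patterns in which "*" stands for any run of
characters within one path component. The matching rules below are
assumptions for this model, not the appliance's documented behaviour.
"""
import re
from dataclasses import dataclass
from typing import List


def _compile(pattern: str):
    # Escape everything, then let "*" stand for any run of characters that does
    # not cross a "/" (so http://*.yahoo.com/ matches any host under yahoo.com
    # and http://*:8080/ matches any host on port 8080).
    body = re.escape(pattern).replace(r"\*", "[^/]*")
    # A pattern ending in "/" is a prefix; otherwise it must end at the URL's end
    # or at a path/query/fragment boundary, so /directory does not match /directory2.
    tail = "" if pattern.endswith("/") else r"(?:$|[/?#])"
    return re.compile("^" + body + tail, re.IGNORECASE)


@dataclass(frozen=True)
class WebACE:
    action: str      # "permit" or "deny"
    pattern: str     # "any" or a URL pattern such as http://*.yahoo.com/

    def matches(self, url: str) -> bool:
        if self.pattern == "any":
            return True
        return _compile(self.pattern).match(url) is not None


def parse_web_acl(lines: List[str]) -> List[WebACE]:
    """Parse lines of the form "<permit|deny> url <pattern|any>", in table order."""
    acl = []
    for line in lines:
        action, keyword, pattern = line.split()
        if action not in ("permit", "deny") or keyword != "url":
            raise ValueError(f"unsupported web ACE: {line!r}")
        acl.append(WebACE(action, pattern))
    return acl


def evaluate(acl: List[WebACE], url: str) -> str:
    """First matching entry decides; a URL matching no entry is denied (implicit deny)."""
    for ace in acl:
        if ace.matches(url):
            return ace.action
    return "deny"


# Constructed ACL: the rows of Table 9-4 in the order shown.
TABLE_9_4 = parse_web_acl([
    "deny url http://*.yahoo.com/",
    "deny url cifs://fileserver/share/directory",
    "deny url https://www.company.com/directory/file.html",
    "permit url https://www.company.com/directory",
    "deny url http://*:8080/",
    "deny url http://10.10.10.10",
    "permit url any",
])


def demo() -> dict:
    """Evaluate constructed URLs against the Table 9-4 ACL; returns url -> permit/deny."""
    return {u: evaluate(TABLE_9_4, u) for u in (
        "http://mail.yahoo.com/inbox",
        "cifs://fileserver/share/directory/report.xls",
        "https://www.company.com/directory/file.html",
        "https://www.company.com/directory/other.html",
        "http://intranet.example:8080/app",
        "http://10.10.10.10/admin",
        "https://www.example.com/",
    )}
```

The ordering dependence is easy to check with evaluate(): the deny for the single file.html only takes effect because it precedes the permit for its parent directory, and moving "permit url any" to the top would make every later deny unreachable.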
The following topics will help you work with ACL objects:
•
Understanding the GUI
•
Creating Access Control List Objects
Understanding the GUI
The ACL Object GUI structure differs slightly from that of other policy objects.
1.
First, you define the ACL object. After the object is defined, it is listed in the Extended ACL object table or Standard ACL object table.
From this table, you can request to add a new object, edit an existing object, or delete an object. These functions are performed using either the shortcut menus or the buttons located below the tables. You can also create a duplicate object, copy an ACL or ACE entry contained within that object and paste it in another table, or generate a report that indicates whether the objects are in use by another object, policy, or device. These functions are performed using the shortcut menu.
Note
You cannot directly add or edit an ACL or ACE entry from this table.
2.
Next, you define the ACL entry associated with the object. After the entry is defined, it is listed in the Add Extended Access List or Add Standard Access List table.
From this table, you can request to add a new ACE or ACL entry, edit an existing entry, or delete an entry. These functions are performed using either the shortcut menus or the buttons located below the tables. You can also move an entry up or down in the table, and copy and paste an entry within the table.
After you define an ACL object and associated ACE and ACL entries, the information is displayed in the Extended ACL or Standard ACL tables. You can click the arrows to expand or compress the listed information.
Creating Access Control List Objects
An Access Control List (ACL) object is made up of one or more ACEs, one or more ACL objects, or a combination of both.
•
Extended type ACEs let you specify source and destination addresses and a protocol and, depending on the protocol, the ports (for TCP or UDP) or the ICMP type (for ICMP).
•
Standard type ACEs use the source IP address for matching operations.
•
Web type ACEs use a destination service and port, or a URL filter.
Note
You can define an ACL object from the Policy Object Manager and use it from multiple policies belonging to multiple devices.
Related Topics
•
Creating Extended Access Control List Objects
•
Creating Standard Access Control List Objects
•
Creating Web Access Control List Objects
Creating Extended Access Control List Objects
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Access Control List Objects
•
Access Control Lists Page, page F-31
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Access Control Lists.
The Access Control List page appears. The Extended tab opens by default. For a description of the GUI elements, see Table F-17 on page F-33.
Step 3
Right-click inside the work area, then select New Object.
The Add Extended Access List dialog box appears. For a description of the GUI elements, see Table F-18 on page F-34.
Step 4
Enter the name of the object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the Access Control Lists table.
Step 6
Right-click inside the table, then select Add.
The Add Extended Access Control Entry dialog box appears. For a description of the GUI elements, see Table F-19 on page F-38.
Step 7
Select Type.
•
Access Control Entry—Identifies the entry as an ACE.
•
Access Control Lists—Identifies the entry as an ACL object. This allows ACL objects that have already been defined to be used in the newly created object.
Step 8
Select whether to permit or deny the traffic.
Step 9
(Optional) Select a color from the Category list to help you readily identify the object. For more information, see Understanding Category Objects.
Step 10
Enter the source addresses or click Select to display a list of defined network/host objects. If the latter, do either of the following, then click OK:
•
Select from the list of available objects, then click >>.
The objects are moved to the selected column.
•
Click Create to create a new object to use as a source address.
A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.
For more information, see Understanding Network/Host Objects.
Step 11
Enter the destination addresses or click Select to display a list of defined network/host objects. If the latter, do either of the following, then click OK:
•
Select from the list of available objects, then click >>.
The objects are moved to the selected column.
•
Click Create to create a new object to use as a destination address.
A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.
For more information, see Understanding Network/Host Objects.
Step 12
Enter the services or click Select to display a list of services. If the latter, do either of the following, then click OK:
•
Select from the list of available objects, then click >>.
The objects are moved to the selected column.
•
Click Create to create a new service object.
A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.
For more information, see Understanding Service Objects.
Step 13
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the Add Extended Access List table.
Step 14
Click OK to save your changes.
The dialog box closes and you return to the Add Extended Access List page. The new entry is shown in the table.
Step 15
(Optional) Select a color from the Category list to help you readily identify the object. For more information, see Understanding Category Objects.
Step 16
Click OK to save your changes.
The Add Extended Access List page closes and you return to the Access Control Lists page. The new ACL is shown in the table.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating Standard Access Control List Objects
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Access Control List Objects
•
Access Control Lists Page, page F-31
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Access Control Lists.
The Access Control List page appears. For a description of the GUI elements, see Table F-16 on page F-31.
Step 3
Click the Standard tab. For a description of the GUI elements, see Table F-20 on page F-41.
Step 4
Right-click inside the work area, then select New Object.
The Add Standard Access List dialog box appears. For a description of the GUI elements, see Table F-21 on page F-43.
Step 5
Enter the name of the object.
Step 6
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the Access Control List table.
Step 7
Right-click inside the table, then select Add.
The Add Standard Access Control Entry dialog box appears. For a description of the GUI elements, see Table F-22 on page F-46.
Step 8
Select Type.
•
Access Control Entry—Identifies the entry as an ACE.
•
Access Control Lists—Identifies the entry as an ACL object. This allows ACL objects that have already been defined to be used in the newly created object.
Step 9
Select whether to permit or deny the traffic.
Step 10
(Optional) Select a color from the Category list to help you readily identify the object. For more information, see Understanding Category Objects.
Step 11
Enter the source addresses or click Select to display a list of defined network/host objects. If the latter, do either of the following, then click OK:
•
Select from the list of available objects, then click >>.
The objects are moved to the selected column.
•
Click Create to create a new object to use as a source address.
A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.
For more information, see Understanding Network/Host Objects.
Step 12
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the Add Standard Access List table.
Step 13
Select whether you want logging turned on or off.
Step 14
Click OK to save your changes.
The dialog box closes and you return to the Add Standard Access List dialog box. The new entry is shown in the table.
Step 15
(Optional) Select a color from the Category list to help you readily identify the object. For more information, see Understanding Category Objects.
Step 16
Click OK to save your changes.
The Add Standard Access List page closes and you return to the Access Control Lists page. The new ACL is shown in the table.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating Web Access Control List Objects
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Access Control List Objects
•
Access Control Lists Page, page F-31
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Access Control Lists.
The Access Control List page appears. For a description of the GUI elements, see Table F-16 on page F-31.
Step 3
Click the Web tab. For a description of the GUI elements, see Table F-23 on page F-48.
Step 4
Right-click inside the work area, then select New Object.
The Add WebType Access List dialog box appears. For a description of the GUI elements, see Table F-24 on page F-50.
Step 5
Enter the name of the object.
Step 6
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the Access Control Lists table.
Step 7
Right-click inside the table, then select Add.
The Add WebType Access Control Entry dialog box appears. For a description of the GUI elements, see Table F-25 on page F-52.
Step 8
Select Type.
•
Access Control Entry—Identifies the entry as an ACE.
•
Access Control Lists—Identifies the entry as an ACL object. This allows ACL objects that have already been defined to be used in the newly created object.
Step 9
Select whether to permit or deny the traffic.
Step 10
(Optional) Select a color from the Category list to help you readily identify the object. For more information, see Understanding Category Objects.
Step 11
Enter the source addresses or click Select to display a list of defined network/host objects. If the latter, do either of the following, then click OK:
•
Select from the list of available objects, then click >>.
The objects are moved to the selected column.
•
Click Create to create a new object to use as a source address.
A popup window helps you define the object. When you complete the definition, the new object is listed in the selected column.
Step 12
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the table.
Step 13
Select whether you want logging turned on or off.
Step 14
Click OK to save your changes.
The dialog box closes and you return to the Add WebType Access List page. The new entry is shown in the table.
Step 15
(Optional) Select a color from the Category list to help you readily identify the object. For more information, see Understanding Category Objects.
Step 16
Click OK to save your changes.
The Add WebType Access List page closes and you return to the Access Control Lists page. The new ACL is shown in the table.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
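The entries added in Step 8 through Step 13 of the standard and WebType procedures above are evaluated on the device in order, and an entry of type Access Control Lists pulls in every entry of the referenced ACL object at that position. The following Python model, added here as an example and not part of Security Manager or the ASA software, shows what that ordering means for a standard (source-address) ACL: nested objects are expanded in place, the first matching entry decides the action and whether the hit is logged, and a packet that matches nothing falls through to the implicit deny that ends every ASA access list. The object names and addresses are constructed for illustration. It also includes a shadowing check, which flags entries that can never match because an earlier entry already covers every address they name; this check is the example's own, not a Security Manager feature.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass
class ACE:
    """One Access Control Entry: action, one or more source networks, logging flag."""
    action: str                     # "permit" or "deny"
    sources: List[IPv4Network]
    log: bool = False


@dataclass
class ACL:
    """An ACL object. Entries are either ACEs or references to other ACL objects."""
    name: str
    entries: List[Union[ACE, "ACL"]] = field(default_factory=list)


def flatten(acl: ACL, seen: frozenset = frozenset()) -> List[ACE]:
    """Expand nested ACL objects depth-first, keeping entry order, and reject reference cycles."""
    if acl.name in seen:
        raise ValueError(f"ACL object {acl.name!r} is referenced recursively")
    seen = seen | {acl.name}
    flat: List[ACE] = []
    for entry in acl.entries:
        if isinstance(entry, ACL):
            flat.extend(flatten(entry, seen))
        else:
            flat.append(entry)
    return flat


def evaluate(acl: ACL, source: str) -> Tuple[str, Optional[int], bool]:
    """First-match lookup of a source address.

    Returns (action, index of the matching flattened ACE or None, log flag).
    No match falls through to the implicit deny at the end of every ASA ACL.
    """
    addr = ip_address(source)
    for index, ace in enumerate(flatten(acl)):
        if any(addr in net for net in ace.sources):
            return ace.action, index, ace.log
    return "deny", None, False


def shadowed(acl: ACL) -> List[int]:
    """Indexes of flattened ACEs that can never match because every one of their
    source networks lies inside a source network of an earlier ACE."""
    flat = flatten(acl)
    result: List[int] = []
    for index, ace in enumerate(flat):
        earlier = [net for prev in flat[:index] for net in prev.sources]
        if ace.sources and all(any(net.subnet_of(big) for big in earlier) for net in ace.sources):
            result.append(index)
    return result


# Constructed sample objects (not from the page).
MGMT_HOSTS = ACL("MGMT_HOSTS", [ACE("permit", [ip_network("10.0.0.0/24")])])
BLOCKED_HOST = ACL("BLOCKED_HOST", [ACE("deny", [ip_network("10.0.0.5/32")], log=True)])
# The deny for the single host must come before the permit for its /24.
CORP = ACL("CORP", [BLOCKED_HOST, MGMT_HOSTS, ACE("permit", [ip_network("192.168.0.0/16")])])
# Same objects, wrong order: the host-level deny is shadowed and never fires.
WRONG_ORDER = ACL("WRONG_ORDER", [MGMT_HOSTS, BLOCKED_HOST])

if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.7", "172.16.1.1"):
        print(src, evaluate(CORP, src))
    print("shadowed entries in WRONG_ORDER:", shadowed(WRONG_ORDER))
```

Run the block directly to see the three lookups and the shadowing report. The WRONG_ORDER object is the case to watch for when you nest ACL objects: the referenced object's entries keep their own internal order but are evaluated at the position of the reference, so a broad permit placed before a narrow deny silently disables the deny.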
Understanding ASA User Group Objects
ASA user group objects define the VPN group policies that ASA security appliances apply to remote users.
ASA user groups are configured on ASA security appliances in Easy VPN topologies, remote access VPNs, and SSL VPNs. When you configure an Easy VPN, remote access VPN, or SSL VPN connection, you must create the user groups to which remote clients will belong. A user group policy is a set of user-oriented attribute/value pairs for IPsec or SSL VPN connections that is stored either internally (locally) on the device or externally on a AAA server. The tunnel group uses a user group policy to set the terms for user connections after the tunnel is established. Group policies let you apply whole sets of attributes to a user or a group of users, rather than specifying each attribute individually for each user.
An ASA user group object comprises the following attributes:
•
Group policy source—Identifies whether the user group's attributes and values are stored internally (locally) on the security appliance or externally on an AAA server. If the user group is an external type, no other settings need to be configured for it. For more information, see ASA User Group Dialog Box, page F-56.
•
Client Configuration settings, which specify the Cisco client parameters for the user group in an Easy VPN or remote access VPN. For more information, see ASA User Group Dialog Box—Client Configuration Settings, page F-59.
•
Client Firewall Attributes, which configure the firewall settings for VPN clients in an Easy VPN or remote access VPN. For more information, see ASA User Group Dialog Box—Client Firewall Attributes, page F-60.
•
Hardware Client Attributes, which configure the VPN 3002 Hardware Client settings in an Easy VPN or remote access VPN. For more information, see ASA User Group Dialog Box—Hardware Client Attributes, page F-63.
•
IPsec settings, which specify tunneling protocols, filters, connection settings, and servers for the user group in an Easy VPN or remote access VPN. For more information, see ASA User Group Dialog Box—IPsec Settings, page F-65.
•
Clientless settings, which configure the Clientless mode of access to the corporate network in an SSL VPN, for the ASA user group. For more information, see ASA User Group Dialog Box—SSL VPN Clientless Settings, page F-68.
•
Thin Client settings, which configure the Thin Client mode of access to the corporate network in an SSL VPN, for the ASA user group. For more information, see ASA User Group Dialog Box—SSL VPN Thin Client Settings, page F-70.
•
Full Tunnel settings, which configure the Full Tunnel mode of access to the corporate network in an SSL VPN, for the ASA user group. For more information, see ASA User Group Dialog Box—SSL VPN Full Tunnel Settings, page F-71.
•
General settings that are required for Clientless and Thin Client access modes in an SSL VPN. For more information, see ASA User Group Dialog Box—SSL VPN General Settings, page F-73.
•
DNS/WINS settings that define the DNS and WINS servers and the domain name that should be pushed to remote clients associated with the ASA user group. For more information, see ASA User Group Dialog Box—DNS/WINS Settings, page F-76.
•
Split tunneling that lets a remote client conditionally direct packets over an IPsec or SSL VPN tunnel in encrypted form or to a network interface in clear text form. For more information, see ASA User Group Dialog Box—Split Tunneling, page F-78.
•
Remote access or SSL VPN session connection settings for the ASA user group. For more information, see ASA User Group Dialog Box—General Settings, page F-80.
To create ASA user group objects, see Creating ASA User Group Objects.
Related Topics
•
Configuring a Tunnel Group Policy for Easy VPN, page 10-118
•
Tunnel Group Policies in Remote Access VPNs, page 11-8
•
Configuring ASA User Groups Policy in Your SSL VPN, page 12-42
•
Creating Objects
•
Understanding the Policy Object Manager Window
Creating ASA User Group Objects
Use the ASA User Groups Objects page to create ASA user group objects for use in an Easy VPN or remote access VPN, or SSL VPN, or shared between a remote access VPN and SSL VPN.
Note
You must select the technology (Easy VPN/Remote Access VPN, or SSL VPN, or both) for which you are creating the ASA user group object. If you are editing an existing ASA user group object, the technology is already selected, and you cannot change it. Depending on the selected technology, the appropriate settings are available for configuration.
Tip
You can also create ASA User Group objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.
This procedure describes how to create ASA User Group objects.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding ASA User Group Objects
•
ASA User Groups Page, page F-55
•
ASA User Group Dialog Box, page F-56
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select ASA User Groups.
The ASA User Groups page appears. For a description of the elements on this page, see Table F-26 on page F-55.
Step 3
From the work area, right-click inside the table, then select New Object.
The Add ASA User Group dialog box appears, displaying a list of settings that you can configure for the ASA user group object. For a description of the elements on this dialog box, see Table F-27 on page F-57.
Step 4
Enter a name for the object.
Step 5
(Optional) Enter a description to help you identify the object. A maximum of 1024 characters is allowed and special characters are permitted. If a description is entered, an icon is displayed when you view the ASA User Groups table.
Step 6
Select whether to store the ASA user group's attributes and values locally on the device, or on an external server.
Note
If you selected to store the ASA user group's attributes on an external server, you do not need to configure any Technology settings. After you specify the AAA server group that will be used for authentication and a password to the AAA server, click OK to save your definitions and close the ASA User Group dialog box.
Step 7
If you selected to store the ASA user group's attributes locally on the device, select the type of VPN for which you are creating the ASA user group from the Technology list.
Step 8
To configure the user group for an Easy VPN or remote access VPN, from the Easy VPN/Remote Access VPN folder in the Settings pane:
a.
Select Client Configuration to configure the Cisco client parameters for the ASA user group. For a description of the elements required to configure these parameters, see Table F-28 on page F-59.
b.
Select Client Firewall Attributes to configure the firewall settings for VPN clients for the ASA user group. For a description of the elements required to configure these settings, see Table F-29 on page F-61.
c.
Select Hardware Client Attributes to configure the VPN 3002 Hardware Client settings for the ASA user group. For a description of the elements required to configure these settings, see Table F-30 on page F-64.
d.
Select IPsec to specify tunneling protocols, filters, connection settings, and servers for the ASA user group. For a description of the elements required to configure these settings, see Table F-31 on page F-66.
Step 9
To configure the user group for an SSL VPN, from the SSL VPN folder in the Settings pane:
a.
Select Clientless to configure the Clientless mode of access to the corporate network in an SSL VPN, for the ASA user group object. For a description of the elements required to configure the Clientless mode settings, see Table F-33 on page F-69.
b.
Select Thin Client to configure the Thin Client mode of access to the corporate network in an SSL VPN, for the ASA user group object. For a description of the elements required to configure the Thin Client mode settings, see Table F-34 on page F-71.
c.
Select Full Tunnel to configure the Full Tunnel mode of access to the corporate network in an SSL VPN, for the ASA user group object. For a description of the elements required to configure the Full Tunnel mode settings, see Table F-35 on page F-72.
d.
Select Settings to configure the general settings that are required for Clientless and Thin Client access modes in an SSL VPN, for the ASA user group object. For a description of the elements required to configure these settings, see Table F-36 on page F-74.
Step 10
Specify the following settings for an ASA user group in an Easy VPN, remote access VPN or SSL VPN configuration, in the Settings pane:
a.
Select DNS/WINS to define the DNS and WINS servers and the domain name that should be pushed to clients associated with the ASA user group. For a description of the elements required to configure the DNS and WINS servers, see Table F-38 on page F-77.
b.
Select Split Tunneling to send traffic for the central site through the secure tunnel while other traffic goes to the Internet in clear text, outside the tunnel. A split-tunneled client is reachable from its local network for as long as it is connected to the corporate network, so review the Client Firewall Attributes (Step 8) together with this setting. For a description of the elements required to configure split tunneling, see Table F-39 on page F-79.
c.
Select General Settings to configure the SSL VPN connection settings for the ASA user group, such as the session and idle timeouts, including the banner text. For a description of the elements required to configure these settings, see Table F-40 on page F-81.
Step 11
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
Click OK to save your definitions and close the ASA User Group dialog box. The new ASA user group object appears in the table on the ASA User Groups page in the Policy Object Manager window.
Tip
To perform additional actions on the object, see Managing Existing Objects.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding Category Objects
The categories feature lets you tag rules and objects with a color so that you can identify them easily in rules tables. You can assign a category to a rule or object when you create it, or edit the rule or object later to add category information.
Default categories and color combinations are provided; however, you can edit these predefined categories, if required.
The benefits of using category objects are:
•
Visibility is improved when you view rules tables using objects that are color-coded.
•
Objects can be filtered in the rules tables, facilitating rule maintenance.
For example, you might want to create a network/host object and keep track of its use for administrative purposes. When you define this network/host object, you associate it with a category. When you view the access rules table, you can easily identify those rules that use your network/host object. You can also filter the table to display only those items associated with the category.
The following topic describes how to work with category objects:
•
Editing Category Objects
Related Topics
•
Understanding the Policy Object Manager Window
•
Creating Objects
Editing Category Objects
You can edit the name and description of each predefined category object. These names and descriptions make it easier to identify the purpose of the category when it appears in various rules tables.
This procedure describes how to edit a category object.
Related Topics
•
Understanding the Policy Object Manager Window
•
Understanding Category Objects
Step 1
Select Tools > Policy Object Manager. The Policy Object Manager window appears.
Step 2
Select Categories from the Object Type selector.
Step 3
In the work area, right-click an object, then select Edit Object.
The Category Editor dialog box appears. For a description of the fields in this dialog box, see Table F-42 on page F-84.
Step 4
Modify the names and descriptions of the predefined category objects, as required. Names can have a maximum of 128 characters, including special characters and spaces. Descriptions can have a maximum of 1024 characters.
Step 5
Click OK to save your changes.
Understanding Credential Objects
Credential objects are used when authenticating user access to the network and network services. A credential object comprises user credentials, typically a username and password, that identify the user during authentication.
In Security Manager, credential objects are used in Easy VPN configurations for IKE Extended Authentication (Xauth). When tunnel parameters are negotiated to establish IPsec tunnels in an Easy VPN configuration, Xauth identifies the user who requests the IPsec connection. If the VPN server is configured for Xauth, the client waits for a username/password challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication. You can save the Xauth credentials (username and password) on the device itself so that you do not need to enter them manually each time the Easy VPN tunnel is established. A saved credential becomes part of the device configuration, so restrict access to that configuration as you would for any other stored secret.
To create Credential objects, see Creating Credential Objects.
Related Topics
•
Easy VPN and IKE Extended Authentication (Xauth)
•
Credentials Page, page F-84
•
Creating Objects
•
Understanding the Policy Object Manager Window
Creating Credential Objects
You can create credential objects to use for IKE Extended Authentication (Xauth) in Easy VPN configurations. For more information, see Understanding Credential Objects.
Credential objects are defined at the global level, which means that they are applied identically to every object and policy that references them. However, you can override credential object definitions at the device level. For more information, see Managing Object Overrides.
This procedure describes how to create a credential object.
Tip
You can also create credential objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding the Policy Object Manager Window
•
Understanding Credential Objects
•
Credentials Dialog Box, page F-85
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Credentials. The Credentials page opens, displaying the currently defined credential objects. For a description of the elements on this page, see Table F-43 on page F-85.
Step 3
Right-click in the work area, then select New Object.
The Credentials dialog box appears. For a description of the elements in this dialog box, see Table F-44 on page F-86.
Step 4
Enter a name for the Credentials object.
Step 5
(Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).
Step 6
Specify a name that will be used to identify the user during Xauth authentication.
Step 7
Enter a password that will be used to identify the user during Xauth authentication.
Step 8
Enter the password again to confirm it.
Step 9
(Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Understanding Category Objects.
Step 10
(Optional) Select the Allow Value Override per Device check box to allow the properties of this object to be redefined on individual devices. See Allowing a Global Object to Be Overridden.
Step 11
Click OK to save your definitions. The new object appears in the table in the Credentials page.
Tip
To perform additional actions on the object, see Managing Existing Objects.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding FlexConfig Objects
FlexConfig objects are reusable, named components that can be referenced by other objects and policies. You create FlexConfig objects by entering configuration commands, either with or without additional scripting language instructions, in the FlexConfig Editor.
Because of their complexity and interdependency, FlexConfig objects are described together with FlexConfig policies. For more information, see Chapter 20, "Managing FlexConfigs".
For help creating, duplicating, editing, viewing, generating usage reports for, and deleting FlexConfig objects, see Creating FlexConfig Objects.
Creating FlexConfig Objects
You can create FlexConfig objects to configure features on devices that are not directly supported by Security Manager. For more information about FlexConfigs, see Chapter 20, "Managing FlexConfigs".
Tip
You can also create FlexConfig objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.
This procedure describes how to create FlexConfig objects.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
•
Security Manager does not manipulate or validate your commands; it simply deploys them to the devices. Therefore, ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.
•
If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, it is not recommended to use beginning and ending commands to configure interfaces.
Related Topics
•
FlexConfig Editor Dialog Box, page P-11
•
Understanding the Policy Object Manager Window
•
Understanding FlexConfig Objects
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
Select FlexConfigs from the Object Type selector.
Step 3
Right-click inside the work area, then click New Object.
The Add FlexConfig Object dialog box appears. See Table P-6 on page P-12 for a description of the fields in this dialog box.
Step 4
Define the object in the dialog box (see Table P-6 on page P-12 for the fields), then click OK to save your changes.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding IKE Proposal Objects
Internet Key Exchange (IKE) proposal objects contain the parameters required for IKE proposals when defining remote access VPN policies. IKE is a key management protocol that facilitates the management of IPsec-based communications. It is used to authenticate IPsec peers, negotiate and distribute IPsec encryption keys, and automatically establish IPsec security associations (SAs).
The IKE negotiation comprises two phases. Phase 1 negotiates a security association between two IKE peers, which enables the peers to communicate securely in Phase 2. During Phase 2 negotiation, IKE establishes security associations (SAs) for other applications, such as IPsec. Both phases use proposals when they negotiate a connection.
For more information about IKE proposals, see Understanding IKE, page 10-67. To create an IKE proposal object, see Creating IKE Proposal Objects.
Related Topics
•
Understanding the Policy Object Manager Window
•
Creating Objects
Creating IKE Proposal Objects
You can create IKE proposal objects to use when you define IKE proposals for remote access VPN policies. When you create an IKE proposal object, you must enter the priority of the proposal and define the encryption and authentication methods to use. Additionally, you can modify the default lifetime of the SA, if required.
This procedure describes how to create IKE proposal objects.
Tip
You can also create IKE proposal objects when defining policies that use this object type. For more information, see Selecting Objects for Policies.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding the Policy Object Manager Window
•
Understanding IKE Proposal Objects
Step 1
Select Tools > Policy Object Manager. The Policy Object Manager window appears.
Step 2
Select IKE Proposals from the Object Type selector.
Step 3
Right-click in the work area, then select New Object.
The IKE Proposal dialog box appears. For a description of the fields in this dialog box, see Table F-46 on page F-89.
Step 4
Enter a name for the object.
Step 5
(Optional) Enter a description for the object. The maximum length is 1024 characters (special characters are permitted).
Step 6
(Optional) Enter a priority value for the IKE proposal. Lower values indicate higher priorities. If the remote IPsec peer does not support the parameters selected in your first priority policy, the device tries to use the parameters defined in the policy with the next lowest priority number.
Note
If you leave this field blank, Security Manager assigns the lowest unassigned value starting with 1, then 5, then continuing in increments of 5.
Step 7
Select the encryption algorithm to use to establish the Phase 1 SA for protecting Phase 2 negotiations. See Deciding Which Encryption Algorithm to Use, page 10-68.
Step 8
Select the hash algorithm to use for authentication and ensuring data integrity. See Deciding Which Hash Algorithm to Use, page 10-69.
Step 9
In the Modulus Group field, select the Diffie-Hellman group to use for deriving a shared secret between two IPsec peers without transmitting it to each other. See Deciding Which Diffie-Hellman Group to Use, page 10-69.
Step 10
Enter the SA lifetime, in seconds. A shorter lifetime limits how long any one set of keys is in use, which is generally more secure, but each expiry forces a new IKE negotiation. With a longer lifetime, future IPsec security associations can be set up more quickly because the existing IKE SA is still available.
Step 11
Select the method of authentication to use to establish the identity of each IPsec peer. See Deciding Which Authentication Method to Use, page 10-70.
Step 12
(Optional) Under Category, select a color to help you identify this object in the Objects table and in rule tables. See Understanding Category Objects.
Step 13
Click OK to save your definitions. The new object appears in the table in the Policy Object Manager window.
Tip
To perform additional actions on the object, see Managing Existing Objects.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
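The priority entered in Step 6 decides the order in which the device offers its proposals, and the Note under that step describes how Security Manager fills the field when you leave it blank. The following Python model is added here as an example; it is not Security Manager or ASA code. It implements the auto-assignment rule from the Note and the "first priority, then next lowest number" walk described in Step 6. Parameter equality (encryption, hash, Diffie-Hellman group, authentication) is what the page describes; the lifetime rule in the code, where the peer's lifetime may not exceed the local one and the shorter value is used, is the usual Cisco IKEv1 matching behavior and is an assumption here, as are the proposal values, which are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class IKEProposal:
    """Phase 1 (ISAKMP) proposal as configured in the IKE Proposal dialog box."""
    priority: int            # 1-65535; a lower number is tried first
    encryption: str          # e.g. "aes-256", "3des"
    hash: str                # e.g. "sha", "md5"
    dh_group: int            # Diffie-Hellman modulus group
    lifetime: int            # SA lifetime in seconds
    authentication: str      # e.g. "pre-share", "rsa-sig"


@dataclass(frozen=True)
class PeerOffer:
    """What the remote peer proposes. It carries no local priority."""
    encryption: str
    hash: str
    dh_group: int
    lifetime: int
    authentication: str


def next_priority(assigned: Set[int]) -> int:
    """Auto-assignment rule from the Note under Step 6: the lowest unassigned value,
    trying 1 first, then 5, 10, 15, ... up to the ASA maximum of 65535."""
    for candidate in (1, *range(5, 65536, 5)):
        if candidate not in assigned:
            return candidate
    raise ValueError("no free priority value")


def negotiate(local: Iterable[IKEProposal], offers: Iterable[PeerOffer]) -> Optional[IKEProposal]:
    """Walk the local proposals in priority order and return the first one the peer
    accepts, with the negotiated lifetime filled in. None means Phase 1 fails.

    Assumption (standard Cisco IKEv1 behavior, not stated on the page): the peer's
    lifetime must not exceed ours, and the shorter lifetime is the one used.
    """
    offers = list(offers)
    for proposal in sorted(local, key=lambda p: p.priority):
        for offer in offers:
            same_suite = (
                proposal.encryption == offer.encryption
                and proposal.hash == offer.hash
                and proposal.dh_group == offer.dh_group
                and proposal.authentication == offer.authentication
            )
            if same_suite and offer.lifetime <= proposal.lifetime:
                return replace(proposal, lifetime=offer.lifetime)
    return None


# Constructed sample configuration (not from the page): a preferred AES proposal
# and a fallback 3DES proposal with a higher (less preferred) priority number.
LOCAL = [
    IKEProposal(10, "aes-256", "sha", 14, 86400, "pre-share"),
    IKEProposal(20, "3des", "sha", 2, 86400, "pre-share"),
]
STRONG_PEER = [
    PeerOffer("aes-256", "sha", 14, 86400, "pre-share"),
    PeerOffer("3des", "sha", 2, 86400, "pre-share"),
]
LEGACY_PEER = [PeerOffer("3des", "sha", 2, 28800, "pre-share")]
TOO_LONG_LIFETIME = [PeerOffer("aes-256", "sha", 14, 172800, "pre-share")]

if __name__ == "__main__":
    print("auto priority after {1, 5}:", next_priority({1, 5}))
    print("strong peer  ->", negotiate(LOCAL, STRONG_PEER))
    print("legacy peer  ->", negotiate(LOCAL, LEGACY_PEER))
    print("long lifetime->", negotiate(LOCAL, TOO_LONG_LIFETIME))
```

The LEGACY_PEER case is the one to keep in mind when you order proposals: priority only controls which suite is tried first. A peer that offers nothing but the fallback suite still gets it, so the only way to refuse a suite is to leave it out of the policy altogether.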
Understanding Inspection Map Objects
Inspection map objects comprise class maps and policy maps. The Inspect Maps policy object type is subdivided into several entries. The Class Maps folder contains all Layer 7 class maps that are supported on ASA 7.2 and PIX 7.2 devices. The Policy Maps folder contains all supported Layer 7 policy maps. The Inspect Maps folder also contains entries for TCP Map objects, Regular Expression objects, and Regular Expression Group objects.
Class Maps
An inspection class map matches application traffic against criteria specific to the application, such as a URL string. You then reference the class map in the inspect map and enable actions for the matched traffic. The difference between creating a class map and defining the traffic match directly in the inspect map is that a class map can express more complex match criteria and can be reused. Security Manager currently supports inspection class maps for the following applications: DNS, FTP, H.323, HTTP, IM, and SIP.
To create class maps, refer to the following:
•
Creating DNS Class Map Objects
•
Creating FTP Class Map Objects
•
Creating H.323 Class Map Objects
•
Creating HTTP Class Map Objects
•
Creating IM Class Map Objects
•
Creating SIP Class Map Objects
Policy Maps
The algorithm the security appliance uses for stateful application inspection ensures the security of applications and services. Some applications require special handling, and specific application inspection engines are provided for this purpose. Applications that require special application inspection engines are those that embed IP addressing information in the user data packet or open secondary channels on dynamically assigned ports.
Application inspection engines work with NAT to help identify the location of embedded addressing information. This allows NAT to translate these embedded addresses and to update any checksum or other fields that are affected by the translation.
Each application inspection engine also monitors sessions to determine the port numbers for secondary channels. Many protocols open secondary TCP or UDP ports to improve performance. The initial session on a well-known port is used to negotiate dynamically assigned port numbers. The application inspection engine monitors these sessions, identifies the dynamic port assignments, and permits data exchange on these ports for the duration of the specific session.
In addition, stateful application inspection audits the validity of the commands and responses within the protocol being inspected. The security appliance helps to prevent attacks by verifying that traffic conforms to the RFC specifications for each protocol that is inspected.
You can create inspect maps for specific protocol inspection engines. You use an inspect map to store the configuration for a protocol inspection engine. You then enable the configuration settings in the inspect map by associating the map with a specific type of traffic using a global security policy or a security policy for a specific interface.
Security Manager currently supports the following applications that support inspect maps: DCE/RPC, DNS, ESMTP, FTP, GTP, H.323, HTTP, IM, IPsec, NetBIOS, SIP, Skinny, and SNMP.
To create policy inspection maps, refer to the following:
•
Creating DCE/RPC Map Objects
•
Creating DNS Map Objects
•
Creating ESMTP Map Objects
•
Creating FTP Map Objects
•
Creating GTP Map Objects
•
Creating H.323 Map Objects
•
Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS)
•
Creating HTTP Map Objects (ASA 7.2/PIX 7.2)
•
Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices
•
Creating IM Map Objects for IOS Devices
•
Creating IPSec Pass Through Map Objects
•
Creating NetBIOS Map Objects
•
Creating SIP Map Objects
•
Creating Skinny Map Objects
•
Creating SNMP Map Objects
To create inspection maps that are not associated with Layer 7 class maps or policy maps, refer to the following:
•
Creating Regular Expression Group Objects
•
Creating Regular Expression Objects
•
Creating TCP Map Objects
Creating DNS Class Map Objects
The DNS Class Map panel lets you configure DNS class maps for DNS inspection.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
•
DNS Class Maps Page, page F-91
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Class Maps > DNS Class Maps.
The DNS Class Maps page appears. For a description of the GUI elements, see Table F-47 on page F-92.
Step 3
Right-click inside the work area, then select New Object.
The Add DNS Class Map dialog box appears. For a description of the GUI elements, see Table F-48 on page F-93.
Step 4
Enter the name of the DNS Class Map.
Step 5
(Optional) Enter a description to help you identify the class map. If a description is entered, an icon is displayed when you view the DNS Class Maps table.
Step 6
Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI elements, see Table F-49 on page F-95.
Step 7
Select the criterion from the list. For a description of each criterion, see Step 9.
Step 8
Select the match type from the list.
Step 9
Complete the dialog box with appropriate values. The dialog box values vary based on your selection in the Criterion list. See the following tables for descriptions of the criterion elements.
•
DNS Class—Matches a DNS query or resource record class. For a description of the GUI elements, see Table F-50 on page F-97.
•
DNS Type—Matches a DNS query or resource record type. For a description of the GUI elements, see Table F-51 on page F-98.
•
Domain Name—Match a domain name from a DNS query or resource record. For a description of the GUI elements, see Table F-52 on page F-99.
•
Header Flag—Match a DNS flag in the header. Header Flag criterion values specify the value details for the DNS header flag match. For a description of the GUI elements, see Table F-53 on page F-100.
•
Question—Match a DNS question. For a description of the GUI elements, see Table F-54 on page F-102.
•
Resource Record—Match a DNS resource record. For a description of the GUI elements, see Table F-55 on page F-103.
Step 10
Click OK.
The Add Match Criterion dialog box closes and you return to the Add DNS Class Map dialog box.
Step 11
(Optional) Select a category from the list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not itself define any override values; before you can set the override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add DNS Class Map dialog box closes and you return to the DNS Class Maps page. The new class map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating FTP Class Map Objects
An FTP class map object lets you configure FTP class maps for FTP inspection.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
•
FTP Class Maps Page, page F-103
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Class Maps > FTP Class Maps.
The FTP Class Maps page appears. For a description of the GUI elements, see Table F-56 on page F-104.
Step 3
Right-click inside the work area, then select New Object.
The Add FTP Class Map dialog box appears. For a description of the GUI elements, see Table F-57 on page F-106.
Step 4
Enter the name of the FTP Class Map.
Step 5
(Optional) Enter a description to help you identify the class map. If a description is entered, an icon is displayed when you view the FTP Class Maps table.
Step 6
Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI elements, see Table F-58 on page F-108.
Step 7
Select the criterion from the list. For more information regarding the criteria, see Step 9.
Step 8
Select the match type from the list.
Step 9
Complete the dialog box with appropriate values. The dialog box values vary based on your selection in the Criterion list. See the following tables for descriptions of the criterion elements.
•
Request Command—Matches an FTP request command. For a description of the GUI elements, see Table F-59 on page F-109.
•
File Name—Matches a filename for FTP transfer. For a description of the GUI elements, see Table F-60 on page F-111.
•
File Type—Matches a file type for FTP transfer. For a description of the GUI elements, see Table F-61 on page F-112.
•
Server—Matches an FTP server. For a description of the GUI elements, see Table F-62 on page F-113.
•
User Name—Matches an FTP user. For a description of the GUI elements, see Table F-63 on page F-114.
Step 10
Click OK to save your changes.
The Add Match Criterion dialog box closes and you return to the Add FTP Class Map dialog box.
Step 11
(Optional) Select a category from the list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not itself define any override values; before you can set the override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add FTP Class Map dialog box closes and you return to the FTP Class Maps page. The new class map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating H.323 Class Map Objects
The H.323 Class Map panel lets you configure H.323 class maps for H.323 inspection.
Related Topics
•
Understanding Inspection Map Objects
•
H.323 Class Maps Page, page F-115
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Class Maps > H.323 Class Maps.
The H.323 Class Maps page appears. For a description of the GUI elements, see Table F-63 on page F-116.
Step 3
Right-click inside the work area, then select New Object.
The Add H.323 Class Map dialog box appears. For a description of the GUI elements, see Table F-179 on page F-288.
Step 4
Enter the name of the H.323 Class Map.
Step 5
(Optional) Enter a description to help you identify the class map. If a description is entered, an icon is displayed when you view the H.323 Class Maps table.
Step 6
Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI elements, see Table F-49 on page F-95.
Step 7
Select the criterion from the list.
Step 8
Select the match type from the list.
Step 9
Complete the dialog box with appropriate values. The dialog box values vary based on your selection in the Criterion list. See the following tables for descriptions of the criterion elements.
•
Called Party—For a description of the GUI elements, see Table F-65 on page F-119.
•
Calling Party—For a description of the GUI elements, see Table F-66 on page F-121.
•
Media Type—For a description of the GUI elements, see Table F-67 on page F-122.
Step 10
Click OK.
The Add Match Criterion dialog box closes and you return to the Add H.323 Class Map dialog box.
Step 11
(Optional) Select a category from the list to help you identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Creating Device-Level Object Overrides.
Note
Selecting this check box does not automatically define override values to use; however, before you can set the override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add H.323 Class Map dialog box closes and you return to the H.323 Class Maps page. The new class map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating HTTP Class Map Objects
An HTTP class map object lets you configure HTTP class maps for HTTP inspection.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
•
HTTP Class Maps Page, page F-122
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Class Maps > HTTP Class Maps.
The HTTP Class Maps page appears. For a description of the GUI elements, see Table F-68 on page F-123. The page lists system-generated HTTP class maps that cannot be edited.
Step 3
Right-click inside the work area, then select New Object.
The Add HTTP Class Map dialog box appears. For a description of the GUI elements, see Table F-69 on page F-125.
Step 4
Enter the name of the HTTP Class Map.
Step 5
(Optional) Enter a description to help you identify the class map. If a description is entered, an icon is displayed when you view the HTTP Class Maps table.
Step 6
Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI elements, see Table F-70 on page F-126.
Step 7
Select the criterion from the list. For more information on the criteria, see Step 9.
Step 8
Select the match preference from the list.
Step 9
Complete the dialog box with appropriate values. The dialog box values vary based on your selection in the Criterion list. See the following tables for descriptions of the criterion elements.
•
Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request. For a description of the GUI elements, see Table F-71 on page F-130.
•
Request Arguments—Applies the regular expression match to the arguments of the request. For a description of the GUI elements, see Table F-72 on page F-131.
•
Request Body—Applies the regular expression match to the body of the request. For a description of the GUI elements, see Table F-73 on page F-132.
•
Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified. For a description of the GUI elements, see Table F-74 on page F-133.
•
Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers. For a description of the GUI elements, see Table F-75 on page F-134.
•
Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified. For a description of the GUI elements, see Table F-76 on page F-135.
•
Request Header Field—Applies the regular expression match to the header of the request. For a description of the GUI elements, see Table F-77 on page F-136.
•
Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields. For a description of the GUI elements, see PIM Page, page L-195.
•
Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified. For a description of the GUI elements, see Table F-78 on page F-140.
•
Request Header Content Type—For a description of the GUI elements, see Table F-79 on page F-141.
•
Request Header Transfer Encoding—For a description of the GUI elements, see Table F-80 on page F-143.
•
Request Header Non-ASCII—Matches non-ASCII characters in the header of the request. See Table F-81 on page F-145.
•
Request Method—Applies the regular expression match to the method of the request. For a description of the GUI elements, see Table F-82 on page F-146.
•
Request URI—Applies the regular expression match to the URI of the request. For a description of the GUI elements, see Table F-83 on page F-147.
•
Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified. For a description of the GUI elements, see Table F-84 on page F-149.
•
Response Body ActiveX—Specifies to match on ActiveX. For a description of the GUI elements, see Table F-85 on page F-150.
•
Response Body Java Applet—Specifies to match on a Java Applet. For a description of the GUI elements, see Table F-86 on page F-151.
•
Response Body—Applies the regular expression match to the body of the response. For a description of the GUI elements, see Table F-87 on page F-152.
•
Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified. For a description of the GUI elements, see Table F-88 on page F-153.
•
Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers. For a description of the GUI elements, see Table F-89 on page F-154.
•
Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified. For a description of the GUI elements, see Table F-90 on page F-155.
•
Response Header Field—Applies the regular expression match to the header of the response. For a description of the GUI elements, see Table F-91 on page F-156.
•
Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields. For a description of the GUI elements, see Table F-92 on page F-158.
•
Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified. For a description of the GUI elements, see Table F-93 on page F-160.
•
Response Header Content Type—For a description of the GUI elements, see Table F-94 on page F-161.
•
Response Header Transfer Encoding—For a description of the GUI elements, see Table F-95 on page F-163.
•
Response Header Non-ASCII—Matches non-ASCII characters in the header of the response. For a description of the GUI elements, see Table F-96 on page F-165.
•
Response Status Line—Applies the regular expression match to the status line. For a description of the GUI elements, see Table F-97 on page F-166.
Step 10
Click OK to save your changes.
The Add Match Criterion dialog box closes and you return to the Add HTTP Class Map dialog box.
Step 11
(Optional) Select a category from the list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not itself define any override values; before you can set the override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add HTTP Class Map dialog box closes and you return to the HTTP Class Maps page. The new class map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating IM Class Map Objects
An IM Class Map object lets you configure IM class maps for IM inspection.
Related Topics
•
Understanding Inspection Map Objects
•
IM Class Maps Page, page F-166
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Class Maps > IM Class Maps.
The IM Class Maps page appears. For a description of the GUI elements, see Table F-98 on page F-167.
Step 3
Right-click inside the work area, then select New Object.
The Add IM Class Map dialog box appears. For a description of the GUI elements, see Table F-99 on page F-169.
Step 4
Enter the name of the IM Class Map.
Step 5
(Optional) Enter a description to help you identify the class map. If a description is entered, an icon is displayed when you view the IM Class Maps table.
Step 6
Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI elements, see Table F-100 on page F-171.
Step 7
Select the criterion from the list.
Step 8
Select the match type from the list.
Step 9
Complete the dialog box with appropriate values. The dialog box values vary based on your selection in the Criterion list. See the following tables for descriptions of the criterion elements.
•
Filename—Matches the filename from the IM file transfer service. For a description of the GUI elements, see Table F-101 on page F-173.
•
Client IP Address—Matches a source IP address. For a description of the GUI elements, see Table F-102 on page F-174.
•
Client Login Name—Matches the client login name from the IM service. For a description of the GUI elements, see Table F-103 on page F-175.
•
Peer IP Address—Matches a destination IP address. For a description of the GUI elements, see Table F-104 on page F-176.
•
Peer Login Name—Matches the client peer login name from the IM service. For a description of the GUI elements, see Table F-105 on page F-177.
•
Protocol—Matches IM protocols. For a description of the GUI elements, see Table F-106 on page F-178.
•
Service—Matches IM services. For a description of the GUI elements, see Table F-107 on page F-179.
•
File Transfer Service Version—Matches the IM file transfer service version. For a description of the GUI elements, see Table F-108 on page F-180.
Step 10
Click OK to save your changes.
The Add Match Criterion dialog box closes and you return to the Add IM Class Map dialog box.
Step 11
(Optional) Select a category from the list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not itself define any override values; before you can set the override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add IM Class Map dialog box closes and you return to the IM Class Maps page. The new class map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating SIP Class Map Objects
A SIP class map object lets you configure SIP class maps for SIP inspection.
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
•
SIP Class Maps Page, page F-181
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Class Maps > SIP Class Maps.
The SIP Class Maps page appears. For a description of the GUI elements, see Table F-109 on page F-182.
Step 3
Right-click inside the work area, then select New Object.
The Add SIP Class Map dialog box appears. For a description of the GUI elements, see Table F-110 on page F-184.
Step 4
Enter the name of the SIP Class Map.
Step 5
(Optional) Enter a description to help you identify the class map. If a description is entered, an icon is displayed when you view the SIP Class Maps table.
Step 6
Right-click inside the match criteria table, then select Add Row.
The Add Match Criterion dialog box appears. For a description of the GUI elements, see Table F-111 on page F-186.
Step 7
Select the criterion from the list. For more information regarding the criteria, see Step 9.
Step 8
Select the match type from the list.
Step 9
Complete the dialog box with appropriate values. The dialog box values vary based on your selection in the Criterion list. See the following tables for descriptions of the criterion elements.
•
Called Party—Matches the called party as specified in the To header. For a description of the GUI elements, see Table F-112 on page F-188.
•
Calling Party—Matches the calling party as specified in the From header. For a description of the GUI elements, see Table F-113 on page F-189.
•
Content Length—Matches the Content Length header. For a description of the GUI elements, see Configuring a Firewall Services Module (FWSM) Interface with VPNSM or VPN SPA, page 10-48.
•
Content Type—Matches the Content Type header. For a description of the GUI elements, see Table F-115 on page F-191.
•
IM Subscriber—Matches the SIP IM subscriber. For a description of the GUI elements, see Table F-116 on page F-193.
•
Message Path—Matches the SIP Via header. For a description of the GUI elements, see Table F-117 on page F-194.
•
Third Party Registration—Matches the requester of a third-party registration. For a description of the GUI elements, see Table F-118 on page F-195.
•
URI Length—Matches a URI in the SIP headers. For a description of the GUI elements, see Table F-119 on page F-197.
•
Request Method—Matches the SIP request method. For a description of the GUI elements, see Table F-120 on page F-198.
Step 10
Click OK to save your changes.
The dialog box closes and you return to the Add SIP Class Map dialog box.
Step 11
(Optional) Select a category from the list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not itself define any override values; before you can set the override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add SIP Class Map dialog box closes and you return to the SIP Class Maps page. The new class map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding DCE/RPC Policy Maps
DCE/RPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper (EPM), which listens on a well-known port number, for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
DCE/RPC inspection maps inspect native TCP communication between the EPM and the client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are taken from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by the EPM, multiple pinholes are allowed, with user-configurable timeouts.
From the DCE/RPC Maps page, you can create, view, and manage DCE/RPC inspection maps.
Related Topics
•
Creating DCE/RPC Map Objects
•
Understanding Inspection Map Objects
•
DCE/RPC Maps Page, page F-200
Creating DCE/RPC Map Objects
A DCE/RPC inspection policy map lets you change the default configuration values used for DCE/RPC inspection.
Related Topics
•
Understanding Inspection Map Objects
•
Understanding DCE/RPC Policy Maps
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > DCE/RPC Maps.
The DCE/RPC Maps page appears. For a description of the GUI elements, see DCE/RPC Maps Page, page F-200.
Step 3
Right-click inside the work area, then select New Object.
The Add DCE/RPC Map dialog box appears. For a description of the GUI elements, see Add and Edit DCE/RPC Dialog Box, page F-201.
Step 4
Enter the name of the DCE/RPC Map object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the DCE/RPC Maps table.
Step 6
Configure values for Parameters. For a description of the GUI elements, see Add and Edit DCE/RPC Dialog Box, page F-201.
Step 7
(Optional) Select a category from the list to help you identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 8
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not automatically define override values to use; however, before you can set the override values, you must first save the policy object.
Step 9
Click OK to save your changes.
The Add DCE/RPC Map dialog box closes and you return to the DCE/RPC Maps page. The new map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding DNS Policy Maps
DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. User-configurable rules allow certain DNS types to be allowed, dropped, and/or logged, while others are blocked. Zone transfers can be restricted between servers with this function, for example.
The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS ID randomization can be enabled to avoid spoofing and cache poisoning of servers that either do not support randomization or use a weak pseudo-random number generator. Limiting the domain names that can be queried protects the public server further.
A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable check that enforces a Transaction Signature (TSIG) on all DNS messages is also supported.
From the DNS Maps page, you can create, view, and manage DNS inspect maps.
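As an added example (not Security Manager or ASA code), the following Python models the checks these dialogs configure: the match-all DNS class map criteria from Creating DNS Class Map Objects (Header Flag, Domain Name, DNS Type, DNS Class), the masking of the RD and RA header flags, and the mismatch-rate alert described above. The wire format follows RFC 1035; the class names, thresholds and sample messages are constructed for illustration.

```python
"""Added example: a Python model of the DNS inspection checks configured through
the DNS class map and DNS map dialogs.  Not Security Manager or ASA code."""
import struct
from dataclasses import dataclass, field

# DNS header flag bits (RFC 1035) that the Header Flag criterion can match.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
QTYPE_A, QTYPE_AXFR, CLASS_IN = 1, 252, 1


def build_message(ident, name, qtype=QTYPE_A, qclass=CLASS_IN, flags=RD):
    """Build a one-question DNS message (constructed test input, no answers)."""
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Return (id, flags, qdcount) from the 12-byte header; reject short messages."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount = struct.unpack("!3H", msg[:6])
    return ident, flags, qdcount


def parse_question(msg):
    """Decode the first question as (name, qtype, qclass); question names are
    never compressed, so a pointer label here is a conformance violation."""
    labels, off = [], 12
    while msg[off] != 0:
        length = msg[off]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii").lower())
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[off + 1:off + 5])
    return ".".join(labels), qtype, qclass


@dataclass
class DnsClassMap:
    """Match-all criteria from the Add DNS Class Map dialog: Header Flag,
    Domain Name, DNS Type and DNS Class.  None/0 means 'criterion not used'."""
    header_flags: int = 0
    domain_suffix: str = None
    dns_type: int = None
    dns_class: int = None

    def matches(self, msg):
        _, flags, qdcount = parse_header(msg)
        # Header Flag: every configured bit must be set in the message.
        if self.header_flags and (flags & self.header_flags) != self.header_flags:
            return False
        if self.domain_suffix or self.dns_type is not None or self.dns_class is not None:
            if qdcount == 0:
                return False
            name, qtype, qclass = parse_question(msg)
            # Domain Name: the queried name is the suffix itself or lies under it.
            if self.domain_suffix and not (
                name == self.domain_suffix or name.endswith("." + self.domain_suffix)
            ):
                return False
            if self.dns_type is not None and qtype != self.dns_type:
                return False
            if self.dns_class is not None and qclass != self.dns_class:
                return False
        return True


def mask_header_flags(msg, mask):
    """Clear the given flag bits (e.g. RD | RA) so a public authoritative server
    never sees or advertises recursion; the rest of the message is untouched."""
    _, flags, _ = parse_header(msg)
    return msg[:2] + struct.pack("!H", flags & ~mask) + msg[4:]


@dataclass
class MismatchMonitor:
    """Counts responses whose ID matches no outstanding query and alerts when
    more than `threshold` arrive within `window` seconds (the Mismatch Rate tab)."""
    threshold: int
    window: float
    outstanding: set = field(default_factory=set)
    mismatches: list = field(default_factory=list)

    def observe(self, msg, now):
        """Return True when the mismatch alert threshold is exceeded."""
        ident, flags, _ = parse_header(msg)
        if not flags & QR:                     # a query: remember its ID
            self.outstanding.add(ident)
            return False
        if ident in self.outstanding:          # a response to a query we saw
            self.outstanding.discard(ident)
            return False
        # Unsolicited response: keep only mismatches still inside the window.
        self.mismatches = [t for t in self.mismatches if now - t < self.window] + [now]
        return len(self.mismatches) > self.threshold
```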
Related Topics
•
Creating DNS Map Objects
•
Understanding Inspection Map Objects
•
DNS Maps Page, page F-203
Creating DNS Map Objects
A DNS map lets you change the default configuration values used for DNS application inspection.
Related Topics
•
Understanding Inspection Map Objects
•
Understanding DNS Policy Maps
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > DNS Maps.
The DNS Maps page appears. For a description of the GUI elements, see Table F-123 on page F-203.
Step 3
Right-click inside the work area, then select New Object.
The Add DNS Map dialog box appears. For a description of the GUI elements, see Table F-124 on page F-205.
Step 4
Enter the name of the DNS Map object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the DNS Maps table.
Step 6
Configure values for protocol conformance. For a description of the GUI elements, see Table F-125 on page F-207.
Note
The Protocol Conformance tab opens by default the first time the dialog box is accessed.
Step 7
Click the Filtering tab to configure the values for filtering. For a description of the GUI elements, see Table F-126 on page F-209.
Step 8
Click the Mismatch Rate tab to configure the values for mismatch rate. For a description of the GUI elements, see Table F-127 on page F-211.
Step 9
Click the Match Condition and Action tab to configure the values for match criterion. For a description of the GUI elements, see Table F-128 on page F-212.
a.
Right-click inside the table, then select Add Row.
b.
The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-129 on page F-214.
Step 10
If you select Use Specified Values as your match type, select the criterion. Options are:
•
DNS Class—Matches a DNS query or resource record class. For a description of the GUI elements, see Table F-130 on page F-216.
•
DNS Type—Matches a DNS query or resource record type. For a description of the GUI elements, see Table F-131 on page F-218.
•
Domain Name—Matches a domain name from a DNS query or resource record. For a description of the GUI elements, see Table F-132 on page F-220.
•
Header Flag—Matches a DNS flag in the header. For a description of the GUI elements, see Table F-133 on page F-221.
•
Question—Matches a DNS question. For a description of the GUI elements, see Table F-134 on page F-223.
•
Resource Record—Matches a DNS resource record. For a description of the GUI elements, see Table F-55 on page F-103.
Step 11
If you select Use Values in Class Map as your match type:
a.
Enter the name of the class map or click Select, which opens the DNS Class Map Selector from which to make your selection.
b.
Select the action to be performed when the criteria are met.
Step 12
Click OK to save your changes.
The Add Match Condition and Action dialog box closes and you return to the Add DNS Map dialog box.
Step 13
(Optional) Select a category from the list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 14
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not itself define any override values; before you can set the override values, you must first save the policy object.
Step 15
Click OK to save your changes.
The Add DNS Map dialog box closes and you return to the DNS Maps page. The new map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding ESMTP Policy Maps
ESMTP inspection detects attacks, including spam, phishing, malformed message attacks, and buffer overflow/underflow attacks. It also provides support for application security and protocol conformance, which enforce the sanity of ESMTP messages as well as detect several attacks, block senders/receivers, and block mail relay.
From the ESMTP Maps page, you can create, view, and manage ESMTP inspect maps.
Related Topics
•
Creating ESMTP Map Objects
•
Understanding Inspection Map Objects
•
Table F-137 on page F-227
Creating ESMTP Map Objects
An ESMTP policy map lets you change the default configuration values used for ESMTP inspection.
Related Topics
•
Understanding Inspection Map Objects
•
Understanding ESMTP Policy Maps
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > ESMTP Maps.
The ESMTP Maps page appears. For a description of the GUI elements, see Table F-137 on page F-227.
Step 3
Right-click inside the work area, then select New Object.
The Add ESMTP Map dialog box appears. For a description of the GUI elements, see Table F-138 on page F-229.
Step 4
Enter the name of the ESMTP Map object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the ESMTP Maps table.
Step 6
Configure values for parameters. For a description of the GUI elements, see Table F-139 on page F-230.
Step 7
Click the Match Condition and Action tab to configure the values for match criterion. For a description of the GUI elements, see Table F-140 on page F-232.
a.
Right-click inside the table, then select Add Row.
b.
The Add Match Condition and Action dialog box appears.
Step 8
Select the criterion to use as your match type. Options are:
• Body Length—For a description of the GUI elements, see Table F-141 on page F-233.
• Body Line Length—For a description of the GUI elements, see Table F-142 on page F-234.
• Commands—For a description of the GUI elements, see Table F-143 on page F-236.
• Command Recipient Count—For a description of the GUI elements, see Table F-144 on page F-238.
• Command Line Length—For a description of the GUI elements, see Table F-145 on page F-239.
• EHLO Reply Parameters—For a description of the GUI elements, see Table F-146 on page F-240.
• Header Length—For a description of the GUI elements, see Table F-147 on page F-242.
• Header Line Length—For a description of the GUI elements, see Table F-148 on page F-243.
• To: Recipients Count—For a description of the GUI elements, see Table F-149 on page F-245.
• Invalid Recipients Count—For a description of the GUI elements, see Table F-150 on page F-246.
• MIME File Type—For a description of the GUI elements, see Table F-151 on page F-247.
• MIME Filename Length—For a description of the GUI elements, see Table F-152 on page F-249.
• MIME Encoding—For a description of the GUI elements, see Table F-153 on page F-250.
• Sender Address—For a description of the GUI elements, see Table F-154 on page F-252.
• Sender Address Length—For a description of the GUI elements, see Table F-155 on page F-254.
Step 9
Click OK to save your changes.
The Add Match Condition and Action dialog box closes and you return to the Add ESMTP Map dialog box.
Step 10
(Optional) Select a category from the list to help you identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 11
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not automatically define override values to use; however, before you can set the override values, you must first save the policy object.
Step 12
Click OK to save your changes.
The Add ESMTP Map dialog box closes and you return to the ESMTP Maps page. The new map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
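To make the match conditions of the ESMTP procedure above concrete, here is an added example (not Security Manager or appliance code) that evaluates a constructed client-side SMTP session against a small policy. It models the Commands, Command Recipient Count, Command Line Length, Header Line Length, Sender Address, Sender Address Length, MIME File Type and Body Length conditions; the limits, the single map-wide action and the sample session are all this example's assumptions, not appliance defaults.

```python
"""Toy ESMTP inspection evaluator for a constructed SMTP session.

Added example, not Security Manager or appliance code. Limits, the map-wide
action and the sample session are constructed values.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class EsmtpMap:
    max_recipients: int = 100                 # Command Recipient Count
    max_command_line_length: int = 512        # Command Line Length
    max_header_line_length: int = 998         # Header Line Length
    max_body_length: int = 10 * 1024 * 1024   # Body Length (bytes, CRLF counted)
    max_sender_address_length: int = 320      # Sender Address Length
    allowed_commands: Set[str] = field(default_factory=lambda: {
        "EHLO", "HELO", "MAIL", "RCPT", "DATA", "QUIT", "RSET", "NOOP"})   # Commands
    sender_address_regex: Optional[str] = None   # Sender Address: a match is a violation
    blocked_mime_file_types: Set[str] = field(default_factory=lambda: {".exe", ".scr", ".vbs"})
    action: str = "reset"                     # action applied when any condition matches


@dataclass
class Verdict:
    matched: List[str]   # match conditions that fired, in session order
    action: str          # the map action, or "allow" when nothing matched


def inspect_session(client_lines: List[str], m: EsmtpMap) -> Verdict:
    """Walk the client side of an SMTP session (one line per element, no CRLF)."""
    matched: List[str] = []
    in_data = in_headers = False
    rcpt_count = body_bytes = 0
    for line in client_lines:
        if in_data:
            if line == ".":                     # end of DATA
                in_data = False
                continue
            if in_headers:
                if line == "":
                    in_headers = False          # blank line ends the message header
                elif len(line) > m.max_header_line_length:
                    matched.append("header-line-length")
            else:
                body_bytes += len(line.encode()) + 2
            # MIME File Type: attachment file names in any header, top level or per part
            fname = re.search(r'filename="?([^";]+)"?', line, re.IGNORECASE)
            if fname:
                name = fname.group(1).strip()
                ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
                if ext in m.blocked_mime_file_types:
                    matched.append(f"mime-file-type:{ext}")
            continue
        if len(line) > m.max_command_line_length:
            matched.append("command-line-length")
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb not in m.allowed_commands:
            matched.append(f"command:{verb}")
        if verb == "MAIL":
            addr = re.search(r"<([^>]*)>", line)
            sender = addr.group(1) if addr else ""
            if len(sender) > m.max_sender_address_length:
                matched.append("sender-address-length")
            if m.sender_address_regex and re.search(m.sender_address_regex, sender):
                matched.append("sender-address")
            rcpt_count = 0                      # recipients are counted per MAIL FROM
        elif verb == "RCPT":
            rcpt_count += 1
            if rcpt_count > m.max_recipients:
                matched.append("command-recipient-count")
        elif verb == "DATA":
            in_data = in_headers = True
    if body_bytes > m.max_body_length:
        matched.append("body-length")
    return Verdict(matched, m.action if matched else "allow")


# Constructed session: three recipients and an .exe attachment.
SAMPLE_SESSION = [
    "EHLO client.example.org",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob@example.net>",
    "RCPT TO:<carol@example.net>",
    "RCPT TO:<dave@example.net>",
    "DATA",
    "From: alice@example.com",
    "Subject: quarterly report",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Disposition: attachment; filename="report.exe"',
    "",
    "TVqQAAMAAAAEAAAA",
    "--b1--",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    v = inspect_session(SAMPLE_SESSION, EsmtpMap(max_recipients=2))
    print(v.action, v.matched)   # reset ['command-recipient-count', 'mime-file-type:.exe']
```

Each condition is recorded in the order it fires, so a log line can show which limit a session tripped first; the appliance, by contrast, applies the action attached to each individual match condition, which this toy collapses into one map-wide action.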
Understanding FTP Policy Maps
An FTP class map lets you view previously configured FTP application inspection maps. An FTP policy map object lets you change the default configuration values used for FTP application inspection.
FTP is a common protocol used for transferring files over a TCP/IP network, such as the Internet. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server.
From the FTP Maps page, you can create, view, and manage FTP inspect maps.
Related Topics
• Understanding Inspection Map Objects
• Creating FTP Map Objects
• FTP Maps Page, page F-254
Creating FTP Map Objects
Related Topics
• Understanding Inspection Map Objects
• FTP Maps Page, page F-254
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > FTP Maps.
The FTP Maps page appears. For a description of the GUI elements, see Table F-156 on page F-255.
Step 3
Right-click inside the work area, then select New Object.
The Add FTP Map dialog box appears. For a description of the GUI elements, see Table F-157 on page F-257.
Step 4
Enter the name of the FTP Map object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the FTP Maps table.
Step 6
Configure values for parameters. For a description of the GUI elements, see Table F-158 on page F-258.
Note
The Parameters tab opens by default the first time the dialog box is accessed.
Step 7
Click the Match Condition and Action tab to configure the values for match criterion.
a. Right-click inside the table, then select Add Row.
b. The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-160 on page F-260.
Step 8
If you select Use Specified Values as your match type, select the criterion. Options are:
• Request Command—Matches an FTP request command. For a description of the GUI elements, see Table F-161 on page F-261.
• File Name—Matches a filename for FTP transfer. For a description of the GUI elements, see Table F-162 on page F-263.
• File Type—Matches a file type for FTP transfer. For a description of the GUI elements, see Table F-163 on page F-265.
• Server—Matches an FTP server. For a description of the GUI elements, see Table F-164 on page F-266.
• Username—Matches an FTP user. For a description of the GUI elements, see Table F-165 on page F-268.
Step 9
If you select Use Values in Class Map as your match type:
a. Enter the class map name or click Select, which opens the class map selector from which to make your selection.
b. Select the action to be performed when the criteria are met.
Step 10
Click OK to save your changes and close the dialog box.
Step 11
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not automatically recognize override values to use; however, before you can set the override values, you must first save the policy object.
Step 13
(Optional) Select platform information for which to perform validation, then click Validate to initialize the validation process.
Step 14
Click OK to save your changes.
Step 15
The dialog box closes and you return to the FTP Maps page. The new object is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
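The Request Command, File Name, File Type, Server and Username match conditions from the procedure above, applied to a constructed FTP control-channel transcript, as an added example (not Security Manager or appliance code). The mapping of the GUI-style names put and get to the wire verbs STOR and RETR, the per-rule actions and the transcript are this example's assumptions.

```python
"""Toy FTP control-channel inspection.

Added example, not Security Manager or appliance code. The put/get aliases,
the rule actions and the transcript are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# GUI-style request-command names mapped to the verbs seen on the wire.
REQUEST_COMMANDS = {"put": "STOR", "get": "RETR", "appe": "APPE", "dele": "DELE",
                    "mkd": "MKD", "rmd": "RMD", "rnfr": "RNFR", "rnto": "RNTO",
                    "site": "SITE", "stou": "STOU", "cdup": "CDUP", "help": "HELP"}
# Commands whose argument is a file name; used by the File Name / File Type checks.
FILE_COMMANDS = {"STOR", "RETR", "APPE", "DELE", "STOU", "RNFR", "RNTO"}


@dataclass
class FtpRule:
    criterion: str   # request-command | filename | filetype | server | username
    pattern: str     # command name for request-command, a regex otherwise
    action: str = "reset"


@dataclass
class FtpSession:
    server_banner: str = ""          # first 220 reply, used by the Server check
    username: Optional[str] = None   # from USER, used by the Username check


def rule_matches(rule: FtpRule, s: FtpSession, verb: str, arg: str) -> bool:
    if rule.criterion == "request-command":
        return verb == REQUEST_COMMANDS.get(rule.pattern.lower(), rule.pattern.upper())
    if rule.criterion == "username":
        return s.username is not None and re.search(rule.pattern, s.username) is not None
    if rule.criterion == "server":
        return re.search(rule.pattern, s.server_banner) is not None
    if verb not in FILE_COMMANDS:
        return False
    if rule.criterion == "filename":
        return re.search(rule.pattern, arg) is not None
    if rule.criterion == "filetype":
        ext = arg.rsplit(".", 1)[1].lower() if "." in arg else ""
        return re.search(rule.pattern, ext) is not None
    return False


def inspect_ftp(lines: List[str], rules: List[FtpRule]) -> List[Tuple[str, str, str]]:
    """Return (client line, criterion, action) for every client command that hit a rule.

    Lines that start with a three-digit code are server replies; all others are
    client commands. The first matching rule decides, as in an ordered match table.
    """
    s = FtpSession()
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        if line[:3].isdigit():
            if line.startswith("220") and not s.server_banner:
                s.server_banner = line
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            s.username = arg
        for rule in rules:
            if rule_matches(rule, s, verb, arg):
                hits.append((line, rule.criterion, rule.action))
                break
    return hits


# Constructed transcript: anonymous login, one upload, one download, one delete.
TRANSCRIPT = [
    "220 files.example.net FTP server ready",
    "USER anonymous",
    "331 Password required",
    "PASS guest@example.org",
    "230 Logged in",
    "TYPE I",
    "STOR upload.exe",
    "RETR readme.txt",
    "DELE old.log",
    "QUIT",
]

if __name__ == "__main__":
    no_uploads = [FtpRule("request-command", "put"), FtpRule("request-command", "dele"),
                  FtpRule("filetype", r"^(exe|dll)$")]
    print(inspect_ftp(TRANSCRIPT, no_uploads))
```

Note that a Username or Server rule matches every command for the rest of the session once the USER command or the banner has been seen, which is why such rules are normally combined with a command or file-name condition in the same map.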
Understanding GTP Policy Maps
The GPRS Tunnel Protocol (GTP) provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet. GTP uses a tunneling mechanism to provide a service for carrying user data packets.
A GTP map object lets you change the default configuration values used for GTP application inspection. The GTP Map object page lets you create, view, and manage GTP inspect maps. GTP is a relatively new protocol designed to provide security for wireless connections to TCP/IP networks, such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.
After a configuration is generated for the device, the gtp-map command is shown.
Note
GTP inspection requires a special license. If the gtp-map command is entered on a security appliance without the required license, the security appliance displays an error message.
From the GTP Maps page, you can create, view, and manage GTP inspect maps.
Related Topics
• Creating GTP Map Objects
• Understanding Inspection Map Objects
• GTP Maps Page, page F-269
Creating GTP Map Objects
Before You Begin
• Read and understand Guidelines for Managing Objects.
Related Topics
• GTP Maps Page, page F-269
• Understanding GTP Policy Maps
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > GTP Maps.
The GTP Maps page appears. For a description of the GUI elements, see Table F-167 on page F-270.
Step 3
Right-click inside the work area, then select New Object.
The Add GTP Map dialog box appears. For a description of the GUI elements, see Table F-168 on page F-272.
Note
The Parameters tab opens by default the first time the dialog box is accessed.
Step 4
Enter the name of the object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the GTP Maps table.
Step 6
(Optional) Configure Country and Network Code settings.
a. Right-click inside the table, then click Add Row.
b. Enter the Mobile Country Code and Mobile Network Code. For a description of the GUI elements, see Table F-170 on page F-276.
c. Click OK.
The Add Country and Network Codes dialog box closes and you return to the Add GTP Map dialog box.
Step 7
(Optional) To permit GTP responses from a GSN that is different from the one to which the response was sent, complete the Permit Response table.
a. Right-click inside the table, then click Add Row.
The Add Permit Response dialog box appears. For a description of the GUI elements, see Table F-171 on page F-277.
b. Enter the To Object Group name and From Object Group name.
c. Click OK.
The Add Permit Response dialog box closes and you return to the Add GTP Map dialog box.
Step 8
Enter the request queue, which specifies the maximum requests allowed in the queue.
Step 9
Enter the tunnel limit, which specifies the maximum number of tunnels allowed.
Step 10
(Optional) Select Permit Errors, which permits packets with errors or different GTP versions that are invalid or that encountered an error during inspection to be sent through the security appliance instead of being dropped.
Step 11
Click Edit Timeouts.
The GTP Timeouts dialog box appears. For a description of the GUI elements, see Exclusive Domain Name Dialog Box, page J-132.
Step 12
Enter the appropriate values.
Step 13
Click OK.
The GTP Timeouts dialog box closes and you return to the Add GTP Map dialog box.
Step 14
Click the Match Conditions and Actions tab to configure the values for match criterion.
a. Right-click inside the table, then select Add Row.
The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-173 on page F-279.
b. Configure values for match criterion. Options are:
• Access Point Name—Defines the access points to drop when GTP application inspection is enabled. For a description of the GUI elements, see Table F-174 on page F-281.
• Message ID—Specifies the numeric identifier for the message that you want to drop. For a description of the GUI elements, see Table F-175 on page F-283.
• Message Length—Changes the default for the maximum message length for the UDP payload that is allowed. For a description of the GUI elements, see Table F-176 on page F-284.
• Version—Specifies the GTP version for messages that you want to drop. For a description of the GUI elements, see Table F-177 on page F-285.
c. Click OK to save your changes.
The Match Condition and Action dialog box closes and you return to the Add GTP Map dialog box.
Step 15
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 16
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not automatically recognize override values to use; however, before you can set the override values, you must first save the policy object.
Step 17
(Optional) Select platform information for which to perform validation, then click Validate to initialize the validation process.
Step 18
Click OK to save your changes.
The Add GTP Map dialog box closes and you return to the GTP Maps page. The new object is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
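The Version, Message ID and Message Length match conditions and the Permit Errors parameter from the GTP procedure above, applied to constructed GTP packets, as an added example (not Security Manager or appliance code). It decodes only the header fields that GTPv0 and GTPv1 share; tunnel counting, timeouts and Access Point Name decoding are not modelled, and the limits and packets are constructed values.

```python
"""Toy GTP header inspection.

Added example, not Security Manager or appliance code. Limits and sample
packets are constructed; tunnel counting, timeouts and APN matching are not modelled.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# GTPv1 message types used by the constructed samples (3GPP TS 29.060 values).
ECHO_REQUEST, ECHO_RESPONSE, CREATE_PDP_REQ, G_PDU = 1, 2, 16, 255


@dataclass
class GtpMap:
    max_message_length: int = 1460                                     # Message Length (UDP payload bytes)
    drop_message_ids: Set[int] = field(default_factory=set)            # Message ID
    allowed_versions: Set[int] = field(default_factory=lambda: {1})    # Version
    permit_errors: bool = False                                        # Parameters tab: Permit Errors


@dataclass
class GtpHeader:
    version: int
    message_type: int
    length: int            # length field as carried in the header
    teid: Optional[int]    # GTPv1 only


def parse_gtp_header(payload: bytes) -> Optional[GtpHeader]:
    """Decode the fields shared by GTPv0 and GTPv1; None if truncated or inconsistent."""
    if len(payload) < 8:
        return None
    flags, msg_type, length = struct.unpack("!BBH", payload[:4])
    version = flags >> 5                        # top three bits of the first octet
    if version == 0:
        if len(payload) < 20:                   # GTPv0 carries a fixed 20-octet header
            return None
        return GtpHeader(0, msg_type, length, None)
    if version == 1:
        teid = struct.unpack("!I", payload[4:8])[0]
        if 8 + length != len(payload):          # length counts everything after the 8 mandatory octets
            return None
        return GtpHeader(1, msg_type, length, teid)
    return GtpHeader(version, msg_type, length, None)   # unknown version: let the map decide


def inspect_gtp(payload: bytes, m: GtpMap) -> Tuple[str, str]:
    """Return (verdict, reason) for one UDP payload on the GTP port."""
    hdr = parse_gtp_header(payload)
    if hdr is None:
        return ("permit", "malformed-permitted") if m.permit_errors else ("drop", "malformed")
    if hdr.version not in m.allowed_versions:
        reason = f"version-{hdr.version}"
        return ("permit", reason + "-permitted") if m.permit_errors else ("drop", reason)
    if len(payload) > m.max_message_length:
        return "drop", "message-length"
    if hdr.message_type in m.drop_message_ids:
        return "drop", f"message-id-{hdr.message_type}"
    return "permit", "ok"


def build_gtpv1(msg_type: int, teid: int, body: bytes = b"") -> bytes:
    """Constructed GTPv1 message: flags 0x30 = version 1, PT=1, no optional fields."""
    return struct.pack("!BBHI", 0x30, msg_type, len(body), teid) + body


# Constructed sample packets.
ECHO = build_gtpv1(ECHO_REQUEST, 0)
OVERSIZED = build_gtpv1(G_PDU, 0x1234, b"\x00" * 2000)
TRUNCATED = b"\x30\x01"
BAD_LENGTH = struct.pack("!BBHI", 0x30, ECHO_REQUEST, 99, 0)      # claims 99 octets that are not there
GTPV2 = bytes([0x48, ECHO_REQUEST, 0, 4, 0, 0, 0, 0])            # version bits 010
GTPV0_ECHO = bytes([0x1e, ECHO_REQUEST]) + struct.pack("!H", 0) + b"\x00" * 16

if __name__ == "__main__":
    for pkt in (ECHO, OVERSIZED, TRUNCATED, BAD_LENGTH, GTPV2, GTPV0_ECHO):
        print(inspect_gtp(pkt, GtpMap()))
```

Permit Errors is the setting to watch: with it selected, truncated and unknown-version packets are forwarded rather than dropped, so the map's Version and length checks no longer protect the GSNs behind the appliance.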
Understanding H.323 Policy Maps
H.323 inspection supports H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the security appliance supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the security appliance. The two major functions of H.323 inspection are as follows:
• NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.
• Dynamically allocate the negotiated H.245 and RTP/RTCP connections.
From the H.323 Maps page, you can create, view, and manage H.323 inspect maps.
Related Topics
• Creating H.323 Map Objects
• Understanding Inspection Map Objects
• Table F-178 on page F-287
Creating H.323 Map Objects
An H.323 policy map lets you change the default configuration values used for H.323 inspection.
Related Topics
• Understanding Inspection Map Objects
• Understanding H.323 Policy Maps
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > H.323 Maps.
The H.323 Maps page appears. For a description of the GUI elements, see Table F-178 on page F-287.
Step 3
Right-click inside the work area, then select New Object.
The Add H.323 Map dialog box appears. For a description of the GUI elements, see Table F-179 on page F-288.
Step 4
Enter the name of the H.323 Map object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the H.323 Maps table.
Step 6
Configure values for parameters. For a description of the GUI elements, see Table F-180 on page F-290.
a. Right-click inside the table, then select Add Row.
The Add HSI Group dialog box appears.
b. Enter the Group ID.
c. Enter the IP address of the HSI host.
d. Right-click inside the table, then select Add Row.
The Add HSI Endpoint IP Address dialog box appears.
e. Enter the IP address of the HSI host.
f. Enter the endpoint interface number of the HSI host.
g. Click OK.
The Add HSI Endpoint IP Address dialog box closes.
h. Click OK again.
The Add HSI Group dialog box closes.
Step 7
Click the Match Condition and Action tab to configure the values for match criterion. For a description of the GUI elements, see Table F-128 on page F-212.
a. Right-click inside the table, then select Add Row.
b. The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-183 on page F-292.
Step 8
If you select Use Specified Values as your match type, select the criterion. Options are:
• Called Party—For a description of the GUI elements, see Table F-184 on page F-293.
• Calling Party—For a description of the GUI elements, see Table F-185 on page F-295.
• Media Type—For a description of the GUI elements, see Table F-186 on page F-296.
Step 9
If you select Use Values in Class Map as your match type:
a. Enter the name of the class map or click Select, which opens the H.323 Class Map Selector from which to make your selection.
b. Select the action to be performed when the criteria are met.
Step 10
Click OK to save your changes.
The Add Match Condition and Action dialog box closes and you return to the Add H.323 Map dialog box.
Step 11
(Optional) Select a category from the list to help you identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not automatically define override values to use; however, before you can set the override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add H.323 Map dialog box closes and you return to the H.323 Maps page. The new map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding HTTP Policy Map Objects
An HTTP map object lets you change the default configuration values used for HTTP application inspection. An HTTP Map object defines different HTTP packet criteria to be inspected, as well as the action to be taken when the criteria are met. The HTTP Map object only defines general HTTP protocol-related parameters; it is not specific to any particular traffic flow. This ensures that the same HTTP Map object can be reused for different devices or different traffic flow within a single device.
The enhanced HTTP inspection feature, also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined and supported extension methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.
Note
When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled.
In many cases, you can configure the criteria and how the security appliance responds when the criteria are not met. The criteria that you can apply to HTTP messages include the following:
• Does not include any method on a configurable list.
• Message body size is within configurable limits.
• Request and response message header size is within a configurable limit.
• URI length is within a configurable limit.
• Content-type in the message body matches the header.
• Content-type in the response message matches the accept-type field in the request message.
• Content-type in the message is included in a predefined internal list.
• Message meets HTTP RFC format criteria.
• Presence or absence of selected supported applications.
• Presence or absence of selected encoding types.
Note
The actions you can specify for messages that fail the criteria set using the different configuration commands include allow, reset, or drop. In addition to these actions, you can specify to log the event or not.
From the HTTP Maps page, you can create, view, and manage HTTP inspect maps.
Related Topics
• Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS)
• Creating HTTP Map Objects (ASA 7.2/PIX 7.2)
Creating HTTP Map Objects (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS)
Before You Begin
• Read and understand Guidelines for Managing Objects.
Related Topics
• HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS) Page, page F-297
• Understanding HTTP Policy Map Objects
• Configuring the General Tab
• Configuring the Entity Length Tab
• Configuring the RFC Request Method Tab
• Configuring the Extension Request Method Tab
• Configuring the Port Misuse Tab
• Configuring the Transfer Encoding Tab
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS).
The HTTP Maps page appears. For a description of the GUI elements, see Table F-188 on page F-299.
Step 3
Right-click inside the work area, then select New Object.
The Add HTTP Map dialog box appears. For a description of the GUI elements, see Table F-189 on page F-301.
Step 4
Configure settings for any of the following:
• General tab—For a description of the GUI elements, see Table F-190 on page F-303.
• Entity Length tab—For a description of the GUI elements, see Table F-191 on page F-305.
• RFC Request Method tab—For a description of the GUI elements, see Table F-192 on page F-308.
• Extension Request Method tab—For a description of the GUI elements, see Table F-193 on page F-310.
• Port Misuse tab—For a description of the GUI elements, see Table F-194 on page F-313.
• Transfer Encoding tab—For a description of the GUI elements, see Table F-195 on page F-316.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Configuring the General Tab
The General tab lets you define the action taken when non-compliant HTTP requests are received and to enable verification of content type. For a description of the GUI elements, see Table F-190 on page F-303.
Related Topics
• Add and Edit HTTP Map > General Tab, page F-302
• Understanding HTTP Policy Map Objects
Step 1
Enter the name of the object.
Step 2
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the HTTP Maps table.
Step 3
(Optional) Select Take action for non-RFC 2616 compliant traffic, which specifies the action taken by the security appliance when it receives traffic that fails to comply with RFC 2616.
Step 4
Select the action taken when a message fails the inspection.
Step 5
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives a packet that uses a non-compliant method.
Step 6
(Optional) Select Verify Content-type field belongs to the supported internal content-type list, which enables content verification based on comparing the content type field in the HTTP response to the preconfigured list of supported content types.
Step 7
(Optional) Select Verify Content-type field for response matches the ACCEPT field of request, which enables content verification based on comparing the content type field in the HTTP response to the type specified in the Accept field in the HTTP request.
Step 8
Select the action taken when a message fails the inspection.
Step 9
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives a packet that uses a non-compliant method.
Step 10
(Optional) Select Override Global TCP Idle Timeout (IOS only) to change the TCP idle timeout setting, then enter the new timeout value in the field provided.
Step 11
(Optional) Select Override Global Audit Trail Setting (IOS only) to change the audit trail setting.
Step 12
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 13
Click OK to save your changes and close the dialog box, or select another tab.
Note
Settings are not saved to the database until you click OK.
Configuring the Entity Length Tab
The Entity Length tab lets you define the permitted lengths for the URI, HTTP header, and HTTP body. For a description of the GUI elements, see Table F-189 on page F-301.
Related Topics
• Add and Edit HTTP Map > Entity Length Tab, page F-304
• Understanding HTTP Policy Map Objects
Step 1
Enter the name of the object.
Step 2
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the HTTP Maps table.
Step 3
(Optional) Select Inspect URI Length, which causes the security appliance to inspect the length of the URI in each HTTP request.
Step 4
Enter the maximum number of bytes allowed for the length of the HTTP request URI.
Step 5
Select the action that the security appliance should take when inspection for the URI length fails.
Step 6
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives the HTTP request with a URI that exceeds the permitted maximum length.
Step 7
(Optional) Select Inspect Maximum Header Length, which causes the security appliance to inspect the length of the header in each HTTP request or response.
Step 8
Enter the request bytes, which specifies the maximum number of bytes allowed for the length of the header in the HTTP request.
Step 9
Enter the response bytes, which specifies the maximum number of bytes allowed for the length of the header in the HTTP response.
Step 10
Select the action that the security appliance should take when inspection for the HTTP header length fails.
Step 11
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives the HTTP request with a header that exceeds the permitted maximum length.
Step 12
(Optional) Select Inspect Body Length, which causes the security appliance to check that the size of the HTTP message body is within the configured limits.
Step 13
Enter the minimum and maximum threshold values in bytes.
Step 14
Select the action that the security appliance should take when inspection for the body length fails.
Step 15
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message when it receives the HTTP request with a body length that exceeds the permitted threshold values.
Step 16
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 17
Click OK to save your changes and close the dialog box, or select another tab.
Note
Settings are not saved to the database until you click OK.
Configuring the RFC Request Method Tab
The RFC Request Method tab lets you define the action that the security appliance should take when specific request methods are used in the HTTP request. For a description of the GUI elements, see Table F-190 on page F-303.
Related Topics
• Add and Edit HTTP Map > RFC Request Method Tab, page F-307
• Understanding HTTP Policy Map Objects
Step 1
Enter the name of the object.
Step 2
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the HTTP Maps table.
Step 3
Select from the list of available methods to specify when you want the security appliance to take different actions in response to HTTP requests using different methods.
Step 4
Select the action that the security appliance should take when it receives an HTTP message containing the selected method. Each of the selected methods can have a separate action.
Step 5
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. You can specify a different option for each selected method.
Step 6
Click >>. The method selected, along with action and syslog information, is displayed in the table.
Timesaver
You can select multiple methods at a time if the action and syslog requests are the same for each.
Step 7
Select Specify the action to be applied for the remaining available methods above to inspect packets for all other methods by using a default action.
Note
If you do not set a default action, packet inspection is performed only for the specific methods selected in Step 3.
Step 8
Select the action that the security appliance should take when it receives the HTTP request containing any method that is not included in the method table.
Step 9
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. You can specify a different option for each selected method. To generate a syslog message, select the check box.
Step 10
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 11
Click OK to save your changes and close the dialog box, or select another tab.
Note
Settings are not saved to the database until you click OK.
Configuring the Extension Request Method Tab
The Extension Request Method tab lets you define the action taken when specific extension request methods are used in the HTTP request. For a description of the GUI elements, see Table F-191 on page F-305.
Related Topics
• Add and Edit HTTP Map > Extension Request Method Tab, page F-310
• Understanding HTTP Policy Map Objects
Step 1
Enter the name of the object.
Step 2
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the HTTP Maps table.
Step 3
Select from the list of available methods to specify when you want the security appliance to inspect packets for specific methods only.
Step 4
Select the action that the security appliance should take when it receives an HTTP message containing the selected method. Each selected method can have a separate action.
Step 5
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. You can specify a different option for each selected method.
Step 6
Click >>. The method selected, along with action and syslog information, is displayed in the table.
Timesaver
You can select multiple methods at a time if the action and syslog requests are the same for each.
Step 7
Select Specify the action to be applied for the remaining available methods above to inspect packets for all other methods by using a default action.
Note
If you do not set a default action, packet inspection is performed only for the specific methods selected in Step 3.
Step 8
Select the action taken by the security appliance when it receives the HTTP request containing any method that is not included in the method table.
Step 9
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. You can specify a different option for each selected method.
Step 10
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 11
Click OK to save your changes and close the dialog box, or select another tab.
Note
Settings are not saved to the database until you click OK.
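The checks listed under Understanding HTTP Policy Map Objects, as set on the General, Entity Length, RFC Request Method and Extension Request Method tabs above, applied to constructed raw requests, as an added example (not Security Manager or appliance code). The "supported internal content-type list", the per-method action tables, the limits and the sample requests are all this example's stand-ins; port-misuse and transfer-encoding detection are not modelled.

```python
"""Toy HTTP application-firewall evaluator.

Added example, not Security Manager or appliance code. The content-type list,
method tables, limits and sample requests are constructed stand-ins.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Action = Tuple[str, bool]   # ("allow" | "drop" | "reset", generate syslog)
SEVERITY = {"allow": 0, "drop": 1, "reset": 2}
RFC_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
SUPPORTED_CONTENT_TYPES = {"text/html", "text/plain", "application/json",
                           "application/x-www-form-urlencoded", "image/png"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")   # strict RFC 2616 request line


@dataclass
class HttpMap:
    strict_action: Action = ("reset", True)                   # General: non-RFC 2616 traffic
    verify_content_type_list: Optional[Action] = None         # General: internal list check
    verify_accept: Optional[Action] = None                    # General: response vs. Accept
    max_uri: Optional[Tuple[int, Action]] = None              # Entity Length: URI bytes
    max_request_header: Optional[Tuple[int, Action]] = None   # Entity Length: request header bytes
    body_range: Optional[Tuple[int, int, Action]] = None      # Entity Length: body min/max bytes
    rfc_methods: Dict[str, Action] = field(default_factory=dict)   # RFC Request Method table
    rfc_default: Optional[Action] = None                      # action for remaining RFC methods
    ext_methods: Dict[str, Action] = field(default_factory=dict)   # Extension Request Method table
    ext_default: Optional[Action] = None                      # action for remaining extension methods


@dataclass
class Finding:
    check: str
    action: str
    log: bool


def parse_request(raw: bytes):
    """Return (request line, lower-cased header dict, header bytes, body) or None if unparseable."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        name, colon, value = h.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, len(head) + 4, body


def accepts(media_range: str, ctype: str) -> bool:
    if media_range == "*/*":
        return True
    if media_range.endswith("/*"):
        return ctype.split("/")[0] == media_range.split("/")[0]
    return media_range == ctype


def inspect_request(raw: bytes, m: HttpMap,
                    response_content_type: Optional[str] = None) -> Tuple[str, List[Finding]]:
    """Evaluate one request; returns the most severe action and every check that fired."""
    findings: List[Finding] = []

    def fail(check: str, act: Action) -> None:
        findings.append(Finding(check, act[0], act[1]))

    parsed = parse_request(raw)
    rl = REQUEST_LINE.match(parsed[0]) if parsed else None
    if not rl:                                   # strict HTTP inspection failed
        fail("non-rfc2616-compliant", m.strict_action)
        return m.strict_action[0], findings
    method, uri = rl.group(1), rl.group(2)
    _, headers, header_bytes, body = parsed
    # RFC 2616 methods and extension methods each have their own table and default action.
    table, default = ((m.rfc_methods, m.rfc_default) if method in RFC_METHODS
                      else (m.ext_methods, m.ext_default))
    act = table.get(method, default)
    if act is not None and (act[0] != "allow" or act[1]):
        fail(f"method:{method}", act)
    if m.max_uri and len(uri) > m.max_uri[0]:
        fail("uri-length", m.max_uri[1])
    if m.max_request_header and header_bytes > m.max_request_header[0]:
        fail("request-header-length", m.max_request_header[1])
    if m.body_range and not m.body_range[0] <= len(body) <= m.body_range[1]:
        fail("body-length", m.body_range[2])
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if m.verify_content_type_list and ctype and ctype not in SUPPORTED_CONTENT_TYPES:
        fail("content-type-not-supported", m.verify_content_type_list)
    if m.verify_accept and response_content_type:
        ranges = [r.split(";")[0].strip().lower() for r in headers.get("accept", "*/*").split(",")]
        if not any(accepts(r, response_content_type.lower()) for r in ranges):
            fail("response-content-type-vs-accept", m.verify_accept)
    overall = max((f.action for f in findings), key=SEVERITY.__getitem__, default="allow")
    return overall, findings


# Constructed map and requests.
EXAMPLE_MAP = HttpMap(
    verify_content_type_list=("drop", True), verify_accept=("reset", True),
    max_uri=(256, ("reset", True)), max_request_header=(4096, ("reset", True)),
    body_range=(0, 1024, ("drop", True)),
    rfc_methods={"GET": ("allow", False), "HEAD": ("allow", False), "POST": ("allow", False)},
    rfc_default=("reset", True), ext_default=("drop", True))
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n\r\n"
TRACE = b"TRACE /debug HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LONG_URI = b"GET /" + b"a" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
MALFORMED = b"GET /index.html\r\nHost: www.example.com\r\n\r\n"     # request line lacks HTTP version
WEBDAV = b"PROPFIND /share HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_TYPE = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Type: application/x-unknown\r\nContent-Length: 3\r\n\r\nabc")

if __name__ == "__main__":
    for req in (GOOD, TRACE, LONG_URI, MALFORMED, WEBDAV, BAD_TYPE):
        verdict, found = inspect_request(req, EXAMPLE_MAP)
        print(verdict, [f.check for f in found])
```

Two points the GUI steps imply but do not spell out are visible here: a method that is not in either table is not inspected at all unless a default action is set (rfc_default / ext_default), and the Accept check needs the response content type, so it can only run once the reply arrives.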
Configuring the Port Misuse Tab
The Port Misuse tab lets you enable application firewall inspection. For a description of the GUI elements, see Table F-192 on page F-308.
Related Topics
• Add and Edit HTTP Map > Port Misuse Tab, page F-312
• Understanding HTTP Policy Map Objects
Step 1
Enter the name of the object.
Step 2
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the HTTP Maps table.
Step 3
Select from the list of available categories the ones for which you want the security appliance to take a specific action in response to HTTP requests.
Step 4
Select the action taken by the security appliance when it receives the HTTP request containing one of the categories in the category table.
Step 5
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message if the HTTP message includes any category in the category table.
Step 6
Click >>. The category is moved to the table and the action and syslog information is displayed.
Timesaver
You can select multiple categories at a time if the action and syslog requests are the same for each.
Step 7
Select Specify the action to be applied for the remaining available categories above to inspect packets for all other categories by using a default action.
Note
If you do not set a default action, packet inspection is performed only for the specific categories selected in Step 3.
Step 8
Select the action taken by the security appliance when it receives the HTTP request containing any category that is not in the category table.
Step 9
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. You can specify a different option for each of the selected categories.
Step 10
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 11
Click OK to save your changes and close the dialog box, or select another tab.
Note
Settings are not saved to the database until you click OK.
Configuring the Transfer Encoding Tab
The Transfer Encoding tab lets you define the action that the security appliance should take when specific transfer encoding types are used in the HTTP request. For a description of the GUI elements, see Table F-193 on page F-310.
Related Topics
•
Understanding Inspection Map Objects
•
Understanding HTTP Policy Map Objects
Step 1
Enter the name of the object.
Step 2
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the HTTP Maps table.
Step 3
Select from the list of available transfer encoding types that you can specify when you want the security appliance to take different actions in response to HTTP requests using different transfer encoding types.
Step 4
Select the action taken by the security appliance when it receives the HTTP request containing one of the transfer encoding types in the transfer encoding type table.
Step 5
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message if the HTTP message includes any transfer encoding type in the transfer encoding type table.
Step 6
Click >>. The transfer encoding type is moved to the table and the action and syslog information is displayed.
Timesaver
You can select multiple transfer encoding types at a time if the action and syslog requests are the same for each.
Step 7
Select Specify the action to be applied for the remaining available encoding types above to inspect packets for all other transfer encoding types by using a default action.
Note
If you do not set a default action, packet inspection is performed only for the specific transfer encoding types selected in Step 3.
Step 8
Select the action taken by the security appliance when it receives the HTTP request containing any transfer encoding type that is not included in the transfer encoding type table.
Step 9
(Optional) Select Generate Syslog, which causes the security appliance to generate a syslog message. You can specify a different option for each selected transfer encoding type.
Step 10
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 11
Click OK to save your changes and close the dialog box, or select another tab.
Note
Settings are not saved to the database until you click OK.
Creating HTTP Map Objects (ASA 7.2/PIX 7.2)
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
•
Understanding HTTP Policy Map Objects
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > HTTP Maps (ASA 7.2/PIX 7.2).
The HTTP Maps page appears. For a description of the GUI elements, see Table F-196 on page F-319.
Step 3
Right-click inside the work area, then select New Object.
The Add HTTP Map dialog box appears. For a description of the GUI elements, see Table F-197 on page F-320.
Step 4
Enter a name for the object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the HTTP Maps table.
Step 6
Complete the information in the Parameters tab. For a description of the GUI elements, see Table F-198 on page F-322.
Note
The Parameters tab opens by default the first time the dialog box is accessed.
Step 7
Click the Match Condition and Action tab to configure the values for match criterion. For a description of the GUI elements, see Table F-199 on page F-324.
a.
Right-click inside the table, then select Add Row.
The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-200 on page F-326.
b.
Select the match type from the list.
•
If you select Use Specified Values as your match type, you can select a criterion from the list. The dialog box values vary based on your criterion selection. Go to Step 8.
•
If you select Use Values in Class Map as your match type, you can enter a class map name. Go to Step 9.
Step 8
If you select Use Specified Values as your match type, select the criterion. Options are:
•
Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request. For a description of the GUI elements, see Table F-201 on page F-330.
•
Request Arguments—Applies the regular expression match to the arguments of the request. For a description of the GUI elements, see Table F-202 on page F-332.
•
Request Body—Applies the regular expression match to the body of the request. For a description of the GUI elements, see Table F-203 on page F-333.
•
Request Body Length—Applies the regular expression match to the body of the request with field length greater than the bytes specified. For a description of the GUI elements, see Table F-204 on page F-335.
•
Request Header Count—Applies the regular expression match to the header of the request with a maximum number of headers. For a description of the GUI elements, see Table F-205 on page F-336.
•
Request Header Length—Applies the regular expression match to the header of the request with length greater than the bytes specified. For a description of the GUI elements, see Table F-206 on page F-338.
•
Request Header Field—Applies the regular expression match to the header of the request. For a description of the GUI elements, see Table F-207 on page F-339.
•
Request Header Field Count—Applies the regular expression match to the header of the request with a maximum number of header fields. For a description of the GUI elements, see Table F-208 on page F-342.
•
Request Header Field Length—Applies the regular expression match to the header of the request with field length greater than the bytes specified. For a description of the GUI elements, see Table F-209 on page F-344.
•
Request Header Content Type—For a description of the GUI elements, see Table F-210 on page F-346.
•
Request Header Transfer Encoding—For a description of the GUI elements, see Table F-211 on page F-348.
•
Request Header Non-ASCII—Matches non-ASCII characters in the header of the request. See Table F-212 on page F-350.
•
Request Method—Applies the regular expression match to the method of the request. For a description of the GUI elements, see Table F-213 on page F-351.
•
Request URI—Applies the regular expression match to the URI of the request. For a description of the GUI elements, see Table F-214 on page F-353.
•
Request URI Length—Applies the regular expression match to the URI of the request with length greater than the bytes specified. For a description of the GUI elements, see Table F-215 on page F-355.
•
Response Body ActiveX—Specifies to match on ActiveX. For a description of the GUI elements, see Table F-216 on page F-356.
•
Response Body Java Applet—Specifies to match on a Java Applet. For a description of the GUI elements, see Table F-217 on page F-357.
•
Response Body—Applies the regular expression match to the body of the response. For a description of the GUI elements, see Table F-218 on page F-358.
•
Response Body Length—Applies the regular expression match to the body of the response with field length greater than the bytes specified. For a description of the GUI elements, see Table F-219 on page F-360.
•
Response Header Count—Applies the regular expression match to the header of the response with a maximum number of headers. For a description of the GUI elements, see Table F-220 on page F-361.
•
Response Header Length—Applies the regular expression match to the header of the response with length greater than the bytes specified. For a description of the GUI elements, see Table F-221 on page F-363.
•
Response Header Field—Applies the regular expression match to the header of the response. For a description of the GUI elements, see Table F-222 on page F-364.
•
Response Header Field Count—Applies the regular expression match to the header of the response with a maximum number of header fields. For a description of the GUI elements, see Table F-223 on page F-366.
•
Response Header Field Length—Applies the regular expression match to the header of the response with field length greater than the bytes specified. For a description of the GUI elements, see Table F-224 on page F-368.
•
Response Header Content Type—For a description of the GUI elements, see Table F-225 on page F-370.
•
Response Header Transfer Encoding—For a description of the GUI elements, see Table F-226 on page F-372.
•
Response Header Non-ASCII—Matches non-ASCII characters in the header of the response. For a description of the GUI elements, see Table F-227 on page F-374.
•
Response Status Line—Applies the regular expression match to the status line. For a description of the GUI elements, see Table F-228 on page F-376.
When completed, go to Step 10.
Step 9
If you select Use Values in Class Map as your match type:
a.
Enter the name of the class map or click Select, which opens the class map selector from which to make your selection.
b.
Select the action to be performed when the criteria are met.
Step 10
Click OK to save your changes.
The Add Match Condition and Action dialog box closes and you return to the Add HTTP Map dialog box. The new information is shown in the table.
Step 11
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not by itself define any override values; before you can set override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add HTTP Map dialog box closes and you return to the HTTP Maps (ASA 7.2/PIX 7.2) page. The new information is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
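The Step 8 criteria are conditions evaluated against the request and response rather than GUI controls. The following added example (not Security Manager or ASA code) implements a handful of them in Python over a constructed request/response pair; the field names, thresholds and sample messages are assumptions.

```python
"""Added illustration of several HTTP map match criteria from Step 8.
Not Security Manager or ASA code: field names, thresholds and the sample
messages below are constructed assumptions."""
import re


def parse_message(raw: bytes):
    """Split a raw HTTP message into (start line, [(name, value)...], body).
    Headers keep their order so repeated fields can be counted."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


# Each check returns True when the criterion matches, i.e. when the action
# configured for that match condition would be applied.

def request_header_count_exceeds(headers, limit):
    """Request Header Count: more header lines than limit."""
    return len(headers) > limit


def request_header_field_count_exceeds(headers, name, limit):
    """Request Header Field Count: the named field appears more than limit times."""
    return sum(1 for n, _ in headers if n.lower() == name.lower()) > limit


def request_uri_length_exceeds(start_line, limit):
    """Request URI Length: request-target longer than limit bytes."""
    parts = start_line.split(" ")
    return len(parts) > 1 and len(parts[1]) > limit


def request_uri_matches(start_line, pattern):
    """Request URI: regular expression search against the request-target."""
    parts = start_line.split(" ")
    return len(parts) > 1 and re.search(pattern, parts[1]) is not None


def header_has_non_ascii(headers):
    """Request/Response Header Non-ASCII: any byte above 0x7F in a name or value."""
    return any(ord(c) > 0x7F for n, v in headers for c in n + v)


def content_type_mismatch(req_headers, resp_headers):
    """Request/Response Content Type Mismatch: True when the response
    Content-Type is not covered by any MIME type in the request Accept field."""
    accept = ",".join(v for n, v in req_headers if n.lower() == "accept")
    ctype = next((v for n, v in resp_headers if n.lower() == "content-type"), "")
    if not accept or not ctype:
        return False  # nothing to compare, so no mismatch
    resp_type = ctype.split(";")[0].strip().lower()
    for item in accept.split(","):
        acc = item.split(";")[0].strip().lower()  # drop q= parameters
        if acc in ("*/*", resp_type):
            return False
        major, _, minor = acc.partition("/")
        if minor == "*" and resp_type.startswith(major + "/"):
            return False
    return True


# Constructed sample traffic, not captured from a real device.
SAMPLE_REQUEST = (
    b"GET /search?q=" + b"A" * 300 + b" HTTP/1.1\r\n"
    + b"Host: example.test\r\n"
    + b"Accept: text/html, application/xhtml+xml\r\n"
    + b"Cookie: a=1\r\nCookie: b=2\r\nCookie: c=3\r\n"
    + b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n\r\ndata"
)


def evaluate_sample():
    """Run the checks over the sample pair; keys are the Step 8 criterion names."""
    req_line, req_hdrs, _ = parse_message(SAMPLE_REQUEST)
    _, resp_hdrs, _ = parse_message(SAMPLE_RESPONSE)
    return {
        "Request Header Count": request_header_count_exceeds(req_hdrs, 4),
        "Request Header Field Count": request_header_field_count_exceeds(req_hdrs, "Cookie", 2),
        "Request URI Length": request_uri_length_exceeds(req_line, 256),
        "Request URI": request_uri_matches(req_line, r"\.\./"),
        "Request Header Non-ASCII": header_has_non_ascii(req_hdrs),
        "Request/Response Content Type Mismatch": content_type_mismatch(req_hdrs, resp_hdrs),
    }
```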
Understanding IM Map Objects
Instant Messaging, although a great tool, causes concern due to its use of clear text when conducting business and the potential for network attacks and the spreading of viruses. As a result, network administrators can block certain types of instant messages from occurring, while allowing others.
The IM map object lets you view previously configured Instant Messaging (IM) application inspection maps. An IM map lets you change the default configuration values used for IM application inspection.
IM application inspection provides detailed access control to control network usage. It also helps stop leakage of confidential data and propagation of network threats. A regular expression database search representing various patterns for IM protocols to be filtered is applied. A syslog is generated if the flow is not recognized.
The scope can be limited by using an access list to specify any traffic streams to be inspected. For UDP messages, a corresponding UDP port number is also configurable. Inspection of Yahoo! Messenger, MSN Messenger, and AOL instant messages is supported.
Related Topics
•
Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices
•
Creating IM Map Objects for IOS Devices
Creating IM Map Objects for ASA 7.2 and PIX 7.2 Devices
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
•
Creating IM Class Map Objects
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > IM Maps (ASA 7.2/PIX 7.2).
The IM Maps (ASA 7.2/PIX 7.2) page appears. For a description of the GUI elements, see Table F-230 on page F-378.
Step 3
Right-click inside the work area, then select New Object.
The Add IM Map dialog box appears. For a description of the GUI elements, see Table F-231 on page F-380.
Step 4
Enter the name of the map.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the IM Maps table.
Step 6
Right-click inside the table, then select Add Row.
The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-232 on page F-382.
Step 7
Select the match type from the list.
•
If you select Use Specified Values as your match type, you can select a criterion from the list. The dialog box values vary based on your criterion selection. Go to Step 8.
•
If you select Use Values in Class Map as your match type, you can enter a class map name. Go to Step 9.
Step 8
If you select Use Specified Values as your match type, select the criterion from the list, then complete the dialog box accordingly. Options are:
•
Filename—Matches the filename from the IM file transfer service. For a description of the GUI elements, see Table F-233 on page F-385.
•
Client IP Address—Matches a source IP address. For a description of the GUI elements, see Table F-234 on page F-386.
•
Client Login Name—Matches the client login name from the IM service. For a description of the GUI elements, see Table F-235 on page F-388.
•
Peer IP Address—Matches a destination IP address. For a description of the GUI elements, see Table F-236 on page F-389.
•
Peer Login Name—Matches the client peer login name from the IM service. For a description of the GUI elements, see Table F-237 on page F-390.
•
Protocol—Matches IM protocols. For a description of the GUI elements, see Table F-238 on page F-392.
•
Service—Matches IM services. For a description of the GUI elements, see Table F-239 on page F-393.
•
File Transfer Service Version—Matches the IM file transfer service version. For a description of the GUI elements, see Table F-240 on page F-395.
When completed, go to Step 10.
Step 9
If you select Use Values in Class Map as your match type:
a.
Enter the name of the class map or click Select, which opens the IM Class Map selector from which to make your selection.
b.
Select the action to be performed when the criteria are met.
Step 10
Click OK to save your changes.
The Add Match Condition and Action dialog box closes and you return to the Add IM Map dialog box. The new information is shown in the table.
Step 11
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 12
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not by itself define any override values; before you can set override values, you must first save the policy object.
Step 13
Click OK to save your changes.
The Add IM Map (ASA 7.2/PIX 7.2) dialog box closes and you return to the IM Maps (ASA 7.2/PIX 7.2) page. The new object is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Creating IM Map Objects for IOS Devices
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > IM Maps (IOS).
The IM Maps (IOS) page appears. For a description of the GUI elements, see Table F-242 on page F-398.
Step 3
Right-click inside the work area, then select New Object.
The Add IM Map (IOS) dialog box appears. For a description of the GUI elements, see Table F-243 on page F-399.
Note
The Yahoo tab opens by default the first time the dialog box is accessed.
Step 4
Enter the name of the map.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the IM Maps table.
Step 6
Complete the Add IM Map (IOS) dialog box. Options are:
•
Yahoo!—Matches Yahoo! Messenger instant messages. For a description of the GUI elements, see Table F-244 on page F-401.
•
MSN—Matches MSN Messenger instant messages. For a description of the GUI elements, see Table F-245 on page F-404.
•
AOL—Matches AOL instant messages. For a description of the GUI elements, see Table F-246 on page F-406.
Step 7
(Optional) Select a color from the Category list to help you readily identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 8
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not by itself define any override values; before you can set override values, you must first save the policy object.
Step 9
Click OK to save your changes.
The Add IM Map (IOS) dialog box closes and you return to the IM Maps page. The new object is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding IPsec Pass Through Policy Maps
The IPSec Pass Through inspection engine lets the security appliance pass ESP (IP protocol 50) and AH (IP protocol 51) traffic that is formed between two hosts because of successful IKE (UDP port 500) negotiation, without the requirement of specific ESP or AH access lists.
The inspection engine works on IKE UDP port 500 to create the control flow. The inspect ipsec-pass-thru command is attached to a UDP flow as defined in the MPF framework. When an ESP or AH packet between the two peers arrives at the device, or a UDP packet with either source or destination port equal to 500, the packet is sent to the inspect module.
The ESP or AH traffic is permitted by the inspection engine with the configured idle timeout if there is an existing control flow and it is within the connection limit defined in the MPF framework. A new control flow is created for IKE UDP port 500 traffic with the configured UDP idle timeout if there isn't one; otherwise the existing flow is used.
To ensure that the packet arrives at the inspection engine, a hole is punched for all such traffic (ESP and AH). This inspection is attached to the control flow. The control flow is present as long as there is at least one data flow (ESP or AH) established, and the traffic always flows on the same connection. Because this IKE connection is kept open as long as data flows, a rekey always succeeds. The flows are created regardless of whether NAT is applied.
Note
PAT is not supported.
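As an added illustration (not ASA code) of the control-flow logic described above, the following Python model creates an IKE control flow from UDP port 500 traffic, permits ESP/AH only while that control flow exists, keeps the control flow alive as long as a data flow is active, and enforces a connection limit. The peer addresses, timeouts and limit are constructed assumptions.

```python
"""Added model of the IPsec Pass Through inspection logic described above.
Simplified simulation for illustration, not ASA code: timeouts, the
connection limit and the packet fields are assumptions."""
from dataclasses import dataclass, field

IKE_PORT = 500
UDP, ESP, AH = 17, 50, 51


@dataclass
class Packet:
    src: str
    dst: str
    proto: int        # IP protocol number
    sport: int = 0    # UDP ports; only meaningful when proto == UDP
    dport: int = 0
    ts: float = 0.0   # arrival time in seconds


@dataclass
class ControlFlow:
    last_seen: float                                # last IKE packet for this peer pair
    data_flows: dict = field(default_factory=dict)  # (proto, src, dst) -> last seen


class IPsecPassThruInspector:
    """One control flow per unordered peer pair, created from UDP/500 traffic.
    ESP/AH is permitted only while the pair's control flow exists."""

    def __init__(self, udp_idle=60.0, esp_idle=600.0, max_conns=10):
        self.udp_idle = udp_idle    # UDP idle timeout of the IKE control flow
        self.esp_idle = esp_idle    # idle timeout applied to ESP/AH data flows
        self.max_conns = max_conns  # connection limit from the MPF framework
        self.control = {}

    def _expire(self, now):
        """Age out data flows; a control flow is removed only when its IKE side
        has been idle AND it no longer has any live data flow."""
        for key, cf in list(self.control.items()):
            cf.data_flows = {d: t for d, t in cf.data_flows.items()
                             if now - t <= self.esp_idle}
            if not cf.data_flows and now - cf.last_seen > self.udp_idle:
                del self.control[key]

    def handle(self, p: Packet) -> str:
        self._expire(p.ts)
        key = frozenset((p.src, p.dst))
        if p.proto == UDP and IKE_PORT in (p.sport, p.dport):
            cf = self.control.get(key)
            if cf is None:
                self.control[key] = ControlFlow(last_seen=p.ts)
            else:
                cf.last_seen = p.ts     # existing flow is reused (e.g. a rekey)
            return "PERMIT"
        if p.proto in (ESP, AH):
            cf = self.control.get(key)
            if cf is None:
                return "DROP"           # no IKE negotiation seen: no hole for ESP/AH
            dkey = (p.proto, p.src, p.dst)
            if dkey not in cf.data_flows and len(cf.data_flows) >= self.max_conns:
                return "DROP"           # connection limit reached
            cf.data_flows[dkey] = p.ts
            return "PERMIT"
        return "NOT_INSPECTED"          # other traffic is outside this inspection


def run_scenario():
    """Constructed timeline (addresses are documentation-range placeholders):
    ESP before IKE is dropped, ESP after IKE is permitted, the control flow
    outlives the UDP idle timer while ESP keeps flowing so a later rekey
    succeeds, and everything ages out once the data flow idles too."""
    insp = IPsecPassThruInspector(udp_idle=60, esp_idle=600, max_conns=10)
    a, b = "192.0.2.10", "203.0.113.5"
    return [
        insp.handle(Packet(a, b, ESP, ts=0)),              # DROP
        insp.handle(Packet(a, b, UDP, 500, 500, ts=1)),    # PERMIT, control flow created
        insp.handle(Packet(b, a, ESP, ts=2)),              # PERMIT
        insp.handle(Packet(a, b, ESP, ts=500)),            # PERMIT, IKE idle but data flow alive
        insp.handle(Packet(b, a, UDP, 500, 500, ts=501)),  # PERMIT, rekey on same control flow
        insp.handle(Packet(a, b, ESP, ts=2000)),           # DROP, both sides idled out
    ]
```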
Related Topics
•
Creating IPSec Pass Through Map Objects
•
Understanding Inspection Map Objects
•
IPsec Pass Through Maps Page, page F-408
Creating IPSec Pass Through Map Objects
An IPsec Pass Through policy map lets you change the default configuration values used for IPsec Pass Through inspection.
Related Topics
•
Understanding Inspection Map Objects
•
Understanding IPsec Pass Through Policy Maps
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > IPSec Pass Through Maps.
The IPSec Pass Through Maps page appears. For a description of the GUI elements, see Table F-247 on page F-409.
Step 3
Right-click inside the work area, then select New Object.
The Add IPSec Pass Through Map dialog box appears. For a description of the GUI elements, see Table F-248 on page F-411.
Step 4
Enter the name of the IPSec Pass Through Map object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the IPSec Maps table.
Step 6
Configure values for parameters. For a description of the GUI elements, see Table F-248 on page F-411.
Step 7
(Optional) Select a category from the list to help you identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 8
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not by itself define any override values; before you can set override values, you must first save the policy object.
Step 9
Click OK to save your changes.
The Add IPSec Pass Through Map dialog box closes and you return to the IPSec Pass Through Maps page. The new map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding NetBIOS Policy Maps
The NetBIOS inspection engine translates IP addresses in the NetBIOS name service (NBNS) packets according to the security appliance NAT configuration.
From the NetBIOS Maps page, you can create, view, and manage NetBIOS inspect maps.
Related Topics
•
Creating NetBIOS Map Objects
•
Understanding Inspection Map Objects
•
NetBIOS Maps Page, page F-412
Creating NetBIOS Map Objects
A NetBIOS policy map lets you change the default configuration values used for NetBIOS inspection.
Related Topics
•
Understanding Inspection Map Objects
•
Understanding NetBIOS Policy Maps
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > NetBIOS Maps.
The NetBIOS Maps page appears. For a description of the GUI elements, see Table F-249 on page F-413.
Step 3
Right-click inside the work area, then select New Object.
The Add NetBIOS Map dialog box appears. For a description of the GUI elements, see Table F-250 on page F-414.
Step 4
Enter the name of the NetBIOS Map object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the NetBIOS Maps table.
Step 6
Configure values for parameters.
Step 7
(Optional) Select a category from the list to help you identify the object when it appears in the object or rules tables. For more information, see Understanding Category Objects.
Step 8
(Optional) Select Allow Value Override per Device to allow the global properties of this object to be redefined on individual devices. For more information, see Allowing a Global Object to Be Overridden.
Note
Selecting this check box does not by itself define any override values; before you can set override values, you must first save the policy object.
Step 9
Click OK to save your changes.
The Add NetBIOS Map dialog box closes and you return to the NetBIOS Maps page. The new map is shown in the table.
You can now select override values for the policy object. For more information, see Managing Object Overrides.
Note
By default, Security Manager displays a warning if you define an object that matches an existing object. For more information, see Policy Objects Page, page A-42.
Understanding SIP Map Objects
A SIP map object lets you view previously configured SIP application inspection maps. A SIP map lets you change the default configuration values used for SIP application inspection.
SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats.
SIP application inspection provides address translation in message header and body, dynamic opening of ports and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.
Related Topics
•
Understanding Inspection Map Objects
•
Creating SIP Map Objects
Creating SIP Map Objects
Before You Begin
•
Read and understand Guidelines for Managing Objects.
Related Topics
•
Understanding Inspection Map Objects
•
Creating SIP Class Map Objects
Step 1
Select Tools > Policy Object Manager.
The Policy Object Manager window appears.
Step 2
From the Object Type selector, select Inspect Maps > Policy Maps > SIP Maps.
The SIP Maps page appears. For a description of the GUI elements, see Table F-251 on page F-416.
Step 3
Right-click inside the work area, then click New Object.
The Add SIP Map dialog box appears. For a description of the GUI elements, see Table F-252 on page F-418.
Step 4
Enter the name of the object.
Step 5
(Optional) Enter a description to help you identify the object. If a description is entered, an icon is displayed when you view the SIP Maps table.
Step 6
Complete the information in the Parameters tab. For a description of the GUI elements, see Table F-253 on page F-419.
Note
The Parameters tab opens by default the first time the dialog box is accessed.
Step 7
Click the Match Condition and Action tab to configure the values for match criterion.
a.
Right-click inside the table, then select Add Row.
The Add Match Condition and Action dialog box appears. For a description of the GUI elements, see Table F-254 on page F-422.
b.
Select the match type from the list.
•
If you select Use Specified Values as your match type, you can select a criterion from the list. The dialog box values vary based on your criterion selection. Go to Step 8.
•
If you select Use Values in Class Map as your match type, you can enter a class map name. Go to Step 9.
Step 8
If you select Use Specified Values as your match type, select the criterion from the list, then complete the dialog box accordingly. Options are:
•
Called Party—Matches the called party as specified in the To header. For a description of the GUI elements, see Table F-255 on page F-425.
•
Calling Party—Matches the calling party as specified in the From header. For a description of the GUI elements, see Table F-256 on page F-427.
•
Content Length—Matches the Content Length header. For a description of the GUI elements, see Table F-257 on page F-429.
•
Content Type—Matches the Content Type header. For a description of the GUI elements, see Table F-258 on page F-430.
•
IM Subscriber—Matches the SIP IM subscriber. For a description of the GUI elements, see Table F-259 on page F-432.
•
Message Path—Matches the SIP Via header. For a description of the GUI elements, see Table F-260 on page F-434.
•
Third Party Registration—Matches the requester of a third-party registration. For a description of the GUI elements, see Table F-261 on page F-436.
•
URI Length—Matches a URI in the SIP headers. For a description of the GUI elements, see Table F-262 on page F-438.
•
Request Method—Matches the SIP request method. For a description of the GUI elements, see Table F-263 on page F-439.
When completed, go to Step 10.