-
User Guide for Cisco Security Manager 3.3
-
Preface
-
Getting Started with Security Manager
-
Working with the Security Manager User Interface
-
Using Map View
-
Preparing Devices for Management
-
Managing the Device Inventory
-
Managing Policies
-
Managing Activities
-
Managing Policy Objects
-
Managing Site-to-Site VPNs
-
Managing Remote Access VPNs
-
Managing Firewall Services
-
Managing IPS Services
-
Managing Routers
-
Managing Firewall Devices
-
Managing Cisco Catalyst Switches and Cisco 7600 Series Routers
-
Managing IPS Devices
-
Managing Deployment
-
Managing FlexConfigs
-
Managing the Security Manager Server
-
Using Monitoring, Troubleshooting, and Diagnostic Tools
-
Administrative Settings User Interface Reference
-
Map View User Interface Reference
-
Device Inventory User Interface Reference
-
Policy User Interface Reference
-
Activities User Interface Reference
-
Policy Object Manager User Interface Reference
-
Site-to-Site VPN User Interface Reference
-
Remote Access VPN User Interface Reference
-
Firewall Services User Interface Reference
-
Router Platform User Interface Reference
-
PIX/ASA/FWSM Platform User Interface Reference
-
Catalyst Platform User Interface Reference
-
IPS User Interface Reference
-
Deployment User Interface Reference
-
Index
-
Table Of Contents
Firewall Services User Interface Reference
Add and Edit AAA Rules Dialog Boxes
Edit AAA Server Group Dialog Box
Add and Edit Access Rule Dialog Boxes
Advanced and Edit Options Dialog Boxes
Edit Firewall Rule Expiration Settings Dialog Box
Add and Edit Inspection Rule Dialog Boxes
Protocols Supporting Configuration Options
Limit Inspection Between Source and Destination IP Addresses
(ASA, FWSM 3.x) PageMatch Traffic by Custom Destination Ports Page
Match Traffic by Destination Address and Port (IOS) Page
Match Traffic by Source and Destination Address and Port
(ASA, FWSM 3.x) PageConfigure Fragments Dialog Box
Configuring Protocol Platform Dialog Box
Botnet Traffic Filter Rules Page
Dynamic Blacklist Configuration Tab
Traffic Classification Dialog Box
Device Whitelist or Device Blacklist Dialog Box
Add and Edit Transparent Firewall Rule Dialog Boxes
Edit Transparent EtherType Dialog Box
Edit Transparent Mask Dialog Box
Web Filter Rules Page (PIX/ASA)
Add and Edit PIX/FWSM/ASA Rules Dialog Boxes
Edit Web Filter Type Dialog Box
Edit Web Filter Options Dialog Box
IOS Web Filter Rule and Applet Scanner Dialog Box
IOS Web Filter Exclusive Domain Name Dialog Box
Zone-based Firewall Rules Page
Adding and Editing Zone-based Firewall Rules
Zone-based Firewall Rule: Advanced Options Dialog Box
Common Firewall Services Dialog Boxes
Add or Edit Sources or Destinations Dialog Boxes
Add or Edit Services Dialog Boxes
Add or Edit Interfaces or Zones Dialog Boxes
Firewall ACL Setting Dialog Box
AAA Firewall Page, Advanced Setting Tab
Interactive Authentication Configuration Dialog Box
Clear Connection Configuration Dialog Box
AAA Firewall Page, MAC-Exempt List Tab
Firewall AAA MAC Exempt Setting Dialog Box
Web Filter Server Configuration Dialog Box
Zone Based Firewall Page - Content Filter Tab
Add and Edit Rule Section Dialog Boxes
Import Rules Wizard—Enter Parameters Page
Import Rules Wizard—Status Page
Import Rules Wizard—Preview Page
Querying Device or Policy Dialog Box
Policy Query Results Dialog Box
Hit Count Selection Summary Dialog Box
Combine Rules Selection Summary Dialog Box
Rule Combiner Results Dialog Box
Firewall Services User Interface Reference
Firewall services policies are used to define firewall configurations for your devices. These reference topics describe the pages and dialog boxes used to configure firewall services policies.
This chapter contains the following topics:
•
Botnet Traffic Filter Rules Page
•
•
•
•
•
•
•
•
AAA Rules Page
Use the AAA Rules page to identify AAA rules defined in Security Manager. For more information, see Working with AAA Rules, page 11-40.
From the AAA Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
From the AAA Rules page, you can also generate reports to discover object groups that are being used and identify policies associated with a particular device.
Navigation Path
To access the AAA Rules page, do one of the following:
•
•
•
Related Topics.
•
Field Reference
Table I-1 AAA Rules Page
No.
Identifies the ordered rule number in the table.
Permit
Whether the rule permits or denies traffic based on the conditions set.
•
•
Source
Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:
•
•
Note
Destination
Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:
•
•
Note
Service
Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Note
Interface
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33.
For example:
•
•
•
•
Note
Action
Identifies the AAA methods.
•
•
•
AuthProxy
Identifies the authentication proxy method used for IOS devices.
Server Group
Identifies the AAA server group.
Note
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
Tools button
Click this button to select tools that you can use with this type of policy. You can select from the following tools:
•
•
Find and Replace button (binoculars icon)
Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.
Up Row and Down Row buttons (arrow icons)
Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.
Add button
Adds a rule to the table.
Edit button
Edits an existing rule in the table.
Delete button
Deletes a rule from the table.
Add and Edit AAA Rules Dialog Boxes
Use the Add and Edit AAA Rules dialog box to add and edit AAA rules.
Navigation Path
To access the Add and Edit AAA Rules dialog boxes, do one of the following:
•
•
Related Topics
•
Field Reference
Table I-2 Add and Edit AAA Rules Dialog Boxes
Enable Rule
When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.
When viewing the main rules tables:
•
•
Note
Authentication Action
When selected, indicates that the rule controls traffic based on who the user is.
Authorization Action (PIX/ASA/FWSM)
When selected, indicates that the rule controls traffic based on what the user is allowed to do.
Accounting Action (PIX/ASA/FWSM)
When selected, indicates that the rule controls traffic based on what the user did.
Action
Describes what should occur based on the conditions set.
•
•
Sources
Destinations
The source or destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
•
If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.
Services
The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Note
AAA Server Group (PIX,ASA,FWSM)
Identifies the AAA server group. See Understanding AAA Server and Server Group Objects, page 8-15.
Enter the AAA Server Object in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
Interface
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33.
For example:
•
•
•
•
Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.
Note
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
HTTP Traffic Type Applies to Authentication Proxy (IOS)
When selected, specifies HTTP to trigger the authentication proxy.
FTP Traffic Type Applies to Authentication Proxy (IOS)
When selected, specifies FTP to trigger the authentication proxy.
Telnet Traffic Type Applies to Authentication Proxy (IOS)
When selected, specifies Telnet to trigger the authentication proxy.
Edit AAA Option Dialog Box
Use the Edit AAA Option dialog box to edit the method for access entry.
Navigation Path
To access the Edit AAA Option dialog box, do one of the following:
•
•
Related Topics
•
Field Reference
AuthProxy Dialog Box
Use the AuthProxy dialog box to edit an IOS traffic type entry in a table.
Navigation Path
To access the AuthProxy dialog box, right-click the entry in the AuthProxy column of the AAA Rules table, then click Edit AuthProxy.
Related Topics
•
Field Reference
Edit AAA Server Group Dialog Box
Use the Edit AAA Server Group dialog box to edit a server group entry in a table.
Navigation Path
To access the Edit AAA Server Group dialog box, right-click the entry in the Server Group column of the AAA Rules table, then click Edit Server Group.
Related Topics
•
•
Field Reference
Access Rules Page
Use the Access Rules page to configure access control rules for device interfaces. Access rules policies define the rules that allow or deny traffic to transit an interface. Typically, you create access rules for traffic entering an interface, because if you are going to deny specific types of packets, it is better to do it before the device spends a lot of time processing them. Access rules are processed before other types of firewall rules.
Read the following topics before you configure access rules:
•
•
•
•
Tip
Navigation Path
To open the Access Rules page, do one of the following:
•
•
•
Related Topics
•
•
•
•
•
•
•
Field Reference
Table I-6 Access Rules Page
No.
The ordered rule number.
Permit
Whether a rule permits or denies traffic based on the conditions set:
•
•
Source
Destination
The source and destination addresses for the rule. The "any" address does not restrict the rule to specific hosts, networks, or interfaces. These addresses are IP addresses for hosts or networks, network/host objects, interfaces, or interface roles. Multiple entries are displayed as separate subfields within the table cell. See:
•
Service
The services or service objects that specify the protocol and port of the traffic to which the rule applies. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Interface
The interfaces or interface roles to which the rule is assigned. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33.
Dir.
The direction of the traffic to which this rule applies:
•
•
Options
The additional options configured for the rule. These include logging, time range, and some additional IOS rule options. See Advanced and Edit Options Dialog Boxes.
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
The description of the rule, if any.
Expiration Date
The date that the rule expires. Expired rules show Expired in bold text. Expired rules are not automatically deleted.
Tools button
Click this button to select tools that you can use with this type of policy. You can select from the following tools:
•
•
•
•
•
Find and Replace button (binoculars icon)
Click this button to search for various types of items within the table and to optionally replace them. See Finding and Replacing Items in Rules Tables, page 11-6.
Up Row and Down Row buttons (arrow icons)
Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.
Add Row button
Click this button to add a rule to the table after the selected row using the Add and Edit Access Rule Dialog Boxes. If you do not select a row, the rule is added at the end of the local scope. For more information about adding rules, see Adding and Removing Rules, page 11-4.
Edit Row button
Click this button to edit the selected rule. You can also edit individual cells. For more information, see Editing Rules, page 11-5.
Delete Row button
Click this button to delete the selected rule.
Add and Edit Access Rule Dialog Boxes
Use the Add and Edit Firewall Rule dialog boxes to add and edit firewall access rules. Read the following topics before you configure access rules:
•
•
•
•
Navigation Path
From the Access Rules Page, click the Add Row button or select a row and click the Edit Row button.
Related Topics
•
•
•
•
Field Reference
Table I-7 Add and Edit Access Rule Dialog Boxes
Enable Rule
Whether to enable the rule, which means the rule becomes active when you deploy the configuration to the device. Disabled rules are shown overlain with hash marks in the rule table. For more information, see Enabling and Disabling Rules, page 11-8.
Action
Permit or deny traffic based on the conditions defined.
Sources
Destinations
The source or destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
•
If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.
Service
The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Interfaces
The interfaces or interface roles to which the rule is assigned. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.
Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33.
Description
An optional description of the rule (up to 1024 characters).
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Advanced button
Click this button to configure other settings for the rule, including logging configuration, traffic direction, time ranges, and rule expiration dates. For more information, see Advanced and Edit Options Dialog Boxes.
Advanced and Edit Options Dialog Boxes
Use the Advanced and Edit Options dialog boxes to configure additional settings for an access rule. When you are in the Advanced dialog box, you have more fields available for configuration than when you edit options, which is a cell-level editing dialog box. The settings in the Advanced dialog box show up in three different cells in an access rule; direction, options, and rule expiration.
Navigation Path
To access the Advanced dialog box, do one of the following:
•
•
Related Topics
•
•
•
•
Field Reference
Table I-8 Advanced Dialog Box
Enable Logging (PIX, ASA, FWSM)
Whether to generate syslog messages for the rule entries, or ACEs, for PIX, ASA, and FWSM devices. You can select these additional options:
•
•
Following are the possible logging levels:
–
–
–
–
–
–
–
–
Enable Logging (IOS)
Log Input
Whether to generate an informational logging message about the packet that matches the entry to be sent to the console for IOS devices.
Select Log Input to include the input interface and source MAC address or virtual circuit in the logging output.
Traffic Direction
(Advanced dialog box only)
The direction of the traffic to which this rule applies:
•
•
Time Range
The name of a time range policy object that defines the times when access to the device will be allowed by this rule. The time is based on the system clock of the device. The feature works best if you use NTP to configure the system clock.
Enter the name or click Select to select the object. If the object that you want is not listed, click the Create button to create it.
Note
Options (IOS)
Additional options for IOS devices:
•
By default, a maximum of 24 fragments is accepted to reconstruct a full IP packet; however, based on your network security policy, you might want to consider configuring the device to prevent fragmented packets from traversing the firewall.
•
Rule Expiration
(Advanced dialog box only)
Whether to configure an expiration date for the rule. Click the calendar icon to select a date. For more information, see Configuring Expiration Dates for Access Rules, page 11-22.
If you configure an expiration date, you can also configure the number of days before which the rule expires to send out a notification of the pending expiration, and e-mail addresses to which to send the notifications. These fields are initially filled with the information configured on the Rule Expiration administrative settings page (select Tools > Security Manager Administration > Rule Expiration).
Expired rules are not automatically deleted. You must delete them yourself and redeploy the configuration to the device.
Edit Firewall Rule Expiration Settings Dialog Box
Use the Edit Firewall Rule Expiration Settings dialog box to edit the expiration settings for an access rule.
To set an expiration date for the rule, click the calendar icon to select a date.
If you configure an expiration date, you can also configure the number of days before which the rule expires to send out a notification of the pending expiration, and e-mail addresses to which to send the notifications. These fields are initially filled with the information configured on the Rule Expiration administrative settings page (select Tools > Security Manager Administration > Rule Expiration).
Expired rules are not automatically deleted. You must delete them yourself and redeploy the configuration to the device.
For more information, see Configuring Expiration Dates for Access Rules, page 11-22.
Navigation Path
Right-click the Expiration Date cell in an access rule (on the Access Rules Page) and select Edit Rule Expiration. If you select multiple rows, your changes replace the options defined for all selected rules.
Related Topics
•
Inspection Rules Page
Use the Inspection Rules page to identify inspection rules managed by Security Manager. For more information, see Understanding Inspection Rules, page 11-33.
From the Inspection Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
From the Inspection Rules page, you can generate reports to discover object groups that are being used and identify policies associated with a particular device.
Navigation Path
To access the Inspection Rules page, do one of the following:
•
•
•
Related Topics
•
Field Reference
Table I-9 Inspection Rules Page
No.
Identifies the ordered rule number in the table.
Permit
Whether a rule permits or denies traffic based on the conditions set.
•
•
Source
Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following:
•
•
Note
Destination
Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following:
•
•
Note
Service
Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Note
Interface
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33.
For example:
•
•
•
•
Note
Dir.
(Direction) Identifies traffic direction within a network. Direction is always associated with an interface:
•
•
Note
Inspected Protocol
Identifies the protocol to be inspected.
Time Range
Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization. See Creating Time Range Objects, page 8-92.
Note
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
Tools button
Click this button to select tools that you can use with this type of policy. You can select from the following tools:
•
Find and Replace button (binoculars icon)
Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.
Up Row and Down Row buttons (arrow icons)
Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.
Add button
Adds a rule to the table.
Edit button
Edits an existing rule in the table.
Delete button
Deletes a rule from the table.
Add and Edit Inspection Rule Dialog Boxes
Use the Add and Edit Inspection Rule dialog boxes to add and edit inspection rules.
Navigation Path
To access the Add and Edit Inspection Rule dialog boxes, do one of the following:
•
•
Related Topics
•
•
•
Field Reference
Table I-10 Add and Edit Inspect/Application FW Rule Dialog Boxes
Enable Rule
When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.
When viewing the main rules tables:
•
•
Note
All Interfaces
Enables you to add an inspection rule that will be associated with all interfaces.
Note
Interface (PIX 7.x, ASA, FWSM 3.x, IOS)
Enables you to add an inspection rule based on an interface.
Traffic Direction
Enables you to further define deep packet inspection by identifying traffic direction within a network:
•
•
Note
Interfaces
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:
•
•
•
•
This is a required field if you apply the rule to ASA or IOS device interfaces.
Enter the interface information or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.
Note
Default Protocol Ports
Enables you to inspect traffic based on a default protocol setting. Select this option if you want to inspect a protocol without applying any constraints to the inspected traffic. For a description of the GUI elements, see Table I-11.
Note
Limit inspection between source and destination IP addresses (ASA, FWSM 3.x)
When selected, enables you to limit inspection between source and destination IP addresses. This setting applies to PIX 7.0, ASA, and FWSM 3.x devices only. For a description of the GUI elements, see Table I-13.
Note
Custom Destination Ports
Enables you to inspect traffic based on TCP or UDP destination ports.
Select this option if you want to associate additional TCP or UDP traffic with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic. For a description of the GUI elements, see Table I-14.
Note
Destination Address and Port (IOS)
Enables you to inspect traffic on IOS devices based on destination IP addresses.
Select this option if you want to associate additional traffic with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.1. For a description of the GUI elements, see Table I-15.
Note
Source and Destination Address and Port (PIX 7.x, ASA, FWSM 3.x)
Enables you to inspect traffic on ASA and FWSM 3.x devices based on source and destination IP addresses and ports. For a description of the GUI elements, see Table I-16.
Note
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
Add Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes
Use the Inspected Protocol page of the Add Inspect/Application FW Rule wizard, or the Edit Inspected Protocol dialog box, to configure the protocol inspected by an inspection rule.
Navigation Path
Do one of the following:
•
•
Related Topics
•
•
•
Field Reference
Table I-11 Inspected Protocols Dialog Box
Protocols table
Lists the protocols that you can inspect. You can select one protocol per rule. The list includes information on the device operating systems that allow inspection of the protocol: do not select protocols that are not supported by the device type on which you will use the inspection rule policy.
The group column provides additional information on the use of some of the protocols.
Selected Protocol
Configure button
Displays the protocol you selected. If the protocol allows additional configuration, the Configure button becomes active; click it to see your options, and click the Help button in the dialog box that is opened for information about the options. For more information about protocols that allow configuration, see Protocols Supporting Configuration Options.
Rule Settings (IOS)
Additional settings for the rule if it is used on devices running Cisco IOS software. If you select Use Default Inspection settings, the IOS defaults, or the settings defined in the inspection settings policy (see Inspection Settings Page), are used. These are the settings you can enable or disable:
•
•
•
•
Protocols Supporting Configuration Options
Table I-12 is a partial list of protocols that allow you to configure additional settings options.
Table I-12 Protocols Supporting Configuration Options
DNS
Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are 512-65535. Also, you can configure DNS policy maps and dynamic snooping. For more information, see Configure DNS Dialog Box.
FTP Strict
Enables you to select or create an FTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure FTP strict inspection, no map is required.
GTP
Enables you to select or create a GTP Map object to configure application firewall (PIX/ASA 7.x/FWSM 3.x). To configure GTP inspection, no map is required.
HTTP
Enables you to select or create an HTTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure HTTP inspection, no map is required.
RPC
Requires a program number and wait time (IOS/FWSM 2.x).
•
•
For more information, see Configure RPC Dialog Box.
SMTP
Sets maximum data length (PIX/FWSM/IOS). Values are 0-4294967295. For more information, see Configure SMTP Dialog Box.
Custom protocol
Requires a custom protocol name. Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination ports 12000, UDP with destination ports 8000-9000. For more information, see Custom Protocol Dialog Box.
ESMTP
Sets maximum data length (PIX/ASA/FWSM 3.x/IOS). Values are 0-4294967295. For more information, see Configure ESMTP Dialog Box.
Fragment
Sets maximum fragments and timeout values (IOS).
•
•
For more information, see Configure Fragments Dialog Box.
IMAP
Includes optional settings for retrieving email (IOS). For more information, see Configure IMAP Dialog Box.
POP3
Includes optional settings for retrieving email (IOS). For more information, see Configure POP3 Dialog Box.
Limit Inspection Between Source and Destination IP Addresses
(ASA, FWSM 3.x) PageUse this wizard page (Step 2) to inspect traffic for specific sources and destinations for ASA devices.
Navigation Path
To access the Limit Inspection Between Source and Destination Addresses (ASA, FWSM 3.x) wizard page, do one of the following:
•
•
For more information, see:
•
Related Topics
•
•
•
•
•
•
Field Reference
Table I-13 Limit Inspection Between Source and Destination Addresses (ASA, FWSM 3.x) Page
Action
Describes what should occur based on the conditions set.
•
•
Sources
Destinations
The source or destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
•
If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.
Time Range
Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.
Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.
Note
Match Traffic by Custom Destination Ports Page
Use this wizard page (Step 2) to select protocol and port values for TCP or UDP destination ports.
Navigation Path
To access the Match Traffic By Custom Destination Ports wizard page, do one of the following:
•
•
For more information, see:
•
Related Topics
•
•
•
Field Reference
Match Traffic by Destination Address and Port (IOS) Page
Use this wizard page (Step 2) to select protocol and port values for specific destinations for IOS devices.
To treat this matched traffic type as a supported inspect protocol only when destined to certain hosts, you should create a network policy object and include the list of hosts in it. Alternatively, you can also enter a list of host IP addresses as Destinations.
Navigation Path
To access the Match Traffic By Destination Address and Port (IOS) wizard page, do one of the following:
•
•
For more information, see:
•
Related Topics
•
•
•
•
Field Reference
Table I-15 Match Traffic By Destination Address and Port (IOS)
Destinations
The destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types to define the destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
Protocol
The protocol for the traffic, either TCP, UDP, or both (TCP/UDP).
Ports
•
•
Match Traffic by Source and Destination Address and Port
(ASA, FWSM 3.x) PageUse this wizard page (Step 2) to inspect traffic for specific sources and destinations for ASA and FWSM 3.x devices.
Select this matched traffic type if you want to limit inspection of traffic flowing between a set of source and destination addresses, for example, if you want to inspect FTP traffic flowing between 192.168.1.0/24 and 192.168.2.0/24.
You can use policy objects for sources, destinations and services. A time range can also be specified, which will activate the traffic criteria only during that period of time.
Navigation Path
To access the Match Traffic By Source and Destination Address and Port (ASA, FWSM 3.x) wizard page, do one of the following:
•
•
Related Topics
•
•
•
•
•
•
•
•
Field Reference
Table I-16 Match Traffic By Source and Destination Address and Port (ASA, FWSM 3.x) Page
Action
Describes what should occur based on the conditions set.
•
•
Sources
Destinations
The source or destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
•
If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.
Services
The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Time Range
Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.
Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.
Note
Configure DNS Dialog Box
Use the Configure DNS dialog box to configure settings for DNS inspection on PIX 7.0+, ASA, FWSM, and IOS devices.
Navigation Path
Go to the Add Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select DNS in the protocols table, and click Configure.
Related Topics
•
•
•
•
Field Reference
Configure SMTP Dialog Box
Use the SMTP dialog box to edit settings for Simple Mail Transfer Protocol (SMTP) inspection (PIX/FWSM/IOS). SMTP is used to transfer email between servers and clients on the Internet. email clients and mail servers that use protocols other than Message Application Programming Interface (MAPI) can use the SMTP protocol to transfer a message from a client to the server, and then forward it to a message recipient's server.
SMTP inspection causes Simple Mail Transfer Protocol (SMTP) commands to be inspected for illegal commands. Any packets with illegal commands are dropped, and the SMTP session will hang and eventually time out.
Navigation Path
You can access the Configure SMTP dialog box from the Inspection Rules table. Select SMTP as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Custom Protocol Dialog Box
Use the Custom Protocol dialog box to edit settings for custom protocol inspection (IOS). Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination ports 12000, UDP with destination ports 8000-9000.
Navigation Path
You can access the Custom Protocol dialog box from the Inspection Rules table. Select, Custom Protocol as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Table I-19 Configure Custom Protocol Dialog Box
Custom Protocol Name
Identifies the name associated with the custom protocol.
Configure ESMTP Dialog Box
Use the Configure ESMTP dialog box to edit settings for Extended Simple Mail Transport Protocol (ESMTP) inspection (PIX/ASA/FWSM 3.x/IOS). ESMTP enables users who install mail servers behind Cisco IOS firewalls to install their servers on the basis of ESMTP (instead of Simple Mail Transport Protocol [SMTP]).
Navigation Path
You can access the Configure ESMTP dialog box from the Inspection Rules table. Select ESMTP as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Configure Fragments Dialog Box
Use the Configure Fragments dialog box to edit settings for fragment inspection.
Navigation Path
You can access the Configure Fragments dialog box from the Inspection Rules table. Select Fragments as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Configure IMAP Dialog Box
Use the Configure IMAP dialog box to edit settings for Internet Message Access Protocol (IMAP) inspection (IOS). IMAP is a method for accessing electronic mail or bulletin board messages that are kept on a mail server that may be shared. It permits a client email program to access remote messages as though they were local.
Navigation Path
You can access the Configure IMAP dialog box from the Inspection Rules table. Select IMAP as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Configure POP3 Dialog Box
Use the Configure POP3 dialog box to edit settings for Post Office Protocol, Version 3 (POP3) inspection (IOS). POP3 is used to receive email that is stored on a mail server. Unlike IMAP, POP retrieves mail only from a remote host.
Navigation Path
You can access the Configure POP3 dialog box from the Inspection Rules table. Select POP3 as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Configure RPC Dialog Box
Use the RPC dialog box to edit settings for RPC inspection (IOS). RPC inspection allows the specification of various program numbers. You can define multiple program numbers by creating multiple entries for RPC inspection, each with a different program number. If a program number is specified, all traffic for that program number will be permitted. If a program number is not specified, all traffic for that program number is blocked. For example, if you create an RPC entry with the NFS program number, all NFS traffic will be allowed through the firewall.
Navigation Path
You can access the Configure RPC dialog box from the Inspection Rules table. Select RPC as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Configuring Protocol Platform Dialog Box
Use the Configure (Protocol Platform) dialog box to choose a policy object based on device type.
Navigation Path
You can access the Configure (Protocol Platform) dialog box from the Inspection Rules table. Select HTTP or IM as the protocol for inspection, then click Configure.
Related Topics
•
•
•
Field Reference
Botnet Traffic Filter Rules Page
You can use the Botnet Traffic Filter Rules page to define rules for identifying malicious traffic passing through your ASA security device.
The Botnet Traffic Filter Rules page is divided into three sections:
•
Navigation Path
To access the Botnet Traffic Filter Rules page, do one of the following:
•
•
•
Related Topics
•
•
•
•
•
Dynamic Blacklist Configuration Tab
Use the Dynamic Blacklist Configuration tab to enable database updates from the Cisco update server and to enable use of the downloaded dynamic database by the security appliance.
Navigation Path
From the Botnet Traffic Filter Rules Page, click the Dynamic Blacklist Configuration tab.
Related Topics
•
•
•
•
•
•
Field Reference
Traffic Classification Tab
Use the Traffic Classification tab to view or to configure the traffic classification definitions for a device or shared policy. Traffic classification definitions consist of an interface or interface role with an associated ACL that identifies the traffic that is monitored by the Botnet Traffic Filter. You can configure settings for specific interfaces or for interface roles. You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override any settings defined for an interface role.
The columns in the table summarize the settings for an entry and are explained in Traffic Classification Dialog Box.
Tip
To configure traffic classification:
•
•
•
Navigation Path
From the Botnet Traffic Filter Rules Page, click the Traffic Classification tab.
Related Topics
•
•
•
•
•
•
•
Traffic Classification Dialog Box
Use the Traffic Classification dialog box to specify the interfaces on which you want to enable the Botnet Traffic Filter and to identify the traffic that you want to monitor.
Navigation Path
To access the Traffic Classification dialog box, right-click inside the work area of the Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.
Related Topics
•
•
•
•
•
•
Field Reference
Table I-27 Traffic Classification Dialog Box
Interfaces
The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.
You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override the global settings.
Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33.
ACL
Specifies the access-list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic.
To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects, page 8-23.
Whitelist/Blacklist Tab
Use the Whitelist/Blacklist tab to view or to configure the static database entries for a device or shared policy. The Device Blacklist contains domain names or IP addresses of malicious or undesirable sites. You can use the static blacklist to supplement the Cisco dynamic database or you can use the static blacklist alone if you can identify all the malware sites that you want to target.
The Device Whitelist contains domain names or IP addresses of sites that are deemed to be acceptable. If the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Static whitelist entries take precedence over entries in the static blacklist and the Cisco dynamic database. Whitelisted addresses still generate syslog messages, but because you are only targeting blacklist syslog messages, they are informational.
To configure the static database:
•
•
Timesaver
•
Navigation Path
From the Botnet Traffic Filter Rules Page, click the Whitelist/Blacklist tab.
Related Topics
•
•
•
•
•
•
Device Whitelist or Device Blacklist Dialog Box
Use the Device Whitelist or Device Blacklist dialog box to manually define domain names or IP addresses that you want to add to the whitelisted (safe) or blacklisted (malicious) lists. You can use the static blacklist to supplement the Cisco dynamic database or you can use the static blacklist alone if you can identify all the malware sites that you want to target. Names or addresses that appear on both the whitelist and the dynamic blacklist are identified only as whitelist addresses in syslog messages and reports.
Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either whitelisted or blacklisted. You can also enter host IP addresses. Use a comma or new line to separate multiple entries.
Navigation Path
From the Whitelist/Blacklist Tab, click the Add Rows button beneath the Device Whitelist or Device Blacklist tables, or select an entry and click the Edit Row button.
Related Topics
•
•
•
•
•
•
Transparent Rules Page
Use the Transparent Rules page to identify EtherType rules defined in Security Manager. Before you can configure transparent rules on ASA/PIX 7.x+ security appliances or FWSM firewall devices, they must be configured in transparent mode.
To configure transparent rules on IOS devices, you must configure a bridge group with two or more layer 3 interfaces (see Bridging on Cisco IOS Routers, page 13-50 and Defining Bridge Groups, page 13-51) and create a bridge group virtual interface (BVI) (see Bridge-Group Virtual Interfaces, page 13-50).
From the Transparent Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
Only EtherType rules are configured as firewall policies. To configure other types of transparent firewall features, select Platform > Bridging.
Note
Navigation Path
To access Transparent Rules, do one of the following:
•
•
•
Related Topics
•
Field Reference
Table I-28 Transparent Rules Page
No.
Identifies the ordered rule number in the table.
Permit
Whether a rule permits or denies traffic based on the conditions set.
•
•
EtherType
Specifies Ethernet packet type.
•
–
–
–
–
–
•
–
Mask
Identifies a 16-bit hexadecimal number whose ones bits correspond to bits in the type-code argument that should be ignored when making a comparison. (A mask for a DSAP/SSAP pair should always be at least 0x0101. This is because these two bits are used for purposes other than identifying the SAP codes.)
Interface
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33.
For example:
•
•
•
•
Enter interface information, or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.
Note
Dir.
(Direction) Identifies traffic direction within a network. Direction is always associated with an interface:
•
•
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
Note
Up Row and Down Row buttons (arrow icons)
Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.
Add button
Adds a rule to the table.
Edit button
Edits an existing rule in the table.
Delete button
Deletes a rule from the table.
Add and Edit Transparent Firewall Rule Dialog Boxes
Use the Add and Edit Transparent Firewall Rule dialog boxes to add and edit EtherType rules.
Navigation Path
To access Transparent Rules, do one of the following:
•
•
Related Topics
•
•
Field Reference
Table I-29 Add and Edit Transparent Firewall Rule Dialog Boxes
Enable Rule
When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.
When viewing the main rules tables:
•
•
Note
Action
Describes what should occur based on the conditions set.
•
•
Interfaces
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33.
For example:
•
•
•
•
Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.
Note
Traffic Direction
Identifies traffic direction within a network. Direction is always associated with an interface.
•
•
EtherType
Specifies Ethernet packet type.
•
–
–
–
–
–
•
–
Wildcard Mask (IOS)
Identifies a 16-bit hexadecimal number whose ones bits correspond to bits in the type-code argument that should be ignored when making a comparison. (A mask for a DSAP/SSAP pair should always be at least 0x0101. This is because these two bits are used for purposes other than identifying the SAP codes.)
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
Note
Edit Transparent EtherType Dialog Box
Use the Edit Transparent EtherType dialog box to edit EtherType settings in a table.
Navigation Path
To access the Edit Transparent EtherType dialog box, right-click the entry in the EtherType column of the Transparent Rules table, then click Edit EtherType.
Related Topics
•
•
Field Reference
Edit Transparent Mask Dialog Box
Use the Edit Transparent Mask dialog box to edit mask settings in a table.
Navigation Path
To access the Edit Transparent Mask dialog box, right-click the entry in the Mask column of the Transparent Rules table, then click Edit Mask.
Related Topics
•
•
Field Reference
Web Filter Rules Page (PIX/ASA)
Use the Web Filter Rules page to identify web filter rules defined in Security Manager for PIX and ASA devices.
From the Web Filter Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
Navigation Path
To access the Web Filter Rules page for PIX/ASA devices, do one of the following:
•
•
•
Related Topics
•
Field Reference
Table I-32 Web Filter Rules Page (PIX/ASA)
No.
Identifies the ordered rule number in the table.
Source
Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:
•
•
Note
Destination
Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:
•
•
Note
Service
Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Note
Type
Displays filtering parameters.
Options
Displays additional configuration options for the selected protocol.
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
Tools button
Click this button to select tools that you can use with this type of policy. You can select from the following tools:
•
Find and Replace button (binoculars icon)
Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.
Up Row and Down Row buttons (arrow icons)
Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.
Add button
Adds a rule to the table.
Edit button
Edits an existing rule in the table.
Delete button
Deletes a rule from the table.
Add and Edit PIX/FWSM/ASA Rules Dialog Boxes
Use the Add and Edit PIX/FWSM/ASA Rules dialog boxes to set values for Web Filter Rules for those platforms.
Navigation Path
To access the PIX/FWSM/ASA Rules dialog box, do one of the following:
•
•
Related Topics
•
•
•
Field Reference
Table I-33 Add and Edit PIX/FWSM/ASA Web Filter Rule Dialog Boxes
Enable Rule
When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.
When viewing the main rules tables:
•
•
Note
Filtering
Lists options for handling filtering:
•
•
Note
Type
Describes what should be filtered.
•
•
•
•
•
Sources
Destinations
The source or destination of the traffic. You can enter more than one value by separating the items with commas.
You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
•
If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.
Services
The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
Note
Allow traffic if URL Filter Server unavailable
When selected, permits outbound connections to pass through the security appliance without filtering if the server is unavailable.
If you omit this option and if the N2H2 or Websense server goes offline, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back online.
Block connection to HTTP Proxy Server.
When selected, prevents users from connecting to an HTTP proxy server.
Truncate CGI request by removing CGI parameters.
When selected, truncates CGI URLs to include only the CGI script location and the script name without any parameters.When a URL has a parameter list starting with a question mark (?), the URL sent to the filtering server is truncated by removing all characters after and including the question mark.
Long URL
Lists options for handling long URLs:
•
•
•
Note
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.
Edit Web Filter Type Dialog Box
Use the Edit Web Filter Type dialog box to edit filtering and service entries.
Navigation Path
To access the Edit Web Filter Type dialog box, right-click the entry in the Type column of the Web Filter Rules table, then click Edit Web Filter Type.
Related Topics
•
•
•
Field Reference
Edit Web Filter Options Dialog Box
Use the Edit Web Filter Options dialog box to edit additional options entries based on the service selected.
Navigation Path
Right-click the entry in the Options column of the Web Filter Rules table, then click Edit Web Filter Rule Options.
Related Topics
•
•
•
Field Reference
Web Filter Rules Page (IOS)
Use the Web Filter Rules page for IOS devices to configure web, or URL, filtering rules. Web filtering is a type of HTTP inspection. If your access rules allow HTTP traffic on an interface, you can configure rules to apply local and server-based web filtering to prevent users from accessing undesirable web servers.
When you configure web filter rules, also configure web filter settings in the Firewall > Settings > Web Filter policy. The settings identify the web filtering server and contain other settings that control the overall functioning of the policy. For example, you can use the settings policy to allow all web traffic if the filtering server becomes unavailable. For more information, see Web Filter Settings Page.
Tip
Navigation Path
To access the Web Filter Rules page for IOS devices, do one of the following:
•
•
•
Related Topics
•
•
•
Field Reference
Table I-36 Web Filter Rules Page (IOS)
Web Filter Rules tab
The URL filtering rules defined for the policy. Each rule shows the interface on which it is defined, whether the rule is applied to incoming or outgoing traffic, and the permitted or denied Java applet sources if Java applet scanning is enabled. You might have more than one rule for an interface if you configure both a permit and deny list for Java applet scanning.
•
•
•
Exclusive Domains tab
The local web filter list. This list is checked before web requests are sent to the filtering server and applies to all interfaces on which you configure web filtering.
If you know there are specific domains that you will always allow (such as your organization's own domain name), or disallow, you can list them here. By configuring a local filter list, you can improve performance because the device does not need to wait for a response from the filtering server.
•
•
•
IOS Web Filter Rule and Applet Scanner Dialog Box
Use the IOS Web Filter Rule and Applet Scanner dialog box to create web filtering rules for IOS devices.
Navigation Path
To open this dialog box, select the Web Filter Rules tab on the Web Filter Rules Page (IOS), click Add Row to create a new rule, or select a row and click Edit Row to edit an existing rule.
Related Topics
•
•
•
•
Field Reference
Table I-37 IOS Web Filter Rule and Applet Scanner Dialog Box
Enable Web Filtering
Whether to enable the web filtering rule.
Interface
The interface or interface role to which the rule is assigned. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.
Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33.
Traffic Direction
The direction of the traffic to which this rule applies:
•
•
Java Applet Scanning
Enable Java Applet Scanner
If you select Enable Java Applet Scanning, the device checks for the presence of Java applets in HTTP traffic coming from web servers to internal hosts. If a Java applet is present and the web server (applet source) is in the list of permitted sources, the Java applet is left unmodified in the HTTP traffic. Otherwise, the Java applets are removed from HTTP pages.
TipPermit Traffic
Applet Sources
The list of permitted or denied source addresses for Java applets. To configure a list of permitted or denied sources:
•
•
IOS Web Filter Exclusive Domain Name Dialog Box
Use the IOS Web Filter Exclusive Domain Name dialog box configure local web filtering rules for IOS devices. You can create a list of permitted or denied domain names or IP addresses. The device checks this list before forwarding web requests to your web filtering server.
Using local filtering saves the wait time for getting a response from the server when a user requests a web site that you know you will either always permit or always deny.
Navigation Path
To open this dialog box, select the Exclusive Domains tab on the Web Filter Rules Page (IOS), click Add Row to create a new rule, or select a row and click Edit Row to edit an existing rule.
Related Topics
•
•
•
Field Reference
Zone-based Firewall Rules Page
Zone-based firewall rules provide unidirectional application of firewall policies between groups of interfaces known as "zones." That is, interfaces are assigned to zones, and specific inspection policies are applied to traffic moving between zones in one direction or the other.
A zone defines a boundary where traffic is subjected to specific restrictions as it crosses into another region of your network. The default zone-based firewall policy between zones is deny all. Thus, if no policy is explicitly configured, all traffic between zones is blocked.
Note
The Zone Based Firewall Rules page displays a list of currently configured zone-based firewall rules, and lets you add, edit and delete rules.
Navigation Path
To access the Zone Based Firewall Rules page, do one of the following:
•
•
•
Related Topics
•
•
•
Field Reference
Table I-39 Zone Based Firewall Rules Page
Note
No.
This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.
Permit
Indicates whether the rule permits or denies traffic.
•
•
Source
Identifies source networks and hosts for this rule. Networks/hosts can be provided as named objects, or as IP addresses. See Understanding Network/Host Objects, page 8-65 for more information.
Destination
Identifies destination networks and hosts for this rule. Networks and hosts can be provided as named objects, or as IP addresses. See Understanding Network/Host Objects, page 8-65 for more information.
Service
The services that define the types of traffic matched by this rule. Services are defined by objects that specify protocol and port information. See Understanding and Specifying Services and Service and Port List Objects, page 8-75 for more information.
From Zone
This rule applies only to traffic originating from this zone.
To Zone
This rule applies only to traffic destined for this zone.
Inspected Protocol
The protocol(s) on which the rule performs the chosen Action.
Action
Identifies how matched protocols are processed:
•
•
•
•
•
•
Note
Options
The Inspect Parameter map assigned to this rule; available only with Inspect and Content Filter actions.
Category
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Description
The description of this rule, if provided. A maximum of 1024 characters is allowed.
Tools button
Click this button to select tools that you can use with this type of policy. You can select from the following tools:
•
Find and Replace button (binoculars icon)
Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.
Up button
Moves the selected rule up one row in the table.
Down button
Moves the selected rule down one row in the table.
Add button
Opens the Add Zone-based Firewall Rule dialog box, where you can create a new rule.
Edit button
Used to edit the selected rule in the table; opens the Edit Zone-based Firewall Rule dialog box.
Delete button
Deletes the selected rule from the table.
Adding and Editing Zone-based Firewall Rules
Use the Add and Edit Zone based Firewall Rule dialog boxes to add and edit zone-based firewall rules on Cisco IOS and ASR devices.
Navigation Path
From the Zone-based Firewall Rules Page, click the Add Row button, or select a row and click the Edit Row button.
Related Topics
•
•
•
Field Reference
Table I-40 Add and Edit Zone based Firewall Rule Dialog Boxes
Enable Rule
When selected, the rule is enabled on the device after the configuration is generated and deployed. Deselect this option to disable the rule without deleting it.
Define the traffic flow to which this rule is applied.
Match
Choose whether to Permit or Deny matched traffic.
Sources
Destinations
Provide the source networks/hosts and destination networks/hosts for matching traffic. Each field allows multiple values separated by commas.
You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
Services
Specify the services that define the type of traffic to matched by this rule. You can enter any combination of service objects and service types (which are typically a protocol and port combination), separated by commas.
If you type in a service, you are prompted as you type with valid values. You also can click Select to select services from a list.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
From Zone
To Zone
Basic zone-based firewall rules are unidirectional; that is, they define a traffic flow that moves in only one direction between two zones.
Enter or Select the zone from which traffic flows can originate for this rule, and enter or Select the zone to which traffic can flow.
Advanced button
Opens the Advanced Options dialog box where you can select time-range options. See Zone-based Firewall Rule: Advanced Options Dialog Box.
The action applied to traffic that matches this rule. Choose the desired Action:
Action: Drop, Drop and Log, Pass, Pass and Log
•
•
•
•
For any of these Actions, you can select one or more protocols to be matched by clicking the Select button next to the Protocol table to open the Protocol Selector Dialog Box. However, this is not necessary; you can leave the Protocol table empty and pass or drop traffic based on the Sources, Destinations, and Services parameters.
The Protocol Selector dialog box also provides access to the Configure Protocol Dialog Box, where you can edit the Port Application Mapping (PAM) parameters for the selected protocol.
Note
Action: Inspect
Inspect provides state-based traffic control—the device maintains connection or session information for TCP and UDP traffic, meaning return traffic in reply to connection requests is permitted.
Choose this option to apply packet inspection based on your selected Layer 4 (TCP, UDP) and Layer 7 (HTTP, IMAP, instant messaging, and peer-to-peer) protocols. You also can edit PAM settings for the selected protocols, and you can set up deep packet inspection (DPI) and provide additional protocol-related information for the Layer 7 protocols. See Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57 for more information.
1.
2.
3.
If you do not specify an Inspect Parameters map, the default settings are used.
Action: Content Filter
Content Filter provides URL filtering based on a supplied parameter or policy map. The router intercepts HTTP requests, performs protocol-related inspection, and optionally contacts a third-party server to determine whether the requests should be allowed or blocked. You can provide a WebFilter parameter map, which defines filtering based on local URL lists, as well as information from an external SmartFilter (previously N2H2) or Websense server. Alternately, you can provide a WebFilter policy map that accesses Local, N2H2, Websense, or Trend Micro filtering data.
1.
2.
3.
If you do not specify an Inspect Parameters map, the default settings are used.
Description
(Optional) You can enter a description of up to 1024 characters to help you identify the rule when viewing the rules table.
Category
(Optional) You can assign a category to the rule, to help you organize and identify rules and objects. See Using Category Objects, page 8-6.
Zone-based Firewall Rule: Advanced Options Dialog Box
Use the Zone-Based Firewall Rule Advanced Options dialog box to apply specific time-range information to a zone-based firewall rule.
Navigation Path
In the Traffic section of the Add or Edit Zone based Firewall Rule dialog box, click the Advanced button.
Related Topics
•
•
Field Reference
Table I-41 Advanced Options Dialog Box
Time Range
This feature lets you define time periods during which this zone-based firewall rule is active. If you do not specify a time range, the rule is immediately and always active.
Enter the name of a time-range object, or click Select to choose one from a list in the Time Ranges Selector dialog box. You can create and edit time-range objects from this dialog box. See Creating Time Range Objects, page 8-92 for more information.
Options
This feature lets you apply a packet-fragment or an established-connection restriction to this zone-based firewall rule. Choose one of the following options:
•
•
•
Protocol Selector Dialog Box
Use the Protocol Selector dialog box to specify one or more communication protocols as part of the definition of traffic for a zone-based firewall rule.
The Protocol Selector dialog box also provides access to the Configure Protocol dialog box, which you can use to create custom protocols and edit Port Application Mapping (PAM) parameters for existing protocols. The Configure Protocol dialog box is also where you select Deep Inspection policy maps, and Protocol Info parameter maps, for certain protocols. See Configure Protocol Dialog Box for more information.
Navigation Path
The Protocol Selector dialog box can be accessed from the Add and Edit Zone based Firewall Rule dialog boxes (described in Adding and Editing Zone-based Firewall Rules). In either dialog box, choose any Action except Content Filter and then click the Select button next to the Protocol table.
You can also open the Protocol Selector dialog box by right-clicking the Inspected Protocol column for any entry in the Zone Based Firewall Rules table, and then choosing Edit Protocols.
Related Topics
•
•
•
•
Table I-42 Protocol Selector Dialog Box
Available Protocols
A list of protocols that can be selected for a zone-based firewall rule.
TipSelected Protocols
The list of protocols you have selected for this zone-based firewall rule.
Tip>> button
Moves the highlighted protocols from the Available Protocols column to the Selected Protocols column. You can select multiple protocols using the standard Shift-click and Ctrl+click functions.
<< button
Moves the highlighted protocols from the Selected Protocols column back to the Available Protocols column. You can select multiple protocols using the standard Shift-click and Ctrl+click functions.
Configure Protocol Dialog Box
Packet inspection can be configured in zone-based firewall rules by the selection of specific protocol objects, which define Port Application Mapping (PAM) parameters (Layer 4 protocols and ports, and optionally specific networks and hosts). A Layer 7 (HTTP, IMAP, instant messaging, and peer-to-peer) protocol can also include a deep-packet inspection policy specific to that protocol. Refer to Adding and Editing Zone-based Firewall Rules for information about selecting protocols during zone-based firewall rule definition.
The Configure Protocol dialog box is used to edit existing protocol definitions, and to create custom definitions, for use with zone-based firewall rules. For example, if a protocol does not use its default ports for some or all networks, you can configure different port mappings.
Navigation Path
The Configure Protocol dialog box is accessed from the Protocol Selector Dialog Box, as follows:
•
•
Related Topics
•
•
Table I-43 Configure Protocol Dialog Box
Protocol Name
The name of the selected protocol. If you are creating a custom protocol, you can enter a name of up to 19 characters. Custom protocol names must begin with user-.
Enable Signature
This option is available only when editing the peer-to-peer (eDonkey, FastTrack, Gnutella, Kazaa2) protocols.
Select this option to enable signature-based classification of peer-to-peer (P2P) packets.
Deep Inspection
This option is available only when editing the H.323, HTTP, IM (AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger), IMAP, P2P (eDonkey, FastTrack, Gnutella, Kazaa2), POP3, SIP, SMTP, Sun RPC protocols, and Inspect is the chosen Action for the zone-based firewall rule.
Enter or Select the name of the Inspect policy map to be used with the selected protocol. See Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57 for more information about these policy maps.
Protocol Info
This option is available only when editing the Instant Messaging (AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger) and the Stun-ice protocols.
Enter or Select the name of the Protocol Info parameter map to be used with the selected protocol. These parameter maps define the DNS servers that interact with these applications, which helps the Instant Messaging (IM) application engine recognize the IM traffic and enforce the configured policy for that IM application.
See Add or Edit Protocol Info Parameter Map Dialog Boxes, page F-76 for more information about these parameter maps.
These options let you customize the Port Application Mapping (PAM) parameters for the selected protocol.
Protocol
Select the transport protocol(s) for this mapping:
•
•
•
Ports
Enter any combination of a single port number, multiple port numbers, or a range of ports (for example, 60000-60005). Separate multiple entries with commas. Do not specify a range that overlaps already mapped ports.
Networks
If this protocol/port mapping is only for specific networks or hosts, enter the names or IP addresses of the networks or hosts, or the names of the network/host objects. You can click Select to open the Networks/Hosts Selector. Separate multiple entries with commas.
Common Firewall Services Dialog Boxes
There are several dialog boxes that are used by many of the firewall services rules policies. These dialog boxes are used when editing or viewing the contents of rules cells, as opposed to editing the entire rule. For detailed information about editing or viewing cell contents, see Editing Rules, page 11-5.
Add or Edit Sources or Destinations Dialog Boxes
Use the Add or Edit Sources or Destinations dialog boxes to edit the source or destination entry in a firewall rules table that includes sources or destinations. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
You can enter any combination of the following address types to define the source or destination of the traffic. You can enter more than one value by separating the items with commas. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•
•
•
•
•
•
If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.
Navigation Path
Do any of the following in a rules policy that includes sources or destinations:
•
•
•
Add or Edit Services Dialog Boxes
Use the Edit Services dialog box to edit the services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab. You can also click Select to select the service from a list, or to create a new service.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
Navigation Path
Do any of the following in a rules policy that includes services:
•
•
•
Tip
Add or Edit Interfaces or Zones Dialog Boxes
Use the Add or Edit Interfaces (or Zones) dialog box to edit the interfaces or zones for which the rule is defined. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
•
When you deploy the policy to the device, interface roles are replaced by actual interface names, and only to interfaces that are actually configured on the device. To see which interfaces will actually be selected by a rule, right-click the Interfaces cell and select Show Interfaces.
•
For more information about interface roles and selecting interfaces, see the following topics:
•
•
Navigation Path
Do any of the following in a rules policy that includes interfaces or zones:
•
•
•
Edit Category Dialog Box
Use the Edit Category dialog box to change the category assigned to a rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
Navigation Path
Right-click a Category cell in a rules policy that includes categories and select Edit Category.
Edit Description Dialog Box
Use the Edit Description dialog box to edit the description of the rule. The description helps you identify the purpose of a rule and can be up to 1024 characters. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
Navigation Path
Right-click a Description cell in a rules policy that includes descriptions and select Edit Description.
Show Contents Dialog Boxes
Use the Show Contents dialog boxes to display the actual, translated data defined in a source, destination, services, interfaces, zones, or other cell in a rules table that includes addresses, interfaces, services, or policy objects that define those things. The title of the dialog box indicates which cell or entry you are examining. Use this information to determine to which addresses, services, or interfaces the rule will actually apply when deployed to the device. For detailed information about editing or viewing cell contents, see Editing Rules, page 11-5.
What you see in the dialog box depends on the view you are in:
•
–
–
–
•
Navigation Path
Do any of the following in a rules policy that includes sources, destinations, services, interfaces, zones, or other fields that specify networks, interfaces, or services. You can also show contents when using tools that work with rules, such as importing rules.
•
•
Tip
Firewall Settings
The firewall settings policy relate directly to the similarly-named rules policy, and provide additional options for configuring the behavior of the rules policies.
This section contains the following topics:
•
•
Access Control Settings Page
Use the Access Control Settings page to configure settings to use in conjunction with your access rules policy. You can control some performance and logging features, and configure ACL names for individual interfaces.
Tip
Navigation Path
To access the Access Control Page, do one of the following:
•
•
•
Related Topics
•
•
•
•
•
•
Field Reference
Table I-44 Access Control Settings Page
Maximum number of concurrent flows (PIX, ASA, FWSM)
The maximum number of concurrent deny flows that the device is allowed to create. Syslog message 106101 is generated when the device reaches the number. The range you should use depends on the amount of flash memory available in the device:
•
•
•
Syslog interval (PIX, ASA, FWSM)
The interval of time for generating syslog message 106101, which alerts you that the security appliance has reached a deny flow maximum. When the deny flow maximum is reached, another 106101 message is generated if the specified number of seconds has passed since the last 106101 message. Values are 1 to 3600 milliseconds. The default is 300.
Enable Access List Compilation (Global)
Whether to compile access lists, which speeds up the processing of large rules tables. Compilation optimizes your policy rules and performance for all ACLs, but is supported on a limited number of older platforms:
•
•
ACL compilation speeds up the processing of large rules tables and optimizes your policy rules and performance. An ACL is compiled only if the number of access list elements is greater than or equal to 19. The maximum recommended number of entries is 16,000.
To compile access lists, the device must have a minimum of 2.1 MB of memory for the device. Access list compilation is also known as Turbo ACL.
Interfaces table
The table lists the interfaces for which you want to configure special processing. The interface name can be a specific interface or an interface role (which can apply settings to more than one interface at a time).
The main use of this table is to configure names for ACLs if you do not want Security Manager to configure system-generated names. The name applies to the ACL generated for an interface in a specific direction.
You can also configure interface-level settings for object group search, per user downloadable ACLs, and ACL compilation.
•
•
•
Firewall ACL Setting Dialog Box
Use the Firewall ACL Setting dialog box to configure settings for specific interfaces or interface roles for use with access rules policies.
Navigation Path
Go to the Access Control Settings Page and click the Add Row button below the interface table, or select a row in the table and click the Edit Row button.
Related Topics
•
•
•
•
•
Field Reference
Inspection Settings Page
Use the Inspection settings page to configure options that work with inspection rules on IOS devices. Many of these settings are used for helping to prevent or mitigate Denial of Service (DoS) attacks. The default settings for most of these options are appropriate for most networks, so configure this policy only if you need to adjust one or more settings.
Navigation Path
To open the Inspection settings page, do one of the following:
•
•
•
Related Topics
•
•
Field Reference
AAA Firewall Page, Advanced Setting Tab
Use the Settings for AAA Firewalls to define HTTPS, proxy, and MAC settings for PIX 6.3, ASA/PIX 7.x and FWSM 3.2 devices.
Navigation Path
To access the AAA Firewall settings page, do one of the following:
•
•
•
Related Topics
•
•
Field Reference
Interactive Authentication Configuration Dialog Box
Use the Interactive Authentication Configuration dialog box to configure listening ports to authenticate network users. When you enable a listening port, the security appliance serves an authentication page for direct connections and/or for through traffic.
Navigation Path
Go to the AAA Firewall Page, Advanced Setting Tab and click the Add Row button beneath the Interactive Authentication table, or select an item in the table and click the Edit Row button.
Related Topics
•
Field Reference
Clear Connection Configuration Dialog Box
Use the Clear Connection Configuration dialog box to define when the connection from the certain interface and source will be cleared when the uauth timer expires.
Navigation Path
Go to the AAA Firewall Page, Advanced Setting Tab and click the Add Row button beneath the Clear Connections When Uauth Timer Expires table, or select an item in the table and click the Edit Row button.
Related Topics
•
Field Reference
Table I-49 Clear Connection Configuration Dialog Box
Interface
Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33
For example:
•
•
•
•
Enter the information in the field provided or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.
Note
Source IP Address/Netmask
Identifies the network object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:
•
•
•
•
•
*IP address ranges can span more than one subnet.
**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-65.
Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.
Note
AAA Firewall Page, MAC-Exempt List Tab
Use the MAC Exempt List tab of the AAA Firewall settings policy to identify hosts that should be exempt from authentication and authorization for ASA, PIX, and FWSM 3.x devices. For example, if the security appliance authenticates TCP traffic originating on a particular network but you want to allow unauthenticated TCP connections from a specific server, create a rule permitting traffic from the MAC address of the server.
You can use masks to create rules for groups of MAC addresses. For example, if you want to exempt all Cisco IP phones whose MAC addresses start with 0003.e3, create a permit rule for 0003.e300.0000 with the mask ffff.ff00.0000. (An f in a mask exactly matches the corresponding number in the address, whereas a 0 matches anything.)
Deny rules are necessary only if you are permitting a group of MAC addresses but there are some addresses within the permitted group that you want to require to use authentication and authorization. Deny rules do not prohibit traffic; they simply require the host to go through normal authentication and authorization. For example, if you want to allow all hosts with MAC addresses that start with 00a0.c95d, but you want to force 00a0.c95d.0282 to use authentication and authorization, enter these rules in order:
1.
2.
When you deploy the policy to the device, these entries are configured using the mac-list and aaa mac-exempt commands.
Tip
Navigation Path
To access the MAC Exempt List tab, do one of the following:
•
•
•
Related Topics
•
Field Reference
Table I-50 MAC-Exempt List Tab, AAA Firewall Settings Page
MAC-Exempt List Name
The name of the MAC exempt list.
MAC Exempt List table
The MAC exempt rules that you want to implement. The table shows the MAC addresses and masks (in hexadecimal) and whether you are permitting them (exempting them from authentication and authorization) or denying them (making them go through standard authentication and authorization). The device processes the entries in order and uses the first match (not the best match).
•
•
•
Firewall AAA MAC Exempt Setting Dialog Box
Use the Firewall AAA MAC Exempt Setting dialog box to add and edit exemption entries in the MAC Exempt List table. The security appliance skips authentication and authorization for hosts associated with permitted MAC addresses.
Navigation Path
Go to the AAA Firewall Page, MAC-Exempt List Tab and click the Add Row button beneath the MAC Exempt List table, or select an item in the table and click the Edit Row button.
Related Topics
•
Field Reference
AuthProxy Page
The AuthProxy page for IOS devices is divided into two sections:
Navigation Path
To access the AuthProxy page, do one of the following:
•
•
•
Related Topics
•
AuthProxy General Tab (IOS)
Navigation Path
To access the AuthProxy General page, do one of the following:
•
•
•
Related Topics
•
Field Reference
AuthProxy Timeout Tab (IOS)
Navigation Path
To access the AuthProxy Timeout page for IOS devices, do one of the following:
•
•
•
Related Topics
•
Field Reference
Firewall AAA IOS Timeout Value Setting Dialog Box
Use the Firewall AAA IOS Timeout Value Setting dialog box to set inactivity and cache time, absolute time, and authentication proxy methods for interfaces on IOS devices.
Navigation Path
To access the Firewall AAA IOS Timeout Value Setting dialog box for IOS devices, do one of the following:
•
•
Related Topics
•
Field Reference
Web Filter Settings Page
Use the Web Filter settings page to configure the web filter servers and other settings to use with your web filter rules policy.
You must install and configure the web filter servers as directed by the documentation for the server before configuring and deploying this policy. Security Manager cannot confirm that the servers exist or that are configured correctly.
Tip
Navigation Path
To access the Web Filter settings page, do one of the following:
•
•
•
Related Topics
•
•
•
Field Reference
Table I-55 Web Filter Page
Web Filter Server Type
The type of web filter server you are using:
•
•
•
TipWeb Filter Servers table
The servers that the device should use for web filtering. Enter the servers in priority order; the device uses the first one in the list until it fails to respond, and moves to the next server in the list until it receives a response.
If you select None for filter type, this list is ignored.
•
•
•
Allow Traffic when Servers Unreachable
Whether the device should allow web traffic if the web filter servers are not responding. If you do not select this option, all web access is prevented until the servers come back online.
If you allow web traffic when the servers are down, the web requests are not filtered and access to all web servers is allowed.
Enable Alerts
Whether to generate stateful packet inspection alert messages on the console.
Enable Audit Trail
Whether audit trail messages are logged to the syslog server or router.
Enable Web Filter Server Logging
Whether to send system messages to the URL filtering server for logging. The device sends a log request immediately after the URL lookup request. The log request contains the URL, hostname, source IP address, and the destination IP address. The server records the log request into its own log server so your can view this information as necessary.
Cache Size
The maximum number of destination IP addresses (and their authorization status) that can be cached in the device. The default value is 5000.
When the cache reaches 80% full, the device starts removing older inactive entries.
Maximum Requests
The maximum number of outstanding requests that can exist at any given time. If the specified number is exceeded, new requests are dropped. The default is 1000.
Packet Buffer
The maximum number of HTTP responses that can be stored in the packet buffer of the device while it waits for the web filter server to allow or deny the request. The device drops responses when the maximum is reached. The default (and maximum) value is 200.
When users make web requests, the device simultaneously sends the request to the web site and to the web filtering server. If the response from the web site is received before the server provides a permit or deny response, the device keeps the request in the packet buffer until it gets a response from the server.
The response is removed from the buffer when the server responds or if the device determines that the server is unavailable and you also selected Allow Traffic when Servers Unreachable.
Cache Match Criteria
How to cache web requests:
•
•
URL Buffer Memory
(ASA 7.2+, PIX 7.2+ only.)
The size of the URL buffer memory pool in KB. Values are 2 to 10240.
Maximum Allowed URL Size
(ASA 7.2+, PIX 7.2+ only.)
The maximum allowed URL size in KB for each URL being buffered. The possible values differ depending on server type:
•
•
Cache Size
The size of the cache, in KB, for storing responses from the filtering server. Values are 1 to 128.
Caching stores URL access privileges in memory on the security appliance. When a host requests a connection, the security appliance first looks in the URL cache for matching access privileges instead of forwarding the request to the Websense server.
URL Block Buffer Limit
The size of the buffer for storing web server responses while waiting for a filtering decision from the filtering server. The values are 1 to 128, which specifies the number of 1550-byte blocks.
Web Filter Server Configuration Dialog Box
Use the Web Filter Server Configuration dialog box to configure the external web filter servers you want to use with your Web Filter Rules policies. You can configure Websense or Smartfilter (N2H2) servers.
Navigation Path
From the Web Filter Settings Page, click Add Row beneath the Web Filter Servers table, or select a row and click Edit Row.
Related Topics
•
•
•
Field Reference
Zone Based Firewall Page
Use the Zone Based Firewall page to configure and identify unreferenced zones, specify a VPN zone, enable or disable WAAS support, maintain Trend Micro server and certificate information, and specify global Log settings on supported ASR devices.
The following tabs are described in the table on this page:
•
•
•
•
The Content Filtering tab is detailed in Zone Based Firewall Page - Content Filter Tab.
Navigation Path
To access the Zone Based Firewall page, do one of the following:
•
•
•
Related Topics
•
•
•
Field Reference
Table I-57 Zone Based Firewall Page
Zones tab
This tab displays the Zones table, which lists unreferenced zones; that is zones without any associated interfaces, rules or policies. Unreferenced zones are usually found and listed during device discovery, but you also can create named, "empty" zones here.
The Zones table lists the following information for each unreferenced zone:
•
•
•
To add a zone to this table, click the Add Row button and provide a Zone name in the Zone dialog box.
VPN tab
This tab presents the VPN Zone field; a zone entry in this field ensures that dynamic VPN traffic can be processed by the zone-based firewall rules on this router. See Using VPNs with Zone-based Firewall Policies, page 11-65 for more information about this zone.
Enter or Select the zone through which VPN traffic will pass.
WAAS tab
This tab presents the Enable WAAS check box. Select this option to enable Wide Area Application Services interoperability.
If this option is not enabled, packets being optimized by a WAAS device may be dropped because WAAS increases the TCP packet sequence number during the TCP handshake. This behavior may be viewed as a possible attack by the IOS device.
Content Filtering tab
This tab displays server settings and certificate links for Trend Micro-based content filtering. For more information, see Zone Based Firewall Page - Content Filter Tab.
Global Parameters (ASR) tab
This tab displays global, logging-related settings specific to ASR devices. Configure these settings as follows:
•
•
•
•
Zone Based Firewall Page - Content Filter Tab
To use Trend Micro-based content filtering, you must configure contact information for the Trend Micro server on this tab of the Zone Based Firewall page. This tab also provides links to Trend Micro registration and certificate download. You must have an active subscription with Trend Micro to utilize this form of content filtering, and you must download and install a valid subscription certificate on this IOS device.
Navigation Path
To access the Zone Based Firewall page, do one of the following:
•
•
•
Related Topics
•
•
•
•
Field Reference
Zone Dialog Box
Use the Add and Edit Zone dialog boxes to add and edit unreferenced zones.
Navigation Path
To access the Add and Edit Zone dialog boxes, do one of the following:
•
•
•
Enter a zone name in the Zone field, or click Select to choose one from the Interfaces Selector dialog box.
Related Topics
•
•
Add and Edit Rule Section Dialog Boxes
Use the Add and Edit Rule Section dialog boxes to add or edit a user-defined section heading in a rules table.
Navigation Path
Do one of the following:
•
•
Related Topics
•
•
Field Reference
