No.

Identifies the ordered rule number in the table.

Permit

Whether the rule permits or denies traffic based on the conditions set.

•Permit—Shown as a green check mark.

•Deny—Shown as a red circle with slash.

Source

Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:

•Understanding Network/Host Objects, page 8-65.

•Understanding Interface Role Objects, page 8-33.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destination

Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:

•Understanding Network/Host Objects, page 8-65.

•Understanding Interface Role Objects, page 8-33.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Service

Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33.

For example:

•All DMZs

•All FastEthernets

•All Interfaces

•FastEthernet0

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Action

Identifies the AAA methods.

•Authentication—indicates that the rule controls traffic based on who the user is.

•Authorization—indicates that the rule controls traffic based on what the user is allowed to do.

•Accounting—indicates that the rule controls traffic based on what the user did.

AuthProxy

Identifies the authentication proxy method used for IOS devices.

Server Group

Identifies the AAA server group.

Note The AAA server group must have at least one AAA server defined.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button

Click this button to select tools that you can use with this type of policy. You can select from the following tools:

•Combine Rules—To improve performance and memory usage by combining similar rules. This reduces the number of rules in the policy. See Combining Rules, page 11-9.

•Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.

Up Row and Down Row buttons (arrow icons)

Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

•An enabled rule is shown without hash marks.

•A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

Authentication Action

When selected, indicates that the rule controls traffic based on who the user is.

Authorization Action (PIX/ASA/FWSM)

When selected, indicates that the rule controls traffic based on what the user is allowed to do.

Accounting Action (PIX/ASA/FWSM)

When selected, indicates that the rule controls traffic based on what the user did.

Action

Describes what should occur based on the conditions set.

•Permit—Allows traffic.

•Deny—Denies traffic.

Sources

Destinations

The source or destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

•Host IP address, for example, 10.10.10.100.

•Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

•A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

•Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33.

If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Services

The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.

You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Note Due to an issue in PIX 6.3 and FWSM devices, when a source port is specified in an AAA ACL, no traffic is authenticated. Therefore, the source address is ignored when the CLI is generated.

AAA Server Group (PIX,ASA,FWSM)

Identifies the AAA server group. See Understanding AAA Server and Server Group Objects, page 8-15.

Enter the AAA Server Object in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33.

For example:

•All DMZs

•All FastEthernets

•All Interfaces

•FastEthernet0

Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

HTTP Traffic Type Applies to Authentication Proxy (IOS)

When selected, specifies HTTP to trigger the authentication proxy.

FTP Traffic Type Applies to Authentication Proxy (IOS)

When selected, specifies FTP to trigger the authentication proxy.

Telnet Traffic Type Applies to Authentication Proxy (IOS)

When selected, specifies Telnet to trigger the authentication proxy.

Authentication

When selected, indicates that the rule controls traffic based on who the user is. Authentication provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption. Authentication is the way a user is identified prior to being allowed access to the network and network services.

Authorization (PIX/ASA)

When selected, indicates that the rule controls traffic based on what the user is allowed to do. Authorization provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP and Telnet. AA authorization works by assembling a set of attributes that describe what the user is authorized to perform.

Accounting (PIX/ASA)

When selected, indicates that the rule controls traffic based on what the user did. Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming.

HTTP

Specifies HTTP to trigger the authentication proxy.

FTP

Specifies FTP to trigger the authentication proxy.

Telnet

Specifies Telnet to trigger the authentication proxy.

AAA Server Group

Identifies the AAA Server Group.

Enter the AAA Server Object in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

No.

The ordered rule number.

Permit

Whether a rule permits or denies traffic based on the conditions set:

•Permit—Shown as a green check mark.

•Deny—Shown as a red circle with slash.

Source

Destination

The source and destination addresses for the rule. The "any" address does not restrict the rule to specific hosts, networks, or interfaces. These addresses are IP addresses for hosts or networks, network/host objects, interfaces, or interface roles. Multiple entries are displayed as separate subfields within the table cell. See:

•Understanding Network/Host Objects, page 8-65

•Understanding Interface Role Objects, page 8-33

Service

The services or service objects that specify the protocol and port of the traffic to which the rule applies. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Interface

The interfaces or interface roles to which the rule is assigned. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33.

Dir.

The direction of the traffic to which this rule applies:

•In—Packets entering the interface.

•Out—Packets exiting the interface.

Options

The additional options configured for the rule. These include logging, time range, and some additional IOS rule options. See Advanced and Edit Options Dialog Boxes.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

The description of the rule, if any.

Expiration Date

The date that the rule expires. Expired rules show Expired in bold text. Expired rules are not automatically deleted.

Tools button

Click this button to select tools that you can use with this type of policy. You can select from the following tools:

•Analysis—To identify rules that overlap or conflict with other rules. See Generating Analysis Reports, page 11-24.

•Combine Rules—To improve performance and memory usage by combining similar rules. This reduces the number of rules in the policy. See Combining Rules, page 11-9.

•Hit Count—To identify the number of times that traffic for a device is permitted or denied based on an access rule. This information is useful in debugging the deployed policies. See Generating Hit Count Reports, page 11-26.

•Import Rules—To import rules from an ACL defined using device commands. See Importing Rules, page 11-28.

•Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12

Find and Replace button (binoculars icon)

Click this button to search for various types of items within the table and to optionally replace them. See Finding and Replacing Items in Rules Tables, page 11-6.

Up Row and Down Row buttons (arrow icons)

Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.

Add Row button

Click this button to add a rule to the table after the selected row using the Add and Edit Access Rule Dialog Boxes. If you do not select a row, the rule is added at the end of the local scope. For more information about adding rules, see Adding and Removing Rules, page 11-4.

Edit Row button

Click this button to edit the selected rule. You can also edit individual cells. For more information, see Editing Rules, page 11-5.

Delete Row button

Click this button to delete the selected rule.

Enable Rule

Whether to enable the rule, which means the rule becomes active when you deploy the configuration to the device. Disabled rules are shown overlain with hash marks in the rule table. For more information, see Enabling and Disabling Rules, page 11-8.

Action

Permit or deny traffic based on the conditions defined.

Sources

Destinations

The source or destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

•Host IP address, for example, 10.10.10.100.

•Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

•A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

•Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33.

If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Service

The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.

You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Interfaces

The interfaces or interface roles to which the rule is assigned. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.

Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33.

Description

An optional description of the rule (up to 1024 characters).

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Advanced button

Click this button to configure other settings for the rule, including logging configuration, traffic direction, time ranges, and rule expiration dates. For more information, see Advanced and Edit Options Dialog Boxes.

Enable Logging (PIX, ASA, FWSM)

Whether to generate syslog messages for the rule entries, or ACEs, for PIX, ASA, and FWSM devices. You can select these additional options:

•Default Logging—Use the default logging behavior. If a packet is denied, message 106023 is generated. If a packet is permitted, no syslog message is generated. The default logging interval is 300 seconds.

•Per ACE Logging—Configure logging specific to this entry. Select the logging level you want to use to log events for the ACE, and the logging interval, which can be from 1-600 seconds. Syslog message 106100 is generated for the ACE.

Following are the possible logging levels:

–Emergency—(0) System is unstable

–Alert—(1) Immediate action is needed

–Critical—(2) Critical conditions

–Error—(3) Error conditions

–Warning—(4) Warning conditions

–Notification—(5) Normal but significant condition

–Informational—(6) Informational messages only

–Debugging—(7) Debugging messages

Enable Logging (IOS)

Log Input

Whether to generate an informational logging message about the packet that matches the entry to be sent to the console for IOS devices.

Select Log Input to include the input interface and source MAC address or virtual circuit in the logging output.

Traffic Direction

(Advanced dialog box only)

The direction of the traffic to which this rule applies:

•In—Packets entering an interface.

•Out—Packets exiting an interface.

Time Range

The name of a time range policy object that defines the times when access to the device will be allowed by this rule. The time is based on the system clock of the device. The feature works best if you use NTP to configure the system clock.

Enter the name or click Select to select the object. If the object that you want is not listed, click the Create button to create it.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Options (IOS)

Additional options for IOS devices:

•Fragment—Allow fragmentation, which provides additional management of packet fragmentation and improves compatibility with NFS.

By default, a maximum of 24 fragments is accepted to reconstruct a full IP packet; however, based on your network security policy, you might want to consider configuring the device to prevent fragmented packets from traversing the firewall.

•Established—Allow outbound TCP connections to return access through the device. This option works with two connections: an original connection outbound from a network protected by the device, and a return connection inbound between the same two devices on an external host.

Rule Expiration

(Advanced dialog box only)

Whether to configure an expiration date for the rule. Click the calendar icon to select a date. For more information, see Configuring Expiration Dates for Access Rules, page 11-22.

If you configure an expiration date, you can also configure the number of days before which the rule expires to send out a notification of the pending expiration, and e-mail addresses to which to send the notifications. These fields are initially filled with the information configured on the Rule Expiration administrative settings page (select Tools > Security Manager Administration > Rule Expiration).

Expired rules are not automatically deleted. You must delete them yourself and redeploy the configuration to the device.

No.

Identifies the ordered rule number in the table.

Permit

Whether a rule permits or denies traffic based on the conditions set.

•Permit—Shown as a green check mark.

•Deny—Shown as a red circle with slash.

Source

Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following:

•Understanding Network/Host Objects, page 8-65

•Understanding Interface Role Objects, page 8-33

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destination

Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following:

•Understanding Network/Host Objects, page 8-65

•Understanding Interface Role Objects, page 8-33

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Service

Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33.

For example:

•All DMZs

•All Fast Ethernets

•All Interfaces

•FastEthernet0

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Dir.

(Direction) Identifies traffic direction within a network. Direction is always associated with an interface:

•In—Packets entering a network.

•Out—Packets exiting a network.

Note The Direction parameter is supported on IOS devices only.

Inspected Protocol

Identifies the protocol to be inspected.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization. See Creating Time Range Objects, page 8-92.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button

Click this button to select tools that you can use with this type of policy. You can select from the following tools:

•Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.

Up Row and Down Row buttons (arrow icons)

Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

•An enabled rule is shown without hash marks.

•A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

All Interfaces

Enables you to add an inspection rule that will be associated with all interfaces.

Note Global inspection is supported for PIX and ASA devices only; however, although IOS doesn't support global inspection, it is simulated when you create an IOS inspection rule and apply it globally. Such a rule is applied to all interfaces in the direction "in".

Interface (PIX 7.x, ASA, FWSM 3.x, IOS)

Enables you to add an inspection rule based on an interface.

Traffic Direction

Enables you to further define deep packet inspection by identifying traffic direction within a network:

•In—Packets entering a network.

•Out—Packets exiting a network.

Note Traffic direction is active only when inspection is based on an interface.

Interfaces

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example:

•All DMZs

•All Fast Ethernets

•All Interfaces

•FastEthernet0

This is a required field if you apply the rule to ASA or IOS device interfaces.

Enter the interface information or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33.

Default Protocol Ports

Enables you to inspect traffic based on a default protocol setting. Select this option if you want to inspect a protocol without applying any constraints to the inspected traffic. For a description of the GUI elements, see Table I-11.

Note You must click Next to open the appropriate wizard page.

Limit inspection between source and destination IP addresses (ASA, FWSM 3.x)

When selected, enables you to limit inspection between source and destination IP addresses. This setting applies to PIX 7.0, ASA, and FWSM 3.x devices only. For a description of the GUI elements, see Table I-13.

Note You must click Next to open the appropriate wizard page.

Custom Destination Ports

Enables you to inspect traffic based on TCP or UDP destination ports.

Select this option if you want to associate additional TCP or UDP traffic with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic. For a description of the GUI elements, see Table I-14.

Note You must click Next to open the appropriate wizard page.

Destination Address and Port (IOS)

Enables you to inspect traffic on IOS devices based on destination IP addresses.

Select this option if you want to associate additional traffic with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.1. For a description of the GUI elements, see Table I-15.

Note You must click Next to open the appropriate wizard page.

Source and Destination Address and Port (PIX 7.x, ASA, FWSM 3.x)

Enables you to inspect traffic on ASA and FWSM 3.x devices based on source and destination IP addresses and ports. For a description of the GUI elements, see Table I-16.

Note You must click Next to open the appropriate wizard page.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Protocols table

Lists the protocols that you can inspect. You can select one protocol per rule. The list includes information on the device operating systems that allow inspection of the protocol: do not select protocols that are not supported by the device type on which you will use the inspection rule policy.

The group column provides additional information on the use of some of the protocols.

Selected Protocol

Configure button

Displays the protocol you selected. If the protocol allows additional configuration, the Configure button becomes active; click it to see your options, and click the Help button in the dialog box that is opened for information about the options. For more information about protocols that allow configuration, see Protocols Supporting Configuration Options.

Rule Settings (IOS)

Additional settings for the rule if it is used on devices running Cisco IOS software. If you select Use Default Inspection settings, the IOS defaults, or the settings defined in the inspection settings policy (see Inspection Settings Page), are used. These are the settings you can enable or disable:

•Alert—Whether to generate stateful packet inspection alert messages on the console.

•Audit—Whether audit trail messages are logged to the syslog server or router.

•Timeout—Whether to configure the length of time, in seconds, for which a session is managed while there is no activity. If you select Specify Timeout, enter the timeout value; the range is 5 to 43200 seconds.

•Inspect Router Generated Traffic—Whether to inspect traffic that is generated by the device itself. This option is available for a limited number of the protocols.

DNS

Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are 512-65535. Also, you can configure DNS policy maps and dynamic snooping. For more information, see Configure DNS Dialog Box.

FTP Strict

Enables you to select or create an FTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure FTP strict inspection, no map is required.

GTP

Enables you to select or create a GTP Map object to configure application firewall (PIX/ASA 7.x/FWSM 3.x). To configure GTP inspection, no map is required.

HTTP

Enables you to select or create an HTTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure HTTP inspection, no map is required.

RPC

Requires a program number and wait time (IOS/FWSM 2.x).

•Program number values are 1-4294967295.

•Wait time values are 0-35791.

For more information, see Configure RPC Dialog Box.

SMTP

Sets maximum data length (PIX/FWSM/IOS). Values are 0-4294967295. For more information, see Configure SMTP Dialog Box.

Custom protocol

Requires a custom protocol name. Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination ports 12000, UDP with destination ports 8000-9000. For more information, see Custom Protocol Dialog Box.

ESMTP

Sets maximum data length (PIX/ASA/FWSM 3.x/IOS). Values are 0-4294967295. For more information, see Configure ESMTP Dialog Box.

Fragment

Sets maximum fragments and timeout values (IOS).

•Fragment values are 0-10000.

•Timeout values are 1-1000.

For more information, see Configure Fragments Dialog Box.

IMAP

Includes optional settings for retrieving email (IOS). For more information, see Configure IMAP Dialog Box.

POP3

Includes optional settings for retrieving email (IOS). For more information, see Configure POP3 Dialog Box.

Action

Describes what should occur based on the conditions set.

•Permit—Allows traffic

•Deny—Denies traffic

Sources

Destinations

The source or destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

•Host IP address, for example, 10.10.10.100.

•Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

•A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

•Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33.

If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.

Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Protocol

•TCP

•UDP

•TCP/UDP

Ports

Specifies port information. Values are 1-65535.

•Single—Identifies a single port value. When selected, requires a port value.

•Range—Identifies a range of port values. When selected, requires a range of port values.

Note Port range values might not be supported on all platforms or OS versions. In such cases, a validation error results.

Destinations

The destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types to define the destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

•Host IP address, for example, 10.10.10.100.

•Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

•A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

Protocol

The protocol for the traffic, either TCP, UDP, or both (TCP/UDP).

Ports

•Single—Identifies a single port value. Values are 1-65535.

•Range—Identifies a range of port values. Values are 1-65535.

Action

Describes what should occur based on the conditions set.

•Permit—Allows traffic.

•Deny—Denies traffic.

Sources

Destinations

The source or destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

•Host IP address, for example, 10.10.10.100.

•Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

•A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

•Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33.

If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Services

The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.

You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Time Range

Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization.

Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box.

Note Time range is not supported on FWSM 2.x or PIX 6.3 devices.

Maximum DNS Packet Length

The maximum DNS packet length. Values are 512 to 65535.

DNS Map

The DNS policy map object that defines traffic match conditions and actions, protocol conformance policies, and filter settings. Enter the object name, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Enable Dynamic Filter Snooping

Whether to allow the security appliance to snoop DNS packets in order to build a database of DNS lookup information. This information is used by botnet traffic filtering to match DNS names to IP addresses.

If you configure a botnet traffic filtering rules policy, select this option. Otherwise, do not select the option.

Maximum Data

Values are 0 to 4294967295.

Custom Protocol Name

Identifies the name associated with the custom protocol.

Maximum Data

Values are 0 to 4294967295.

Maximum Fragments

Specifies the maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. Values are 0-10000 state entries. Default is 256.

Note Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

Timeout (sec)

Configures the number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. Values are 1 to 1000. Default timeout value is one second.

If this number is set to a value greater that one second, it is automatically adjusted by the Cisco IOS software when the number of free state structures goes below certain thresholds:

•When the number of free states is less than 32, the timeout is divided by two.

•When the number of free states is less than 16, the timeout is set to one second.

Reset Connection on Invalid IMAP packet

When selected, requires that the client/server communication repeat the validation process from the time the TCP connection is initialized until the client is authenticated.

Enforce Secure Authentication

When selected, allows you to download external IMAP email only if authentication methods are secure, which generates the secure-login command.

Reset Connection on Invalid POP3 packet

When selected, requires that the client/server communication repeat the validation process from the time the TCP connection is initialized until the client is authenticated.

Enforce Secure Authentication

When selected, allows you to download external POP3 email only if authentication methods are secure, which generates the secure-login command.

Program Number

Specifies the program number to permit. Values are 1 to 4294967295.

Wait Time

Specifies the number of minutes to keep a small hole in the firewall to allow subsequent connections from the same source address and to the same destination address and port. Values are 0 to 35791 minutes. Default is zero.

Platform radio buttons

Enables you to select the device type, which then enables you to enter the information in the field provided or click Select, which opens the appropriate Selector dialog box from which to make your selection.

Enable Dynamic Blacklist From Server

Enables downloading of the dynamic database from the Cisco update server. If you do not have a database already installed on the security appliance, it downloads the database after approximately 2 minutes. The update server determines how often the security appliance polls the server for future updates, typically every hour.

Note If the device is in multiple context mode, configure this option on the System context for that device.

Use Dynamic Blacklist

Enables use of the dynamic database for the Botnet Traffic Filter.

Note In multiple context mode, you configure use of the database on a per-context basis.

Interfaces

The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.

You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override the global settings.

Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33.

ACL

Specifies the access-list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic.

To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects, page 8-23.

No.

Identifies the ordered rule number in the table.

Permit

Whether a rule permits or denies traffic based on the conditions set.

•Permit—Shown as a green check mark.

•Deny—Shown as a red circle with slash.

EtherType

Specifies Ethernet packet type.

•Supports PIX/FWSM/ASA EtherType access-lists:

–IPX

–BPDU—Spanning Tree Bridge Protocol Data Units

–MPLS-UNICAST

–MPLS-MULTICAST

–Other—Any valid hex value from 0x600-0xFFFF.

•Supports IOS devices:

–Other—Any valid hex value from 0x0-0xFFFF.

Mask

Identifies a 16-bit hexadecimal number whose ones bits correspond to bits in the type-code argument that should be ignored when making a comparison. (A mask for a DSAP/SSAP pair should always be at least 0x0101. This is because these two bits are used for purposes other than identifying the SAP codes.)

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33.

For example:

•All DMZs

•All FastEthernets

•All Interfaces

•FastEthernet0

Enter interface information, or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. The access-group command is generated for the interface role selected for PIX/FWSM/ASA. The bridge-group command is generated as a subcommand of the interface role.

Dir.

(Direction) Identifies traffic direction within a network. Direction is always associated with an interface:

•In—Packets entering a network.

•Out—Packets exiting a network.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Note For PIX/FWSM/ASA, the description is mapped to access-list remark.

Up Row and Down Row buttons (arrow icons)

Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

•An enabled rule is shown without hash marks.

•A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

Action

Describes what should occur based on the conditions set.

•Permit—Allows traffic.

•Deny—Denies traffic.

Interfaces

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33.

For example:

•All DMZs

•All Fast Ethernets

•All Interfaces

•FastEthernet0

Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. The access-group command is generated for the interface role selected for PIX/FWSM/ASA. The bridge-group command is generated as a subcommand of the interface role.

Traffic Direction

Identifies traffic direction within a network. Direction is always associated with an interface.

•In—Packets entering a network.

•Out—Packets exiting a network.

EtherType

Specifies Ethernet packet type.

•Supports PIX/FWSM/ASA EtherType access-lists:

–IPX

–BPDU—Spanning Tree Bridge Protocol Data Units

–MPLS-UNICAST

–MPLS-MULTICAST

–Other—Any valid hex value from 0x600-0xFFFF.

•Supports IOS devices:

–Other—Any valid hex value from 0x0-0xFFFF.

Wildcard Mask (IOS)

Identifies a 16-bit hexadecimal number whose ones bits correspond to bits in the type-code argument that should be ignored when making a comparison. (A mask for a DSAP/SSAP pair should always be at least 0x0101. This is because these two bits are used for purposes other than identifying the SAP codes.)

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Note For PIX/FWSM/ASA, the description is mapped to access-list remark.

EtherType

Specifies Ethernet packet type.

•Supports PIX/FWSM/ASA EtherType access-lists:

–IPX

–BPDU—Spanning Tree Bridge Protocol Data Units

–MPLS-UNICAST

–MPLS-MULTICAST

–Other—Any valid hex value from 0x600-0xFFFF.

•Supports IOS devices:

–Other—Any valid hex value from 0x0-0xFFFF.

Wildcard Mask (IOS)

Identifies a 16-bit hexadecimal number whose ones bits correspond to bits in the type-code argument that should be ignored when making a comparison. (A mask for a DSAP/SSAP pair should always be at least 0x0101. This is because these two bits are used for purposes other than identifying the SAP codes.)

No.

Identifies the ordered rule number in the table.

Source

Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See:

•Understanding Network/Host Objects, page 8-65.

•Understanding Interface Role Objects, page 8-33.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

Destination

Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See:

•Understanding Network/Host Objects, page 8-65.

•Understanding Interface Role Objects, page 8-33.

Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object.

Service

Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value.

Type

Displays filtering parameters.

Options

Displays additional configuration options for the selected protocol.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Tools button

Click this button to select tools that you can use with this type of policy. You can select from the following tools:

•Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.

Up Row and Down Row buttons (arrow icons)

Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7.

Add button

Adds a rule to the table.

Edit button

Edits an existing rule in the table.

Delete button

Deletes a rule from the table.

Enable Rule

When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed.

When viewing the main rules tables:

•An enabled rule is shown without hash marks.

•A disabled rule is shown with hash marks.

Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes.

Filtering

Lists options for handling filtering:

•Filter—Limits traffic to particular sites and limits traffic between two entities.

•Filter Except—Exempts specific traffic from filtering.

Note Filter except rules are recognized before filter rules.

Type

Describes what should be filtered.

•URL—HTTP filtering using an external filtering server, such as Websense or N2H2.

•HTTPS—Supported on Websense filtering servers only.

•Java—Supported on Websense and N2H2 servers.

•ActiveX—Supported on Websense and N2H2 servers.

•FTP—Supported on Websense filtering servers only.

Sources

Destinations

The source or destination of the traffic. You can enter more than one value by separating the items with commas.

You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.

•Host IP address, for example, 10.10.10.100.

•Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.

•A range of IP addresses, for example, 10.10.10.100-10.10.10.200.

•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

•Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33.

If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.

Services

The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.

You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.

Note The Services field is not applicable when Filter Except is selected.

Allow traffic if URL Filter Server unavailable

When selected, permits outbound connections to pass through the security appliance without filtering if the server is unavailable.

If you omit this option and if the N2H2 or Websense server goes offline, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back online.

Block connection to HTTP Proxy Server.

When selected, prevents users from connecting to an HTTP proxy server.

Truncate CGI request by removing CGI parameters.

When selected, truncates CGI URLs to include only the CGI script location and the script name without any parameters.When a URL has a parameter list starting with a question mark (?), the URL sent to the filtering server is truncated by removing all characters after and including the question mark.

Long URL

Lists options for handling long URLs:

•Drop—Drops the packet if a URL exceeds the maximum permitted size. (Default). To avoid this, you can set the security appliance to truncate a long URL

•Truncate—Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.

•Deny—Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.

Note Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed.

Filtering

Lists options for handling filtering:

•Filter—Limit traffic to particular sites, and limits traffic between two entities.

•Filter Except—Exempts specific traffic from filtering.

Note Filter Except rules are recognized before filter rules.

Action

Describes what should occur based on the conditions set.

•Permit—Allows traffic.

•Deny—Denies traffic.

Allow traffic if URL Filter Server unavailable

When selected, permits outbound connections to pass through the security appliance without filtering if the server is unavailable.

Note If you omit this option and if the N2H2 or Websense server goes offline, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back online.

Block connection to HTTP Proxy Server

When selected, prevents users from connecting to an HTTP proxy server.

Truncate CGI request by removing CGI parameters

When selected, truncates CGI URLs to include only the CGI script location and the script name without any parameters.When a URL has a parameter list starting with a question mark (?), the URL sent to the filtering server is truncated by removing all characters after and including the question mark.

Block outbound traffic if absolute FTP path is not provided

When selected, blocks traffic if an exact path to a particular directory is not specified.

Long URL

Lists options for handling long URLs:

•Drop—Drops the packet if a URL exceeds the maximum permitted size. (Default). To avoid this, you can set the security appliance to truncate a long URL

•Truncate—Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit.

•Deny—Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available.

Note Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server.

Web Filter Rules tab

The URL filtering rules defined for the policy. Each rule shows the interface on which it is defined, whether the rule is applied to incoming or outgoing traffic, and the permitted or denied Java applet sources if Java applet scanning is enabled. You might have more than one rule for an interface if you configure both a permit and deny list for Java applet scanning.

•To add a rule, click the Add Row button and fill in the IOS Web Filter Rule and Applet Scanner Dialog Box.

•To edit a rule, select it and click the Edit Row button.

•To delete a rule, select it and click the Delete Row button.

Exclusive Domains tab

The local web filter list. This list is checked before web requests are sent to the filtering server and applies to all interfaces on which you configure web filtering.

If you know there are specific domains that you will always allow (such as your organization's own domain name), or disallow, you can list them here. By configuring a local filter list, you can improve performance because the device does not need to wait for a response from the filtering server.

•To add a domain, click the Add Row button and fill in the IOS Web Filter Exclusive Domain Name Dialog Box.

•To edit a domain, select it and click the Edit Row button.

•To delete a domain, select it and click the Delete Row button.

Enable Web Filtering

Whether to enable the web filtering rule.

Interface

The interface or interface role to which the rule is assigned. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.

Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33.

Traffic Direction

The direction of the traffic to which this rule applies:

•In—Packets entering an interface.

•Out—Packets exiting an interface.

Java Applet Scanning

Enable Java Applet Scanner

If you select Enable Java Applet Scanning, the device checks for the presence of Java applets in HTTP traffic coming from web servers to internal hosts. If a Java applet is present and the web server (applet source) is in the list of permitted sources, the Java applet is left unmodified in the HTTP traffic. Otherwise, the Java applets are removed from HTTP pages.

Tip When you enable web filtering, Java applets are inspected, which can affect performance. By enabling the Java applet scanner, you can identify a list of permitted or denied sources and avoid inspection for those applets. Even if you do not want to deny any sources, enable scanning and permit the any source.

Permit Traffic

Applet Sources

The list of permitted or denied source addresses for Java applets. To configure a list of permitted or denied sources:

•Select either Permit from Specified Sources or Deny from Specified Sources. If you want to create both a permit and deny list, create two separate web filter rules. If you do not configure a permit list, all sources are denied.

•Enter the list of permitted or denied addresses in the Applet Sources field. The list can include host IP addresses, network addresses, address ranges, or network/host objects, but cannot include domain names. Separate multiple addresses with commas. For more information on entering addresses, see Specifying IP Addresses During Policy Definition, page 8-68.

Traffic

Whether you want to permit access to the listed web sites or deny access to them.

Domain Name

The domain names or host IP addresses of web sites that you are permitting or denying. Separate multiple entries with commas.

For domain names, you can enter a full or partial name. For example, cisco.com covers all web servers on the cisco.com domain, whereas www.cisco.com specifies only the www web server.

Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Adding and Editing Zone-based Firewall Rules for information about enabling and disabling these rules.)

No.

This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule.

Permit

Indicates whether the rule permits or denies traffic.

•Permit—Shown as a green check mark.

•Deny—Shown as a red circle with a slash.

Source

Identifies source networks and hosts for this rule. Networks/hosts can be provided as named objects, or as IP addresses. See Understanding Network/Host Objects, page 8-65 for more information.

Destination

Identifies destination networks and hosts for this rule. Networks and hosts can be provided as named objects, or as IP addresses. See Understanding Network/Host Objects, page 8-65 for more information.

Service

The services that define the types of traffic matched by this rule. Services are defined by objects that specify protocol and port information. See Understanding and Specifying Services and Service and Port List Objects, page 8-75 for more information.

From Zone

This rule applies only to traffic originating from this zone.

To Zone

This rule applies only to traffic destined for this zone.

Inspected Protocol

The protocol(s) on which the rule performs the chosen Action.

Action

Identifies how matched protocols are processed:

•Drop - Matched traffic is silently dropped. The default action for all traffic.

•Drop and Log - Matched traffic is logged and dropped.

•Pass - The router forwards matched traffic from the source zone to the destination zone.

•Pass and Log - Traffic is logged and forwarded.

•Inspect - State-based traffic control; Inspect can provide application inspection and control for certain protocols, based on Port to Application Mapping (PAM).

•Content Filter - HTTP content inspection based on a WebFilter parameter map, or a WebFilter policy map.

Note The Log options generate system-log messages; you must ensure that syslog logging is configured to capture these messages.

Options

The Inspect Parameter map assigned to this rule; available only with Inspect and Content Filter actions.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Description

The description of this rule, if provided. A maximum of 1024 characters is allowed.

Tools button

Click this button to select tools that you can use with this type of policy. You can select from the following tools:

•Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12

Find and Replace button (binoculars icon)

Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6.

Up button

Moves the selected rule up one row in the table.

Down button

Moves the selected rule down one row in the table.

Add button

Opens the Add Zone-based Firewall Rule dialog box, where you can create a new rule.

Edit button

Used to edit the selected rule in the table; opens the Edit Zone-based Firewall Rule dialog box.

Delete button

Deletes the selected rule from the table.

Enable Rule

When selected, the rule is enabled on the device after the configuration is generated and deployed. Deselect this option to disable the rule without deleting it.

Define the traffic flow to which this rule is applied.

Match

Choose whether to Permit or Deny matched traffic.

Sources

Destinations

Provide the source networks/hosts and destination networks/hosts for matching traffic. Each field allows multiple values separated by commas.

You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.

•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects in the selection dialog box.

•Host IP address; for example, 10.10.10.100.

•Network address, including subnet mask, in either 10.10.10.0/24 or 10.10.10.0/255.255.255.0 formats.

•A range of IP addresses; for example, 10.10.10.100-10.10.10.200.

•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).

Services

Specify the services that define the type of traffic to matched by this rule. You can enter any combination of service objects and service types (which are typically a protocol and port combination), separated by commas.

If you type in a service, you are prompted as you type with valid values. You also can click Select to select services from a list.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.

From Zone

To Zone

Basic zone-based firewall rules are unidirectional; that is, they define a traffic flow that moves in only one direction between two zones.

Enter or Select the zone from which traffic flows can originate for this rule, and enter or Select the zone to which traffic can flow.

Advanced button

Opens the Advanced Options dialog box where you can select time-range options. See Zone-based Firewall Rule: Advanced Options Dialog Box.

The action applied to traffic that matches this rule. Choose the desired Action:

Action: Drop, Drop and Log, Pass, Pass and Log

•Drop - Silently drops all packets for the specified Services. The default action for all traffic.

•Drop and Log - Matched traffic is logged and dropped.

•Pass - The router forwards matched packets from the source zone to the destination zone. Return traffic is not recognized, so you have to specify additional rules for return traffic. This option is useful only for protocols such as IPsec-encrypted traffic.

•Pass and Log - Traffic is logged and forwarded.

For any of these Actions, you can select one or more protocols to be matched by clicking the Select button next to the Protocol table to open the Protocol Selector Dialog Box. However, this is not necessary; you can leave the Protocol table empty and pass or drop traffic based on the Sources, Destinations, and Services parameters.

The Protocol Selector dialog box also provides access to the Configure Protocol Dialog Box, where you can edit the Port Application Mapping (PAM) parameters for the selected protocol.

Note The Log options generate system-log messages; you must ensure that syslog logging is configured to capture these messages.

Action: Inspect

Inspect provides state-based traffic control—the device maintains connection or session information for TCP and UDP traffic, meaning return traffic in reply to connection requests is permitted.

Choose this option to apply packet inspection based on your selected Layer 4 (TCP, UDP) and Layer 7 (HTTP, IMAP, instant messaging, and peer-to-peer) protocols. You also can edit PAM settings for the selected protocols, and you can set up deep packet inspection (DPI) and provide additional protocol-related information for the Layer 7 protocols. See Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57 for more information.

1. You can select one or more protocols for inspection by clicking the Select button next to the Protocol table to open the Protocol Selector Dialog Box.

2. The Protocol Selector dialog box also provides access to the Configure Protocol Dialog Box, where you can create custom protocols, and edit the PAM and DPI parameters for the selected protocol.

3. Inspect Parameters - You can apply a customized set of connection, timeout, and other settings by entering the name of an Inspect Parameter map in this field, or you can click Select to select one from a list. You also can create new Inspect Parameter maps from the selection-list dialog box; see Add or Edit Inspect Parameter Map Dialog Boxes, page F-74 for more information.

If you do not specify an Inspect Parameters map, the default settings are used.

Action: Content Filter

Content Filter provides URL filtering based on a supplied parameter or policy map. The router intercepts HTTP requests, performs protocol-related inspection, and optionally contacts a third-party server to determine whether the requests should be allowed or blocked. You can provide a WebFilter parameter map, which defines filtering based on local URL lists, as well as information from an external SmartFilter (previously N2H2) or Websense server. Alternately, you can provide a WebFilter policy map that accesses Local, N2H2, Websense, or Trend Micro filtering data.

1. When Content Filter is the chosen Action, HTTP is the specified Protocol. You can click Configure to open the Configure Protocol Dialog Box, where you can edit the HTTP PAM settings, and apply an HTTP DPI map.

2. Select WebFilter Parameter Map, or WebFilter Policy Map, and supply the name of an appropriate map. You can click the appropriate Select button to select the map from a list; you also can create new maps from the selection-list dialog box. See Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59 for information about configuring these maps.

3. Inspect Parameters - You can apply a customized set of connection, timeout, and other settings by entering the name of an Inspect Parameter map in this field, or you can click Select to select one from a list. You also can create new Inspect Parameter maps from the selection-list dialog box; see Add or Edit Inspect Parameter Map Dialog Boxes, page F-74 for more information.

If you do not specify an Inspect Parameters map, the default settings are used.

Description

(Optional) You can enter a description of up to 1024 characters to help you identify the rule when viewing the rules table.

Category

(Optional) You can assign a category to the rule, to help you organize and identify rules and objects. See Using Category Objects, page 8-6.

Time Range

This feature lets you define time periods during which this zone-based firewall rule is active. If you do not specify a time range, the rule is immediately and always active.

Enter the name of a time-range object, or click Select to choose one from a list in the Time Ranges Selector dialog box. You can create and edit time-range objects from this dialog box. See Creating Time Range Objects, page 8-92 for more information.

Options

This feature lets you apply a packet-fragment or an established-connection restriction to this zone-based firewall rule. Choose one of the following options:

•None - No packet-fragment or established-connection restrictions are applied.

•Fragment - If chosen, non-initial packet fragments are blocked.

•Established - Permits return traffic only for connections already established.

Available Protocols

A list of protocols that can be selected for a zone-based firewall rule.

Tip You can create a custom protocol by clicking the Create button below the Selected Protocols column.

Selected Protocols

The list of protocols you have selected for this zone-based firewall rule.

Tip You can edit Port Application Mapping (PAM) settings for the protocol highlighted in the Selected Protocols column: click the Edit button below the Selected Protocols column to open the Configure Protocol Dialog Box.

>> button

Moves the highlighted protocols from the Available Protocols column to the Selected Protocols column. You can select multiple protocols using the standard Shift-click and Ctrl+click functions.

<< button

Moves the highlighted protocols from the Selected Protocols column back to the Available Protocols column. You can select multiple protocols using the standard Shift-click and Ctrl+click functions.

Protocol Name

The name of the selected protocol. If you are creating a custom protocol, you can enter a name of up to 19 characters. Custom protocol names must begin with user-.

Enable Signature

This option is available only when editing the peer-to-peer (eDonkey, FastTrack, Gnutella, Kazaa2) protocols.

Select this option to enable signature-based classification of peer-to-peer (P2P) packets.

Deep Inspection

This option is available only when editing the H.323, HTTP, IM (AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger), IMAP, P2P (eDonkey, FastTrack, Gnutella, Kazaa2), POP3, SIP, SMTP, Sun RPC protocols, and Inspect is the chosen Action for the zone-based firewall rule.

Enter or Select the name of the Inspect policy map to be used with the selected protocol. See Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57 for more information about these policy maps.

Protocol Info

This option is available only when editing the Instant Messaging (AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger) and the Stun-ice protocols.

Enter or Select the name of the Protocol Info parameter map to be used with the selected protocol. These parameter maps define the DNS servers that interact with these applications, which helps the Instant Messaging (IM) application engine recognize the IM traffic and enforce the configured policy for that IM application.

See Add or Edit Protocol Info Parameter Map Dialog Boxes, page F-76 for more information about these parameter maps.

These options let you customize the Port Application Mapping (PAM) parameters for the selected protocol.

Protocol

Select the transport protocol(s) for this mapping:

•TCP/UDP

•TCP

•UDP

Ports

Enter any combination of a single port number, multiple port numbers, or a range of ports (for example, 60000-60005). Separate multiple entries with commas. Do not specify a range that overlaps already mapped ports.

Networks

If this protocol/port mapping is only for specific networks or hosts, enter the names or IP addresses of the networks or hosts, or the names of the network/host objects. You can click Select to open the Networks/Hosts Selector. Separate multiple entries with commas.

Maximum number of concurrent flows (PIX, ASA, FWSM)

The maximum number of concurrent deny flows that the device is allowed to create. Syslog message 106101 is generated when the device reaches the number. The range you should use depends on the amount of flash memory available in the device:

•More than 64 MB—Values are 1-4096. The default is 4096.

•More than 16 MB—Values are 1-1024. The default is 1024.

•Less than or equal to 16 MB—Values are 1-256. The default is 256.

Syslog interval (PIX, ASA, FWSM)

The interval of time for generating syslog message 106101, which alerts you that the security appliance has reached a deny flow maximum. When the deny flow maximum is reached, another 106101 message is generated if the specified number of seconds has passed since the last 106101 message. Values are 1 to 3600 milliseconds. The default is 300.

Enable Access List Compilation (Global)

Whether to compile access lists, which speeds up the processing of large rules tables. Compilation optimizes your policy rules and performance for all ACLs, but is supported on a limited number of older platforms:

•Routers (global configuration only): 7120, 7140, 7200, 7304, and 7500.

•PIX 6.3 firewalls, in global mode or per interface.

ACL compilation speeds up the processing of large rules tables and optimizes your policy rules and performance. An ACL is compiled only if the number of access list elements is greater than or equal to 19. The maximum recommended number of entries is 16,000.

To compile access lists, the device must have a minimum of 2.1 MB of memory for the device. Access list compilation is also known as Turbo ACL.

Interfaces table

The table lists the interfaces for which you want to configure special processing. The interface name can be a specific interface or an interface role (which can apply settings to more than one interface at a time).

The main use of this table is to configure names for ACLs if you do not want Security Manager to configure system-generated names. The name applies to the ACL generated for an interface in a specific direction.

You can also configure interface-level settings for object group search, per user downloadable ACLs, and ACL compilation.

•To add an interface setting, click the Add button and fill in the Firewall ACL Setting Dialog Box.

•To edit an interface setting, select it and click the Edit button.

•To delete an interface setting, select it and click the Delete button.

Interface

A name of the interface or interface role for which you are configuring settings. Enter the name or click Select to select the interface or interface role. If the object that you want is not listed, click the Create button to create it.

Traffic Direction

The direction of the traffic through the interface, in or out. The settings you configure apply only to this direction, if direction matters.

User Defined ACL Name

Whether you want to supply the name for the ACL. If you select this option, enter the name you want to use, which is applied to the ACL generated for the interface and direction combination. The name must be unique on the device.

If you do not provide a name, Security Manager generates a name for you.

Enable Per User Downloadable ACLs (PIX, ASA, FWSM)

Whether to enable the download of per-user ACLs to override the ACLs on the interface. Typically, user ACLs are configured in a AAA server; they are not configured in Security Manager. If there are no per-user ACLs, the access rules configured for the interface are applied to the traffic.

Enable Object Group Search (PIX 6.x)

Whether to enable object group search, which reduces the memory requirement on the device to hold large ACLs. However, object group search impacts performance by making ACL processing slower for each packet.

Object group search is recommended when you have large object groups.

Enable Access List Compilation (PIX 6.x)

Whether to compile access lists on this interface for PIX 6.x devices. This setting overrides the equivalent global setting that you configure on the Access Control Settings page.

ACL compilation speeds up the processing of large rules tables and optimizes your policy rules and performance for the interface. An ACL is compiled only if the number of access list elements is greater than or equal to 19. The maximum recommended number of entries is 16,000.

To compile access lists, the device must have a minimum of 2.1 MB of memory for the device.

TCP Establish Timeout (seconds)

How long to wait for a TCP session to reach the established state before dropping the session, in seconds, from 1 to 2147483. The default is 30.

FIN Wait Time (seconds)

How long to maintain TCP session state information after the firewall detects a FIN-exchange, in seconds, from 1 to 2147483. The FIN-exchange occurs when the TCP session is ready to close. The default is 5.

TCP Idle Time (seconds)

How long to maintain a TCP session while there is no activity in the session, in seconds, from 1 to 2147483. The default is 3600 (one hour).

UDP Idle Time (seconds)

How long to maintain a UDP session while there is no activity in the session, in seconds, from 1 to 2147483. The default is 30.

When the software detects a valid UDP packet, the software establishes state information for a new UDP session. Because UDP is a connectionless service, there are no actual sessions, so the software approximates sessions by examining the information in the packet and determining if the packet is similar to other UDP packets (for example, it has similar source or destination addresses) and if the packet was detected soon after another similar UDP packet.

If the software detects no UDP packets for the UDP session for the period of time defined by the UDP idle timeout, the software will not continue to manage state information for the session.

DNS Timeout (seconds)

The length of time for which a DNS lookup session is managed while there is no activity, in seconds, from 1 to 2147483. The default is 5.

Maximum 1 Minute Connection Rate - low

Maximum 1 Minute Connection Rate - high

The number of new unestablished sessions that causes the system to start and stop deleting half-open sessions. Ensure that you enter a lower number in the Low field than you enter in the High field. Possible values are from 1 to 2147483647 per minute. The default is 400 for low and 500 for high.

Maximum Incomplete Sessions Stop Threshold

Maximum Incomplete Sessions Start Threshold

The number of existing half-open sessions that will cause the software to start and stop deleting half-open sessions. Ensure that you enter a lower number in the stop field than you enter in the start field. Possible values are from 1 to 2147483647. The default is 400 for low and 500 for high.

Max Sessions Per Host

The number of half-open TCP sessions with the same host destination address that can exist at a time before the software starts deleting half-open sessions to the host. Possible values are 1 to 4294967295. The default is 50.

A large number of half-open sessions can indicate there is a Denial of Service attack against the host.

Max Sessions Blocking Interval (min)

If the maximum sessions per host threshold is reached, the blocking time to apply to help mitigate the potential TCP host-specific denial-of-service (DoS) attack. Possible values are 0 to 35791 minutes. The default is 0.

•If the blocking timeout value is 0, the software deletes the oldest existing half-open session for the host for every new connection request to the host above the maximum session limit. This ensures that the number of half-open sessions to a given host will never exceed the threshold.

•If the blocking timeout value is greater than 0, the software deletes all existing half-open sessions for the host, then blocks all new connection requests to the host. The software will continue to block all new connection requests until the block-time expires.

Session Hash Table Size (buckets)

The size of the hash table in terms of buckets. Possible values for the hash table are 1024, 2048, 4096, and 8192. The default is 1024.

You should increase the hash table size when the total number of sessions running through the device is approximately twice the current hash size; decrease the hash table size when the total number of sessions is reduced to approximately half the current hash size. Essentially, try to maintain a 1:1 ratio between the number of sessions and the size of the hash table.

Enable Alert Messages

Whether to generate stateful packet inspection alert messages on the console.

Enable Audit Trail Messages

Whether audit trail messages are logged to the syslog server or router.

Permit DHCP Passthrough (Transparent Firewall)

Whether to permit a transparent firewall to forward DHCP packets across the bridge without inspection.

Permitting DHCP passthrough overrides an ACL for DHCP packets, so DHCP packets are forwarded even if the ACL is configured to deny all IP packets. Thus, clients on one side of the bridge can get an IP address from a DHCP server on the opposite side of the bridge.

Block Non-SYN Packets

Whether to drop TCP packets that do not belong to an established session. These are TCP packets that do not initiate sessions, that is, the SYN bit is not set in them.

Log Dropped Packets

Whether to create log messages for dropped packets to specify the reason for dropping them.

Use Secure HTTP Authentication

When selected, requires additional user authentication during the session establishment.

Enable Proxy Limit

When enabled, allows proxies based on proxy limit settings.

Maximum Concurrent Proxy Limit per User

Specifies the number of concurrent proxy connections allowed per user. Values are 1 to 128. Default is 16.

Table used to configure listening ports to authenticate network users. When you enable a listening port, the security appliance serves an authentication page for direct connections and/or for through traffic.

Disable FTP Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for FTP traffic.

You can configure whether the FWSM challenges you for a username and password. By default, the FWSM prompts you when a AAA rule enforces authentication for traffic in a new session and the protocol is FTP.

Disable HTTP Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for HTTP traffic.

You can configure whether the FWSM challenges you for a username and password. By default, the FWSM prompts you when a AAA rule enforces authentication for traffic in a new session and the protocol is HTTP.

Disable HTTPS Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for HTTPS traffic.

You can configure whether the FWSM challenges you for a username and password. By default, the FWSM prompts you when a AAA rule enforces authentication for traffic in a new session and the protocol is HTTPS.

Disable TELNET Authentication Challenge (FWSM 3.x)

When selected, enables you to disable the authentication challenge for TELNET traffic.

You can configure whether the FWSM challenges you for a username and password. By default, the FWSM prompts you when a AAA rule enforces authentication for traffic in a new session and the protocol is TELNET.

Table used to define when the connection from a certain interface and source will be cleared when the uauth timer expires.

Protocol

Specifies the protocol that you want to listen for. Options are HTTP or HTTPS.

Interface

Specifies the interface on which you enable listeners.

Click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. The access-group command is generated for the interface role selected.

Port

Specifies the port number that the security appliance listens on; the defaults are 80 (HTTP) and 443 (HTTPS).

Redirect network users for authentication request

When selected, redirects through traffic to an authentication web page served by the security appliance. Without the redirect keyword, only traffic directed to the security appliance interface can access the authentication web pages.

Interface

Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33

For example:

•All DMZs

•All FastEthernets

•All Interfaces

•FastEthernet0

Enter the information in the field provided or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box.

Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device.

Source IP Address/Netmask

Identifies the network object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are:

•a.b.c.d where a,b,c,d = 0-255 (host)

•a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet)

•a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)*

•a.b.c.d/e where e = subnet in x.x.x.x format**

•Freeform text that is the name of a network object

*IP address ranges can span more than one subnet.

**For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-65.

Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box.

Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object.

MAC-Exempt List Name

The name of the MAC exempt list.

MAC Exempt List table

The MAC exempt rules that you want to implement. The table shows the MAC addresses and masks (in hexadecimal) and whether you are permitting them (exempting them from authentication and authorization) or denying them (making them go through standard authentication and authorization). The device processes the entries in order and uses the first match (not the best match).

•To add an exemption rule, click the Add Row button and fill in the Firewall AAA MAC Exempt Setting Dialog Box.

•To edit an exemption rule, select it and click the Edit Row button.

•To delete an exemption rule, select it and click the Delete Row button.

Action

The action you want to take for the hosts that use the specified MAC addresses:

•Permit—Exempts the host from authentication and authorization.

•Deny—Forces the host to go through authentication and authorization.

MAC Address

The MAC address of the hosts in standard 12-digit hexadecimal format, such as 00a0.cp5d.0282. You can enter complete MAC addresses or partial addresses.

For partial addresses, you can enter 0 for digits you are not matching.

MAC Mask

The mask to apply to the MAC address. Use f to match a digit exactly, 0 to match any digit at that place:

•To specify an exact match of the address, enter ffff.ffff.ffff.

•To match an address pattern, enter 0 for any digit for which you want to match any character. For example, ffff.ffff.0000 matches all addresses that have the same first 8 digits.

Authorization Server Groups

Selects different authorization methods by selecting different AAA Server Groups, for example, RADIUS and TACACS+ servers.

Enter the information in the field provided or click Select, which opens the AAA Server Groups Selector dialog box from which to make your selection.

Accounting Server Groups

Selects different accounting methods by selecting different AAA Server Groups, for example, RADIUS and TACACS+ servers.

Enter the information in the field provided or click Select, which opens the AAA Server Groups Selector dialog box from which to make your selection.

Use Broadcast for Accounting

When selected, enables sending accounting records to multiple AAA servers. Accounting records are simultaneously sent to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

Authentication Server Groups

To configure authentication server groups, go to Platform > Device Admin > AAA.

Accounting Notice

Lists options for handling an accounting notice.

•Start-stop—Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.

•Stop-only—Sends a stop accounting notice at the end of the requested user process.

•None—Disables accounting services on this line or interface.

HTTP Banner

Enables you to select an HTTP banner.

•Disable Banner Text—No banner is displayed for the authentication proxy login page for HTTP.

•Use Default Banner—Displays the default banner "Cisco Systems, <router hostname > Authentication" for the authentication proxy login page for HTTP.

•Use Custom Banner—Enables you to enter a custom message that appears for the authentication proxy login page for HTTP (for example, "Welcome <Username>."

Note If HTTP banner text and URL location are selected at the same time, the URL banner take precedence; however, the configuration for the banner text remains on the device.

Use HTTP banner from File

When selected, enables you to enter the URL for the HTTP banner file.

URL

Enables you to identify the location of the HTTP banner file.

HTTPS Server

To configure HTTPS Server, go to Platform > Device Admin > Device Access > HTTP.

FTP Banner

Enables you to select an FTP banner.

•Disable Banner Text—No banner is displayed for the authentication proxy login page for FTP.

•Use Default Banner—Displays the default banner "Cisco Systems, <router hostname > Authentication" for the authentication proxy login page for FTP.

•Use Custom Banner—Enables you to enter a custom message that appears for the authentication proxy login page for FTP (for example, "Welcome <Username >."

Telnet Banner

Enables you to select a Telnet banner.