Understanding Inspection Rules
Inspection rules configure Context-Based Access Control (CBAC) inspection commands. CBAC inspects traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions.
CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when inspected traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered inspection when exiting through the firewall.
Inspection rules are applied after your access rules, so any traffic that you deny in the access rule is not inspected. The traffic must be allowed by the access rules at both the input and output interfaces to be inspected. Whereas access rules allow you to control connections at layer 3 (network, IP) or 4 (transport, TCP or UDP protocol), you can use inspection rules to control traffic using application-layer protocol session information.
For all protocols, when you inspect the protocol, the device provides the following functions:
-
Automatically opens a return path for the traffic (reversing the source and destination addresses), so that you do not need to create an access rule to allow the return traffic. Each connection is considered a session, and the device maintains session state information and allows return traffic only for valid sessions. Protocols that use TCP contain explicit session information, whereas for UDP applications, the device models the equivalent of a session based on the source and destination addresses and the closeness in time of a sequence of UDP packets.
These temporary access lists are created dynamically and are removed at the end of a session.
-
Tracks sequence numbers in all TCP packets and drops those packets with sequence numbers that are not within expected ranges.
-
Uses timeout and threshold values to manage session state information, helping to determine when to drop sessions that do not become fully established. When a session is dropped, or reset, the device informs both the source and destination of the session to reset the connection, freeing up resources and helping to mitigate potential Denial of Service (DoS) attacks.
The following topics provide more information about inspection:
Choosing the Interfaces for Inspection Rules
Configure inspection on devices that protect internal networks. Use it with TCP, UDP, or more specific protocols. Inspect these applications if you want the application’s traffic to be permitted through the device only when the traffic session is initiated from a particular side of the device (usually from the protected internal network).
Tip For IOS devices, you need to configure inspection explicitly, and you can identify the direction of traffic to be inspected. For ASA, PIX, and FWSM devices, you cannot identify the direction, and you need to configure inspection only if you do not want the inspection defaults. In the remaining discussion, statements concerning direction apply only to IOS devices. For ASA, PIX, and FWSM, simply configure inspection on the identified interface.
In many cases, you will configure inspection in one direction only at a single interface, which causes traffic to be permitted back into the internal network only if the traffic is part of a permissible (valid, existing) session. This is a typical configuration for protecting your internal networks from traffic that originates on the Internet.
You can also configure inspection in two directions at one or more interfaces. Configure inspection in two directions when the networks on both sides of the firewall should be protected, such as with extranet or intranet configurations, and to protect against DoS attacks. For example, if the device is situated between two partner companies’ networks, you might want to restrict traffic in one direction for certain applications, and restrict traffic in the opposite direction for other applications. If you are protecting a web server in the DMZ zone, you might want to configure deep inspection on HTTP traffic to identify and reset connections that have undesirable characteristics.
You might want to configure your inspection rules on the outbound interfaces of your network, those that connect to the Internet or another uncontrolled network, while allowing unfiltered connections within the trusted network. Thus, your devices use resources for inspection only on sessions that travel over unsecured and therefore potentially dangerous networks.
Related Topics
Selecting Which Protocols To Inspect
You can generically inspect TCP and UDP, which covers all applications that use these protocols. However, you can also inspect more specific protocols. In some cases, inspecting a specific protocol provides better service than generic TCP/UDP inspection. TCP and UDP inspection do not recognize application-specific commands, and therefore might not permit all return packets for an application, particularly if the return packets have a different port number than the previous exiting packet.
For example:
-
Some protocols allow you to configure deep inspection. Deep inspection allows you to configure more specific rules for a traffic stream. For example, you can drop HTTP connections where the content type of the request and response do not match. For information on deep inspection and your configuration options, see Configuring Protocols and Maps for Inspection.
-
Protocols that negotiate return channels, such as FTP, should be specifically inspected. If you use simple generic TCP inspection of FTP traffic, the negotiated channels are not opened, and the connection will fail. If you want to allow FTP, ensure that you create a specific inspection rule for it.
Multimedia protocols also negotiate return channels and should be specifically inspected. These include H.323, RTSP (Real Time Streaming Protocol), and other application-specific protocols. Some applications also use a generic TCP channel, so you might also need to configure generic TCP inspection. Any generic TCP inspection rule should appear below a more specific inspection rule in the table (that is, any rule that specifies TCP or UDP should appear at the end of the inspection rule table).
Related Topics
Understanding Access Rule Requirements for Inspection Rules
Access rules are applied before inspection rules. Therefore, you must ensure that your access rules do not prohibit traffic that you want inspected. Use the following guidelines:
-
Permit inspected traffic to leave the network through the firewall.
All access rules that evaluate traffic leaving the protected network should permit traffic that will be inspected. For example, if Telnet will be inspected, then Telnet traffic should be permitted on all access rules that apply to traffic leaving the network.
-
Deny inspected return traffic entering the network through the firewall.
For temporary openings to be created in an access list, the access list should deny inspected return traffic because the inspection engine will open up temporary holes in the access lists for this traffic. (You want traffic to be normally blocked when it enters your network.)
-
Permit or deny traffic that cannot be inspected, or that you do not want to inspect, as required by your network.
For example, if you do not want to inspect ICMP traffic, but you want to allow some ICMP traffic, configure your access rules to allow the traffic in both directions. Consider permitting at least these ICMP message types: echo reply (for ping commands), time-exceeded (for trace route), packet-too-big (for path MTU discovery), traceroute (for trace route), and unreachable (to notify that a host cannot be found).
-
Add an access rule entry denying any network traffic from a source address matching an address on the protected network.
This is known as anti-spoofing protection because it prevents traffic from an unprotected network from assuming the identity of a device on the protected network.
-
Add an entry denying broadcast messages with a source address of 255.255.255.255.
This entry helps to prevent broadcast attacks.
Related Topics
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices
Inspecting packets at the application layer, and maintaining TCP and UDP session information, provides a device with the ability to detect and prevent certain types of network attacks such as SYN-flooding. A SYN-flood attack occurs when a network attacker floods a server with a barrage of requests for connection and does not complete the connection. The resulting volume of half-open connections can overwhelm the server, causing it to deny service to valid requests. Network attacks that deny access to a network device are called denial-of-service (DoS) attacks.
Inspection helps to protect against DoS attacks in other ways. Inspection looks at packet sequence numbers in TCP connections to see if they are within expected ranges and drops any suspicious packets. You can also configure inspection to drop half-open connections, which require firewall processing and memory resources to maintain. Additionally, inspection can detect unusually high rates of new connections and issue alert messages.
For IOS devices, you can configure several inspection setting parameters to fine-tune your defenses against SYN flooding and half-open connections. Configure the
Firewall > Settings > Inspection
policy. For details about each setting, see Configuring Settings for Inspection Rules for IOS Devices.
Inspection can also help by protecting against certain DoS attacks involving fragmented IP packets. Even though the firewall prevents an attacker from making actual connections to a given host, the attacker can disrupt services provided by that host. This is done by sending many non-initial IP fragments or by sending complete fragmented packets through a router with an ACL that filters the first fragment of a fragmented packet. These fragments can tie up resources on the target host as it tries to reassemble the incomplete packets. To fine-tune fragment inspection, configure an inspection rule for the
fragment
protocol and configure the maximum number of fragments you want to allow and a timeout value.
Related Topics
Configuring Inspection Rules
Inspection rules policies identify the traffic that will be inspected through an interface. Inspection tracks permitted sessions and opens temporary holes in your access rules to allow return traffic.
Inspection rules are processed after access rules, so any traffic dropped by an access rule is not inspected. You can also use deny rules to selectively exclude certain types of traffic from inspection. For example, you might create a deny inspection rule to prevent a specific class of DNS traffic from being inspected, while all other DNS traffic is inspected. The basic procedure is:
-
Add a new deny rule before the default inspection rule for the specific protocol. For the Match Traffic By option, select Source and Destination Address and Port. Next, define the specific type of traffic by providing Source and Destination Network IP addresses, and selecting the desired Service type (for example, DNS-TCP). Finally, in the third screen of the inspection-rule wizard, select the appropriate protocol (for example, DNS).
-
Now edit the default inspection rule (below your new deny rule in the table). Again select Source and Destination Address and Port for the Match Traffic By option. Be sure this is a Permit rule, provide an all-addresses option as the source and destination addresses, and enter IP as the Service type. In the third screen, keep the selected protocol; configure or remove the related map, as necessary.
See Inspection Rules Page and Add or Edit Inspect/Application FW Rule Wizard for additional information about this process.
See the following topics for more information about things you should consider when creating inspection rules:
Before You Begin
You might have a set of inspection rules that you want to apply to all devices. To do this, you can create a shared rule and inherit its rules to each device’s inspection rules policy. For more information, see Creating a New Shared Policy and Inheriting or Uninheriting Rules.
Step 1 Do one of the following to open the Inspection Rules Page:
-
(Device view) Select
Firewall > Inspection Rules
from the Policy selector.
-
(Policy view) Select
Firewall > Inspection Rules
from the Policy Type selector. Select an existing policy or create a new one.
Step 2 Select the row after which you want to create the rule and click the
Add Row
button or right-click and select
Add Row
. This opens the Add or Edit Inspect/Application FW Rule Wizard.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select an existing row and edit either the entire row or specific cells. For more information, see Editing Rules.
Step 3 Select whether to apply the rule to all interfaces on the device or to only the interfaces you specify.
If you elect to specify interfaces, enter the interface name or interface role, or click
Select
to select it from a list. For IOS devices, you also can select whether the rule applies in the Out direction (traffic leaving the interface). Use the In direction for all other device types.
Step 4 Select the criteria you want to use for matching traffic. This determines what gets inspected based on this rule.
-
Default Protocol Ports
—Select this option if the protocol you are inspecting uses the default ports on your network.
If you want to constrain the inspection based on the source or destination address, also select
Limit inspection between source and destination IP addresses
(available only for ASA, PIX 7.x+, and FWSM 3.x+ devices). When you click
Next
, you are prompted for the source and destination addresses. You can specify
any
for source or destination if you are interested only in configuring the other value.
-
Custom Destination Ports
—Select this option if you want to associate additional non-default TCP or UDP ports with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic. When you click
Next
, you are prompted for the port or port range.
-
Destination Address and Port (IOS devices only)
—Select this option if you want to associate additional non-default TCP or UDP ports with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.10. When you click
Next
, you are prompted for the destination address and the port information.
-
Source and Destination Address and Port (PIX 7.x+, ASA, FWSM 3.x+)
—Select this option for the same reason you would select Destination Address and Port for IOS devices, although you have the additional option of identifying the source of the traffic. When you click
Next
, you are prompted for the source and destination addresses and the service port information.
Note For FWSM 2.x and PIX 6.3(x), you can select either Default Inspection Traffic or Custom Destination Ports only.
Step 5 Click
Next
. If you selected anything other than Default Protocol Ports, fill in the required addressing and port information explained above and click
Next
. See Add or Edit Inspect/Application FW Rule Wizard, Step 2.
Step 6 On the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select the protocol you want to inspect from the list. Ensure that the Device Type field indicates that inspection is supported for that protocol on the devices to which you are assigning the rule. (If you assign a rule to an unsupported device type, the rule is ignored but you will get a validation warning).
If the protocol you select allows additional configuration, the
Configure
button becomes active. Click it to view and select your options. For more information, see Configuring Protocols and Maps for Inspection.
For IOS devices only:
-
If you selected
Custom Destination Ports
or
Destination Address and Port
as the traffic match, you can select
custom protocol
as the protocol name and click
Configure
to assign a name to the configuration.
-
You can configure additional alert, audit, and timeout settings that override those set in the inspection settings policy. You can also specify whether to inspect router generated traffic for a limited number of protocols. For more information about inspection settings, see Configuring Settings for Inspection Rules for IOS Devices.
Step 7 Click
Finish
to save the rule.
Step 8 If you did not select the right row before adding the rule, select the new rule and use the up and down arrow buttons to position the rule appropriately. For more information, see Moving Rules and the Importance of Rule Order.
Inspection Rules Page
Use the Inspection Rules page to configure inspection rules for device interfaces. Inspection examines traffic that travels through the device to discover and manage state information for TCP and UDP sessions. The device uses this state information to create temporary openings to allow return traffic and additional data connections for permissible sessions.
Note With the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, the separate policies for configuring IPv4 and IPv6 inspection rules were unified. In Policy view, IPv4 and unified versions of the policy inspection type are provided. In addition, a utility that you can use to convert IPv4 policies is provided (see Converting IPv4 Rules to Unified Rules). The following descriptions apply to apply to all versions of the inspection rule table, except where noted.
Note With the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, the separate policies and objects for configuring IPv4 and IPv6 inspection rules were “unified,” meaning one set of inspection rules in which you can use either IPv4 or IPv6 addresses, or a mixture of both. (See Policy Object Changes in Security Manager 4.4 for additional information.) In Policy view, IPv4 and unified versions of the inspection policy type are provided. In addition, a utility that you can use to convert existing IPv4 policies is provided (see Converting IPv4 Rules to Unified Rules). The following descriptions apply to apply to all versions of the inspection rule table, except where noted.
Inspection rules are processed after your access rules. Thus, any traffic denied by an access rule is never inspected.
Read the following topics before you configure inspection rules:
Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration, disabled rules are removed from the device. For more information, see Enabling and Disabling Rules.
Navigation Path
To access the Inspection Rules page, do one of the following:
-
(Device view) Select a device, then select
Firewall > Inspection Rules
from the Policy selector.
-
(Policy view) Select
Firewall > Inspection Rules
from the Policy Type selector. Create a new policy or select an existing one.
-
(Map view) Right-click a device and select
Edit Firewall Policies > Inspection Rules
.
Related Topics
Field Reference
Table 17-1 Inspection Rules Page
|
|
Expand all rows/Collapse all rows
|
Use these buttons to expand or collapse all sections in the rules table.
Note The buttons are located in the upper-right corner of the Filter area above the inspection rules table.
|
Conflict Indicator icons
|
Identifies conflicts and provides a quick visual representation of the type of conflict. For more details, including types of conflicts and the actions you can take from this column, see Understanding the Automatic Conflict Detection User Interface.
|
No.
|
The ordered rule number.
|
Permit
|
Whether a rule identifies traffic that should be inspected based on the conditions set:
-
Permit—Identifies traffic that will be inspected. Shown as a green check mark.
-
Deny—Exempts the traffic from inspection. Your access rules will determine if the traffic is allowed or blocked. Shown as a red circle with slash.
|
Sources
|
The sources of traffic for this rule; can be networks, security groups (ASA 9.0+ only), and users. Multiple entries are displayed on separate lines within the table cell.
|
Destinations
|
The destinations for this rule; can be networks and security groups (ASA 9.0+ only). Multiple entries are displayed on separate lines within the table cell.
|
Traffic Match
|
The type of matching used in the rule:
-
default-inspection
—The rule inspects traffic based on the default port.
-
TCP,UDP/port number—The rule inspects traffic based on a custom port number.
-
Service—The rule inspects traffic based on a service specification or service object. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects.
|
Interface
|
The interfaces or interface roles to which the rule is assigned.
Global
indicates that the rule is assigned to all interfaces. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects.
|
Dir.
|
The direction of the traffic to which this rule applies:
-
In—Packets entering the interface.
-
Out—Packets exiting the interface.
|
Inspected Protocol
|
The protocol to be inspected and possibly some configuration settings for the protocol. You can right-click this cell and choose Edit Inspected Protocol to edit this; see Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page for more information.
|
Time Range
|
The time range policy object assigned to the rule. This object defines the time window within which inspection occurs.
|
Category
|
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Description
|
The description of the rule, if any.
|
Last Ticket(s)
|
Shows the ticket(s) associated with last modification to the rule. You can click the ticket ID in the Last Ticket(s) column to view details of the ticket and to navigate to the ticket. If linkage to an external ticket management system has been configured, you can also navigate to that system from the ticket details (see Ticket Management Page).
|
Page elements below the rules table
|
Query
|
Click this button to run a policy query, which can help you evaluate your rules and identify ineffective rules. See Generating Policy Query Reports
|
Find and Replace button (binoculars icon)
|
Click this button to search for various types of items within the table and to optionally replace them. See Finding and Replacing Items in Rules Tables.
|
Up Row and Down Row buttons (arrow icons)
|
Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order.
|
Add Row button
|
Click this button to add a rule to the table after the selected row using the Add or Edit Inspect/Application FW Rule Wizard. If you do not select a row, the rule is added at the end of the local scope. For more information about adding rules, see Adding and Removing Rules.
|
Edit Row button
|
Click this button to edit the selected rule. You can also edit individual cells. For more information, see Editing Rules.
|
Delete Row button
|
Click this button to delete the selected rule.
|
Add or Edit Inspect/Application FW Rule Wizard
Use the Add or Edit Inspect/Application FW Rule wizard to add and edit inspection rules. The wizard steps you through the process of configuring an inspection rule based on your selection in the
Match Traffic By
group on this page.
Read the following topics before you configure inspection rules:
Navigation Path
From the Inspection Rules Page, click the
Add Row
button or select a row and click the
Edit Row
button.
Related Topics
Field Reference
Table 17-2 Add and Edit Inspect/Application FW Rule Wizard Step 1: Traffic Match Method
|
|
Enable Rule
|
Whether to enable the rule, which means the rule becomes active when you deploy the configuration to the device. Disabled rules are shown overlain with hash marks in the rule table. For more information, see Enabling and Disabling Rules.
|
Apply the Rule to
|
The interface to which the rule applies:
-
All Interfaces—Apply the rule to all interfaces. The rule becomes a global rule on ASA, PIX, and FWSM devices. For IOS devices, the rule is configured for each interface in the In direction.
-
Interface (PIX 7.x+, ASA, FWSM 3.x+, IOS)—Apply the rule only to those interfaces identified in the Interfaces field. Enter the name of the interface or the interface role, or click
Select
to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.
For IOS devices only, you can select the direction of the traffic to which this rule applies, either traffic entering an interface (
In
) or exiting it (
Out
). For other devices, leave
In
as the direction.
|
Match Traffic By
How you want to identify the traffic to inspect. If you select something other than Default Protocol Ports (by itself), you are prompted for the other port or address information when you click
Next
.
|
Default Protocol Ports
Limit inspection between source and destination IP addresses (PIX 7.x+, ASA, FWSM 3.x+)
|
Inspect traffic based on the default ports assigned to a protocol. You will select a protocol on the next page (Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page).
You can also select
Limit inspection between source and destination IP addresses
to configure the inspection to occur only between a specified source and destination. Do not select this option if you want to inspect a protocol without applying any constraints to the inspected traffic.
If you also select this option, the next page of the wizard is described in Add or Edit Inspect/Application FW Rule Wizard, Step 2.
|
Custom Destination Ports
|
Inspect traffic based on specified non-default TCP or UDP destination ports. Select this option if you want to associate additional TCP or UDP traffic with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic.
You will specify the protocol and port(s) on the next page of the wizard; see Add or Edit Inspect/Application FW Rule Wizard, Step 2.
|
Destination Address and Port (IOS devices only)
|
Inspect traffic on IOS devices based on destination IP address and port. Select this option if you want to associate additional non-default TCP or UDP ports with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.10.
|
Source and Destination Address and Port (PIX 7.x, ASA, FWSM 3.x)
|
Inspect traffic on PIX 7.x+, ASA, and FWSM 3.x+ devices based on source and destination IP addresses and services. Select this option for the same reason you would select Destination Address and Port for IOS devices, although you have the additional option of identifying the source of the traffic.
You will specify the action, sources, destinations, and Services on the next page of the wizard; see Add or Edit Inspect/Application FW Rule Wizard, Step 2.
|
Category
|
The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Description
|
An optional description of the rule (up to 1024 characters).
|
Add or Edit Inspect/Application FW Rule Wizard, Step 2
The options presented on the second page of the Inspect/Application FW Rule Wizard depend on your
Match Traffic By
selection on the first page (see Add or Edit Inspect/Application FW Rule Wizard). The possibilities are as follows:
Navigation Path
From the Add or Edit Inspect/Application FW Rule Wizard, select a Match Traffic By option and click Next.
Related Topics
Field Reference
The following table describes the options presented on page 2 of the Inspect/Application FW Rule Wizard after you have selected
Custom Destination Ports
on the first page of the wizard (described in Add or Edit Inspect/Application FW Rule Wizard).
Table 17-3 Add and Edit Inspect/Application FW Rule Wizard Step 2: Protocol and Port Page
|
|
Protocol
|
The protocol for the ports you are specifying, either TCP, UDP, or both TCP/UDP.
When configuring Custom Destination Ports for an IOS device, you must select TCP/UDP.
|
Ports
|
The port(s) used by the traffic you want to inspect. Valid values range from 1 to 65535.
-
Single—Specify one port number only.
-
Range—Specify a range of ports, for example, 10000-11000.
When configuring custom ports, be aware that port ranges might not be supported on all platforms or OS versions. Any conflicts are identified during policy validation, not while you are editing this rule.
Tip If you specify a port or port range that conflicts with a pre-defined port mapping, the device does not allow the port to be remapped.
|
The following table describes the options presented on page 2 of the Inspect/Application FW Rule Wizard after you have selected
Default Protocol Ports
and
Limit inspection between source and destination IP addresses
on the first page of the wizard, and when you select
Source and Destination Address and Port
on the first page. The first page of the wizard is described in Add or Edit Inspect/Application FW Rule Wizard.
Table 17-4 Add and Edit Inspect/Application FW Rule Wizard Step 2: Action, Sources, Destinations, and Services Page
|
|
Action
|
Whether you are identifying traffic that should be inspected based on the conditions set. Typically, you will create Permit rules.
-
Permit—Identifies traffic that will be inspected.
-
Deny—Exempts the traffic from inspection. Your access rules will determine if the traffic is allowed or blocked.
|
Sources
|
Provide traffic sources for this rule; can be networks, security groups, and users. You can enter values or object names, or Select objects, for one or more of the following types of sources:
-
Network – You can specify a various network, host and interface definitions, either individually or as objects. If you Select an interface object as a source, the dialog box displays tabs to differentiate between hosts/networks and interfaces.
The “All-Address” objects do not restrict the rule to specific hosts, networks, or interfaces. These addresses are IPv4 or IPv6 addresses for hosts or networks, network/host objects, interfaces, or interface roles.
Note You can only specify a fully qualified domain name (FQDN) by providing an FQDN network/host object, or a group object that includes an FQDN object. You cannot directly type in an FQDN.
See Understanding Networks/Hosts Objects, Specifying IP Addresses During Policy Definition and Understanding Interface Role Objects for additional information about these definitions.
– Individual user names: NetBIOS_DOMAIN\username
– User groups (note the double \): NetBIOS_DOMAIN\\user_group
– Identity user group object names.
For more information, see:
– Selecting Identity Users in Policies
– Configuring Identity-Based Firewall Rules
– Creating Identity User Group Objects
Note Enter more than one value in any of these fields by separating the items with commas.
Each specification is combined with any others to limit traffic matches to only those flows that include all definitions. For example, specified user traffic originating from within a specified source address range.
|
Destinations
|
Provide traffic destinations for this rule; can be networks or security groups. As with Sources, you can enter values or object names, or Select objects, for one or more destinations of Network and Security Group (ASA 9.0+) type.
|
Services
|
The services that define the type of traffic upon which to act. You can enter or Select any combination of service objects and service types (which are typically a protocol and port combination).
Enter more than one value by separating the items with commas.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects.
|
Time Range
|
The name of a time range policy object that defines the times when this rule applies. The time is based on the system clock of the device. The feature works best if you use NTP to configure the system clock.
Enter the name or click
Select
to select the object. If the object that you want is not listed, click the
Create
button to create it.
|
Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page
Use the Inspect/Application FW Rule wizard’s inspected protocol page to configure the protocol monitored by this inspection rule.
The options in this section are presented when you add or edit a firewall inspection rule, and when you right-click the Inspected Protocol cell of an existing rule in the table on the Inspection Rules Page.
Navigation Path
Do one of the following:
-
In the Add or Edit Inspect/Application FW Rule Wizard, click Next until you reach this page.
-
To open the Edit Inspected Protocols dialog box, right-click the Inspected Protocol cell of an inspection rule and choose
Edit Inspected Protocol
. If you select multiple rows, your changes replace the inspected protocol defined for all selected rules.
Related Topics
Field Reference
Table 17-5 Inspected Protocol Options
|
|
Protocols table
|
Lists the protocols that can be inspected. You can select one protocol per rule. The list includes information on the device operating systems that allow inspection of the protocol: do not select protocols that are not supported by the device type to which you will apply the inspection rule.
Tip For IOS devices, if you selected Custom Destination Ports or Destination Address and Port for the match type on the first page of the wizard, you can select custom protocol and click Configure to give your protocol a name. For other device types, select the protocol that you associate with the ports previously specified.
The Options column displays configured options for the selected protocol, if any.
The Group column provides additional information on the use of some of the protocols.
|
Selected Protocol
Configure button
|
Displays the protocol you selected. If the protocol allows additional configuration, the Configure button becomes active; click it to see your options, and click the Help button in the dialog box that is opened for information about the options. For more information about protocols that allow configuration, see Configuring Protocols and Maps for Inspection.
|
Rule Settings (IOS)
|
Additional settings for the rule if it is used on devices running Cisco IOS software. If you select Use Default Inspection settings, the IOS defaults, or the settings defined in the inspection settings policy (see Configuring Settings for Inspection Rules for IOS Devices), are used. These are the settings you can enable or disable:
-
Alert—Whether to generate stateful packet inspection alert messages on the console.
-
Audit—Whether audit trail messages are logged to the syslog server or router.
-
Timeout—Whether to configure the length of time, in seconds, for which a session is managed while there is no activity. If you select Specify Timeout, enter the timeout value; the range is 5 to 43200 seconds.
-
Inspect Router Generated Traffic—Whether to inspect traffic that is generated by the device itself. This option is available for a limited number of the protocols.
|
Configure DNS Dialog Box
Use the Configure DNS dialog box to configure settings for DNS inspection on PIX 7.0+, ASA, FWSM, and IOS devices.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select DNS in the protocols table, and click
Configure
.
Field Reference
Table 17-6 Configure DNS Dialog Box
|
|
Maximum DNS Packet Length
|
The maximum DNS packet length. Values are 512 to 65535.
|
DNS Map
|
The DNS policy map object that defines traffic match conditions and actions, protocol conformance policies, and filter settings. Enter the object name, or click
Select
to select it. If the object that you want is not listed, click the
Create
button to create it.
|
Enable Dynamic Filter Snooping
|
Whether to allow the security appliance to snoop DNS packets in order to build a database of DNS lookup information. This information is used by botnet traffic filtering to match DNS names to IP addresses.
If you configure a botnet traffic filtering rules policy, select this option. Otherwise, do not select the option. For more information, see Botnet Traffic Filter Rules Page.
|
Configure SMTP Dialog Box
Use the SMTP dialog box to edit settings for Simple Mail Transfer Protocol (SMTP) inspection. SMTP is used to transfer email between servers and clients on the Internet.
SMTP inspection drops any packets with illegal commands. You can configure a maximum data length for packets. Enter a length in the range 0-4294967295.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select SMTP in the protocols table, and click
Configure
.
Configure ESMTP Dialog Box
Use the Configure ESMTP dialog box to edit settings for Extended Simple Mail Transport Protocol (ESMTP) inspection. You can configure these settings based on platform:
-
IOS devices—You can configure a maximum data length for packets. Enter a length in the range 0-4294967295.
-
ASA/PIX 7.x+ devices—You can specify an ESMTP policy map object to define deep inspection parameters. Enter the name of the object or click
Select
to select it from a list or to create a new object.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select ESMTP in the protocols table, and click
Configure
.
Configure Fragments Dialog Box
Use the Configure Fragments dialog box to edit settings for fragment inspection on IOS devices.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select fragment in the protocols table, and click
Configure
.
Field Reference
Table 17-7 Configure Fragments Dialog Box
|
|
Maximum Fragments
|
The maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. Values are 0-10000 state entries. The default is 256.
Note Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.
|
Timeout (sec)
|
The number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. Values are 1-1000. The default timeout value is one second.
|
Configure IMAP or POP3 Dialog Boxes
Use the Configure IMAP or POP3 dialog boxes to edit settings for Internet Message Access Protocol (IMAP) or Post Office Protocol 3 (POP3) inspection on IOS devices.
-
IMAP is a method for accessing electronic mail or bulletin board messages that are kept on a mail server that may be shared. It permits a client email program to access remote messages as though they were local.
-
POP3 is used to receive email that is stored on a mail server. Unlike IMAP, POP retrieves mail only from a remote host.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select IMAP or POP3, and click
Configure
.
Field Reference
Table 17-8 Configure IMAP or POP3 Dialog Boxes
|
|
Reset Connection on Invalid IMAP/POP3 packet
|
Whether to reset, or drop, the connection between the client and server if an invalid packet is encountered. The client will have to repeat the validation process to reconnect to the server.
|
Enforce Secure Authentication
|
Whether to require that the client use a secure login to the server, that is, so that passwords are not sent in clear text.
|
Configure RPC Dialog Box
Use the RPC dialog box to edit settings for RPC inspection on IOS devices. RPC inspection blocks traffic for all RPC programs except for those you specify. To allow more than one RPC program, create a rule for each program number you want to allow.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select RPC in the protocols table, and click
Configure
.
Field Reference
Table 17-9 Configure RPC Dialog Box
|
|
Program Number
|
The program number to permit. Values are 1-4294967295.
|
Wait Time
|
The number of minutes to keep a hole in the firewall open to allow subsequent connections from the same source address to the same destination address and port. Values are 0-35791 minutes. The default is 0.
|
Configure Dialog Box
Use the Configure dialog box to select a policy map object for HTTP or IM inspection. The maps used for these types of inspection differ depending on the operating system version used on the device. Select the desired version and then click
Select
to select the desired policy map object or to create a new one.
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, select HTTP or IM in the protocols table, and click
Configure
.
Configuring Protocols and Maps for Inspection
When you configure inspection rules for a device, you select the protocols that you want to inspect. Some of these protocols allow additional configuration for deep inspection. Deep inspection allows you to specify additional requirements that packets must meet in order to traverse the device. For example, you can drop HTTP connections where the content type of the request and response do not match. (For a full list of inspectible protocols, click
Add Row
on the Inspection Rule page and click Next to view the protocols list.)
What you can configure depends not only on the protocol but on the device’s operating system and version number. Typically, your ability to fine-tune inspection is higher on an ASA device compared to an IOS device. (If you are configuring an IOS device and you want greater control over inspection, consider configuring zone-based firewall inspection; for more information, see Understanding the Zone-based Firewall Rules.)
Some deep inspection configuration is done directly in the inspection rule. However, for some protocols, you can configure the inspection rule to include a policy map that you create as an independent policy object. (You need to configure policy maps only if you want something other than the default inspection options.) You can configure these maps from the policy object selector dialog box while configuring the policy, or from the Policy Object Manager window (select
Manage > Policy Objects
).
For protocols that use policy maps, you can select the desired policy map, which defines the match conditions for the targeted traffic. For ASA, PIX, and FWSM devices, these policy maps might point to class maps that define the match conditions. To create these policy maps in the Policy Object Manager, select one of the maps listed in the following table in the
Maps > Policy Maps > Inspect
folder and review the detailed usage information in the references mentioned. For information on creating class maps, which are in the
Maps > Class Maps > Inspect
folder, see the references to the match criterion dialog boxes and Configuring Class Maps for Inspection Policies.
Table 17-10 Configuring Protocols for Deep Inspection in Inspection Rules
|
|
|
Class Map
(ASA, PIX, FWSM only)
|
Description and Match Criteria Reference
|
DNS
|
ASA, PIX, FWSM, IOS
|
DNS
|
DNS
|
Inspect traffic based on a wide variety of criteria using the class and policy map, which allow extensive control over DNS packets. In addition, you can configure a maximum length in the inspection rule, and enable dynamic DNS snooping for use with Botnet rules (on ASA devices). See the following topics:
|
FTP Strict
|
ASA, PIX, FWSM, IOS
|
FTP
|
FTP
|
Inspect traffic based on file name, type, server, user, or FTP command. See Configuring FTP Maps and FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes.
|
GTP
|
ASA, PIX, FWSM, IOS
|
GTP
|
GTP
|
Inspect traffic based on timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance. See Configuring GTP Maps and GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes.
|
H.323 H.225
H.323 RAS
|
ASA, PIX, FWSM
|
H.323 (ASA, PIX, FWSM)
|
H.323 (ASA, PIX, FWSM)
|
Inspect traffic based on a wide variety of criteria, including the H.323 message type, calling party, and called party. See Configuring H.323 Maps and H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes.
|
HTTP
|
ASA, PIX, FWSM, IOS
|
HTTP (ASA 7.1.x, PIX 7.1.x, FWSM 3.x, IOS)
HTTP (ASA 7.2+, PIX 7.2+)
|
HTTP (ASA, PIX, FWSM)
|
Inspect traffic based on a wide variety of criteria including the content of the header or body, port misuse, and whether the traffic includes a Java applet. The maps used differ based on the operating system and version.
For ASA/PIX 7.2+
, see Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices and HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes.
For ASA/PIX 7.1.x, FWSM 3.x+, and IOS
, see Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.
|
SIP
|
ASA, PIX, FWSM
|
SIP (ASA, PIX, FWSM)
|
SIP (ASA, PIX, FWSM)
|
Inspect traffic based on a wide variety of criteria. See Configuring SIP Maps and SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes.
|
Skinny
|
ASA, PIX, FWSM, IOS
|
Skinny
|
(none)
|
Inspect traffic based on a wide variety of criteria. See Configuring Skinny Maps and Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes.
|
SMTP
|
ASA, PIX 7.x+, FWSM 3.x+, IOS
|
(none)
|
(none)
|
Inspect Simple Mail Transfer Protocol (SMTP) traffic and drop any that use illegal commands. You can configure a maximum data length for packets. See Configure SMTP Dialog Box.
|
SNMP
|
ASA, PIX, FWSM 3.x+, IOS
|
SNMP
|
(none)
|
Inspect SNMP traffic based on SNMP version. See Configuring SNMP Maps.
|
NetBIOS
|
ASA, PIX 7.x+, FWSM
|
NetBIOS
|
(none)
|
Inspect NetBIOS traffic to translate IP addresses in the NetBIOS name service (NBNS) packets according to the security appliance NAT configuration. You can drop packets that violate the protocol. See Configuring NetBIOS Maps.
|
IPSec Pass Through
|
ASA, PIX 7.x+
|
IPsec Pass Through
|
(none)
|
Inspect IPSec traffic and control whether ESP or AH traffic is allowed. See Configuring IPsec Pass Through Maps.
|
DCE/RPC
|
ASA 7.2+, PIX 7.2+, FWSM 3.2+
|
DCE/RPC
|
(none)
|
Inspect traffic based on timeouts and enforcing the mapper service. See Configuring DCE/RPC Maps.
|
IP options
|
ASA 8.2(2)+
|
IP Options
|
(none)
|
Allow IP packets that have certain options configured in the Options section of the IP header. In routed mode, packets that contain the router-alert option are allowed. Otherwise, if any option is set, packets are dropped. IP options are unnecessary for most communication, but the NOP (no operation) option might be used for padding, so you might want to allow it. See Configuring IP Options Maps.
|
IPv6
|
ASA 8.4(2)+
|
IPv6
|
(none)
|
Inspect IPv6 traffic based on the following types of extension headers found anywhere in an IPv6 packet: Hop-by-Hop Options, Routing (Type 0), Fragment, Destination Options, Authentication, and Encapsulating Security Payload. See Configuring IPv6 Maps and IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes.
|
ESMTP
|
ASA, PIX 7.x+, FWSM 3.x+, IOS
|
ESMTP
|
(none)
|
Inspect ESMTP traffic. For IOS, you can configure only maximum data length. For ASA, PIX, FWSM, you can inspect traffic based on a wide variety of criteria. See Configuring ESMTP Maps.
|
Fragment
|
IOS
|
(none)
|
(none)
|
Inspect traffic based on a maximum allowed number of unassembled packet fragments. See Configure Fragments Dialog Box.
|
IMAP (Internet Message Access Protocol)
POP3 (Post Office Protocol 3)
|
IOS
|
(none)
|
(none)
|
Inspect traffic based on invalid commands or clear text logins. See Configure IMAP or POP3 Dialog Boxes.
|
RPC (Sun Remote Procedure Call)
|
FWSM 2.x, IOS
|
(none)
|
(none)
|
Inspect traffic based on the RPC protocol number. See Configure RPC Dialog Box.
|
IM
|
ASA, PIX 7.x+, IOS
|
IM (ASA 7.2+, PIX 7.2+)
IM (IOS)
|
IM (only for ASA, PIX)
|
Inspect traffic based on a wide variety of criteria. The allowed maps differ based on operating system version.
For ASA, PIX
, see Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices and IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes.
For IOS
, see Configuring IM Maps for IOS Devices.
|
Related Topics
Configuring Class Maps for Inspection Policies
Use the Add and Edit Class Map dialog boxes to define class maps to be used in policy maps of the same type. The name of the dialog box indicates the type of map you are creating.
A class map defines application traffic based on criteria specific to the application. You then select the class map in the corresponding policy map and configure the action to take for the selected traffic. Thus, each class map must contain traffic that you want to handle in the same way (for example, to allow it or to drop it).
When configuring inspection rules for devices running ASA/PIX 7.2 or higher, or FWSM, you can create class maps for the inspection of the following types of traffic: DNS, FTP, H.323, HTTP, IM, SIP, and ScanSafe.
You can also define class criteria in the related policy map. However, creating class maps allows you to reuse the map in multiple policy maps.
The following topics describe the available match criteria:
Navigation Path
Select
Manage > Policy Objects
, then select DNS, FTP, H.323 (ASA/PIX/FWSM), HTTP (ASA/PIX/FWSM), IM, or SIP (ASA/PIX/FWSM) in the
Maps > Class Maps > Inspect
folder in the table of contents. Right-click inside the work area, then select
New Object
, or right-click a row, then select
Edit Object
.
Related Topics
Field Reference
Table 17-11 Add or Edit Class Maps Dialog Boxes for Inspection Rules
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Match table
Match Type
|
The Match table lists the criteria included in the class map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion and the criterion and value that is inspected.
-
To add a criterion, click the Add button and fill in the Match Criterion dialog box. For more information, see the topics referenced above.
-
To edit a criterion, select it and click the Edit button.
-
To delete a criterion, select it and click the Delete button.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring DCE/RPC Maps
Use the Add or Edit DCE/RPC Map dialog boxes to define a map for DCE/RPC inspection. A DCE/RPC inspection policy map lets you change the default configuration values used for DCE/RPC inspection.
DCE/RPC is a protocol widely used by Microsoft distributed client and server applications that allows software clients to execute programs on a server remotely.
This typically involves a client querying a server called the Endpoint Mapper listening on a well-known port number for the dynamically allocated network information of a required service. The client then sets up a secondary connection to the server instance providing the service. The security appliance allows the appropriate port number and network address and also applies NAT, if needed, for the secondary connection.
DCE/RPC inspection maps inspect for native TCP communication between the EPM and client on well-known TCP port 135. Map and lookup operations of the EPM are supported for clients. Client and server can be located in any security zone. The embedded server IP address and port number are received from the applicable EPM response messages. Because a client may attempt multiple connections to the server port returned by EPM, multiple use of pinholes are allowed, which have user configurable timeouts.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > DCE/RPC
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-12 Add and Edit DCE/RPC Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Pinhole Timeout
|
The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00). Valid values are between 00:00:01 and 1193:00:00.
|
Enforce Endpoint Mapper Service
|
Whether to enforce the endpoint mapper service during binding. Using this service, a client queries a server, called the Endpoint Mapper, for the dynamically allocated network information of a required service.
|
Enable Endpoint Mapper Service Lookup
Service Lookup Timeout
|
Whether to enable the lookup operation of the endpoint mapper service. If you select this option, you can enter the time out for the lookup operation. If you do not specify a timeout, the pinhole timeout or default pinhole timeout value is used. Valid values are between 00:00:01 and 1193:00:00.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring DNS Maps
Use the Add and Edit DNS Map dialog boxes to define DNS Maps for inspection. A DNS map lets you change the default configuration values used for DNS application inspection.
DNS application inspection supports DNS message controls that provide protection against DNS spoofing and cache poisoning. You can configure rules for certain DNS types to be allowed, dropped, or logged, while others are blocked. For example, you can restrict zone transfer between servers.
The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a public server from attack if that server only supports a particular internal zone. In addition, DNS randomization can be enabled to avoid spoofing and cache poisoning of servers that either do not support randomization or that use a weak pseudo random number generator. Limiting the domain names that can be queried protects the public server further.
You can configure a DNS mismatch alert as notification if an excessive number of mismatching DNS responses are received, which could indicate a cache poisoning attack.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > DNS
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-13 Add and Edit DNS Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Protocol Conformance Tab
Defines DNS security settings and actions. For a description of the options on this tab, see DNS Map Protocol Conformance Tab.
|
Filtering Tab
Defines the filtering settings for DNS. For a description of the options on this tab, see DNS Map Filtering Tab.
|
Mismatch Rate Tab
The
Log When DNS ID Mismatch Rate Exceeds
option determines whether you want to report excessive instances of DNS identifier mismatches based on the following criteria:
-
Threshold—The maximum number of mismatch instances before a system message log is sent. Values are 0 to 4294967295.
-
Time Interval—The time period to monitor (in seconds). Values are 1 to 31536000.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
DNS Map Protocol Conformance Tab
Use the Protocol Conformance tab to define DNS security settings and actions for a DNS map.
Navigation Path
Click the Protocol Conformance tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS Maps.
Related Topics
Field Reference
Table 17-14 DNS Map Protocol Conformance Tab
|
|
Enable DNS Guard Function
|
Whether to perform a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
|
Generate Syslog for ID Mismatch
|
Whether to create syslog entries for excessive instances of DNS identifier mismatches.
|
Randomize the DNS Identifier for DNS Query
|
Whether to randomize the DNS identifier in the DNS query message.
|
Enable NAT Rewrite Function
|
Whether to enable IP address translation in the A record of the DNS response.
|
Enable Protocol Enforcement
|
Whether to enable DNS message format check, including domain name, label length, compression, and looped pointer check.
|
Require Authentication Between DNS Server (RFC2845)
Action
|
Whether to require authentication between DNS servers as defined in RFC 2845. If you select this option, select the action to take when there is no authentication.
|
DNS Map Filtering Tab
Use the Filtering tab to define DNS filtering settings and actions for a DNS map.
Navigation Path
Click the Filtering tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS Maps.
Related Topics
Field Reference
Table 17-15 DNS Map Filtering Tab
|
|
Drop Packets that Exceed Specified Length
Maximum Packet Length
|
Whether to drop packets that exceed the maximum length in bytes that you specify. This is a global setting.
|
Drop Packets Sent to Server that Exceed Specified Maximum Length
Maximum Length
|
Whether to drop packets sent to the server that exceed the maximum length in bytes that you specify.
|
Drop Packets Sent to Server that Exceed Length Indicated by Resource Record
|
Whether to drop packets sent to the server that exceed the length indicated by the resource record.
|
Drop Packets Sent to Client that Exceed Specified Length
Maximum Length
|
Whether to drop packets sent to a client that exceed the maximum length in bytes that you specify.
|
Drop Packets Sent to Client that Exceed Length Indicated by Resource Record
|
Whether to drop packets sent to the client that exceed the length indicated by the resource record.
|
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit DNS Match Criterion (for DNS class maps) or Match Condition and Action (for DNS policy maps) dialog boxes to do the following:
-
Define the match criterion and value for a DNS class map.
-
Select a DNS class map when creating a DNS policy map.
-
Define the match criterion, value, and action directly in a DNS policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating a DNS class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for DNS, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring Class Maps for Inspection Policies.
When creating a DNS policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit DNS Map dialog boxes, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring DNS Maps.
Related Topics
Field Reference
Table 17-16 DNS Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
|
|
Match Type
Class Name
(Policy Map only)
|
Enables you to use an existing DNS class map or define a new DNS class map.
-
Use Specified Values—You want to define the class map on this dialog box.
-
Use Values in Class Map—You want to select an existing DNS class map policy object. Enter the name of the DNS class map in the
Class Name
field. Click
Select
to select the map from a list or to create a new class map object.
|
Criterion
|
Specifies which criterion of traffic to match:
-
DNS Class—Matches a DNS query or resource record class.
-
DNS Type—Matches a DNS query or resource record type.
-
Domain Name—Matches a domain name from a DNS query or resource record.
-
Header Flag—Matches a DNS flag in the header.
-
Question—Matches a DNS question.
-
Resource Record—Matches a DNS resource record.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
Action
(Policy Map only)
|
The action you want the device to take for traffic that matches the defined criteria.
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Value
(for DNS Class criterion)
|
The DNS class you want to inspect:
-
Internet—Matches the Internet DNS class.
-
DNS Class Field Value—Matches the specified number.
-
DNS Class Field Range—Matches the specified range of numbers.
|
Value
(for DNS Type criterion)
|
The DNS type you want to inspect:
-
DNS Type Field Name—Matches the name of a DNS type:
– A—IPv4 address.
– AXFR—Full (zone) transfer.
– CNAME—Canonical name.
– IXFR—Incremental (zone) transfer.
– NS—Authoritative name server.
– SOA—Start of a zone of authority.
– TSIG—Transaction signature.
-
DNS Type Field Value—Matches the specified number.
-
DNS Type Field Range—Matches the specified range of numbers.
|
Value
(for Domain Name criterion)
|
The regular expression you want to evaluate. You can select one of the following:
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
|
Options
Value
(for Header Flag criterion)
|
The header flag you want to inspect. Use the Options field to indicate whether you want an exact match (Equals) or a partial match (Contains).
-
Header Flag Name—Matches the selected header flag names:
– AA (authoritative answer)
– QR (query)
– RA (recursion available)
– RD (recursion denied)
– TC (truncation) flag bits
-
Header Flag Value—Matches the specified 16-bit hexadecimal value.
|
Resource Record
|
Lists the sections to match:
-
Additional—DNS additional resource record.
-
Answer—DNS answer resource record.
-
Authority—DNS authority resource record.
|
Configuring ESMTP Maps
Use the Add and Edit ESMTP Map dialog boxes to define the match criterion and values for the ESMTP inspect map. An ESMTP policy map lets you change the default configuration values used for ESMTP inspection.
ESMTP inspection detects attacks, including spam, phising, malformed message attacks, and buffer overflow/underflow attacks. It also provides support for application security and protocol conformance, which enforce the sanity of the ESMTP messages as well as detect several attacks, block senders/receivers, and block mail relay.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > ESMTP
from the Object Type selector. Right-click inside the table, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-17 Add and Edit ESMTP Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
|
Mask Server Banner
|
Whether to mask the server banner to prevent the client from discovering server information.
|
Configure Mail Relay
Domain Name
Action
|
Whether to have ESMTP inspection detect mail relay. When you select this option, enter the domain name you are inspecting and select the action you want to take when mail relay is detected.
|
Special Character (ASA7.2.3+/PIX7.2.3+)
Action
|
Whether you want to detect special characters in sender or receiver email addresses. If you select this option, select the action you want to take when special characters are detected.
|
Allow TLS (ASA7.2.3+, 8.0.3+/PIX7.2.3)
Action Log
|
Whether to allow a TLS proxy on the security appliance. If you select this option, you can also select Action Log to create a log entry when TLS is detected.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for an ESMTP policy map.
The fields on this dialog box change based on the criterion you select. You can use the following criteria:
-
Body Length—Matches the message body length.
-
Body Line Length—Matches the length of a line in the message body.
-
Commands—Matches ESMTP commands.
-
Command Recipient Count—Matches the number of recipient email addresses.
-
Command Line Length—Matches the number of characters of a command line.
-
EHLO Reply Parameters—Matches the ESMTP EHLO reply parameters.
-
Header Length—Matches the number of characters of the header.
-
Header Line Length—Matches the number of characters of a line in the message header.
-
To Recipients Count—Matches the number of recipients in the To field of the header.
-
Invalid Recipients Count—Matches the number of invalid recipients in the header.
-
MIME File Type—Matches the MIME file type.
-
MIME Filename Length—Matches the number of characters of the filename.
-
MIME Encoding—Matches the MIME encoding scheme.
-
Sender Address—Matches the address of the sender.
-
Sender Address Length—Matches the number of characters of the sender’s address.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit ESMTP Map dialog boxes, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring ESMTP Maps.
Related Topics
Field Reference
Table 17-18 ESMTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes
|
|
Criterion
|
Specifies which criterion of ESMTP traffic to match. The criteria are described above.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
Action
|
The action you want the device to take for traffic that matches the defined criteria.
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Greater Than Length
|
The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.
The dialog box indicates the valid range for the length, except for Body Length and Header length, which can be 1 to 4294967295.
|
Commands
|
The ESMTP command verbs you want to inspect.
|
Greater Than Count
|
The number of evaluated items. The criterion matches if the count is greater than the specified number, and does not match if the count is less than the specified number.
|
Parameters
|
The ESMTP EHLO reply parameters you want to inspect.
|
Value
|
The regular expression you want to evaluate. You can select one of the following:
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
|
MIME Encoding
|
The type of MIME encoding schemes you want to inspect.
|
Configuring FTP Maps
Use the Add and Edit FTP Map dialog boxes to define the match criterion and values for an FTP inspect map. You can use an FTP map to block specific FTP protocol methods, such as an FTP PUT, from passing through the security appliance and reaching your FTP server.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > FTP
from the Object Type selector. Right-click inside the table, then select
New Object
or right-click a row, then select
Edit Object
.
Related Topics
Field Reference
Table 17-19 Add and Edit FTP Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
|
Mask Greeting Banner from Server
|
Whether to mask the greeting banner from the FTP server to prevent the client from discovering server information.
|
Mask Reply to SYST Command
|
Whether to mask the reply to the
syst
command to prevent the client from discovering server information.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Validate For
Validate button
|
The device platforms for which to validate the object. Select the platform for which you intend to use this object and click
Validate
to determine if the object is configured in a way that will prevent policy deployment.
|
FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit FTP Match Criterion (for FTP class maps) or Match Condition and Action (for FTP policy maps) dialog boxes to do the following:
-
Define the match criterion and value for an FTP class map.
-
Select an FTP class map when creating an FTP policy map.
-
Define the match criterion, value, and action directly in an FTP policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating an FTP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for FTP, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring Class Maps for Inspection Policies.
When creating an FTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit FTP Map dialog boxes, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring FTP Maps.
Related Topics
Field Reference
Table 17-20 FTP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
|
|
Match Type
Class Name
(Policy Map only)
|
Enables you to use an existing FTP class map or define a new FTP class map.
-
Use Specified Values—You want to define the class map on this dialog box.
-
Use Values in Class Map—You want to select an existing FTP class map policy object. Enter the name of the FTP class map in the
Class Name
field. Click
Select
to select the map from a list or to create a new class map object.
|
Criterion
|
Specifies which criterion of FTP traffic to match:
-
Request Command—Matches an FTP request command.
-
Filename—Matches a filename for FTP transfer.
-
File Type—Matches a file type for FTP transfer.
-
Server—Matches an FTP server name.
-
Username—Matches an FTP username.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
Action
(Policy Map only)
|
The action you want the device to take for traffic that matches the defined criteria.
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Request Commands
|
The FTP commands you want to inspect:
-
Append (APPE)—Appends to a file.
-
Delete (DELE)—Deletes a file at the server site.
-
Help (HELP)—Provides help information from the server.
-
Put (PUT)—FTP client command for the stor (store a file) command.
-
Rename From (RNFR)—Specifies rename-from filename.
-
Server Specific Command (SITE)—Specifies commands that are server specific. Usually used for remote administration.
-
Change to Parent (CDUP)—Changes to the parent directory of the current working directory.
-
Get (GET)—FTP client command for the retr (retrieve a file) command.
-
Create Directory (MKD)—Creates a directory.
-
Remove Directory (RMD)—Removes a directory.
-
Rename To (RNTO)—Specifies rename-to filename.
-
Store File with Unique Name (STOU)—Stores a file with a unique filename.
|
Value
|
The regular expression you want to evaluate. You can select one of the following:
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
|
Configuring GTP Maps
Use the Add and Edit GTP Map dialog boxes to define the match criterion and values for a GTP inspect map.
The GPRS Tunnel Protocol (GTP) provides uninterrupted connectivity for mobile subscribers between GSM networks and corporate networks or the Internet. GTP uses a tunneling mechanism to provide a service for carrying user data packets.
A GTP map object lets you change the default configuration values used for GTP application inspection. The GTP protocol is designed to provide security for wireless connections to TCP/IP networks such as the Internet. You can use a GTP map to control timeout values, message sizes, tunnel counts, and GTP versions traversing the security appliance.
Tip GTP inspection requires a special license. If you do not have the required license, you will see device errors if you try to deploy a GTP map.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > GTP
from the Object Type selector. Right-click inside the work area, then select
New Object
, or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-21 Add and Edit GTP Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
|
Country and Network Codes Table
|
The three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc) to include in the map. The codes are 000 to 999.
-
To add codes, click the Add button and fill in the dialog box.
-
To edit a row, select it and click the Edit button.
-
To delete a row, select it and click the Delete button.
|
Permit Response Table
|
The Network/Host policy objects for which you will allow GTP responses from a GSN that is different from the one to which the response was sent.
-
To add objects, click the Add button and fill in the dialog box. For more information, see Add and Edit Permit Response Dialog Boxes.
-
To edit a row, select it and click the Edit button.
-
To delete a row, select it and click the Delete button.
|
Request Queue
|
The maximum requests allowed in the queue. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. Values are 1-9999999. The default is 200.
|
Tunnel Limit
|
The maximum number of tunnels allowed.
|
Permit Errors
|
Whether to permit packets with errors or different GTP versions. By default, all invalid packets or packets that failed during parsing are dropped.
|
Edit Timeouts button
|
Click this button to configure time out values for various operations. For more information about the options, see GTP Map Timeouts Dialog Box.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Validate For
Validate button
|
The device platforms for which to validate the object. Select the platform for which you intend to use this object and click
Validate
to determine if the object is configured in a way that will prevent policy deployment.
|
Add and Edit Country Network Codes Dialog Boxes
Use the Add and Edit Country Network Codes dialog boxes to add Mobile Country Code (mcc) and Mobile Network Code (mnc) values to the GTP policy map. The codes can be 000 to 999.
Navigation Path
From the Add and Edit GTP Map dialog boxes, click the
Add
button in the Country and Network codes table, or select a row and click the
Edit
button. See Configuring GTP Maps.
Add and Edit Permit Response Dialog Boxes
Use the Add and Edit Permit Response dialog boxes to permit GTP responses from a GSN that is different from the one to which the response was sent.
Enter the name of a Network/Host policy object that defines the destination (
To Object Group
) and source (
From Object Group
) of the traffic. You can click
Select
to select the object from a list, where you can also create an new object by clicking the
Create
button in the Object Selector dialog box.
You cannot use the Network/Host object named “any.”
Navigation Path
From the Add and Edit GTP Map dialog boxes, click the
Add
button in the Permit Response table, or select a row and click the
Edit
button. See Configuring GTP Maps.
GTP Map Timeouts Dialog Box
Use the GTP Map Timeouts dialog box to set timeout values for a GTP Map.
Navigation Path
From the Add and Edit GTP Map dialog boxes, click the
Edit Timeouts
button on the Parameters tab. See Configuring GTP Maps.
Field Reference
Table 17-22 GTP Map Timeouts Dialog Box
|
|
GSN Timeout
|
The period of inactivity (hh:mm:ss) after which a GSN is removed. The default is 30 minutes. Enter 0 to never tear down immediately.
|
PDP Context Timeout
|
The maximum period of time allowed (hh:mm:ss) before beginning to receive the PDP context. The default is 30 minutes. Enter 0 to specify no limit.
|
Request Queue Timeout
|
The maximum period of time allowed (hh:mm:ss) before beginning to receive the GTP message. The default is 60 seconds. Enter 0 to specify no limit.
|
Signaling Connections Timeout
|
The period of inactivity (hh:mm:ss) after which the GTP signaling is removed. The default is 30 minutes. Enter 0 to not remove the signal.
|
Tunnel Timeout
|
The period of inactivity (hh:mm:ss) after which the GTP tunnel is torn down. The default is 60 seconds (when a Delete PDP Context Request is not received). Enter 0 to never tear down immediately.
|
T3 Response Timeout
|
The maximum wait time for a response before removing the connection.
|
GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for a GTP policy map.
The fields on this dialog box change based on the criterion you select.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit GTP Map dialog box, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring GTP Maps.
Related Topics
Field Reference
Table 17-23 GTP Policy Maps Add and Edit Match Condition and Action Dialog Boxes
|
|
Criterion
|
Specifies which criterion of GTP traffic to match:
-
Access Point Name—Matches the access point name so you can define the access points to drop when GTP application inspection is enabled.
-
Message ID—Matches the numeric identifier for the message that you want to drop. By default, all valid message IDs are allowed.
-
Message Length—Matches the length of the UDP packet. Use this criterion to change the default for the maximum allowed message length for the UDP payload.
-
Version—Matches the GTP version.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
Action
|
The action you want the device to take for traffic that matches the defined criteria.
-
Drop Packet—By default, all invalid packets or packets that failed during parsing are dropped.
-
Drop Packet and Log
-
Rate Limit
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Access Point Name
|
The access points to act on when GTP application inspection is enabled.
-
Specified By—An access point name to be dropped. By default, all messages with valid APNs are inspected, and any APN is allowed.
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
|
ID Type
|
The numeric identifier of the message that you want to act on.
-
Value—A single message ID.
-
Range—A range of message IDs.
|
Minimum Length
|
The minimum number of bytes in the UDP payload.
|
Maximum Length
|
The maximum number of bytes in the UDP payload.
|
Version Type
|
The GTP version as a single value or range of values.
Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses port 2123, while Version 1 uses port 3386. By default all GTP versions are allowed.
|
Configuring H.323 Maps
Use the Add and Edit H.323 Map dialog boxes to define the match criterion and values for an H.323 inspect map. An H.323 policy map lets you change the default configuration values used for H.323 inspection.
H.323 inspection supports H.323 compliant applications such as Cisco CallManager and VocalTec Gatekeeper. H.323 is a suite of protocols defined by the International Telecommunication Union for multimedia conferences over LANs. The security appliance supports H.323 through Version 4, including H.323 v3 feature Multiple Calls on One Call Signaling Channel.
With H.323 inspection enabled, the security appliance supports multiple calls on the same call signaling channel, a feature introduced with H.323 Version 3. This feature reduces call setup time and reduces the use of ports on the security appliance. The two major functions of H.323 inspection are as follows:
-
NAT the necessary embedded IPv4 addresses in the H.225 and H.245 messages. Because H.323 messages are encoded in PER encoding format, the security appliance uses an ASN.1 decoder to decode the H.323 messages.
-
Dynamically allocate the negotiated H.245 and RTP/RTCP connections.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > H.323 (ASA/PIX/FWSM)
from the Object Type selector. Right-click inside the work area, then select
New Object
, or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-24 Add and Edit H.323 Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
|
HSI Group table
|
The HSI groups to include in the map. The group number, IP address of the HSI host, and IP addresses and interface names of the clients connected to the security appliance are shown in the table. Up to five HSI hosts per group, and up to ten end points per HSI group, are allowed.
-
To add a group, click the Add button and fill in the dialog box (see Add or Edit HSI Group Dialog Boxes).
-
To edit a group, select it and click the Edit button.
-
To delete a group, select it and click the Delete button.
|
Call Duration Limit
|
The call duration limit in seconds. The range is from 0:0:0 to 1163:0:0. A value of 0 means never timeout.
|
Enforce Presence of Calling and Called Party Numbers
|
Whether to enforce calling and called party numbers used in call setup.
|
Check State Transition on H.225 Messages
|
Whether to enable state checking validation on H.225 messages.
|
Check State Transition on RAS Messages
|
Whether to enable state checking validation on RAS messages.
|
Create Pinholes on Seeing RCF Packets
|
Whether to enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The device opens pinholes for calls based on Registration Request/Registration Confirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint’s IP address is unknown and the device opens a pinhole through source IP address/port 0/0.
This option is available for ASA 8.0(5)+ devices.
|
Check for H.245 Tunneling
Action
|
Whether to enforce H.245 tunnel blocking and perform the action you select in the Action list box.
|
Check RTP Packets for Protocol Conformance
|
Whether to check RTP packets flowing through the pinholes for protocol conformance.
|
Payload Type must be Audio or Video based on Signaling Exchange
|
Whether to enforce the payload type to be audio or video based on the signaling exchange.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Add or Edit HSI Group Dialog Boxes
Use the Add or Edit HSI group dialog boxes to add HSI groups to an H.323 policy inspection map.
Navigation Path
From the Parameters tab on the Add and Edit H.323 Map dialog boxes, click the
Add Row
button in the HSI group table, or select a row and click the
Edit Row
button. See Configuring H.323 Maps.
Field Reference
Table 17-25 Add and Edit HSI Group Dialog Boxes
|
|
Group ID
|
The HSI group ID number (0 to 2147483647).
|
IP Address
|
The IP address of the HSI host.
|
Endpoint table
|
The end points associated with HSI group. You can add up to 10 end points per group. For each end point, you specify the IP address and interface policy group.
-
To add an end point, click the Add button and fill in the dialog box (see Add or Edit HSI Endpoint IP Address Dialog Boxes).
-
To edit an end point, select it and click the Edit button.
-
To delete an end point, select it and click the Delete button.
|
Add or Edit HSI Endpoint IP Address Dialog Boxes
Us the Add or Edit HSI Endpoint IP Address dialog box to add end points to an HSI group.
Navigation Path
From the Add and Edit HSI Group dialog boxes, click the
Add Row
button in the end point table, or select a row and click the
Edit Row
button. See Configuring H.323 Maps.
Field Reference
Table 17-26 Add and Edit HSI Endpoint IP Address Dialog Boxes
|
|
Network/Host
|
The IP address of the end point host or network.
|
Interface
|
The Interface policy group that identifies the interface connected to the security appliance. Enter the name of a policy group, or click
Select
to select it from a list, where you can also create new policy groups.
|
H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit H.323 Match Criterion (for H.323 class maps) or Match Condition and Action (for H.323 policy maps) dialog boxes to do the following:
-
Define the match criterion and value for an H.323 class map.
-
Select an H.323 class map when creating an H.323 policy map.
-
Define the match criterion, value, and action directly in an H.323 policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating an H.323 class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for H.323, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring Class Maps for Inspection Policies.
When creating an H.323 policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit H.323 Map dialog boxes, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring H.323 Maps.
Related Topics
Field Reference
Table 17-27 H.323 Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
|
|
Match Type
Class Name
(Policy Map only)
|
Enables you to use an existing H.323 class map or define a new H.323 class map.
-
Use Specified Values—You want to define the class map on this dialog box.
-
Use Values in Class Map—You want to select an existing H.323 class map policy object. Enter the name of the H.323 class map in the
Class Name
field. Click
Select
to select the map from a list or to create a new class map object.
|
Criterion
|
Specifies which criterion of H.323 traffic to match:
-
Called Party—Matches the called party address.
-
Calling Party—Matches the calling party address.
-
Media Type—Matches the media type.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
Action
(Policy Map only)
|
The action you want the device to take for traffic that matches the defined criteria.
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Value
|
The regular expression you want to evaluate. You can select one of the following:
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
|
Media Type
|
The type of media you want to inspect, audio, video, or data.
|
Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices
Use the Add and Edit HTTP Map dialog boxes to define HTTP maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x, and IOS devices.
The enhanced HTTP inspection feature, which is also known as an application firewall, verifies that HTTP messages conform to RFC 2616, use RFC-defined methods, and comply with various other criteria. This can help prevent attackers from using HTTP messages for circumventing network security policy.
When you enable HTTP inspection with an HTTP map, strict HTTP inspection with the action reset and log is enabled by default. You can change the actions performed in response to inspection failure, but you cannot disable strict inspection as long as the HTTP map remains enabled. Security Manager uses the
http-map
command to configure the map on the device.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > HTTP (ASA 7.1.x/PIX 7.1.x/FWSM3.x/IOS)
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-28 Add and Edit HTTP Map Dialog Boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
General tab
|
Defines the action taken when non-compliant HTTP requests are received and to enable verification of content type. For a description of the options, see HTTP Map General Tab.
|
Entity Length tab
|
Defines the action taken if the length of the HTTP content falls outside of configured targets. For a description of the options, see HTTP Map Entity Length Tab.
|
RFC Request Method tab
|
Defines the action that the security appliance should take when specific RFC request methods are used in the HTTP request. For a description of the options, see HTTP Map RFC Request Method Tab.
|
Extension Request Method tab
|
Defines the action taken when specific extension request methods are used in the HTTP request. For a description of the options, see HTTP Map Extension Request Method Tab.
|
Port Misuse tab
|
Defines the action taken when specific undesirable applications are encountered. For a description of the options, see HTTP Map Port Misuse Tab.
|
Transfer Encoding tab
|
Defines the action taken when specific transfer encoding types are used in the HTTP request. For a description of the options, see HTTP Map Transfer Encoding Tab.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
HTTP Map General Tab
Use the General tab to define the action taken when non-compliant HTTP requests are received and to enable verification of content type.
Navigation Path
Click the General tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.
Related Topics
Field Reference
Table 17-29 HTTP Map General Tab
|
|
Take action for non-RFC 2616 compliant traffic
|
Whether you want to configure the action to be taken for traffic that does not comply with RFC 2616. Possible actions are:
-
Allow Packet—Allow the message.
-
Drop Packet—Close the connection.
-
Reset Connection (default)—Send a TCP reset message to client and server.
You can also select
Generate Syslog
to write a message to the syslog if non-compliant traffic is encountered.
|
Verify Content-type field belongs to the supported internal content-type list.
|
Whether you want to configure the action to be taken for traffic whose content type does not belong to the supported internal content-type list. Possible actions are:
-
Allow Packet—Allow the message.
-
Drop Packet—Close the connection.
-
Reset Connection (default)—Send a TCP reset message to client and server.
You can also select these options:
-
Verify Content-type field for response matches the ACCEPT field of request
—To also verify that the content type of the response matches the request.
-
Generate Syslog
—To write a message to the syslog if non-compliant traffic is encountered.
|
Override Global TCP Idle Timeout (IOS only)
|
Whether to change the TCP idle timeout default setting. An IOS device terminates a connection if there is no communication activity after this length of time. If you select this option, specify the desired timeout value in seconds.
|
Override Global Audit Trail Setting (IOS only)
Enable Audit Trail
|
Whether to change the audit trail setting for IOS devices. If you select this option, you can select
Enable Audit Trail
to generate audit trail messages.
|
HTTP Map Entity Length Tab
Use the Entity Length tab to enable inspection based on the length of the HTTP content.
Navigation Path
Click the Entity Length tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.
Related Topics
Field Reference
Table 17-30 HTTP Map Entity Length Tab
|
|
Inspect URI Length
|
Whether to enable inspection based on the length of the URI. If you select this option, configure the following:
-
Maximum—The desired maximum length, in bytes, of the URI, from 1 to 65535.
-
Excessive URI Length Action—The action to take when the length is exceeded:
– Allow Packet—Allow the message.
– Drop Packet—Close the connection.
– Reset Connection—Send a TCP reset message to client and server.
-
Generate Syslog—Whether to generate a syslog message when a violation occurs.
|
Inspect Maximum Header Length
|
Whether to enable inspection based on the length of the HTTP header. If you select this option, configure the following:
-
Request—The desired maximum length, in bytes, of the request header, from 1 to 65535.
-
Response—The desired maximum length, in bytes, of the response header, from 1 to 65535.
-
Excessive Header Length Action—The action to take when the length is exceeded:
– Allow Packet—Allow the message.
– Drop Packet—Close the connection.
– Reset Connection—Send a TCP reset message to client and server.
-
Generate Syslog—Whether to generate a syslog message when a violation occurs.
|
Inspect Body Length
|
Whether to enable inspection based on the length of the message body. If you select this option, configure the following:
-
Minimum Threshold—The desired minimum length, in bytes, of the message body, from 1 to 65535.
-
Maximum Threshold—The desired maximum length, in bytes, of the message body, from 1 to 65535.
-
Body Length Threshold Action—The action to take when the message body falls outside of the configured boundaries:
– Allow Packet—Allow the message.
– Drop Packet—Close the connection.
– Reset Connection—Send a TCP reset message to client and server.
-
Generate Syslog—Whether to generate a syslog message when a violation occurs.
|
HTTP Map RFC Request Method Tab
Use the RFC Request Method tab to define the action to take when specific request methods are used in the HTTP request.
Navigation Path
Click the RFC Request Method tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.
Related Topics
Field Reference
Table 17-31 HTTP Map RFC Request Method
|
|
Available and Selected Methods
Action
Generate Syslog
|
The Available Methods list contains the request methods defined in RFC 2616.
To configure an action for a method, select it, then select an action and optionally select
Generate Syslog
if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the
>>
button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the
<<
button.)
Tip You can select multiple methods at a time using Ctrl+click if the action and syslog requests are the same for each.
The actions you can specify are:
-
Allow Packet—Allow the message.
-
Drop Packet—Close the connection.
-
Reset Connection (default)—Send a TCP reset message to client and server.
|
Specify the action to be applied for the remaining available methods above.
|
Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.
|
HTTP Map Extension Request Method Tab
Use the Extension Request Method tab to define the action taken when specific extension request methods are used in the HTTP request.
Navigation Path
Click the Extension Request Method tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.
Related Topics
Field Reference
Table 17-32 HTTP Map Extension Request Method Tab
|
|
Available and Selected Methods
Action
Generate Syslog
|
The Available Methods list contains the extension request methods defined in RFC 2616.
To configure an action for a method, select it, then select an action and optionally select
Generate Syslog
if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the
>>
button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the
<<
button.)
Tip You can select multiple methods at a time using Ctrl+click if the action and syslog requests are the same for each.
The actions you can specify are:
-
Allow Packet—Allow the message.
-
Drop Packet—Close the connection.
-
Reset Connection (default)—Send a TCP reset message to client and server.
|
Specify the action to be applied for the remaining available methods above.
|
Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.
|
HTTP Map Port Misuse Tab
Use the Port Misuse tab to enable port misuse application firewall inspection. The application categories you can configure are:
-
IM—Instant Messaging. The applications checked for are Yahoo! Messenger, AIM, and MSN IM.
-
P2P—Peer-to-peer applications. The Kazaa application is checked.
-
Tunneling—Tunneling applications. The applications checked for are HTTPort/HTTHost, GNU Httptunnel, GotoMyPC, Firethru, and Http-tunnel.com Client.
Navigation Path
Click the Port Misuse tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.
Related Topics
Field Reference
Table 17-33 HTTP Map Port Misuse Tab
|
|
Available and Selected Application Categories
Action
Generate Syslog
|
The Available Application Categories list contains the categories for which you can define firewall inspection settings.
To configure an action for a category, select it, then select an action and optionally select
Generate Syslog
if you want a message added to the syslog when an HTTP request containing the selected application is encountered. Click the
>>
button to add it to the Selected Categories list. (To remove a category from the selected list, select it and click the
<<
button.)
Tip You can select multiple categories at a time using Ctrl+click if the action and syslog requests are the same for each.
The actions you can specify are:
-
Allow Packet—Allow the message.
-
Drop Packet—Close the connection.
-
Reset Connection (default)—Send a TCP reset message to client and server.
|
Specify the action to be applied for the remaining available categories above.
|
Whether to define a default action for the categories for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.
|
HTTP Map Transfer Encoding Tab
Use the Transfer Encoding tab to enable inspection based on the transfer encoding type. The encoding types that you can configure are:
-
Chunked—Identifies the transfer encoding type in which the message body is transferred as a series of chunks.
-
Compressed—Identifies the transfer encoding type in which the message body is transferred using UNIX file compression.
-
Deflate—Identifies the transfer encoding type in which the message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).
-
GZIP—Identifies the transfer encoding type in which the message body is transferred using GNU zip (RFC 1952).
-
Identity—Identifies connections in which no transfer encoding is performed in the message body.
Navigation Path
Click the Transfer Encoding tab on the Add and Edit HTTP Map dialog boxes for ASA 7.1.x/PIX 7.1.x/FWSM 3.x/IOS Devices. See Configuring HTTP Maps for ASA 7.1.x, PIX 7.1.x, FWSM 3.x and IOS Devices.
Related Topics
Field Reference
Table 17-34 HTTP Map Transfer Encoding Tab
|
|
Available and Selected Encoding Types
Action
Generate Syslog
|
The Available Encoding Types list contains the types of transfer encoding for which you can define firewall inspection settings.
To configure an action for a type, select it, then select an action and optionally select
Generate Syslog
if you want a message added to the syslog when an HTTP request containing the selected type is encountered. Click the
>>
button to add it to the Selected Encoding Types list. (To remove a type from the selected list, select it and click the
<<
button.)
Tip You can select multiple types at a time using Ctrl+click if the action and syslog requests are the same for each.
The actions you can specify are:
-
Allow Packet—Allow the message.
-
Drop Packet—Close the connection.
-
Reset Connection (default)—Send a TCP reset message to client and server.
|
Specify the action to be applied for the remaining available encoding types above.
|
Whether to define a default action for the types for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.
|
Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices
Use the Add and Edit HTTP Map dialog boxes to define the match criterion and values for the HTTP inspect map for ASA and PIX software releases 7.2 and higher.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > HTTP (ASA 7.2+/PIX 7.2+)
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row, then select
Edit Object
.
Related Topics
Field Reference
Table 17-35 Add and Edit HTTP Map Dialog Boxes (ASA 7.2+/PIX 7.2+)
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
|
Body Match Maximum
|
The maximum number of characters in the body of an HTTP message that should be searched in a body match.
Tip A high value can have a significant impact on performance.
|
Check for protocol violations
|
Whether to check for protocol violations.
|
Action
|
The action to take based on the defined settings. You can drop, reset, or log the connection.
|
Spoof Server
|
Enables you to replace the server HTTP header value with the specified string.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Overrides: None
|
Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Understanding Policy Object Overrides for Individual Devices.
Note Selecting Allow Value Override per Device does not automatically set overrides.
|
HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit HTTP Match Criterion (for HTTP class maps) or Match Condition and Action (for HTTP policy maps) dialog boxes to do the following:
-
Define the match criterion and value for an HTTP class map.
-
Select an HTTP class map when creating an HTTP policy map.
-
Define the match criterion, value, and action directly in an HTTP policy map.
These types of maps are used only for devices running ASA 7.2 or higher, or PIX 7.2 or higher, operating systems.
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map. You can use the following criteria:
-
Request/Response Content Type Mismatch—Specifies that the content type in the response must match one of the MIME types in the accept field of the request.
-
Request Arguments—Applies the regular expression match to the arguments of the request.
-
Request Body—Applies the regular expression match to the body of the request.
-
Request Body Length—Specifies that the body length of the request be matched as greater than or less than the specified number of bytes.
-
Request Header Count—Specifies that the number of headers in the request be matched as greater than or less than the specified number.
-
Request Header Length—Specifies that the header length of the request be matched as greater than or less than the specified number of bytes.
-
Request Header Field—Applies the regular expression match to the header of the request.
-
Request Header Field Count—Applies the regular expression match to the header of the request based on a specified number of header fields.
-
Request Header Field Length—Applies the regular expression match to the header of the request based on a specified field length.
-
Request Header Content Type—Specifies the content type to evaluate in the content-type header field of the request.
-
Request Header Transfer Encoding—Specifies the transfer encoding to evaluate in the transfer-encoding header field of the request.
-
Request Header Non-ASCII—Specifies whether there are non-ASCII characters in the header of the request.
-
Request Method—Specifies the method of the request to match.
-
Request URI—Applies the regular expression match to the URI of the request.
-
Request URI Length—Specifies that the URI length of the request be matched as greater than or less than the specified number of bytes.
-
Response Body ActiveX—Specifies whether there is ActiveX content in the body of the request.
-
Response Body Java Applet—Specifies whether there is a Java applet in the body of the request.
-
Response Body—Applies the regular expression match to the body of the response.
-
Response Body Length—Specifies that the body length of the response be matched as greater than or less than the specified number of bytes.
-
Response Header Count—Specifies that the number of headers in the response be matched as greater than or less than the specified number.
-
Response Header Length—Specifies that the header length of the response be matched as greater than or less than the specified number of bytes.
-
Response Header Field—Applies the regular expression match to the header of the response.
-
Response Header Field Count—Applies the regular expression match to the header of the response based on a specified number of header fields.
-
Response Header Field Length—Applies the regular expression match to the header of the response based on a specified field length.
-
Response Header Content Type—Specifies the content type to evaluate in the content-type header field of the response.
-
Response Header Transfer Encoding—Specifies the transfer encoding to evaluate in the transfer-encoding header field of the response.
-
Response Header Non-ASCII—Specifies whether there are non-ASCII characters in the header of the response.
-
Response Status Line—Applies the regular expression match to the status line of the response.
Navigation Path
When creating an HTTP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for HTTP, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring Class Maps for Inspection Policies.
When creating an HTTP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit HTTP Map dialog boxes for ASA/PIX 7.2+ devices, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring HTTP Maps for ASA 7.2+ and PIX 7.2+ Devices.
Related Topics
Field Reference
Table 17-36 HTTP Class and Policy Maps (ASA 7.2+/PIX 7.2+) Add and Edit Match Condition and Action Dialog Boxes
|
|
Match Type
Class Name
(Policy Map only)
|
Enables you to use an existing HTTP class map or define a new HTTP class map.
-
Use Specified Values—You want to define the class map on this dialog box.
-
Use Values in Class Map—You want to select an existing HTTP class map policy object. Enter the name of the HTTP class map in the
Class Name
field. Click
Select
to select the map from a list or to create a new class map object.
|
Criterion
|
Specifies which criterion of HTTP traffic to match. The criteria are described above.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion. For some criteria, this is the only available option.
-
Doesn’t Match—Does not match the criterion.
|
Action
(Policy Map only)
|
The action you want the device to take for traffic that matches the defined criteria. The types of action depend on the criterion you select.
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Field Name
|
The name of the header field to evaluate. You can select one of the following:
-
Predefined—The predefined HTTP header fields.
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
|
Value
|
The regular expression you want to evaluate. You can select one of the following:
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
When you are evaluating the Request Header Transfer Encoding or Response Header Transfer Encoding criteria, you can also select these options:
-
Specified By—One of the following predefined types of transfer encoding:
– Chunked—The message body is transferred as a series of chunks.
– Compressed—The message body is transferred using UNIX file compression.
– Deflate—The message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).
– GZIP—The message body is transferred using GNU zip (RFC 1952).
– Identity—No transfer encoding is performed.
-
Empty—The transfer-encoding field in request header is empty.
|
Greater Than Length
|
The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.
|
Greater Than Count
|
The number of evaluated items. The criterion matches if the count is greater than the specified number, and does not match if the count is less than the specified number.
|
Content Type
|
The content type to evaluate as specified in the content-type header field. You can select one of the following:
-
Specified By—A predefined MIME type.
-
Unknown—The MIME type is not known. Select Unknown when you want to evaluate the item against all known MIME types.
-
Violation—The magic number in the body must correspond to the MIME type in the content-type header field.
-
Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.
|
Request Method
|
The specified request method to match. You can select one of the following:
-
Specified By—The predefined request method.
-
Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.
|
Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices
Use the Add and Edit IM Map dialog boxes to define settings for define an Instant Messenger (IM) inspect map for devices running ASA/PIX 7.2 or higher. An IM map lets you change the default configuration values used for IM application inspection.
Instant Messaging causes concern due to its use of clear text when conducting business and the potential for network attacks and the spreading of viruses. Thus, you might want to block certain types of instant messages from occurring, while allowing others.
For ASA and PIX devices, IM application inspection provides detailed access control to control network usage. You can use regular expressions to help stop leakage of confidential data and the propagation of network threats. You can inspect Yahoo! Messenger or MSN Messenger traffic.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > IM (ASA 7.2+/PIX 7.2+)
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-37 Add and Edit IM Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit IM Match Criterion (for IM class maps) or Match Condition and Action (for IM policy maps) dialog boxes to do the following:
-
Define the match criterion and value for an IM class map.
-
Select an IM class map when creating an IM policy map.
-
Define the match criterion, value, and action directly in an IM policy map.
These types of maps are used only for devices running ASA 7.2 or higher, or PIX 7.2 or higher, operating systems.
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating an IM class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for IM, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring Class Maps for Inspection Policies.
When creating an IM policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit IM Map dialog boxes for ASA 7.2/PIX 7.2, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring IM Maps for ASA 7.2+, PIX 7.2+ Devices.
Related Topics
Field Reference
Table 17-38 IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes
|
|
Match Type
Class Name
(Policy Map only)
|
Enables you to use an existing IM class map or define a new IM class map.
-
Use Specified Values—You want to define the class map on this dialog box.
-
Use Values in Class Map—You want to select an existing IM class map policy object. Enter the name of the IM class map in the
Class Name
field. Click
Select
to select the map from a list or to create a new class map object.
|
Criterion
|
Specifies which criterion of IM traffic to match. The criteria are:
-
Filename—Matches the filename from IM file transfer service.
-
Client IP Address—Matches the source client IP address.
-
Client Login Name—Matches the client login name from IM service.
-
Peer IP Address—Matches the peer, or destination, IP address.
-
Peer Login Name—Matches the peer, or destination, login name from IM service.
-
Protocol—Matches IM protocols.
-
Service—Matches IM services.
-
File Transfer Service Version—Matches the IM file transfer service version.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
Action
(Policy Map only)
|
The action you want the device to take for traffic that matches the defined criteria.
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Value
|
The regular expression you want to evaluate. You can select one of the following:
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
|
IP Address
|
The IP address you want to match.
|
Protocol
|
The IM protocol, either MSN Messenger or Yahoo! Messenger.
|
Services
|
The IM services you want to inspect. Select one or more of the listed services.
|
Configuring IM Maps for IOS Devices
Use the Add and Edit IM Map (IOS) dialog boxes to configure Instant Messaging (IM) inspection policy map objects for IOS devices. An IM map lets you change the default configuration values used for IM application inspection.
Instant Messaging causes concern due to its use of clear text when conducting business and the potential for network attacks and the spreading of viruses. Thus, you might want to block certain types of instant messages from occurring, while allowing others.
IM application inspection provides detailed access control to control network usage. It also helps stop leakage of confidential data and the propagation of network threats. The scope can be limited by identifying permitted or denied servers. Inspection of Yahoo! Messenger, MSN Messenger, and AOL instant messages are supported.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > IM (IOS)
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row, then select
Edit Object
.
Related Topics
Field Reference
Table 17-39 Add and Edit IM Map (IOS) Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Service Tabs
The tabs represent different IM service providers. The settings available on each tab are identical. You must configure the settings separately for each service provider. The descriptions of the following fields apply to each of the services: Yahoo!, MSN, and AOL.
|
Text Chat
|
How you want the text chat service to be handled, for example, allowed, denied, logged, or some combination.
|
Other Services
|
How you want services other than text chat to be handled, for example, allowed, denied, logged, or some combination. IOS software recognizes all services other than text chat, such as voice-chat, video-chat, file sharing and transferring, and gaming as a single group.
|
Permit Servers
|
The servers from which to permit traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.
|
Deny Servers
|
The servers from which to deny traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.
|
Alert
|
Whether you want to enable or disable alerts. The default is to use the default inspection settings.
|
Audit
|
Whether you want to enable or disable an audit trail. The default is to use the default inspection settings.
|
Timeout
|
A timeout for the service. You can use the default inspection settings, or you can elect to specify a timeout. If you select Specify Timeout, enter the timeout value in seconds.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring IP Options Maps
Use the Add and Edit IP Options Map dialog boxes to define maps for the inspection of the options in an IP packet header on ASA 8.2(2)+ devices. The options field provides for control functions that are required in some situations but unnecessary for most common communications.
If you do not configure IP options inspection, the ASA device drops packets that have any options configured, with one exception. In routed mode, packets that contain the router alert option are allowed. (To disallow router alert packets, create an IP options map with router alert deselected, and configure an inspection rule to inspect IP Options using the policy map.)
Tip Because the no operation (NOP) option might be used as padding to ensure proper packet-header size and alignment, you might want to allow NOP.
For each option, you can select whether to:
-
Allow
—Allow the packet and do not change the IP header options field.
-
Clear
—Allow the packet and clear the option from the IP header options field.
If you do not select an option, the option is prohibited, and packets containing the option are dropped. Any option not listed here also results in a dropped packet; you cannot change this behavior.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > IP Options
from the Object Type selector. Right-click inside the work area, then select
New Object
, or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-40 Add and Edit IP Options Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 128 characters is allowed.
|
Description
|
A description of the policy object.
|
End of Options List
|
End of Options List (EOOL), or IP Option 0, contains just a single zero byte and appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.
|
No operation
|
No Operation (NOP), or IP Option 1, is used for padding. The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as to align the options on a 32-bit boundary.
|
Router alert
|
Router Alert (RTRALT), or IP Option 20, notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols require relatively complex processing from the routers along the packet’s delivery path.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring IPv6 Maps
Use the Add and Edit IPv6 Map dialog boxes to define the match criteria and values for an IPv6 inspect map. You can use an IPv6 map to selectively drop IPv6 packets based on following types of extension headers found anywhere in the IPv6 packet:
-
Hop-by-Hop Options
-
Routing (Type 0)
-
Fragment
-
Destination Options
-
Authentication
-
Encapsulating Security Payload
Service objects corresponding to these protocols are available in the Services table in the Policy Object Manager.
Note With the release of Security Manager 4.4 and versions 9.0 and higher of the ASA, the separate policies for configuring IPv4 and IPv6 inspection rules were unified. However, IPv6 maps are still provided in support of earlier versions.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > IPv6
from the Object Type selector. Right-click inside the table, then select
New Object
or right-click a row, then select
Edit Object
.
Related Topics
Field Reference
Table 17-41 Add and Edit IPv6 Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
|
Permit only known Extension Headers
|
Whether the ASA should verify the IPv6 extension header. When selected and an unknown IPv6 extension header is encountered, the ASA drops the packet and logs the action.
This option is selected by default.
|
Enforce Extension Header Order
|
Whether the ASA should enforce extension header order as defined in the RFC 2460 specification. When selected and an error is detected, the ASA drops the packet and logs the action.
This option is selected by default.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
These criteria entries are created and edited in the IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides in the Policy Object Overrides Window. The
Overrides
field indicates the number of devices that have overrides for this object.
|
IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define an Extension Header match criterion and action for an IPv6 policy map. The contents of the Extension Headers are not processed; an action is applied based solely on the presence of a specified EH type.
The fields in these dialog boxes change based on the criterion you select.
Note You can apply multiple match definitions to one IPv6 policy map.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit IPv6 Map dialog boxes, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring IPv6 Maps.
Related Topics
Field Reference
Table 17-42 IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes
|
|
Criterion
|
Choose the type of IPv6 Extension Header to match:
-
Authentication Header (AH)—Provides integrity and data-origin authentication for IP packets.
-
Destination Options Header—Used for IPv6 Mobility, as well as in support of certain applications.
-
Encapsulating Security Payload Header (ESP)—All information following the ESP header is encrypted and not accessible to intermediate network devices.
-
Fragment Header—Supports traffic-source fragmented-packet communications.
-
Hop-by-Hop Options Header—Optional information that must be examined by every node in the packet’s delivery path.
-
Header Count—The number of headers in the packet. When you choose this option, the following field appears; specify an upper bound for the number of headers:
– Greater Than Count—Enter a value between 0 and 255.
The packet is considered a match if the Header Count is greater than the specified number; it is not a match if the count is equal to, or less than the specified number.
-
Routing Header Type—Use this option to match one or EH types based on their header codes. When you choose this type, the following Value options appear; specify one or the other:
– Routing Type—Enter one Extension Header code; for example,
51
for Authentication Header.
– Routing Type Field Range—Enter a starting value and an ending value to define a range of EH codes.
-
Routing Header Address Count—The number of IP addresses embedded in the packet. When you choose this option, the following field appears; specify an upper bound for the number of addresses:
– Greater Than Count—Enter a value between 0 and 255.
The packet is considered a match if the address count is greater than the specified number; it is not a match if the count is equal to, or less than the specified number.
|
Type
|
Specifies that the map is applied only to traffic that matches the defined criteria.
|
Action
|
Choose the action you want the device to take for traffic that matches the defined criteria:
-
Drop Packet—Matching packets are dropped without notification.
-
Drop Packet and Log—Matching packets are logged and then dropped.
-
Log—Matching packets are logged and processing continues.
|
Configuring IPsec Pass Through Maps
Use the Add and Edit IPsec Pass Through Map dialog boxes to configure settings for the IPsec Pass Through Map policy object. An IPsec Pass Through policy map lets you change the default configuration values used for IPsec Pass Through inspection.
The IPSec Pass Through inspection engine lets the security appliance pass ESP (IP protocol 50) and AH (IP protocol 51) traffic that is formed between two hosts because of successful IKE (UDP port 500) negotiation without the requirement of specific ESP or AH access lists.
The ESP or AH traffic is permitted by the inspection engine with the configured idle timeout if there is an existing control flow and it is within the connection limit defined in the MPF framework. A new control flow is created for IKE UDP port 500 traffic with the configured UDP idle timeout if there is not one, or it uses the existing flow.
To ensure that the packet arrives into the inspection engine, a hole is punched for all such traffic (ESP and AH). This inspect is attached to the control flow. The control flow is present as long as there is at least one data flow (ESP or AH) established, but the traffic always flows on the same connection. Because this IKE connection is kept open as long as data flows, a rekey would always succeed. The flows are created irrespective of whether NAT is being used. However, PAT is not supported.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > IPsec Pass Through
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-43 Add and Edit IPsec Pass Through Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Allow ESP
Maximum ESP Tunnels per Client
ESP Idle Timeout
|
Whether to allow ESP traffic. If you select this option, you can configure the maximum number of ESP tunnels that each client can have and the amount of time that an ESP tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).
|
Allow AH
Maximum AH Tunnels per Client
AH Idle Timeout
|
Whether to allow AH traffic. If you select this option, you can configure the maximum number of AH tunnels that each client can have and the amount of time that an AH tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring NetBIOS Maps
Use the Add or Edit NetBIOS Map dialog boxes to define maps for NetBIOS inspection. A NetBIOS policy map lets you change the default configuration values used for NetBIOS inspection.
The NetBIOS inspection engine translates IP addresses in the NetBIOS name service (NBNS) packets according to the security appliance NAT configuration.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > NetBIOS
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-44 Add or Edit NetBIOS Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Check for Protocol Violation
Action
|
Whether to check for NETBIOS protocol violations. If you select this option, select the action you want to take when violations occur.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring ScanSafe Maps
Use the Add or Edit ScanSafe Map dialog boxes to define maps for ScanSafe inspection. A ScanSafe policy map lets you change the default configuration values used for ScanSafe inspection.
The fields on this dialog box change, depending upon whether you are creating a class map or a policy map.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > ScanSafe
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-45 ScanSafe Add Match Condition and Action Dialog Box
|
|
|
Transport Protocol
|
Allows you to select either HTTPS or HTTP.
For HTTPS, the allowed range of values is 1-65535.
For HTTP, the allowed range of values is 1-65535. The default value is 8080.
|
Default User Name
|
The default user name for the ScanSafe server
|
Default Group Name
|
The default group name for the ScanSafe server
|
Category
|
Allows you to select Cat-A through Cat-G.
This is the category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Match Condition and Action
tab only
|
Class
|
The name of the class map
|
Action
|
Allows you to select the action you want to take when policy violations occur
|
+ [the "add" button]
|
Opens the Add Match Condition and Action dialog box. This dialog box has the following fields:
-
Match Type
-
Class Map
-
Action
|
Configuring SIP Maps
Use the Add and Edit SIP Map dialog boxes to configure values used for SIP application inspection. A SIP inspection map lets you change the default configuration values used for SIP application inspection.
SIP is a widely used protocol for Internet conferencing, telephony, presence, events notification, and instant messaging. Partially because of its text-based nature and partially because of its flexibility, SIP networks are subject to a large number of security threats.
SIP application inspection provides address translation in message header and body, dynamic opening of ports and basic sanity checks. It also supports application security and protocol conformance, which enforce the sanity of the SIP messages, as well as detect SIP-based attacks.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > SIP (ASA/PIX/FWSM)
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-46 Add and Edit SIP Map Dialog Box
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
|
Enable SIP Instant Messaging Extensions
|
Whether to enable Instant Messaging extensions.
|
Permit Non-SIP Traffic on SIP Port
|
Whether to permit non-SIP traffic on the SIP port.
|
Hide Server’s and Endpoint’s IP Address
|
Whether to hide the IP addresses, which enables IP address privacy.
|
Check RTP Packets for Protocol Conformance
Limit Payload to Audio or Video based on the Signaling Exchange
|
Whether to check RTP/RTCP packets flowing on the pinholes for protocol conformance. If you select this option, you can also elect to enforce the payload type to be audio/video based on the signaling exchange.
|
If Number of Hops to Destination is Greater Than 0
|
Whether to check if the value of Max-Forwards header is zero. When it is greater than zero, the action you select in the Action field is implemented. The default is to drop the packet.
|
If State Transition is Detected
|
Whether to check SIP state transitions. When a transition is detected, the action you select in the Action field is implemented. The default is to drop the packet.
|
If Header Fields Fail Strict Validation
|
Whether to take the action specified in the Action field if the SIP header fields are invalid. The default is to drop the packet.
|
Inspect Server’s and Endpoint’s Software Version
|
Whether to inspect the SIP endpoint software version in User-Agent and Server headers. The default is to mask the information.
|
If Non-SIP URI is Detected
|
Whether to take the action specified in the Action field if a non-SIP URI is detected in the Alert-Info and Call-Info headers. The default is to mask the information.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit SIP Match Criterion (for SIP class maps) or Match Condition and Action (for SIP policy maps) dialog boxes to do the following:
-
Define the match criterion and value for a SIP class map.
-
Select a SIP class map when creating a SIP policy map.
-
Define the match criterion, value, and action directly in a SIP policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a class map or policy map.
Navigation Path
When creating a SIP class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog boxes for SIP, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring Class Maps for Inspection Policies.
When creating a SIP policy map, in the Policy Object Manager, from the Match Condition and Action tab on the Add and Edit SIP Map dialog boxes, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring SIP Maps.
Related Topics
Field Reference
Table 17-47 SIP Class and Policy Maps Add and Edit Match Condition and Action Dialog Boxes
|
|
Match Type
Class Name
(Policy Map only)
|
Enables you to use an existing SIP class map or define a new SIP class map.
-
Use Specified Values—You want to define the class map on this dialog box.
-
Use Values in Class Map—You want to select an existing SIP class map policy object. Enter the name of the SIP class map in the
Class Name
field. Click
Select
to select the map from a list or to create a new class map object.
|
Criterion
|
Specifies which criterion of SIP traffic to match.
-
Called Party—Matches the called party as specified in the To header.
-
Calling Party—Matches the calling party as specified in the From header.
-
Content Length—Matches the Content Length header.
-
Content Type—Matches the Content Type header.
-
IM Subscriber—Matches the SIP Instant Messenger subscriber.
-
Message Path—Matches the SIP Via header.
-
Third Party Registration—Matches the requester of a third-party registration.
-
URI Length—Matches a URI in the SIP headers.
-
Request Method—Matches the SIP request method.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
Action
(Policy Map only)
|
The action you want the device to take for traffic that matches the defined criteria.
|
Variable Fields
The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.
|
Value
|
The regular expression you want to evaluate. You can select one of the following:
-
Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression object.
-
Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click
Select
to choose the object from a list of existing ones or to create a new regular expression group object.
|
URI Type
|
The type of URI to match, either SIP or TEL.
|
Greater Than Length
|
The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.
|
Content Type
|
The content type to evaluate as specified in the content-type header field. You can select one of the following:
-
SDP—Matches an SDP SIP content header type.
-
Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.
|
Resource Method
|
The request method you want to inspect:
-
ack—Confirms that the client has received a final response to an INVITE request.
-
bye—Terminates a call and can be sent by either the caller or the called party.
-
cancel—Cancels any pending searches but does not terminate a call that has already been accepted.
-
info—Communicates mid-session signaling information along the signaling path for the call.
-
invite—Indicates a user or service is being invited to participate in a call session.
-
message—Sends instant messages where each message is independent of any other message.
-
notify—Notifies a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.
-
options—Queries the capabilities of servers.
-
prack—Provisional response acknowledgment.
-
refer—Requests that the recipient REFER to a resource provided in the request.
-
register—Registers the address listed in the To header field with a SIP server.
-
subscribe—Requests notification of an event or set of events at a later time.
-
unknown—Uses a nonstandard extension that could have unknown security impacts on the network.
-
update—Permits a client to update parameters of a session but has no impact on the state of a dialog.
|
Configuring Skinny Maps
Use the Add or Edit Skinny Map dialog boxes to define Skinny maps for Skinny inspection. A Skinny policy map lets you change the default configuration values used for Skinny inspection.
Skinny (SCCP) is a simplified protocol used in VoIP networks. Cisco IP Phones using SCCP can coexist in an H.323 environment. When used with Cisco CallManager, the SCCP client can interoperate with H.323 compliant terminals. Application layer functions in the security appliance recognize SCCP version 3.3. There are 5 versions of the SCCP protocol: 2.4, 3.0.4, 3.1.1, 3.2, and 3.3.2.
The security appliance supports all versions through 3.3.2. The security appliance supports PAT and NAT for SCCP. PAT is necessary if you have more IP phones than global IP addresses for the IP phones to use. By supporting NAT and PAT of SCCP Signaling packets, Skinny application inspection ensures that all SCCP signaling and media packets can traverse the security appliance.
Normal traffic between Cisco CallManager and Cisco IP Phones uses SCCP and is handled by SCCP inspection without any special configuration. The security appliance also supports DHCP options 150 and 66, which it accomplishes by sending the location of a TFTP server to Cisco IP Phones and other DHCP clients. Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > Skinny
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row, then select
Edit Object
.
Related Topics
Field Reference
Table 17-48 Add and Edit Skinny Map Dialog Boxes
|
|
Name
|
The name of the Skinny map. A maximum of 40 characters is allowed.
|
Description
|
A description of the Skinny map, up to 200 characters.
|
|
Enforce Endpoint Registration
|
Whether to enforce registration before calls can be placed.
|
Maximum SCCP Station Message ID 0x
|
The maximum SCCP station message ID allowed, in hexadecimal.
|
Check RTP Packets for Protocol Conformance
Enforce Payload Type to be Audio or Video based on Signaling Exchange
|
Whether to check RTP packets flowing through the pinholes for protocol conformance. If you select this option, you can also select whether to enforce the payload type.
|
Minimum SCCP Prefix Length
|
The minimum SCCP length allowed.
|
Maximum SCCP Prefix Length
|
The maximum SCCP length allowed.
|
Media Timeout
|
The timeout value for media connections.
|
Signaling Timeout
|
The timeout value for signaling connections.
|
Match Condition and Action Tab
The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define the match criterion, value, and action for a Skinny policy map.
Navigation Path
In the Policy Object Manager, from the Match Condition and Action tab on the Add or Edit Skinny Map dialog boxes, right-click inside the table, then select
Add Row
or right-click a row, then select
Edit Row
. See Configuring SIP Maps.
Related Topics
Field Reference
Table 17-49 Skinny Policy Maps Add and Edit Match Condition and Action Dialog Boxes
|
|
Criterion
|
Specifies which criterion of Skinny traffic to match.
|
Type
|
Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on 0xFFFF, then any traffic that has the message ID 0xFFFF is excluded from the map.
-
Matches—Matches the criterion.
-
Doesn’t Match—Does not match the criterion.
|
ID Type
|
The hexadecimal value for the message ID to inspect:
-
Value—Matches a single hexadecimal value.
-
Range—Matches a range of values.
|
Action
|
The action you want the device to take for traffic that matches the defined criteria.
|
Configuring SNMP Maps
Use the Add and Edit SNMP Map dialog boxes to define maps for SNMP inspection. An SNMP policy map lets you change the default configuration values used for SNMP application inspection.
SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The security appliance can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by creating an SNMP map. You then apply the SNMP map when you enable SNMP inspection.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Policy Maps > Inspect > SNMP
from the Object Type selector. Right-click inside the work area, then select
New Object
, or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-50 Add and Edit SNNP Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Disallowed SNMP Versions
|
The versions of SNMP you want to prohibit.
-
SNMP Version 1
-
SNMP Version 2c (Community Based)
-
SNMP Version 2 (Party Based)
-
SNMP Version 3
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring Regular Expression Groups
Use the Add and Edit Regular Expression Groups dialog boxes to define regular expression groups, which contain multiple regular expressions. Groups make it possible for you to create modular regular expressions and group them in multiple ways for various uses. The objects can be used in some inspection class maps and inspection policy maps.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Regular Expressions Groups
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-51 Add and Edit Regular Expression Class Map Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Regular Expressions
|
The Regular Expression policy objects that include the expressions you want to include in the group. Enter the name of the objects or click
Select
to select them from a list or to create a new object.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Configuring Regular Expressions for Inspection Maps
Use the Add and Edit Regular Expression dialog boxes to define regular expressions for use in class and policy inspection maps or in regular expression group policy objects.
A regular expression matches text strings either literally as an exact string or by using metacharacters so you can match multiple variants of a text string. You can use regular expressions in various type of class and policy inspection maps to match various target items, for example, the content of certain application traffic such as the body text inside an HTTP packet.
Navigation Path
Select
Manage > Policy Objects
, then select
Maps > Regular Expressions
from the Object Type selector. Right-click inside the work area, then select
New Object
or right-click a row and select
Edit Object
.
Related Topics
Field Reference
Table 17-52 Add and Edit Regular Expression Dialog Boxes
|
|
Name
|
The name of the policy object. A maximum of 40 characters is allowed.
|
Description
|
A description of the policy object. A maximum of 200 characters is allowed.
|
Value
|
The regular expression, up to 100 characters in length. For information on the metacharacters you can use to build regular expressions, see Metacharacters Used to Build Regular Expressions.
|
Category
|
The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.
|
Allow Value Override per Device
Overrides
Edit button
|
Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.
If you allow device overrides, you can click the
Edit
button to create, edit, and view the overrides. The
Overrides
field indicates the number of devices that have overrides for this object.
|
Metacharacters Used to Build Regular Expressions
The following table explains the metacharacters you can use to build regular expressions in the Add and Edit Regular Expression dialog boxes (see Configuring Regular Expressions for Inspection Maps).
Keep the following tips in mind when creating regular expressions:
-
If you enter any metacharacters in your text string that you want to be used literally, add the backslash (\) escape character before them. For example, “example\.com”.
-
If you want to match upper and lower case characters, enter text in both upper- and lowercase. For example, “cats” is entered as “[cC][aA][tT][sS]”.
Table 17-53 Metacharacters Used to Build Regular Expressions
|
|
|
.
|
Dot
|
Matches any single character. For example, d.g matches dog, dag, dtg, and any word that contains those characters, such as doggonnit.
|
(exp)
|
Subexpression
|
A subexpression segregates characters from surrounding characters, so that you can use other metacharacters on the subexpression. For example, d(o|a)g matches dog and dag, but do|ag matches do and ag. A subexpression can also be used with repeat quantifiers to differentiate the characters meant for repetition. For example, ab(xy){3}z matches abxyxyxyz.
|
|
|
Alternation
|
Matches either expression it separates. For example, dog|cat matches dog or cat.
|
?
|
Question mark
|
A quantifier that indicates that there are 0 or 1 of the previous expression. For example, lo?se matches lse or lose.
|
*
|
Asterisk
|
A quantifier that indicates that there are 0, 1 or any number of the previous expression. For example, lo*se matches lse, lose, loose, etc.
|
+
|
Plus
|
A quantifier that indicates that there is at least 1 of the previous expression. For example, lo+se matches lose and loose, but not lse.
|
{x}
|
Repeat Quantifier
|
Repeat exactly x times. For example, ab(xy){3}z matches abxyxyxyz.
|
|
Minimum repeat quantifier
|
Repeat at least x times. For example, ab(xy){2,}z matches abxyxyz, abxyxyxyz, etc.
|
[abc]
|
Character class
|
Matches any character in the brackets. For example, [abc] matches a, b, or c.
|
[^abc]
|
Negated character class
|
Matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an uppercase letter.
|
[a-c]
|
Character range class
|
Matches any character in the range. [a-z] matches any lowercase letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z].
The dash (-) character is literal only if it is the last or the first character within the brackets: [abc-] or [-abc].
|
“”
|
Quotation marks
|
Preserves trailing or leading spaces in the string. For example, “ test” preserves the leading space when it looks for a match.
|
^
|
Caret
|
Specifies the beginning of a line.
|
\
|
Escape character
|
When used with a metacharacter, matches a literal character. For example, \[ matches the left square bracket.
|
char
|
Character
|
When character is not a metacharacter, matches the literal character.
|
\r
|
Carriage return
|
Matches a carriage return 0x0d.
|
\n
|
Newline
|
Matches a new line 0x0a.
|
\t
|
Tab
|
Matches a tab 0x09.
|
\f
|
Formfeed
|
Matches a form feed 0x0c.
|
\xNN
|
Escaped hexadecimal number
|
Matches an ASCII character using hexadecimal (exactly two digits).
|
\NNN
|
Escaped octal number
|
Matches an ASCII character as octal (exactly three digits). For example, the character 040 represents a space.
|