User Guide for Cisco Security Manager 4.18

Enable Rule

Whether to enable the rule, which means the rule becomes active when you deploy the configuration to the device. Disabled rules are shown overlain with hash marks in the rule table. For more information, see Enabling and Disabling Rules.

Apply the Rule to

The interface to which the rule applies:

• All Interfaces—Apply the rule to all interfaces. The rule becomes a global rule on ASA, PIX, and FWSM devices. For IOS devices, the rule is configured for each interface in the In direction.
• Interface (PIX 7.x+, ASA, FWSM 3.x+, IOS)—Apply the rule only to those interfaces identified in the Interfaces field. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list.

For IOS devices only, you can select the direction of the traffic to which this rule applies, either traffic entering an interface (In) or exiting it (Out). For other devices, leave In as the direction.

Match Traffic By

How you want to identify the traffic to inspect. If you select something other than Default Protocol Ports (by itself), you are prompted for the other port or address information when you click Next.

Default Protocol Ports

Limit inspection between source and destination IP addresses (PIX 7.x+, ASA, FWSM 3.x+)

Inspect traffic based on the default ports assigned to a protocol. You will select a protocol on the next page (Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page).

You can also select Limit inspection between source and destination IP addresses to configure the inspection to occur only between a specified source and destination. Do not select this option if you want to inspect a protocol without applying any constraints to the inspected traffic.

If you also select this option, the next page of the wizard is described in Add or Edit Inspect/Application FW Rule Wizard, Step 2.

Custom Destination Ports

Inspect traffic based on specified non-default TCP or UDP destination ports. Select this option if you want to associate additional TCP or UDP traffic with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic.

You will specify the protocol and port(s) on the next page of the wizard; see Add or Edit Inspect/Application FW Rule Wizard, Step 2.

Destination Address and Port (IOS devices only)

Inspect traffic on IOS devices based on destination IP address and port. Select this option if you want to associate additional non-default TCP or UDP ports with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.10.

Source and Destination Address and Port (PIX 7.x, ASA, FWSM 3.x)

Inspect traffic on PIX 7.x+, ASA, and FWSM 3.x+ devices based on source and destination IP addresses and services. Select this option for the same reason you would select Destination Address and Port for IOS devices, although you have the additional option of identifying the source of the traffic.

You will specify the action, sources, destinations, and Services on the next page of the wizard; see Add or Edit Inspect/Application FW Rule Wizard, Step 2.

Category

The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects.

Description

An optional description of the rule (up to 1024 characters).

Protocol

The protocol for the ports you are specifying, either TCP, UDP, or both TCP/UDP.

When configuring Custom Destination Ports for an IOS device, you must select TCP/UDP.

Ports

The port(s) used by the traffic you want to inspect. Valid values range from 1 to 65535.

• Single—Specify one port number only.
• Range—Specify a range of ports, for example, 10000-11000.

When configuring custom ports, be aware that port ranges might not be supported on all platforms or OS versions. Any conflicts are identified during policy validation, not while you are editing this rule.

Action

Whether you are identifying traffic that should be inspected based on the conditions set. Typically, you will create Permit rules.

• Permit—Identifies traffic that will be inspected.
• Deny—Exempts the traffic from inspection. Your access rules will determine if the traffic is allowed or blocked.

Sources

Provide traffic sources for this rule; can be networks, security groups, and users. You can enter values or object names, or Select objects, for one or more of the following types of sources:

• Network – You can specify a various network, host and interface definitions, either individually or as objects. If you Select an interface object as a source, the dialog box displays tabs to differentiate between hosts/networks and interfaces.

The “All-Address” objects do not restrict the rule to specific hosts, networks, or interfaces. These addresses are IPv4 or IPv6 addresses for hosts or networks, network/host objects, interfaces, or interface roles.

Note You can only specify a fully qualified domain name (FQDN) by providing an FQDN network/host object, or a group object that includes an FQDN object. You cannot directly type in an FQDN.

See Understanding Networks/Hosts Objects, Specifying IP Addresses During Policy Definition and Understanding Interface Role Objects for additional information about these definitions.

• Security Groups (ASA 9.0+) – Enter or Select the name or tag number for one or more source security groups for the rule, if any. See Selecting Security Groups in Policies, Configuring TrustSec-Based Firewall Rules and Creating Security Group Objects for more information about security groups.
• Users – Enter or Select the Active Directory (AD) user names, user groups, or identity user group objects for the rule, if any. You can enter any combination of the following:

– Individual user names: NetBIOS_DOMAIN\username

– User groups (note the double \): NetBIOS_DOMAIN\\user_group

– Identity user group object names.

For more information, see:

– Selecting Identity Users in Policies

– Configuring Identity-Based Firewall Rules

– Creating Identity User Group Objects

Note Enter more than one value in any of these fields by separating the items with commas.

Each specification is combined with any others to limit traffic matches to only those flows that include all definitions. For example, specified user traffic originating from within a specified source address range.

Destinations

Provide traffic destinations for this rule; can be networks or security groups. As with Sources, you can enter values or object names, or Select objects, for one or more destinations of Network and Security Group (ASA 9.0+) type.

Services

The services that define the type of traffic upon which to act. You can enter or Select any combination of service objects and service types (which are typically a protocol and port combination).

Enter more than one value by separating the items with commas.

For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects.

Time Range

The name of a time range policy object that defines the times when this rule applies. The time is based on the system clock of the device. The feature works best if you use NTP to configure the system clock.

Enter the name or click Select to select the object. If the object that you want is not listed, click the Create button to create it.

Protocols table

Lists the protocols that can be inspected. You can select one protocol per rule. The list includes information on the device operating systems that allow inspection of the protocol: do not select protocols that are not supported by the device type to which you will apply the inspection rule.

The Options column displays configured options for the selected protocol, if any.

The Group column provides additional information on the use of some of the protocols.

Selected Protocol

Configure button

Displays the protocol you selected. If the protocol allows additional configuration, the Configure button becomes active; click it to see your options, and click the Help button in the dialog box that is opened for information about the options. For more information about protocols that allow configuration, see Configuring Protocols and Maps for Inspection.

Rule Settings (IOS)

Additional settings for the rule if it is used on devices running Cisco IOS software. If you select Use Default Inspection settings, the IOS defaults, or the settings defined in the inspection settings policy (see Configuring Settings for Inspection Rules for IOS Devices), are used. These are the settings you can enable or disable:

• Alert—Whether to generate stateful packet inspection alert messages on the console.
• Audit—Whether audit trail messages are logged to the syslog server or router.
• Timeout—Whether to configure the length of time, in seconds, for which a session is managed while there is no activity. If you select Specify Timeout, enter the timeout value; the range is 5 to 43200 seconds.
• Inspect Router Generated Traffic—Whether to inspect traffic that is generated by the device itself. This option is available for a limited number of the protocols.

Maximum DNS Packet Length

The maximum DNS packet length. Values are 512 to 65535.

DNS Map

The DNS policy map object that defines traffic match conditions and actions, protocol conformance policies, and filter settings. Enter the object name, or click Select to select it. If the object that you want is not listed, click the Create button to create it.

Enable Dynamic Filter Snooping

Whether to allow the security appliance to snoop DNS packets in order to build a database of DNS lookup information. This information is used by botnet traffic filtering to match DNS names to IP addresses.

If you configure a botnet traffic filtering rules policy, select this option. Otherwise, do not select the option. For more information, see Botnet Traffic Filter Rules Page.

Maximum Fragments

The maximum number of unassembled packets for which state information (structures) is allocated by Cisco IOS software. Unassembled packets are packets that arrive at the router interface before the initial packet for a session. Values are 0-10000 state entries. The default is 256.

Note Memory is allocated for the state structures, and setting this value to a larger number may cause memory resources to be exhausted.

Timeout (sec)

The number of seconds that a packet state structure remains active. When the timeout value expires, the router drops the unassembled packet, freeing that structure for use by another packet. Values are 1-1000. The default timeout value is one second.

Reset Connection on Invalid IMAP/POP3 packet

Whether to reset, or drop, the connection between the client and server if an invalid packet is encountered. The client will have to repeat the validation process to reconnect to the server.

Enforce Secure Authentication

Whether to require that the client use a secure login to the server, that is, so that passwords are not sent in clear text.

Program Number

The program number to permit. Values are 1-4294967295.

Wait Time

The number of minutes to keep a hole in the firewall open to allow subsequent connections from the same source address to the same destination address and port. Values are 0-35791 minutes. The default is 0.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Match table

Match Type

The Match table lists the criteria included in the class map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion and the criterion and value that is inspected.

• To add a criterion, click the Add button and fill in the Match Criterion dialog box. For more information, see the topics referenced above.
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Pinhole Timeout

The timeout for DCE/RPC pinholes. The default is 2 minutes (00:02:00). Valid values are between 00:00:01 and 1193:00:00.

Enforce Endpoint Mapper Service

Whether to enforce the endpoint mapper service during binding. Using this service, a client queries a server, called the Endpoint Mapper, for the dynamically allocated network information of a required service.

Enable Endpoint Mapper Service Lookup

Service Lookup Timeout

Whether to enable the lookup operation of the endpoint mapper service. If you select this option, you can enter the time out for the lookup operation. If you do not specify a timeout, the pinhole timeout or default pinhole timeout value is used. Valid values are between 00:00:01 and 1193:00:00.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see DCE/RPC Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Match Type

Class Name

(Policy Map only)

Enables you to use an existing DCE/RPC class map or define a new DCE/RPC class map.

• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing DCE/RPC class map policy object. Enter the name of the DNS class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of traffic to match:

• ms-rpc-epm—Matches Microsoft RPC EPM messages.
• ms-rpc-isystemactivator—Matches ISystemMapper messages.
• ms-rpc-oxidresolver-—Matches OxidResolver messages.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

• Reset—Drop the packet, close the connection, and send a TCP reset to the server or client.
• Log—Send a system log message. You can use this option alone or with one of the other actions.
• Reset and Log— Perform the reset and log actions.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Protocol Conformance Tab

Defines DNS security settings and actions. For a description of the options on this tab, see DNS Map Protocol Conformance Tab.

Filtering Tab

Defines the filtering settings for DNS. For a description of the options on this tab, see DNS Map Filtering Tab.

Mismatch Rate Tab

The Log When DNS ID Mismatch Rate Exceeds option determines whether you want to report excessive instances of DNS identifier mismatches based on the following criteria:

• Threshold—The maximum number of mismatch instances before a system message log is sent. Values are 0 to 4294967295.
• Time Interval—The time period to monitor (in seconds). Values are 1 to 31536000.

Umbrella Connector Tab

Defines DNS umbrella connector settings for a DNS. For a description of the options on this tab, see DNS Umbrella Connector Tab.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Enable DNS Guard Function

Whether to perform a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.

Generate Syslog for ID Mismatch

Whether to create syslog entries for excessive instances of DNS identifier mismatches.

Randomize the DNS Identifier for DNS Query

Whether to randomize the DNS identifier in the DNS query message.

Enable NAT Rewrite Function

Whether to enable IP address translation in the A record of the DNS response.

Enable Protocol Enforcement

Whether to enable DNS message format check, including domain name, label length, compression, and looped pointer check.

Enable DNS on TCP

Whether to enable inspection of DNS over TCP traffic.Ensure that DNS/TCP port 53 traffic is part of the class to which you apply DNS inspection. The inspection default class includes TCP/53.

Require Authentication Between DNS Server (RFC2845)

Action

Whether to require authentication between DNS servers as defined in RFC 2845. If you select this option, select the action to take when there is no authentication.

Drop Packets that Exceed Specified Length

Maximum Packet Length

Whether to drop packets that exceed the maximum length in bytes that you specify. This is a global setting.

Drop Packets Sent to Server that Exceed Specified Maximum Length

Maximum Length

Whether to drop packets sent to the server that exceed the maximum length in bytes that you specify.

Drop Packets Sent to Server that Exceed Length Indicated by Resource Record

Whether to drop packets sent to the server that exceed the length indicated by the resource record.

Drop Packets Sent to Client that Exceed Specified Length

Maximum Length

Whether to drop packets sent to a client that exceed the maximum length in bytes that you specify.

Drop Packets Sent to Client that Exceed Length Indicated by Resource Record

Whether to drop packets sent to the client that exceed the length indicated by the resource record.

Enable Umbrella Connector Tag for Umbrella Policy

Select the check box and enter the DNS policy-map umbrella tag name. The tag name can be a maximum of 50 characters. Cisco Security manager throws an error message if the tag name is greater than 50 characters.

Note If the Umbrella global policy is not configured, Cisco Security Manager displays activity validation error. For more information on Umbrella global policy configuration, see Configuring Umbrella Global Policy.

Enable DNScrypt

Select this check box to enable the DNS crypt in the Umbrella datapath. For every hour, the secret key is exchanged between the key exchange thread and the Umbrella resolver.

Ensure that the Enable Umbrella Connector check box is selected. If the check box is not selected, an error message is displayed for configuration discrepancy.

Note If the Umbrella global policy is not configured, Cisco Security Manager displays activity validation error. For more information on Umbrella global policy configuration, see Configuring Umbrella Global Policy.

Match Type

Class Name

(Policy Map only)

Enables you to use an existing DNS class map or define a new DNS class map.

• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing DNS class map policy object. Enter the name of the DNS class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of traffic to match:

• DNS Class—Matches a DNS query or resource record class.
• DNS Type—Matches a DNS query or resource record type.
• Domain Name—Matches a domain name from a DNS query or resource record.
• Header Flag—Matches a DNS flag in the header.
• Question—Matches a DNS question.
• Resource Record—Matches a DNS resource record.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

(for DNS Class criterion)

The DNS class you want to inspect:

• Internet—Matches the Internet DNS class.
• DNS Class Field Value—Matches the specified number.
• DNS Class Field Range—Matches the specified range of numbers.

Value

(for DNS Type criterion)

The DNS type you want to inspect:

• DNS Type Field Name—Matches the name of a DNS type:

– A—IPv4 address.

– AXFR—Full (zone) transfer.

– CNAME—Canonical name.

– IXFR—Incremental (zone) transfer.

– NS—Authoritative name server.

– SOA—Start of a zone of authority.

– TSIG—Transaction signature.

• DNS Type Field Value—Matches the specified number.
• DNS Type Field Range—Matches the specified range of numbers.

Value

(for Domain Name criterion)

The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

Options

Value

(for Header Flag criterion)

The header flag you want to inspect. Use the Options field to indicate whether you want an exact match (Equals) or a partial match (Contains).

• Header Flag Name—Matches the selected header flag names:

– AA (authoritative answer)

– QR (query)

– RA (recursion available)

– RD (recursion denied)

– TC (truncation) flag bits

• Header Flag Value—Matches the specified 16-bit hexadecimal value.

Resource Record

Lists the sections to match:

• Additional—DNS additional resource record.
• Answer—DNS answer resource record.
• Authority—DNS authority resource record.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Mask Server Banner

Whether to mask the server banner to prevent the client from discovering server information.

Configure Mail Relay

Domain Name

Action

Whether to have ESMTP inspection detect mail relay. When you select this option, enter the domain name you are inspecting and select the action you want to take when mail relay is detected.

Special Character (ASA7.2.3+/PIX7.2.3+)

Action

Whether you want to detect special characters in sender or receiver email addresses. If you select this option, select the action you want to take when special characters are detected.

Allow TLS (ASA7.2.3+, 8.0.3+/PIX7.2.3)

Action Log

Whether to allow a TLS proxy on the security appliance. If you select this option, you can also select Action Log to create a log entry when TLS is detected.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see ESMTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Criterion

Specifies which criterion of ESMTP traffic to match. The criteria are described above.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Greater Than Length

The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.

The dialog box indicates the valid range for the length, except for Body Length and Header length, which can be 1 to 4294967295.

Commands

The ESMTP command verbs you want to inspect.

Greater Than Count

The number of evaluated items. The criterion matches if the count is greater than the specified number, and does not match if the count is less than the specified number.

Parameters

The ESMTP EHLO reply parameters you want to inspect.

Value

The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

MIME Encoding

The type of MIME encoding schemes you want to inspect.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Mask Greeting Banner from Server

Whether to mask the greeting banner from the FTP server to prevent the client from discovering server information.

Mask Reply to SYST Command

Whether to mask the reply to the syst command to prevent the client from discovering server information.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see FTP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Validate For

Validate button

The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine if the object is configured in a way that will prevent policy deployment.

Match Type

Class Name

(Policy Map only)

Enables you to use an existing FTP class map or define a new FTP class map.

• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing FTP class map policy object. Enter the name of the FTP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of FTP traffic to match:

• Request Command—Matches an FTP request command.
• Filename—Matches a filename for FTP transfer.
• File Type—Matches a file type for FTP transfer.
• Server—Matches an FTP server name.
• Username—Matches an FTP username.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Request Commands

The FTP commands you want to inspect:

• Append (APPE)—Appends to a file.
• Delete (DELE)—Deletes a file at the server site.
• Help (HELP)—Provides help information from the server.
• Put (PUT)—FTP client command for the stor (store a file) command.
• Rename From (RNFR)—Specifies rename-from filename.
• Server Specific Command (SITE)—Specifies commands that are server specific. Usually used for remote administration.
• Change to Parent (CDUP)—Changes to the parent directory of the current working directory.
• Get (GET)—FTP client command for the retr (retrieve a file) command.
• Create Directory (MKD)—Creates a directory.
• Remove Directory (RMD)—Removes a directory.
• Rename To (RNTO)—Specifies rename-to filename.
• Store File with Unique Name (STOU)—Stores a file with a unique filename.

Value

The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Country and Network Codes Table

The three-digit Mobile Country Code (mcc) and Mobile Network Code (mnc) to include in the map. The codes are 000 to 999.

• To add codes, click the Add button and fill in the dialog box.
• To edit a row, select it and click the Edit button.
• To delete a row, select it and click the Delete button.

Permit Response Table

The Network/Host policy objects for which you will allow GTP responses from a GSN that is different from the one to which the response was sent.

• To add objects, click the Add button and fill in the dialog box. For more information, see Add and Edit Permit Response Dialog Boxes.
• To edit a row, select it and click the Edit button.
• To delete a row, select it and click the Delete button.

Request Queue

The maximum requests allowed in the queue. When the limit has been reached and a new request arrives, the request that has been in the queue for the longest time is removed. Values are 1-9999999. The default is 200.

Tunnel Limit

The maximum number of tunnels allowed.

Permit Errors

Whether to permit packets with errors or different GTP versions. By default, all invalid packets or packets that failed during parsing are dropped.

Enable Data Packet Replay Window

Select the check box to configure the anti-replay and select one of the four window sizes—128, 256, 512, or 1024. Messages that are outside of the window size are dropped.

For information on configuration of GTP Map policy, refer to Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page.

Enable Header

Check Select the check box to enable header check of the data packets.

Anti-User Spoofing

This field is enabled only when you select the Enable Header Check check box. Select the relevant option:

• Bypass—to forward the packets that pass the header check.
• Drop—to drop the packets that pass the header check.

Edit Timeouts button

Click this button to configure time out values for various operations. For more information about the options, see GTP Map Timeouts Dialog Box.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see GTP Policy Maps Add or Edit Match Condition and Action Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Validate For

Validate button

The device platforms for which to validate the object. Select the platform for which you intend to use this object and click Validate to determine if the object is configured in a way that will prevent policy deployment.

GSN Timeout (Prior to ASA 9.5(1))

Endpoint Timeout (ASA 9.5(1) or higher)

The period of inactivity (hh:mm:ss) after which a GSN is removed. The default is 30 minutes. Enter 0 to never tear down immediately.

PDP Context Timeout

The maximum period of time allowed (hh:mm:ss) before beginning to receive the PDP context. The default is 30 minutes. Enter 0 to specify no limit.

Request Queue Timeout

The maximum period of time allowed (hh:mm:ss) before beginning to receive the GTP message. The default is 60 seconds. Enter 0 to specify no limit.

Signaling Connections Timeout

The period of inactivity (hh:mm:ss) after which the GTP signaling is removed. The default is 30 minutes. Enter 0 to not remove the signal.

Tunnel Timeout

The period of inactivity (hh:mm:ss) after which the GTP tunnel is torn down. The default is 60 seconds (when a Delete PDP Context Request is not received). Enter 0 to never tear down immediately.

T3 Response Timeout

The maximum wait time for a response before removing the connection.

Criterion

Specifies which criterion of GTP traffic to match:

• Access Point Name—Matches the access point name so you can define the access points to drop when GTP application inspection is enabled.
• Message ID—Matches the numeric identifier for the message that you want to drop. By default, all valid message IDs are allowed.
• Message Length—Matches the length of the UDP packet. Use this criterion to change the default for the maximum allowed message length for the UDP payload.
• Version—Matches the GTP version.
• MSISDN—Matches the MSISDN with regular expressions or class and drop all GTP packets that have matching MSISDN.
• Selection Mode—Ranges between 0 and 3.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

The action you want the device to take for traffic that matches the defined criteria.

• Drop Packet—By default, all invalid packets or packets that failed during parsing are dropped.
• Drop Packet and Log
• Rate Limit

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Access Point Name

The access points to act on when GTP application inspection is enabled.

• Specified By—An access point name to be dropped. By default, all messages with valid APNs are inspected, and any APN is allowed.
• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

ID type

The numeric identifier of the message that you want to act on.

• Value—A single message ID. The Value can be between 1 and 255.
• Range—A range of message IDs. The Range can be between 1 and 255.

Minimum Length

The minimum number of bytes in the UDP payload.

Maximum Length

The maximum number of bytes in the UDP payload.

Version

Beginning with version 4.9, Security Manager provides support for GPRS Tunnel Protocol (GTP) v2 and enhanced v1 in the GTP Map Object for ASA devices 9.5(1) or higher. You can now configure separate message ID matching for GTPv1 and GTPv2.

For ASA devices 9.5(1) or higher, if you select Message ID as the Criterion, two options for Version, v1 and v2, are displayed. Select v1 or v2 and enter a single Value between 1 and 255, or a Range of values from 1 to 255.

Version Type

Prior to ASA version 9.5(1)—Use 0 to identify Version 0 and 1 to identify Version 1. Version 0 of GTP uses port 2123, while Version 1 uses port 3386. By default all GTP versions are allowed.

Regular Expression

Beginning with version 4.18, Cisco Security Manager allows configuring of MSISDN with regular expressions and drop all GTP packets that have matching MSISDN. This field appears when you select MSISDN in the Criterion drop-down.

Regular Expression Group

Beginning with version 4.18, Cisco Security Manager allows configuring of MSISDN with regular expressions class and drop all GTP packets that have matching MSISDN. This field appears when you select MSISDN in the Criterion drop-down.

Mode Value

If Selection is selected in the Criterion drop-down, this field appears. Enter the mode value in the range of 0 – 3. This is a mandatory field.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

HSI Group table

The HSI groups to include in the map. The group number, IP address of the HSI host, and IP addresses and interface names of the clients connected to the security appliance are shown in the table. Up to five HSI hosts per group, and up to ten end points per HSI group, are allowed.

• To add a group, click the Add button and fill in the dialog box (see Add or Edit HSI Group Dialog Boxes).
• To edit a group, select it and click the Edit button.
• To delete a group, select it and click the Delete button.

Call Duration Limit

The call duration limit in seconds. The range is from 0:0:0 to 1163:0:0. A value of 0 means never timeout.

Enforce Presence of Calling and Called Party Numbers

Whether to enforce calling and called party numbers used in call setup.

Allow the facility message before SETUP for H.460.18

Whether to allow the FACILITY message to be sent before the SETUP message as part of the Incoming Call Message Procedure.

Note H.460.18 defines a method for traversal of H.323 signaling across network address translators and firewalls.

Check State Transition on H.225 Messages

Whether to enable state checking validation on H.225 messages.

Check State Transition on RAS Messages

Whether to enable state checking validation on RAS messages.

Create Pinholes on Seeing RCF Packets

Whether to enable call setup between H.323 endpoints when the Gatekeeper is inside the network. The device opens pinholes for calls based on Registration Request/Registration Confirm (RRQ/RCF) messages. Because these RRQ/RCF messages are sent to and from the Gatekeeper, the calling endpoint’s IP address is unknown and the device opens a pinhole through source IP address/port 0/0.

This option is available for ASA 8.0(5)+ devices.

Check for H.245 Tunneling

Action

Whether to enforce H.245 tunnel blocking and perform the action you select in the Action list box.

Check RTP Packets for Protocol Conformance

Whether to check RTP packets flowing through the pinholes for protocol conformance.

Payload Type must be Audio or Video based on Signaling Exchange

Whether to enforce the payload type to be audio or video based on the signaling exchange.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see H.323 Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Group ID

The HSI group ID number (0 to 2147483647).

IP Address

The IP address of the HSI host.

Endpoint table

The end points associated with HSI group. You can add up to 10 end points per group. For each end point, you specify the IP address and interface policy group.

• To add an end point, click the Add button and fill in the dialog box (see Add or Edit HSI Endpoint IP Address Dialog Boxes).
• To edit an end point, select it and click the Edit button.
• To delete an end point, select it and click the Delete button.

Network/Host

The IP address of the end point host or network.

Interface

The Interface policy group that identifies the interface connected to the security appliance. Enter the name of a policy group, or click Select to select it from a list, where you can also create new policy groups.

Match Type

Class Name

(Policy Map only)

Enables you to use an existing H.323 class map or define a new H.323 class map.

• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing H.323 class map policy object. Enter the name of the H.323 class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of H.323 traffic to match:

• Called Party—Matches the called party address.
• Calling Party—Matches the calling party address.
• Media Type—Matches the media type.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

Media Type

The type of media you want to inspect, audio, video, or data.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

General tab

Defines the action taken when non-compliant HTTP requests are received and to enable verification of content type. For a description of the options, see HTTP Map General Tab.

Entity Length tab

Defines the action taken if the length of the HTTP content falls outside of configured targets. For a description of the options, see HTTP Map Entity Length Tab.

RFC Request Method tab

Defines the action that the security appliance should take when specific RFC request methods are used in the HTTP request. For a description of the options, see HTTP Map RFC Request Method Tab.

Extension Request Method tab

Defines the action taken when specific extension request methods are used in the HTTP request. For a description of the options, see HTTP Map Extension Request Method Tab.

Port Misuse tab

Defines the action taken when specific undesirable applications are encountered. For a description of the options, see HTTP Map Port Misuse Tab.

Transfer Encoding tab

Defines the action taken when specific transfer encoding types are used in the HTTP request. For a description of the options, see HTTP Map Transfer Encoding Tab.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Take action for non-RFC 2616 compliant traffic

Whether you want to configure the action to be taken for traffic that does not comply with RFC 2616. Possible actions are:

• Allow Packet—Allow the message.
• Drop Packet—Close the connection.
• Reset Connection (default)—Send a TCP reset message to client and server.

You can also select Generate Syslog to write a message to the syslog if non-compliant traffic is encountered.

Verify Content-type field belongs to the supported internal content-type list.

Whether you want to configure the action to be taken for traffic whose content type does not belong to the supported internal content-type list. Possible actions are:

• Allow Packet—Allow the message.
• Drop Packet—Close the connection.
• Reset Connection (default)—Send a TCP reset message to client and server.

You can also select these options:

• Verify Content-type field for response matches the ACCEPT field of request —To also verify that the content type of the response matches the request.
• Generate Syslog —To write a message to the syslog if non-compliant traffic is encountered.

Override Global TCP Idle Timeout (IOS only)

Whether to change the TCP idle timeout default setting. An IOS device terminates a connection if there is no communication activity after this length of time. If you select this option, specify the desired timeout value in seconds.

Override Global Audit Trail Setting (IOS only)

Enable Audit Trail

Whether to change the audit trail setting for IOS devices. If you select this option, you can select Enable Audit Trail to generate audit trail messages.

Inspect URI Length

Whether to enable inspection based on the length of the URI. If you select this option, configure the following:

• Maximum—The desired maximum length, in bytes, of the URI, from 1 to 65535.
• Excessive URI Length Action—The action to take when the length is exceeded:

– Allow Packet—Allow the message.

– Drop Packet—Close the connection.

– Reset Connection—Send a TCP reset message to client and server.

• Generate Syslog—Whether to generate a syslog message when a violation occurs.

Inspect Maximum Header Length

Whether to enable inspection based on the length of the HTTP header. If you select this option, configure the following:

• Request—The desired maximum length, in bytes, of the request header, from 1 to 65535.
• Response—The desired maximum length, in bytes, of the response header, from 1 to 65535.
• Excessive Header Length Action—The action to take when the length is exceeded:

– Allow Packet—Allow the message.

– Drop Packet—Close the connection.

– Reset Connection—Send a TCP reset message to client and server.

• Generate Syslog—Whether to generate a syslog message when a violation occurs.

Inspect Body Length

Whether to enable inspection based on the length of the message body. If you select this option, configure the following:

• Minimum Threshold—The desired minimum length, in bytes, of the message body, from 1 to 65535.
• Maximum Threshold—The desired maximum length, in bytes, of the message body, from 1 to 65535.
• Body Length Threshold Action—The action to take when the message body falls outside of the configured boundaries:

– Allow Packet—Allow the message.

– Drop Packet—Close the connection.

– Reset Connection—Send a TCP reset message to client and server.

• Generate Syslog—Whether to generate a syslog message when a violation occurs.

Available and Selected Methods

Action

Generate Syslog

The Available Methods list contains the request methods defined in RFC 2616.

To configure an action for a method, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the >> button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the << button.)

The actions you can specify are:

• Allow Packet—Allow the message.
• Drop Packet—Close the connection.
• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available methods above.

Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

Available and Selected Methods

Action

Generate Syslog

The Available Methods list contains the extension request methods defined in RFC 2616.

To configure an action for a method, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected method is encountered. Click the >> button to add it to the Selected Methods list. (To remove a method from the selected list, select it and click the << button.)

The actions you can specify are:

• Allow Packet—Allow the message.
• Drop Packet—Close the connection.
• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available methods above.

Whether to define a default action for the methods for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

Available and Selected Application Categories

Action

Generate Syslog

The Available Application Categories list contains the categories for which you can define firewall inspection settings.

To configure an action for a category, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected application is encountered. Click the >> button to add it to the Selected Categories list. (To remove a category from the selected list, select it and click the << button.)

The actions you can specify are:

• Allow Packet—Allow the message.
• Drop Packet—Close the connection.
• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available categories above.

Whether to define a default action for the categories for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

Available and Selected Encoding Types

Action

Generate Syslog

The Available Encoding Types list contains the types of transfer encoding for which you can define firewall inspection settings.

To configure an action for a type, select it, then select an action and optionally select Generate Syslog if you want a message added to the syslog when an HTTP request containing the selected type is encountered. Click the >> button to add it to the Selected Encoding Types list. (To remove a type from the selected list, select it and click the << button.)

The actions you can specify are:

• Allow Packet—Allow the message.
• Drop Packet—Close the connection.
• Reset Connection (default)—Send a TCP reset message to client and server.

Specify the action to be applied for the remaining available encoding types above.

Whether to define a default action for the types for which you have not configured specific actions above. If you select this option, select the action and syslog setting to use for the default action.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Body Match Maximum

The maximum number of characters in the body of an HTTP message that should be searched in a body match.

Check for protocol violations

Whether to check for protocol violations.

Action

The action to take based on the defined settings. You can drop, reset, or log the connection.

Spoof Server

Enables you to replace the server HTTP header value with the specified string.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see HTTP Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Overrides: None

Shows that no overrides exist on the device. You must manually set overrides in order to change the display. For more information, see Understanding Policy Object Overrides for Individual Devices.

Note Selecting Allow Value Override per Device does not automatically set overrides.

Match Type

Class Name

(Policy Map only)

Enables you to use an existing HTTP class map or define a new HTTP class map.

• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing HTTP class map policy object. Enter the name of the HTTP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of HTTP traffic to match. The criteria are described above.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion. For some criteria, this is the only available option.
• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria. The types of action depend on the criterion you select.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Field Name

The name of the header field to evaluate. You can select one of the following:

• Predefined—The predefined HTTP header fields.
• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.

Value

The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

When you are evaluating the Request Header Transfer Encoding or Response Header Transfer Encoding criteria, you can also select these options:

• Specified By—One of the following predefined types of transfer encoding:

– Chunked—The message body is transferred as a series of chunks.

– Compressed—The message body is transferred using UNIX file compression.

– Deflate—The message body is transferred using zlib format (RFC 1950) and deflate compression (RFC 1951).

– GZIP—The message body is transferred using GNU zip (RFC 1952).

– Identity—No transfer encoding is performed.

• Empty—The transfer-encoding field in request header is empty.

Greater Than Length

The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.

Greater Than Count

The number of evaluated items. The criterion matches if the count is greater than the specified number, and does not match if the count is less than the specified number.

Content Type

The content type to evaluate as specified in the content-type header field. You can select one of the following:

• Specified By—A predefined MIME type.
• Unknown—The MIME type is not known. Select Unknown when you want to evaluate the item against all known MIME types.
• Violation—The magic number in the body must correspond to the MIME type in the content-type header field.
• Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.

Request Method

The specified request method to match. You can select one of the following:

• Specified By—The predefined request method.
• Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see IM Class and Policy Map (ASA 7.2+/PIX 7.2+) Add or Edit Match Condition (and Action) Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Match Type

Class Name

(Policy Map only)

Enables you to use an existing IM class map or define a new IM class map.

• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing IM class map policy object. Enter the name of the IM class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of IM traffic to match. The criteria are:

• Filename—Matches the filename from IM file transfer service.
• Client IP Address—Matches the source client IP address.
• Client Login Name—Matches the client login name from IM service.
• Peer IP Address—Matches the peer, or destination, IP address.
• Peer Login Name—Matches the peer, or destination, login name from IM service.
• Protocol—Matches IM protocols.
• Service—Matches IM services.
• File Transfer Service Version—Matches the IM file transfer service version.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

IP Address

The IP address you want to match.

Protocol

The IM protocol, either MSN Messenger or Yahoo! Messenger.

Services

The IM services you want to inspect. Select one or more of the listed services.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Service Tabs

The tabs represent different IM service providers. The settings available on each tab are identical. You must configure the settings separately for each service provider. The descriptions of the following fields apply to each of the services: Yahoo!, MSN, and AOL.

Text Chat

How you want the text chat service to be handled, for example, allowed, denied, logged, or some combination.

Other Services

How you want services other than text chat to be handled, for example, allowed, denied, logged, or some combination. IOS software recognizes all services other than text chat, such as voice-chat, video-chat, file sharing and transferring, and gaming as a single group.

Permit Servers

The servers from which to permit traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Deny Servers

The servers from which to deny traffic. Accepted formats are IP addresses, IP ranges, and hostnames separated by commas.

Alert

Whether you want to enable or disable alerts. The default is to use the default inspection settings.

Audit

Whether you want to enable or disable an audit trail. The default is to use the default inspection settings.

Timeout

A timeout for the service. You can use the default inspection settings, or you can elect to specify a timeout. If you select Specify Timeout, enter the timeout value in seconds.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Name

The name of the policy object. A maximum of 128 characters is allowed.

Description

A description of the policy object.

End of Options List

End of Options List (EOOL), or IP Option 0, contains just a single zero byte and appears at the end of all options to mark the end of a list of options. This might not coincide with the end of the header according to the header length.

No operation

No Operation (NOP), or IP Option 1, is used for padding. The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the NOP option is used as to align the options on a 32-bit boundary.

Router alert

Router Alert (RTRALT), or IP Option 20, notifies transit routers to inspect the contents of the packet even when the packet is not destined for that router. This inspection is valuable when implementing RSVP and similar protocols require relatively complex processing from the routers along the packet’s delivery path.

Basic Security (ASA devices 9.5(1) or higher)

IP-option Basic Security (number 130) from RFC 1108, default is to drop.

Commercial Security (ASA devices 9.5(1) or higher)

IP-option Commercial Security (number 134), default is to drop.

Default (ASA devices 9.5(1) or higher)

IP-option default configuration, default is drop.

Experimental Flow Control (ASA devices 9.5(1) or higher)

IP-option Experimental Flow Control (number 205), default is to drop.

Experimental Measurement (ASA devices 9.5(1) or higher)

IP-option Experimental Measurement (number 10), default is to drop.

Extended-Security (ASA devices 9.5(1) or higher)

IP-option Extended Security (number 133) from RFC 1108, default is to drop.

IMI Traffic Descriptor (ASA devices 9.5(1) or higher)

IP-option IMI Traffic Descriptor (number 144), default is to drop.

Quick Start (ASA devices 9.5(1) or higher)

IP-option Router Alert (number 25) from RFC 4782, default is to drop.

Record Route (ASA devices 9.5(1) or higher)

IP-option Record Route (number 7) from RFC 791, default is to drop.

Time Stamp (ASA devices 9.5(1) or higher)

IP-option Router Alert (number 68) from RFC 791, default is to drop.

Note Beginning with version 4.9, Security Manager supports 10 new IP Options for ASA devices running the software version 9.5(1) or higher. You can tune the inspection to allow, clear, or drop any standard or experimental options. You can also configure specific IP Options apart from the ones that are defined. For example, a value ranging between 0 and 255 can be used to configure an IP Option directly. Security Manager supports the CLI ’[no] 0-255 allow | clear’. You can also set a default behavior for options not explicitly defined in an IP options inspection map. You now select which options to allow and optionally clear. For a list of IP options, with references to the relevant RFCs, see the IANA page, http://www.iana.org/assignments/ip-parameters/ip-parameters.xhtml

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Permit only known Extension Headers

Whether the ASA should verify the IPv6 extension header. When selected and an unknown IPv6 extension header is encountered, the ASA drops the packet and logs the action.

This option is selected by default.

Enforce Extension Header Order

Whether the ASA should enforce extension header order as defined in the RFC 2460 specification. When selected and an error is detected, the ASA drops the packet and logs the action.

This option is selected by default.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

These criteria entries are created and edited in the IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides in the Policy Object Overrides Window. The Overrides field indicates the number of devices that have overrides for this object.

Criterion

Choose the type of IPv6 Extension Header to match:

• Authentication Header (AH)—Provides integrity and data-origin authentication for IP packets.
• Destination Options Header—Used for IPv6 Mobility, as well as in support of certain applications.
• Encapsulating Security Payload Header (ESP)—All information following the ESP header is encrypted and not accessible to intermediate network devices.
• Fragment Header—Supports traffic-source fragmented-packet communications.
• Hop-by-Hop Options Header—Optional information that must be examined by every node in the packet’s delivery path.
• Header Count—The number of headers in the packet. When you choose this option, the following field appears; specify an upper bound for the number of headers:

– Greater Than Count—Enter a value between 0 and 255.

The packet is considered a match if the Header Count is greater than the specified number; it is not a match if the count is equal to, or less than the specified number.

• Routing Header Type—Use this option to match one or EH types based on their header codes. When you choose this type, the following Value options appear; specify one or the other:

– Routing Type—Enter one Extension Header code; for example, 51 for Authentication Header.

– Routing Type Field Range—Enter a starting value and an ending value to define a range of EH codes.

• Routing Header Address Count—The number of IP addresses embedded in the packet. When you choose this option, the following field appears; specify an upper bound for the number of addresses:

– Greater Than Count—Enter a value between 0 and 255.

The packet is considered a match if the address count is greater than the specified number; it is not a match if the count is equal to, or less than the specified number.

Type

Specifies that the map is applied only to traffic that matches the defined criteria.

Action

Choose the action you want the device to take for traffic that matches the defined criteria:

• Drop Packet—Matching packets are dropped without notification.
• Drop Packet and Log—Matching packets are logged and then dropped.
• Log—Matching packets are logged and processing continues.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Allow ESP

Maximum ESP Tunnels per Client

ESP Idle Timeout

Whether to allow ESP traffic. If you select this option, you can configure the maximum number of ESP tunnels that each client can have and the amount of time that an ESP tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).

Allow AH

Maximum AH Tunnels per Client

AH Idle Timeout

Whether to allow AH traffic. If you select this option, you can configure the maximum number of AH tunnels that each client can have and the amount of time that an AH tunnel can be idle before it is closed (in hours:minutes:seconds format). The default timeout is 10 minutes (00:10:00).

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Check for Protocol Violation

Action

Whether to check for NETBIOS protocol violations. If you select this option, select the action you want to take when violations occur.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Transport Protocol

Allows you to select either HTTPS or HTTP.

For HTTPS, the allowed range of values is 1-65535.

For HTTP, the allowed range of values is 1-65535. The default value is 8080.

Default User Name

The default user name for the ScanSafe server

Default Group Name

The default group name for the ScanSafe server

Category

Allows you to select Cat-A through Cat-G.

This is the category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Match Condition and Action tab only

Class

The name of the class map

Action

Allows you to select the action you want to take when policy violations occur

+ [the "add" button]

Opens the Add Match Condition and Action dialog box. This dialog box has the following fields:

• Match Type
• Class Map
• Action

Name

The name of the policy object. A maximum of 40 characters is allowed.

Description

A description of the policy object. A maximum of 200 characters is allowed.

Enable SIP Instant Messaging Extensions

Whether to enable Instant Messaging extensions.

Permit Non-SIP Traffic on SIP Port

Whether to permit non-SIP traffic on the SIP port.

Hide Server’s and Endpoint’s IP Address

Whether to hide the IP addresses, which enables IP address privacy.

Check RTP Packets for Protocol Conformance

Limit Payload to Audio or Video based on the Signaling Exchange

Whether to check RTP/RTCP packets flowing on the pinholes for protocol conformance. If you select this option, you can also elect to enforce the payload type to be audio/video based on the signaling exchange.

If Number of Hops to Destination is Greater Than 0

Whether to check if the value of Max-Forwards header is zero. When it is greater than zero, the action you select in the Action field is implemented. The default is to drop the packet.

If State Transition is Detected

Whether to check SIP state transitions. When a transition is detected, the action you select in the Action field is implemented. The default is to drop the packet.

If Header Fields Fail Strict Validation

Whether to take the action specified in the Action field if the SIP header fields are invalid. The default is to drop the packet.

Inspect Server’s and Endpoint’s Software Version

Whether to inspect the SIP endpoint software version in User-Agent and Server headers. The default is to mask the information.

If Non-SIP URI is Detected

Whether to take the action specified in the Action field if a non-SIP URI is detected in the Alert-Info and Call-Info headers. The default is to mask the information.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see SIP Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.

Match Type

Class Name

(Policy Map only)

Enables you to use an existing SIP class map or define a new SIP class map.

• Use Specified Values—You want to define the class map on this dialog box.
• Use Values in Class Map—You want to select an existing SIP class map policy object. Enter the name of the SIP class map in the Class Name field. Click Select to select the map from a list or to create a new class map object.

Criterion

Specifies which criterion of SIP traffic to match.

• Called Party—Matches the called party as specified in the To header.
• Calling Party—Matches the calling party as specified in the From header.
• Content Length—Matches the Content Length header.
• Content Type—Matches the Content Type header.
• IM Subscriber—Matches the SIP Instant Messenger subscriber.
• Message Path—Matches the SIP Via header.
• Third Party Registration—Matches the requester of a third-party registration.
• URI Length—Matches a URI in the SIP headers.
• Request Method—Matches the SIP request method.

Type

Specifies whether the map includes traffic that matches or does not match the criterion. For example, if Doesn’t Match is selected on the string “example.com,” then any traffic that contains “example.com” is excluded from the map.

• Matches—Matches the criterion.
• Doesn’t Match—Does not match the criterion.

Action

(Policy Map only)

The action you want the device to take for traffic that matches the defined criteria.

Variable Fields

The following fields vary based on what you select in the Criterion field. This list is a super-set of the fields you might see.

Value

The regular expression you want to evaluate. You can select one of the following:

• Regular Expression—The regular expression object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression object.
• Regular Expression Group—The regular expression group object that defines the regular expression you want to use for pattern matching. Enter the name of the object. You can click Select to choose the object from a list of existing ones or to create a new regular expression group object.

URI Type

The type of URI to match, either SIP or TEL.

Greater Than Length

The length in bytes of the evaluated field. The criterion matches if the length is greater than the specified number, and does not match if the field is less than the specified number.

Content Type

The content type to evaluate as specified in the content-type header field. You can select one of the following:

• SDP—Matches an SDP SIP content header type.
• Regular Expression, Regular Expression Group—The regular expression or regular expression group to evaluate. See the explanation for the Value field for an explanation of these options.

Resource Method

The request method you want to inspect:

• ack—Confirms that the client has received a final response to an INVITE request.
• bye—Terminates a call and can be sent by either the caller or the called party.
• cancel—Cancels any pending searches but does not terminate a call that has already been accepted.
• info—Communicates mid-session signaling information along the signaling path for the call.
• invite—Indicates a user or service is being invited to participate in a call session.
• message—Sends instant messages where each message is independent of any other message.
• notify—Notifies a SIP node that an event which has been requested by an earlier SUBSCRIBE method has occurred.
• options—Queries the capabilities of servers.
• prack—Provisional response acknowledgment.
• refer—Requests that the recipient REFER to a resource provided in the request.
• register—Registers the address listed in the To header field with a SIP server.
• subscribe—Requests notification of an event or set of events at a later time.
• unknown—Uses a nonstandard extension that could have unknown security impacts on the network.
• update—Permits a client to update parameters of a session but has no impact on the state of a dialog.

Name

The name of the Skinny map. A maximum of 40 characters is allowed.

Description

A description of the Skinny map, up to 200 characters.

Enforce Endpoint Registration

Whether to enforce registration before calls can be placed.

Maximum SCCP Station Message ID 0x

The maximum SCCP station message ID allowed, in hexadecimal.

Check RTP Packets for Protocol Conformance

Enforce Payload Type to be Audio or Video based on Signaling Exchange

Whether to check RTP packets flowing through the pinholes for protocol conformance. If you select this option, you can also select whether to enforce the payload type.

Minimum SCCP Prefix Length

The minimum SCCP length allowed.

Maximum SCCP Prefix Length

The maximum SCCP length allowed.

Media Timeout

The timeout value for media connections.

Signaling Timeout

The timeout value for signaling connections.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.

• To add a criterion, click the Add button and fill in the Match Condition and Action dialog box (see Skinny Policy Maps Add or Edit Match Condition and Action Dialog Boxes).
• To edit a criterion, select it and click the Edit button.
• To delete a criterion, select it and click the Delete button.

Category

The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects.

Allow Value Override per Device

Overrides

Edit button

Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden and Understanding Policy Object Overrides for Individual Devices.

If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object.