Application Inspection and Control for HTTP—Phase 2
|
12.4(9)T
|
The Application Inspection and Control for HTTP—Phase 2 feature extends support for HTTP application firewall policies.
The following commands were introduced or modified by this feature: regex, match body regex, match header count, match header length, match header regex, match request length, match request, match response status-line regex.
|
E-mail Inspection Engine
|
15.1(1)S
|
The E-mail Inspection Engine feature allows users to inspect POP3, IMAP, and E/SMTP e-mail traffic contained in SSL VPN tunneled connections that traverse the Cisco device.
|
P2P Application Inspection and Control—Phase 1
|
12.4(9)T
12.4(20)T
15.3(1)T
|
The P2P Application Inspection and Control—Phase 1 feature introduces support for identifying and enforcing a configured policy for the following peer-to-peer applications: eDonkey, FastTrack, Gnutella Version 2, and Kazaa Version 2.
Support for identifying and enforcing a configured policy for the following Instant Messenger (IM) applications is also introduced: AOL, MSN Messenger, and Yahoo Messenger.
In Release 12.4(20)T, support was added for the following applications: H.323, VoIP, and SIP.
In Release 12.4(20)T, support for the following IM applications was also added: ICQ and Windows Messenger.
The following commands were introduced or modified by this feature: class-map type inspect, class type inspect, clear parameter-map type protocol-info, debug policy-firewall, match file-transfer, match protocol (zone), match search-file-name, match service, match text-chat, parameter-map type, policy-map type inspect, server (parameter-map), show parameter-map type protocol-info.
In 15.3(1)T and later releases, the following peer-to-peer protocols are deprecated:
- BitTorrent
- DirectConnect
- eDonkey
- FastTrack
- Gnutella Version 2
- Kazaa Version 2
- WinMX
|
Rate-Limiting Inspected Traffic
|
12.4(9)T
|
The Rate-Limiting Inspected Traffic feature allows users to rate limit traffic within a Cisco firewall (inspect) policy. Also, users can limit the absolute number of sessions that can exist on a zone pair.
The following commands were introduced by this feature: police (zone policy) and sessions maximum.
|
Zone-Based Policy Firewalls
|
12.4(6)T
|
The Zone-Based Policy Firewall feature provides a Cisco unidirectional firewall policy between groups of interfaces known as zones.
The following commands were introduced or modified by this feature: class-map type inspect, class type inspect, clear parameter-map type protocol-info, debug policy-firewall, match body regex, match file-transfer, match header count, match header length, match header regex, match protocol (zone), match request length, match request regex, match response status-line regex, match search-file-name, match service, match text-chat, parameter-map type, policy-map type inspect, server (parameter-map), service-policy (policy-map), service-policy type inspect, show parameter-map type protocol-info.
|
Zone-Based Firewall—Default Zone
|
15.6(1)T
|
The Zone-Based Firewall—Default Zone feature introduces a default zone that enables a firewall policy to be configured on a zone pair that consists of a zone and a default zone. Any interface without explicit zone membership belongs to a default zone.
The following commands were introduced by this feature: zone-pair security, zone security default.
|
Zone-Based Firewall Support for Microsoft Remote Procedure Call (MSRPC)
|
15.1(4)M
|
The Zone-Based Firewall Support for MSRPC feature introduces zone-based policy firewall support for MSRPC.
|
Zone-Based Firewall Support of Multipoint TCP
|
15.4(3)M
|
Multipoint TCP seamlessly works with zone-based firewall Layer 4 inspection. Multipoint TCP does not work with application layer gateways (ALGs) and application inspection and control (AIC).
|
Zone-Based Firewall Usability and Manageability
|
15.0(1)M
15.1(1)T
|
The Zone-Based Firewall Usability and Manageability features covered in this document are out-of-order (OoO) packet processing support in zone-based firewalls, intrazone support in zone-based firewalls, and enhanced debug capabilities.
The following commands were introduced or modified by this feature: clear ip ips statistics, debug cce dp named-db inspect, debug policy-firewall, debug ip virtual-reassembly list, parameter-map type ooo global, show parameter-map type ooo global, zone-pair security.
Depending on your release, the following commands were introduced or modified: class-map type inspect, clear policy-firewall, log (parameter-map type), match request regex, parameter-map type inspect, show parameter-map type inspect, show policy-firewall config, show policy-firewall mib, show policy-firewall sessions, show policy-firewall stats, show policy-firewall summary-log.
|