Command or Action / Purpose (each step lists the command, an example, and what it does)

Step 1
Command: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
- Enter your password if prompted.

Step 2
Command: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: appfw policy-name policy-name
Example: Router(config)# appfw policy-name my_policy
Purpose: Defines an application firewall policy and enters application firewall policy configuration mode.

Step 4
Command: application protocol
Example: Router(cfg-appfw-policy)# application im aol
Purpose: Allows you to configure inspection parameters for a given protocol.
- protocol -- One of the following options:
  - http (HTTP traffic will be inspected)
  - im {aol | yahoo | msn} (Traffic for the specified instant messenger application will be inspected)
This command puts the router in appfw-policy-protocol configuration mode; the "protocol" part of the prompt reflects the protocol you specified (for example, cfg-appfw-policy-aim after application im aol).

Step 5
Command: audit-trail {on | off}
Example: Router(cfg-appfw-policy-aim)# audit-trail on
Purpose: (Optional) Enables message logging for established or torn-down connections. If this command is not issued, the default value specified via the ip inspect audit-trail command will be used.

Step 6
Command: server {permit | deny} {name string | ip-address {ip-address | range ip-address-start ip-address-end}}
Example: Router(cfg-appfw-policy-aim)# server permit name login.cat.aol.com
Purpose: Controls access to instant messenger servers.
Note: The server command helps the instant messenger application engine to recognize port-hopping instant messenger traffic and to enforce the security policy for that instant messenger application; thus, if this command is not issued, the security policy cannot be enforced when IM applications use port-hopping techniques. To deploy IM traffic enforcement policies effectively, it is recommended that you issue the appropriate server command.

Step 7
Command: timeout seconds
Example: Router(cfg-appfw-policy-aim)# timeout 30
Purpose: (Optional) Specifies the elapsed length of time before an inactive connection is torn down.
- seconds -- Available timeout range: 5 to 43200 (12 hours).
If this command is not issued, the default value specified via the ip inspect tcp idle-time command will be used.
Note: Some IM applications continue to send "keepalive-like" packets that effectively prevent the timeout from expiring even when the user is idle.

Step 8
Command: service {default | text-chat} action {allow [alarm] | reset [alarm] | alarm}
Example: Router(cfg-appfw-policy-aim)# service default action reset
Purpose: (Optional) Specifies an action when a specific service is detected in the instant messenger traffic.
- If a specific action is not specified for a service, the action given by the service default command will be performed.
- If the service default command is not specified for an application, the action is considered "reset" by the system.

Step 9
Command: alert {on | off}
Example: Router(cfg-appfw-policy-aim)# alert on
Purpose: (Optional) Enables message logging when events, such as the start of a text chat, begin. If this parameter is not configured, the global setting for the ip inspect alert-off command will take effect.

Step 10
Command: exit
Example:
Router(cfg-appfw-policy-aim)# exit
Router(cfg-appfw-policy)# exit
Router(config)# exit
Purpose: (Optional) Exits application firewall policy protocol configuration mode, application firewall policy configuration mode, and global configuration mode.

Step 11
Command: show appfw {configuration | dns cache} [policy policy-name]
Example: Router# show appfw dns cache policy abc
Purpose: (Optional) Displays the IP addresses that have been resolved by the DNS server and stored in the DNS cache of the IM traffic policy enforcement component of the Cisco IOS router.
- If you do not indicate a specific policy via the policy policy-name option, IP addresses gathered for all DNS names for all policies are displayed.
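The steps above, run end to end in one session, as an added example that is not part of the original table. It reuses the page's own values (policy name my_policy, server login.cat.aol.com, a 30-second idle timeout) and adds one assumption of its own: a specific text-chat rule that allows the service but raises an alarm, so that the default reset action still catches anything else the AOL IM engine classifies. The trailing ip inspect and interface lines are likewise an assumption (the table does not cover attaching the policy to an inspection rule and interface) and the interface name is a placeholder. Lines beginning with "!" are comments accepted in configuration mode.

```cisco
Router> enable
Router# configure terminal
! Define the policy container and select the AOL IM engine.
Router(config)# appfw policy-name my_policy
Router(cfg-appfw-policy)# application im aol
! Log connection setup/teardown so that the audit trail shows who talked to which server.
Router(cfg-appfw-policy-aim)# audit-trail on
! Name the permitted login server; without this the engine cannot follow port-hopping sessions.
Router(cfg-appfw-policy-aim)# server permit name login.cat.aol.com
! Tear down idle sessions after 30 seconds (range 5 to 43200).
Router(cfg-appfw-policy-aim)# timeout 30
! Assumed rule: allow text chat but alarm on it; everything not listed falls to the default.
Router(cfg-appfw-policy-aim)# service text-chat action allow alarm
Router(cfg-appfw-policy-aim)# service default action reset alarm
! Log events such as the start of a text chat.
Router(cfg-appfw-policy-aim)# alert on
Router(cfg-appfw-policy-aim)# exit
Router(cfg-appfw-policy)# exit
! Assumption, not shown in the table: bind the policy to an inspection rule and apply it inbound
! on the LAN-facing interface (interface name is a placeholder).
Router(config)# ip inspect name im_inspect appfw my_policy
Router(config)# interface <inside-interface>
Router(config-if)# ip inspect im_inspect in
Router(config-if)# end
! Verify what the policy has learned from DNS for the permitted server name.
Router# show appfw dns cache policy my_policy
Router# show appfw configuration policy my_policy
```

Two points worth checking after applying this: the show appfw dns cache output should list addresses for login.cat.aol.com once a client has resolved it, because the server permit rule is matched against those cached addresses rather than against a static IP; and because some IM clients send keepalive traffic, a short timeout such as 30 seconds will not by itself reclaim an idle session, so the audit trail and alerts, not the timeout, are the reliable record of activity.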