Enabling ALGs and AICs in Zone-Based Policy Firewalls
Zone-based policy firewalls support Layer 7 application protocol inspection along with application-level gateways (ALGs) and application inspection and control (AIC). Layer 7 application protocol inspection helps to verify the protocol behavior and identify unwanted or malicious traffic that passes through a security module.
Prior to the introduction of the Enabling ALGs and AICs in Zone-Based Policy Firewalls feature, Layer 7 protocol inspection was automatically enabled along with the ALG/AIC configuration. With this feature, you can enable or disable Layer 7 inspection by using the no application-inspect command.
This module provides an overview of the Enabling ALGs and AICs in Zone-Based Policy Firewalls feature and describes how to configure it.
- Finding Feature Information
- Information About Enabling ALGs and AICs in Zone-Based Policy Firewalls
- How to Enable ALGs and AICs in Zone-Based Policy Firewalls
- Configuration Examples for Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Additional References for Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Feature Information for Enabling ALGs and AICs in Zone-Based Policy Firewalls
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Enabling ALGs and AICs in Zone-Based Policy Firewalls
Application-Level Gateways
- Allow client applications to use dynamic TCP or UDP ports to communicate with the server application.
- Recognize application-specific commands and offer granular security control over them.
- Synchronize multiple streams or sessions of data between two hosts that are exchanging data.
- Translate the network-layer address information that is available in the application payload.
The firewall opens a pinhole, and NAT performs translation service on any TCP or UDP traffic that does not carry the source and destination IP addresses in the application-layer data stream. Specific protocols or applications that embed IP address information require the support of an ALG.
Enabling Layer 7 Application Protocol Inspection Overview
Zone-based policy firewalls support Layer 7 protocol inspection along with application-level gateways (ALG) and application inspection and control (AIC). Layer 7 protocol inspection is automatically enabled along with the ALG/AIC configuration.
Layer 7 application protocol inspection is a technique that interprets or understands application-layer protocols and performs appropriate firewall or Network Address Translation (NAT) action. Certain applications require special handling of the data portion of a packet when the packet passes through the security module on a device. Layer 7 application protocol inspection helps to verify the protocol behavior and identify unwanted or malicious traffic that passes through the security module. Based on the configured traffic policy, the security module accepts or rejects packets to ensure the secure use of applications and services.
Sometimes, application inspection implementation issues can cause application packet drops and make networks unstable. Prior to the introduction of the Enabling ALGs and AICs in Zone-Based Policy Firewall feature, to disable application inspection for a specific Layer 7 protocol you had to define an access control list (ACL) with the target Layer 7 protocol port, and then define a class map that matches this ACL and matches either the TCP or UDP protocol, so that traffic bypassed the inspection for that Layer 7 protocol.
With the introduction of the Enabling ALGs and AICs in Zone-Based Policy Firewall feature, you can enable or disable Layer 7 protocol inspection for a specific protocol or for all supported Layer 7 protocols with the application-inspect command. Any configuration change to a parameter map applies only to new sessions. For example, when you disable FTP Layer 7 inspection, newly created sessions skip FTP Layer 7 inspection, while sessions that existed before the configuration change continue to perform FTP Layer 7 inspection. For all sessions to reflect the configuration change, you must delete all sessions and re-create them.
You can enable Layer 7 application protocol inspection for an individual parameter map or for a global firewall.
How to Enable ALGs and AICs in Zone-Based Policy Firewalls
Enabling Layer 7 Application Protocol Inspection on Firewalls
Application protocol inspection is enabled by default. Use the no application-inspect command to disable application protocol inspection.
Use the application-inspect command to reconfigure application protocol inspection, if you have disabled it for any reason. Configure either the parameter-map type inspect command or the parameter-map type inspect-global command before configuring the application-inspect command.
You can configure either the parameter-map type inspect command or the parameter-map type inspect-global command at any time, but not both.
Use the
1. enable
2. configure terminal
3. Do one of the following:
   - parameter-map type inspect parameter-map-name
   - parameter-map type inspect-global
4. application-inspect {all | protocol-name}
5. exit
6. class-map type inspect {match-all | match-any} class-map-name
7. match protocol protocol-name
8. exit
9. policy-map type inspect policy-map-name
10. class type inspect {class-map-name | class-default}
11. inspect parameter-map-name
12. exit
13. class {class-map-name | class-default}
14. end
DETAILED STEPS
Configuring Zones for Enabling Layer 7 Application Protocol Inspection
1. enable
2. configure terminal
3. zone security {default | security-zone}
4. exit
5. zone security {default | security-zone}
6. exit
7. zone-pair security zone-pair source source-zone destination destination-zone
8. service-policy type inspect policy-map-name
9. exit
10. interface type number
11. zone-member security security-zone
12. exit
13. interface type number
14. zone-member security security-zone
15. end
DETAILED STEPS
Configuration Examples for Enabling ALGs and AICs in Zone-Based Policy Firewalls
Example: Enabling Layer 7 Application Protocol Inspection on Firewalls
The following example shows how to enable Layer 7 application protocol inspection after configuring the parameter-map type inspect command. You can enable application inspection after configuring the parameter-map type inspect-global command also.
You can configure either the parameter-map type inspect command or the parameter-map type inspect-global command at any time, but not both.
```
Device# configure terminal
Device(config)# parameter-map type inspect pmap-fw
Device(config-profile)# application-inspect msrpc
Device(config-profile)# exit
Device(config)# class-map type inspect match-any internet-traffic-class
Device(config-cmap)# match protocol msrpc
Device(config-cmap)# exit
Device(config)# policy-map type inspect private-internet-policy
Device(config-pmap)# class type inspect internet-traffic-class
Device(config-pmap-c)# inspect pmap-fw
Device(config-pmap-c)# exit
Device(config-pmap)# class class-default
Device(config-pmap-c)# end
```
Example: Configuring Zones for Enabling Layer 7 Application Protocol Inspection
```
Device# configure terminal
Device(config)# zone security private
Device(config-sec-zone)# exit
Device(config)# zone security internet
Device(config-sec-zone)# exit
Device(config)# zone-pair security private-internet source private destination internet
Device(config-sec-zone-pair)# service-policy type inspect private-internet-policy
Device(config-sec-zone-pair)# exit
Device(config)# interface gigabitethernet 0/0/0
Device(config-if)# zone-member security private
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/2/2
Device(config-if)# zone-member security internet
Device(config-if)# end
```
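As an added check that is not part of this Cisco module, the following Python script audits a running-config excerpt for the situation the overview describes: protocols in an inspect class map whose sessions will skip Layer 7 inspection because the parameter map they are inspected with carries no application-inspect. The config excerpt and the names in it are constructed; the script covers parameter-map type inspect maps only (not inspect-global), and it assumes that no application-inspect all disables inspection for every matched protocol while no application-inspect protocol-name disables only that protocol.

```python
import re

# Constructed running-config excerpt (assumed, not from the page). It uses
# the commands this module documents: one parameter map that disables FTP
# Layer 7 inspection, one that disables all of it, and a class map that
# matches both FTP and MSRPC.
SAMPLE_CONFIG = """\
parameter-map type inspect pmap-fw
 no application-inspect ftp
 application-inspect msrpc
parameter-map type inspect pmap-open
 no application-inspect all
class-map type inspect match-any internet-traffic-class
 match protocol ftp
 match protocol msrpc
policy-map type inspect private-internet-policy
 class type inspect internet-traffic-class
  inspect pmap-fw
 class class-default
"""

def parse_blocks(config):
    """Split an IOS config into (header, [body commands]) blocks: a block is
    a non-indented line followed by the indented lines under it."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks

def l7_bypass_report(config):
    """Return {policy-map/class: sorted protocols that skip Layer 7 inspection}.
    Assumed model: 'no application-inspect all' switches it off for every
    matched protocol; 'no application-inspect <proto>' only for that one."""
    disabled, matched, report = {}, {}, {}
    for header, body in parse_blocks(config):
        if m := re.match(r"parameter-map type inspect (\S+)$", header):
            disabled[m.group(1)] = {c.split()[-1] for c in body
                                    if c.startswith("no application-inspect ")}
        elif m := re.match(r"class-map type inspect \S+ (\S+)$", header):
            matched[m.group(1)] = {c.split()[-1] for c in body
                                   if c.startswith("match protocol ")}
        elif m := re.match(r"policy-map type inspect (\S+)$", header):
            cls = None
            for cmd in body:
                if cmd.startswith("class type inspect "):
                    cls = cmd.split()[-1]          # inspect class now in scope
                elif cmd.startswith("inspect ") and cls:
                    off = disabled.get(cmd.split()[-1], set())
                    protos = matched.get(cls, set())
                    skipped = protos if "all" in off else protos & off
                    report[f"{m.group(1)}/{cls}"] = sorted(skipped)
    return report

if __name__ == "__main__":
    for where, protos in l7_bypass_report(SAMPLE_CONFIG).items():
        print(where, "skips Layer 7 inspection for:", protos or "nothing")
```

Because the page notes that a parameter-map change applies only to new sessions, a clean result from this audit still leaves pre-existing sessions on their old inspection setting until they are cleared.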
Additional References for Enabling ALGs and AICs in Zone-Based Policy Firewalls
Related Documents
Related Topic | Document Title
---|---
Cisco IOS commands |
Firewall commands |
Technical Assistance
Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
Feature Information for Enabling ALGs and AICs in Zone-Based Policy Firewalls
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name | Releases | Feature Information
---|---|---
Enabling ALGs and AICs in Zone-Based Policy Firewalls | Cisco IOS XE Release 3.11S | Zone-based policy firewalls support Layer 7 application protocol inspection along with application-level gateways (ALGs) and application inspection and control (AIC). Layer 7 application protocol inspection helps to verify the protocol behavior and identify unwanted or malicious traffic that passes through the security module. Prior to the introduction of the Enabling ALGs and AICs in Zone-Based Policy Firewalls feature, Layer 7 protocol inspection was automatically enabled along with the ALG/AIC configuration. With this feature, you can enable or disable Layer 7 inspection by using the no application-inspect command. In Cisco IOS XE Release 3.11S, this feature was introduced on Cisco ASR 1000 Series Aggregation Services Routers, Cisco 4400 Series Integrated Services Routers, and Cisco Cloud Services Routers 1000V. The following commands were introduced or modified: application-inspect, show parameter-map type inspect, and show platform software firewall.