Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the service policy, you can also optionally enable actions as defined in an inspection policy map. When the inspection policy map matches traffic within the service policy for which you have defined an inspection action, then that subset of traffic will be acted upon as specified (for example, dropped or rate-limited).
See Configuring Application Layer Protocol Inspection for a list of applications that support inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.
– Some traffic matching options can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.
If a packet matches multiple different matches, then the order in which the ASA applies the actions is determined by internal ASA rules, and not by the order they are added to the inspection policy map. The internal rules are determined by the application type and the logical progression of parsing a packet, and are not user-configurable. For example, for HTTP traffic, parsing a Request Method field precedes parsing the Header Host Length field; an action for the Request Method field occurs before the action for the Header Host Length field.
If an action drops a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to reset the connection, then it will never match any further match criteria. If the first action is to log the packet, then a second action, such as resetting the connection, can occur.
If a packet matches multiple match criteria that are the same, then they are matched in the order they appear in the policy map.
A class map is determined to be the same type as another class map or direct match based on the lowest priority match option in the class map (the priority is based on the internal rules). If a class map has the same type of lowest priority match option as another class map, then the class maps are matched according to the order they are added to the policy map. If the lowest priority match for each class map is different, then the class map with the higher priority match option is matched first.
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
Note: There are other default inspection policy maps such as _default_esmtp_map. For example, an ESMTP inspection rule implicitly uses the policy map “_default_esmtp_map.”
When you enable an inspection engine in the service policy, you can also optionally enable actions as defined in an inspection policy map.
Step 1 (Optional) Create an inspection class map. Alternatively, you can identify the traffic directly within the policy map. See Identifying Traffic in an Inspection Class Map.
Step 2 (Optional) For policy map types that support regular expressions, create a regular expression. See the general operations configuration guide.
Step 3 Choose Configuration > Firewall > Objects > Inspect Maps.
Step 4 Choose the inspection type you want to configure.
Step 5 Click Add to add a new inspection policy map.
Step 6 Follow the instructions for your inspection type in the inspection chapter.
This type of class map allows you to match criteria that are specific to an application. For example, for DNS traffic, you can match the domain name in a DNS query.
A class map groups multiple traffic matches (in a match-all class map), or lets you match any of a list of matches (in a match-any class map). The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you group multiple match commands, and you can reuse class maps. For the traffic that you identify in this class map, you can specify actions such as dropping, resetting, and/or logging the connection in the inspection policy map. If you want to perform different actions on different types of traffic, you should identify the traffic directly in the policy map.
Step 1 Choose Configuration > Firewall > Objects > Class Maps.
Step 2 Choose the inspection type you want to configure.
Step 3 Click Add to add a new inspection class map.
Step 4 Follow the instructions for your inspection type in the inspection chapter.
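As an added illustration of both procedures above (the inspection class map and the inspection policy map), here is the CLI equivalent of what the ASDM steps produce; this is constructed example configuration, not from the page or from Cisco's own examples, and the names BLOCKED_EXT, HTTP_BAD_EXT and HTTP_INSPECT are assumed placeholders. It also shows the action-ordering rules from the earlier paragraphs: a class-map match and a direct match in the same policy map, where a drop action ends processing while a log action does not.

```text
! Constructed example; object names are placeholders, not from the page.
! 1. Create and test the regular expressions first, then group them
!    in a regular expression class map (match-any: either one matches).
regex BLOCKED_EXT_1 "\.exe$"
regex BLOCKED_EXT_2 "\.scr$"
class-map type regex match-any BLOCKED_EXT
 match regex BLOCKED_EXT_1
 match regex BLOCKED_EXT_2
!
! 2. Inspection class map (match-all: every criterion must hold).
!    Reusable in any HTTP inspection policy map.
class-map type inspect http match-all HTTP_BAD_EXT
 match request method get
 match request uri regex class BLOCKED_EXT
!
! 3. Inspection policy map: one class-map match and one direct match,
!    each with its own action. The ASA orders these by its internal
!    parsing rules, not by the order written here. If drop-connection
!    fires first, the log action below is never reached; if the log
!    fires first, the drop can still follow.
policy-map type inspect http HTTP_INSPECT
 parameters
  protocol-violation action drop-connection log
 class HTTP_BAD_EXT
  drop-connection log
 match request header host length gt 255
  log
!
! 4. Enable the inspection engine in the service policy and attach the
!    inspection policy map to it.
policy-map global_policy
 class inspection_default
  inspect http HTTP_INSPECT
service-policy global_policy global
```

After applying, `show service-policy inspect http` reports per-inspection counters that can be used to confirm the map is matching and acting as intended.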
To use an inspection policy, see Chapter 1, “Service Policy.”
Table 2-1 lists the release history for this feature.