Firewall services policies are used to define firewall configurations for your devices. These reference topics describe the pages and dialog boxes used to configure firewall services policies.
This chapter contains the following topics:
•Botnet Traffic Filter Rules Page
•Web Filter Rules Page (PIX/ASA)
•Zone-based Firewall Rules Page
•Common Firewall Services Dialog Boxes
•Add and Edit Rule Section Dialog Boxes
•Import Rules Wizard—Enter Parameters Page
•Querying Device or Policy Dialog Box
•Hit Count Selection Summary Dialog Box
•Combine Rules Selection Summary Dialog Box
AAA Rules Page
Use the AAA Rules page to identify AAA rules defined in Security Manager. For more information, see Working with AAA Rules, page 11-40.
From the AAA Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
From the AAA Rules page, you can also generate reports to discover object groups that are being used and identify policies associated with a particular device.
Navigation Path
To access the AAA Rules page, do one of the following:
•(Device view) Select a device, then select Firewall > AAA Rules from the Device selector.
•(Policy view) Select Firewall > AAA Rules from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Policies > AAA Rules.
Related Topics
•Working with AAA Rules, page 11-40
Field Reference
| Element | Description |
|---|---|
| No. | Identifies the ordered rule number in the table. |
| Permit | Whether the rule permits or denies traffic based on the conditions set. •Permit—Shown as a green check mark. •Deny—Shown as a red circle with slash. |
| Source | Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See: •Understanding Network/Host Objects, page 8-65. •Understanding Interface Role Objects, page 8-33. Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object. |
| Destination | Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See: •Understanding Network/Host Objects, page 8-65. •Understanding Interface Role Objects, page 8-33. Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object. |
| Service | Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75. Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value. |
| Interface | Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33. For example: •All DMZs •All FastEthernets •All Interfaces •FastEthernet0 Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. |
| Action | Identifies the AAA methods. •Authentication—indicates that the rule controls traffic based on who the user is. •Authorization—indicates that the rule controls traffic based on what the user is allowed to do. •Accounting—indicates that the rule controls traffic based on what the user did. |
| AuthProxy | Identifies the authentication proxy method used for IOS devices. |
| Server Group | Identifies the AAA server group. Note The AAA server group must have at least one AAA server defined. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. |
| Tools button | Click this button to select tools that you can use with this type of policy. You can select from the following tools: •Combine Rules—To improve performance and memory usage by combining similar rules. This reduces the number of rules in the policy. See Combining Rules, page 11-9. •Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12. |
| Find and Replace button (binoculars icon) | Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6. |
| Up Row and Down Row buttons (arrow icons) | Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7. |
| Add button | Adds a rule to the table. |
| Edit button | Edits an existing rule in the table. |
| Delete button | Deletes a rule from the table. |
Add and Edit AAA Rules Dialog Boxes
Use the Add and Edit AAA Rules dialog boxes to add and edit AAA rules.
Navigation Path
To access the Add and Edit AAA Rules dialog boxes, do one of the following:
•(Device view) Select a device, then select Firewall > AAA Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
•(Policy view) Select Firewall > AAA Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
Related Topics
•Working with AAA Rules, page 11-40
Field Reference
| Element | Description |
|---|---|
| Enable Rule | When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed. When viewing the main rules tables: •An enabled rule is shown without hash marks. •A disabled rule is shown with hash marks. Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes. |
| Authentication Action | When selected, indicates that the rule controls traffic based on who the user is. |
| Authorization Action (PIX/ASA/FWSM) | When selected, indicates that the rule controls traffic based on what the user is allowed to do. |
| Accounting Action (PIX/ASA/FWSM) | When selected, indicates that the rule controls traffic based on what the user did. |
| Action | Describes what should occur based on the conditions set. •Permit—Allows traffic. •Deny—Denies traffic. |
| Sources, Destinations | The source or destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. •Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list. •Host IP address, for example, 10.10.10.100. •Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0. •A range of IP addresses, for example, 10.10.10.100-10.10.10.200. •An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). •Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33. If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles. |
| Services | The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas. You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab. For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75. Note Due to an issue in PIX 6.3 and FWSM devices, when a source port is specified in an AAA ACL, no traffic is authenticated. Therefore, the source port is ignored when the CLI is generated for those devices; match on destination port instead if you need to restrict which traffic triggers AAA. |
| AAA Server Group (PIX/ASA/FWSM) | Identifies the AAA server group. See Understanding AAA Server and Server Group Objects, page 8-15. Enter the AAA Server Object in the field provided or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. |
| Interface | Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33. For example: •All DMZs •All FastEthernets •All Interfaces •FastEthernet0 Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box. Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. |
| HTTP (Traffic Type Applies to Authentication Proxy, IOS) | When selected, specifies HTTP to trigger the authentication proxy. |
| FTP (Traffic Type Applies to Authentication Proxy, IOS) | When selected, specifies FTP to trigger the authentication proxy. |
| Telnet (Traffic Type Applies to Authentication Proxy, IOS) | When selected, specifies Telnet to trigger the authentication proxy. |
Edit AAA Option Dialog Box
Use the Edit AAA Option dialog box to edit the AAA action (authentication, authorization, or accounting) of an existing rule directly from the Action column of the table.
Navigation Path
To access the Edit AAA Option dialog box, do one of the following:
•(Device view) Select a device, then select Firewall > AAA Rules from the Device selector. Right-click the entry in the Action column of the AAA Rules table, then click Edit AAA.
•(Policy view) Select Firewall > AAA Rules from the Policy selector. Right-click the entry in the Action column of the AAA Rules table, then click Edit AAA.
Related Topics
•Working with AAA Rules, page 11-40
Field Reference
AuthProxy Dialog Box
Use the AuthProxy dialog box to edit an IOS traffic type entry in a table.
Navigation Path
To access the AuthProxy dialog box, right-click the entry in the AuthProxy column of the AAA Rules table, then click Edit AuthProxy.
Related Topics
•Working with AAA Rules, page 11-40
Field Reference
Edit AAA Server Group Dialog Box
Use the Edit AAA Server Group dialog box to edit a server group entry in a table.
Navigation Path
To access the Edit AAA Server Group dialog box, right-click the entry in the Server Group column of the AAA Rules table, then click Edit Server Group.
Related Topics
•Working with AAA Rules, page 11-40
•Understanding AAA Server and Server Group Objects, page 8-15
Field Reference
Access Rules Page
Use the Access Rules page to configure access control rules for device interfaces. Access rules policies define the rules that allow or deny traffic to transit an interface. Typically, you create access rules for traffic entering an interface, because if you are going to deny specific types of packets, it is better to do it before the device spends a lot of time processing them. Access rules are processed before other types of firewall rules.
Read the following topics before you configure access rules:
•Understanding Access Rules, page 11-17
•Understanding Device Specific Access Rule Behavior, page 11-19
•Understanding Access Rule Address Requirements and How Rules Are Deployed, page 11-19
•Configuring Access Rules, page 11-21
Tip Disabled rules are shown with hash marks covering the table row. If the device supports the configuration of disabled rules, these are included in the configuration as disabled. Otherwise, they are not part of the configuration. For more information, see Enabling and Disabling Rules, page 11-8.
Navigation Path
To open the Access Rules page, do one of the following:
•(Device view) Select a device, then select Firewall > Access Rules from the Device selector.
•(Policy view) Select Firewall > Access Rules from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Policies > Access Rules.
Related Topics
•Configuring Expiration Dates for Access Rules, page 11-22
•Configuring Settings for Access Control, page 11-23
•Adding and Removing Rules, page 11-4
•Enabling and Disabling Rules, page 11-8
•Moving Rules and the Importance of Rule Order, page 11-7
•Using Sections to Organize Rules Tables, page 11-8
•Using Rules Tables, page 11-3
Field Reference
| Element | Description |
|---|---|
| No. | The ordered rule number. |
| Permit | Whether a rule permits or denies traffic based on the conditions set: •Permit—Shown as a green check mark. •Deny—Shown as a red circle with slash. |
| Source, Destination | The source and destination addresses for the rule. The "any" address does not restrict the rule to specific hosts, networks, or interfaces. These addresses are IP addresses for hosts or networks, network/host objects, interfaces, or interface roles. Multiple entries are displayed as separate subfields within the table cell. See Understanding Network/Host Objects, page 8-65. |
| Service | The services or service objects that specify the protocol and port of the traffic to which the rule applies. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75. |
| Interface | The interfaces or interface roles to which the rule is assigned. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33. |
| Dir. | The direction of the traffic to which this rule applies: •In—Packets entering the interface. •Out—Packets exiting the interface. |
| Options | The additional options configured for the rule. These include logging, time range, and some additional IOS rule options. See Advanced and Edit Options Dialog Boxes. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | The description of the rule, if any. |
| Expiration Date | The date that the rule expires. Expired rules show Expired in bold text. Expired rules are not automatically deleted. |
| Tools button | Click this button to select tools that you can use with this type of policy. You can select from the following tools: •Analysis—To identify rules that overlap or conflict with other rules. See Generating Analysis Reports, page 11-24. •Combine Rules—To improve performance and memory usage by combining similar rules. This reduces the number of rules in the policy. See Combining Rules, page 11-9. •Hit Count—To identify the number of times that traffic for a device is permitted or denied based on an access rule. This information is useful in debugging the deployed policies. See Generating Hit Count Reports, page 11-26. •Import Rules—To import rules from an ACL defined using device commands. See Importing Rules, page 11-28. •Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12. |
| Find and Replace button (binoculars icon) | Click this button to search for various types of items within the table and to optionally replace them. See Finding and Replacing Items in Rules Tables, page 11-6. |
| Up Row and Down Row buttons (arrow icons) | Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7. |
| Add Row button | Click this button to add a rule to the table after the selected row using the Add and Edit Access Rule Dialog Boxes. If you do not select a row, the rule is added at the end of the local scope. For more information about adding rules, see Adding and Removing Rules, page 11-4. |
| Edit Row button | Click this button to edit the selected rule. You can also edit individual cells. For more information, see Editing Rules, page 11-5. |
| Delete Row button | Click this button to delete the selected rule. |
Add and Edit Access Rule Dialog Boxes
Use the Add and Edit Access Rule dialog boxes to add and edit firewall access rules. Read the following topics before you configure access rules:
•Understanding Access Rules, page 11-17
•Understanding Device Specific Access Rule Behavior, page 11-19
•Understanding Access Rule Address Requirements and How Rules Are Deployed, page 11-19
•Configuring Access Rules, page 11-21
Navigation Path
From the Access Rules Page, click the Add Row button or select a row and click the Edit Row button.
Related Topics
•Configuring Expiration Dates for Access Rules, page 11-22
•Adding and Removing Rules, page 11-4
•Understanding Network/Host Objects, page 8-65
•Understanding and Specifying Services and Service and Port List Objects, page 8-75
Field Reference
| Element | Description |
|---|---|
| Enable Rule | Whether to enable the rule, which means the rule becomes active when you deploy the configuration to the device. Disabled rules are shown overlain with hash marks in the rule table. For more information, see Enabling and Disabling Rules, page 11-8. |
| Action | Permit or deny traffic based on the conditions defined. |
| Sources, Destinations | The source or destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. •Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list. •Host IP address, for example, 10.10.10.100. •Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0. •A range of IP addresses, for example, 10.10.10.100-10.10.10.200. •An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). •Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33. If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles. |
| Service | The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas. You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab. For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75. |
| Interfaces | The interfaces or interface roles to which the rule is assigned. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33. |
| Description | An optional description of the rule (up to 1024 characters). |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Advanced button | Click this button to configure other settings for the rule, including logging configuration, traffic direction, time ranges, and rule expiration dates. For more information, see Advanced and Edit Options Dialog Boxes. |
Advanced and Edit Options Dialog Boxes
Use the Advanced and Edit Options dialog boxes to configure additional settings for an access rule. The Advanced dialog box offers more fields than the Edit Options dialog box, which is a cell-level editing dialog box. The settings in the Advanced dialog box show up in three different cells of an access rule: direction, options, and rule expiration.
Navigation Path
To access the Advanced dialog box, do one of the following:
•Go to the Add and Edit Access Rule Dialog Boxes and click Advanced Options.
•Right-click the Options cell in an access rule (on the Access Rules Page) and select Edit Options. If you select multiple rows, your changes replace the options defined for all selected rules.
Related Topics
•Configuring Access Rules, page 11-21
•Understanding Access Rules, page 11-17
•Working with Access Rules, page 11-17
•Creating Time Range Objects, page 8-92
Field Reference
| Element | Description |
|---|---|
| Enable Logging (PIX, ASA, FWSM) | Whether to generate syslog messages for the rule entries, or ACEs, for PIX, ASA, and FWSM devices. You can select these additional options: •Default Logging—Use the default logging behavior. If a packet is denied, message 106023 is generated. If a packet is permitted, no syslog message is generated. The default logging interval is 300 seconds. •Per ACE Logging—Configure logging specific to this entry. Select the logging level you want to use to log events for the ACE, and the logging interval, which can be from 1-600 seconds. Syslog message 106100 is generated for the ACE. Following are the possible logging levels: –Emergency—(0) System is unstable –Alert—(1) Immediate action is needed –Critical—(2) Critical conditions –Error—(3) Error conditions –Warning—(4) Warning conditions –Notification—(5) Normal but significant condition –Informational—(6) Informational messages only –Debugging—(7) Debugging messages. Note Per ACE logging of permitted traffic with a short interval can produce a large volume of syslog messages; choose the level and interval with the capacity of your syslog collector in mind. |
| Enable Logging (IOS), Log Input | Whether to generate an informational logging message about the packet that matches the entry to be sent to the console for IOS devices. Select Log Input to include the input interface and source MAC address or virtual circuit in the logging output. |
| Traffic Direction (Advanced dialog box only) | The direction of the traffic to which this rule applies: •In—Packets entering an interface. •Out—Packets exiting an interface. |
| Time Range | The name of a time range policy object that defines the times when access to the device will be allowed by this rule. The time is based on the system clock of the device. The feature works best if you use NTP to configure the system clock. Enter the name or click Select to select the object. If the object that you want is not listed, click the Create button to create it. Note Time range is not supported on FWSM 2.x or PIX 6.3 devices. |
| Options (IOS) | Additional options for IOS devices: •Fragment—Allow fragmentation, which provides additional management of packet fragmentation and improves compatibility with NFS. By default, a maximum of 24 fragments is accepted to reconstruct a full IP packet; however, based on your network security policy, you might want to consider configuring the device to prevent fragmented packets from traversing the firewall. •Established—Allow outbound TCP connections to return access through the device. This option works with two connections: an original connection outbound from a network protected by the device, and a return connection inbound between the same two devices on an external host. Note The established option is a flag check, not connection tracking: it admits any inbound TCP segment that has the ACK or RST bit set, whether or not a matching outbound connection exists. Where the device supports it, prefer stateful inspection (see the Inspection Rules page) to this option. |
| Rule Expiration (Advanced dialog box only) | Whether to configure an expiration date for the rule. Click the calendar icon to select a date. For more information, see Configuring Expiration Dates for Access Rules, page 11-22. If you configure an expiration date, you can also configure the number of days before which the rule expires to send out a notification of the pending expiration, and e-mail addresses to which to send the notifications. These fields are initially filled with the information configured on the Rule Expiration administrative settings page (select Tools > Security Manager Administration > Rule Expiration). Expired rules are not automatically deleted. You must delete them yourself and redeploy the configuration to the device. |
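Default Logging and Per ACE Logging produce different syslog messages (106023 carries no counter and is emitted only for denies; 106100 carries a hit count and a "first hit" or interval marker), so a collector has to handle both formats. The following parser is an added example, not code from this guide or from Cisco: it extracts both message types from constructed sample lines that follow the documented message layouts and sums the reported hits per ACL and per denied destination. The host name, ACL name and addresses in the samples are constructed; the parser accepts the %ASA, %PIX and %FWSM prefixes and ignores unrelated messages:

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the documented 106023/106100 layouts; host, ACL
# name and addresses are illustrative. The 302013 line is unrelated and ignored.
SAMPLE_LOG = """\
Mar 14 10:15:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.1.1.10/445 by access-group "outside_in" [0x0, 0x0]
Mar 14 10:15:02 fw1 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51235) -> inside/10.1.1.10(80) hit-cnt 1 first hit [0x8a7b3c1d, 0x00000000]
Mar 14 10:20:02 fw1 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51235) -> inside/10.1.1.10(80) hit-cnt 37 300-second interval [0x8a7b3c1d, 0x00000000]
Mar 14 10:20:09 fw1 %ASA-6-106100: access-list outside_in denied udp outside/198.51.100.9(5353) -> inside/10.1.1.10(53) hit-cnt 3 300-second interval [0x1f2e3d4c, 0x00000000]
Mar 14 10:21:00 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.9/5353 dst inside:10.1.1.11/53 by access-group "outside_in" [0x0, 0x0]
Mar 14 10:21:30 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51235 (203.0.113.5/51235) to inside:10.1.1.10/80 (10.1.1.10/80)
"""

# Default logging: one 106023 per denied packet, no message for permits, no counter.
RE_106023 = re.compile(
    r'%(?:ASA|PIX|FWSM)-4-106023: Deny (?P<proto>\S+) src (?P<sif>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?'
    r' dst (?P<dif>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?(?: \(type \d+, code \d+\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)
# Per-ACE logging: 106100 at the configured level, with a hit count and either
# "first hit" or "<interval>-second interval"; an optional (user) may follow each port.
RE_106100 = re.compile(
    r'%(?:ASA|PIX|FWSM)-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) (?P<proto>\S+)'
    r' (?P<sif>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\)(?:\(\S+\))?'
    r' -> (?P<dif>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\)(?:\(\S+\))?'
    r' hit-cnt (?P<hits>\d+) (?P<window>first hit|\d+-second interval)'
)


@dataclass(frozen=True)
class AclEvent:
    msg_id: int
    acl: str
    action: str          # normalized to "permit" or "deny"
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    hits: int


def parse_line(line: str) -> Optional[AclEvent]:
    """Return the ACL event carried by one syslog line, or None for other messages."""
    m = RE_106100.search(line)
    if m:
        action = "deny" if m["action"] == "denied" else "permit"
        return AclEvent(106100, m["acl"], action, m["proto"], m["src"], m["dst"],
                        int(m["dport"]), int(m["hits"]))
    m = RE_106023.search(line)
    if m:
        # No counter in this format: each line stands for exactly one denied packet.
        return AclEvent(106023, m["acl"], "deny", m["proto"], m["src"], m["dst"],
                        int(m["dport"]) if m["dport"] else None, 1)
    return None


def parse_log(text: str) -> List[AclEvent]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def hits_per_acl(events: List[AclEvent]) -> Dict[str, Dict[str, int]]:
    """Sum reported hits per ACL, split into permits and denies."""
    totals: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        totals[ev.acl][ev.action] += ev.hits
    return {acl: dict(c) for acl, c in totals.items()}


def top_denied_destinations(events: List[AclEvent], n: int = 3) -> List[Tuple[Tuple[str, str, Optional[int]], int]]:
    """Most-hit (destination, protocol, port) tuples among denies, for triage."""
    c: Counter = Counter()
    for ev in events:
        if ev.action == "deny":
            c[(ev.dst, ev.proto, ev.dport)] += ev.hits
    return c.most_common(n)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(hits_per_acl(evs))                 # {'outside_in': {'deny': 5, 'permit': 38}}
    print(top_denied_destinations(evs, 1))   # [(('10.1.1.10', 'udp', 53), 3)]
```

A 106100 interval message reports the hits accumulated during the logging interval, so summing the messages for a flow gives its total over the period; a 106023 line gives no count, so the parser treats each line as one packet, and permits logged only in Default Logging mode never appear at all.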
Edit Firewall Rule Expiration Settings Dialog Box
Use the Edit Firewall Rule Expiration Settings dialog box to edit the expiration settings for an access rule.
To set an expiration date for the rule, click the calendar icon to select a date.
If you configure an expiration date, you can also configure the number of days before which the rule expires to send out a notification of the pending expiration, and e-mail addresses to which to send the notifications. These fields are initially filled with the information configured on the Rule Expiration administrative settings page (select Tools > Security Manager Administration > Rule Expiration).
Expired rules are not automatically deleted. You must delete them yourself and redeploy the configuration to the device.
For more information, see Configuring Expiration Dates for Access Rules, page 11-22.
Navigation Path
Right-click the Expiration Date cell in an access rule (on the Access Rules Page) and select Edit Rule Expiration. If you select multiple rows, your changes replace the options defined for all selected rules.
Related Topics
•Working with Access Rules, page 11-17
Inspection Rules Page
Use the Inspection Rules page to identify inspection rules managed by Security Manager. For more information, see Understanding Inspection Rules, page 11-33.
From the Inspection Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
From the Inspection Rules page, you can generate reports to discover object groups that are being used and identify policies associated with a particular device.
Navigation Path
To access the Inspection Rules page, do one of the following:
•(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector.
•(Policy view) Select Firewall > Inspection Rules from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Policies > Inspection Rules.
Related Topics
•Understanding Inspection Rules, page 11-33
Field Reference
| Element | Description |
|---|---|
| No. | Identifies the ordered rule number in the table. |
| Permit | Whether a rule permits or denies traffic based on the conditions set. •Permit—Shown as a green check mark. •Deny—Shown as a red circle with slash. |
| Source | Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following: •Understanding Network/Host Objects, page 8-65 •Understanding Interface Role Objects, page 8-33 Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object. |
| Destination | Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. For more information, see the following: •Understanding Network/Host Objects, page 8-65 •Understanding Interface Role Objects, page 8-33 Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object. |
| Service | Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75. Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value. |
| Interface | Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33. For example: •All DMZs •All FastEthernets •All Interfaces •FastEthernet0 Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. |
| Dir. | (Direction) Identifies traffic direction within a network. Direction is always associated with an interface: •In—Packets entering a network. •Out—Packets exiting a network. Note The Direction parameter is supported on IOS devices only. |
| Inspected Protocol | Identifies the protocol to be inspected. |
| Time Range | Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization. See Creating Time Range Objects, page 8-92. Note Time range is not supported on FWSM 2.x or PIX 6.3 devices. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. |
| Tools button | Click this button to select tools that you can use with this type of policy. You can select from the following tools: •Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12. |
| Find and Replace button (binoculars icon) | Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6. |
| Up Row and Down Row buttons (arrow icons) | Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7. |
| Add button | Adds a rule to the table. |
| Edit button | Edits an existing rule in the table. |
| Delete button | Deletes a rule from the table. |
Use the Add and Edit Inspection Rule dialog boxes to add and edit inspection rules.
Navigation Path
To access the Add and Edit Inspection Rule dialog boxes, do one of the following:
•(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then select Add Rule, or right-click a rule, then select Edit Rule.
•(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then select Add Rule, or right-click a rule, then select Edit Rule.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
| Element | Description |
|---|---|
| Enable Rule | When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed. When viewing the main rules tables: •An enabled rule is shown without hash marks. •A disabled rule is shown with hash marks. Note: A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes. |
| All Interfaces | Enables you to add an inspection rule that is associated with all interfaces. Note: Global inspection is supported for PIX and ASA devices only. IOS does not support global inspection, but it is simulated when you create an IOS inspection rule and apply it globally: such a rule is applied to all interfaces in the direction "in". |
| Interface (PIX 7.x, ASA, FWSM 3.x, IOS) | Enables you to add an inspection rule based on an interface. |
| Traffic Direction | Enables you to further define deep packet inspection by identifying traffic direction within a network: •In—Packets entering a network. •Out—Packets exiting a network. Note: Traffic direction is active only when inspection is based on an interface. |
| Interfaces | Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. For example: •All DMZs •All Fast Ethernets •All Interfaces •FastEthernet0 This is a required field if you apply the rule to ASA or IOS device interfaces. Enter the interface information or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box. Note: Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33. |
| Default Protocol Ports | Enables you to inspect traffic based on a default protocol setting. Select this option if you want to inspect a protocol without applying any constraints to the inspected traffic. For a description of the GUI elements, see Table I-11. Note: You must click Next to open the appropriate wizard page. |
| Limit inspection between source and destination IP addresses (ASA, FWSM 3.x) | When selected, enables you to limit inspection between source and destination IP addresses. This setting applies to PIX 7.0, ASA, and FWSM 3.x devices only. For a description of the GUI elements, see Table I-13. Note: You must click Next to open the appropriate wizard page. |
| Custom Destination Ports | Enables you to inspect traffic based on TCP or UDP destination ports. Select this option if you want to associate additional TCP or UDP traffic with a given protocol, for example, treating TCP traffic on destination port 8080 as HTTP traffic. For a description of the GUI elements, see Table I-14. Note: You must click Next to open the appropriate wizard page. |
| Destination Address and Port (IOS) | Enables you to inspect traffic on IOS devices based on destination IP addresses. Select this option if you want to associate additional traffic with a given protocol only when the traffic is going to certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP only when the traffic is going to server 192.168.1.1. For a description of the GUI elements, see Table I-15. Note: You must click Next to open the appropriate wizard page. |
| Source and Destination Address and Port (PIX 7.x, ASA, FWSM 3.x) | Enables you to inspect traffic on ASA and FWSM 3.x devices based on source and destination IP addresses and ports. For a description of the GUI elements, see Table I-16. Note: You must click Next to open the appropriate wizard page. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. |
Use the Inspected Protocol page of the Add Inspect/Application FW Rule wizard, or the Edit Inspected Protocol dialog box, to configure the protocol inspected by an inspection rule.
Navigation Path
Do one of the following:
•To access the Inspected Protocol page, go to the Inspection Rules Page and click Add Row to add a new rule, or select a rule and click Edit Row. Advance the wizard to this page.
•To access the Edit Inspected Protocol dialog box, right-click the Inspected Protocol cell in an inspection rule and select Edit Inspected Protocol. If you select multiple rows, your changes replace the inspected protocol defined for all selected rules.
Related Topics
•Adding Inspection Rules, page 11-34
•Configuring Default Protocol Ports, page 11-36
•Understanding Inspection Rules, page 11-33
Field Reference
| Element | Description |
|---|---|
| Protocols table | Lists the protocols that you can inspect. You can select one protocol per rule. The list includes information on the device operating systems that allow inspection of the protocol: do not select protocols that are not supported by the device type on which you will use the inspection rule policy. The group column provides additional information on the use of some of the protocols. |
| Selected Protocol, Configure button | Displays the protocol you selected. If the protocol allows additional configuration, the Configure button becomes active; click it to see your options, and click the Help button in the dialog box that is opened for information about the options. For more information about protocols that allow configuration, see Protocols Supporting Configuration Options. |
| Rule Settings (IOS) | Additional settings for the rule if it is used on devices running Cisco IOS software. If you select Use Default Inspection settings, the IOS defaults, or the settings defined in the inspection settings policy (see Inspection Settings Page), are used. These are the settings you can enable or disable: •Alert—Whether to generate stateful packet inspection alert messages on the console. •Audit—Whether audit trail messages are logged to the syslog server or router. •Timeout—Whether to configure the length of time, in seconds, for which a session is managed while there is no activity. If you select Specify Timeout, enter the timeout value; the range is 5 to 43200 seconds. •Inspect Router Generated Traffic—Whether to inspect traffic that is generated by the device itself. This option is available for a limited number of the protocols. |
Table I-12 is a partial list of protocols that allow you to configure additional settings options.
| Protocol | Description |
|---|---|
| DNS | Sets maximum DNS packet length (PIX/ASA/FWSM/IOS). Values are 512-65535. Also, you can configure DNS policy maps and dynamic snooping. For more information, see Configure DNS Dialog Box. |
| FTP Strict | Enables you to select or create an FTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure FTP strict inspection, no map is required. |
| GTP | Enables you to select or create a GTP Map object to configure application firewall (PIX/ASA 7.x/FWSM 3.x). To configure GTP inspection, no map is required. |
| HTTP | Enables you to select or create an HTTP Map object to configure application firewall (PIX/ASA 7.x/FWSM/IOS). To configure HTTP inspection, no map is required. |
| RPC | Requires a program number and wait time (IOS/FWSM 2.x). •Program number values are 1-4294967295. •Wait time values are 0-35791. For more information, see Configure RPC Dialog Box. |
| SMTP | Sets maximum data length (PIX/FWSM/IOS). Values are 0-4294967295. For more information, see Configure SMTP Dialog Box. |
| Custom protocol | Requires a custom protocol name. Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination port 12000, or UDP with destination ports 8000-9000. For more information, see Custom Protocol Dialog Box. |
| ESMTP | Sets maximum data length (PIX/ASA/FWSM 3.x/IOS). Values are 0-4294967295. For more information, see Configure ESMTP Dialog Box. |
| Fragment | Sets maximum fragments and timeout values (IOS). •Fragment values are 0-10000. •Timeout values are 1-1000. For more information, see Configure Fragments Dialog Box. |
| IMAP | Includes optional settings for retrieving email (IOS). For more information, see Configure IMAP Dialog Box. |
| POP3 | Includes optional settings for retrieving email (IOS). For more information, see Configure POP3 Dialog Box. |
Use this wizard page (Step 2) to inspect traffic for specific sources and destinations for ASA devices.
Navigation Path
To access the Limit Inspection Between Source and Destination Addresses (ASA, FWSM 3.x) wizard page, do one of the following:
•(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
•(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
For more information, see:
•Adding Inspection Rules, page 11-34
Related Topics
•Configuring Default Protocol Ports, page 11-36
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
•Understanding Network/Host Objects, page 8-65
•Understanding Interface Role Objects, page 8-33
•Creating Time Range Objects, page 8-92
Field Reference
| Element | Description |
|---|---|
| Action | Describes what should occur based on the conditions set. •Permit—Allows traffic. •Deny—Denies traffic. |
| Sources, Destinations | The source or destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. •Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list. •Host IP address, for example, 10.10.10.100. •Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0. •A range of IP addresses, for example, 10.10.10.100-10.10.10.200. •An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). •Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33. If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles. |
| Time Range | Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization. Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box. Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices. |
Use this wizard page (Step 2) to select protocol and port values for TCP or UDP destination ports.
Navigation Path
To access the Match Traffic By Custom Destination Ports wizard page, do one of the following:
•(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
•(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
For more information, see:
•Adding Inspection Rules, page 11-34
Related Topics
•Configuring Custom Destination Ports, page 11-36
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
Use this wizard page (Step 2) to select protocol and port values for specific destinations for IOS devices.
To treat this matched traffic type as a supported inspect protocol only when destined to certain hosts, you should create a network policy object and include the list of hosts in it. Alternatively, you can also enter a list of host IP addresses as Destinations.
Navigation Path
To access the Match Traffic By Destination Address and Port (IOS) wizard page, do one of the following:
•(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
•(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
For more information, see:
•Adding Inspection Rules, page 11-34
Related Topics
•Configuring Destination Address and Port (IOS), page 11-37
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
•Understanding Network/Host Objects, page 8-65
Field Reference
| Element | Description |
|---|---|
| Destinations | The destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types to define the destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. •Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list. •Host IP address, for example, 10.10.10.100. •Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0. •A range of IP addresses, for example, 10.10.10.100-10.10.10.200. •An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). |
| Protocol | The protocol for the traffic, either TCP, UDP, or both (TCP/UDP). |
| Ports | •Single—Identifies a single port value. Values are 1-65535. •Range—Identifies a range of port values. Values are 1-65535. |
Use this wizard page (Step 2) to inspect traffic for specific sources and destinations for ASA and FWSM 3.x devices.
Select this matched traffic type if you want to limit inspection of traffic flowing between a set of source and destination addresses, for example, if you want to inspect FTP traffic flowing between 192.168.1.0/24 and 192.168.2.0/24.
You can use policy objects for sources, destinations and services. A time range can also be specified, which will activate the traffic criteria only during that period of time.
Navigation Path
To access the Match Traffic By Source and Destination Address and Port (ASA, FWSM 3.x) wizard page, do one of the following:
•(Device view) Select a device, then select Firewall > Inspection Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
•(Policy view) Select Firewall > Inspection Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
Related Topics
•Configuring Source and Destination Address and Port (ASA, FWSM 3.x), page 11-38
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
•Understanding Network/Host Objects, page 8-65
•Understanding Interface Role Objects, page 8-33
•Understanding and Specifying Services and Service and Port List Objects, page 8-75
•Creating Time Range Objects, page 8-92
Field Reference
| Element | Description |
|---|---|
| Action | Describes what should occur based on the conditions set. •Permit—Allows traffic. •Deny—Denies traffic. |
| Sources, Destinations | The source or destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. •Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list. •Host IP address, for example, 10.10.10.100. •Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0. •A range of IP addresses, for example, 10.10.10.100-10.10.10.200. •An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). •Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33. If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles. |
| Services | The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas. You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab. For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75. |
| Time Range | Defines access to a firewall device or security appliance based on specific times of the day and weekly access. Time range relies on the system clock of the device or appliance; however, the feature works best with NTP synchronization. Enter the time range value in the field provided or click Select, which opens the Object Selector dialog box from which to make your selection. You can also create a Time Range object by clicking the Create button in the Object Selector dialog box. Note: Time range is not supported on FWSM 2.x or PIX 6.3 devices. |
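The following Python model is an added example; it is not Security Manager, ASA or IOS code. It shows how the address forms accepted in the Sources and Destinations fields of this page and of the IOS Destination Address and Port page (host, CIDR, dotted mask, address range, discontiguous-mask pattern), together with the Single/Range port values and the Custom Destination Ports and Destination Address and Port options described earlier, decide whether a flow is selected for a given inspected protocol. The address and port syntax follows the field reference; the DEFAULT_PORTS table, the sample rule set and first-match rule ordering are constructed assumptions of the example, not documented Security Manager behaviour.

```python
"""Model of inspection-rule matching for the address and port syntax on this page.

Added example; not Security Manager code. DEFAULT_PORTS, RULES and first-match
ordering are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


def parse_address_spec(spec: str) -> Callable[[IPv4], bool]:
    """Turn one address token into a predicate over an IPv4Address.
    Accepted forms: host, a.b.c.d/prefix, a.b.c.d/mask, lo-hi range and a
    discontiguous-mask pattern such as 10.10.0.10/255.255.0.255."""
    spec = spec.strip()
    if "-" in spec:                                   # 10.10.10.100-10.10.10.200
        lo, hi = (int(IPv4(p.strip())) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {spec}")
        return lambda ip: lo <= int(ip) <= hi
    if "/" in spec:                                   # network or mask pattern
        addr, mask = spec.split("/", 1)
        base = int(IPv4(addr.strip()))
        if mask.strip().isdigit():                    # prefix length, e.g. /24
            prefix = int(mask)
            if not 0 <= prefix <= 32:
                raise ValueError(f"bad prefix length: {spec}")
            bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
        else:                                         # dotted mask, possibly discontiguous
            bits = int(IPv4(mask.strip()))
        # Only the 1-bits of the mask are compared, so a discontiguous mask
        # like 255.255.0.255 matches 10.10.<anything>.10.
        return lambda ip: (int(ip) & bits) == (base & bits)
    host = int(IPv4(spec))                            # single host address
    return lambda ip: int(ip) == host


def parse_address_list(text: str) -> Callable[[IPv4], bool]:
    """Comma-separated address tokens; 'any' matches every address."""
    if text.strip().lower() == "any":
        return lambda ip: True
    preds = [parse_address_spec(t) for t in text.split(",") if t.strip()]
    return lambda ip: any(p(ip) for p in preds)


def parse_port_spec(spec: str) -> Callable[[int], bool]:
    """Single port or lo-hi range; both ends must lie within 1-65535."""
    lo, hi = (int(p) for p in spec.split("-", 1)) if "-" in spec else (int(spec),) * 2
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {spec}")
    return lambda port: lo <= port <= hi


def is_valid_port_spec(spec: str) -> bool:
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


# Constructed subset of protocol default ports (assumption; the real list is
# in the Default Protocol Ports wizard page and is not reproduced here).
DEFAULT_PORTS = {"HTTP": ("tcp", "80"), "FTP": ("tcp", "21"), "DNS": ("tcp/udp", "53")}


@dataclass
class InspectRule:
    protocol: str                 # inspected protocol as named in the Protocols table
    l4: str = "tcp"               # "tcp", "udp" or "tcp/udp"; ignored when ports is empty
    ports: str = ""               # "8080" or "8000-9000"; "" = protocol default port
    sources: str = "any"
    destinations: str = "any"
    action: str = "permit"        # "permit" or "deny"


def rule_matches(rule: InspectRule, l4: str, src: str, dst: str, dport: int) -> bool:
    r_l4, r_ports = (rule.l4, rule.ports) if rule.ports else DEFAULT_PORTS[rule.protocol]
    return (l4 in r_l4.split("/")
            and parse_port_spec(r_ports)(dport)
            and parse_address_list(rule.sources)(IPv4(src))
            and parse_address_list(rule.destinations)(IPv4(dst)))


def classify(rules: List[InspectRule], l4: str, src: str, dst: str, dport: int
             ) -> Optional[Tuple[str, str]]:
    """(action, protocol) of the first matching rule, or None (first match is assumed)."""
    for rule in rules:
        if rule_matches(rule, l4, src, dst, dport):
            return rule.action, rule.protocol
    return None


# Constructed rule set mirroring the examples quoted in this field reference.
RULES = [
    InspectRule("HTTP"),                                                # default port 80, any to any
    InspectRule("HTTP", "tcp", "8080", destinations="192.168.1.1"),    # 8080 is HTTP only to one server
    InspectRule("FTP", sources="192.168.1.0/24", destinations="192.168.2.0/255.255.255.0"),
    InspectRule("CUSTOM-APP", "udp", "8000-9000"),                     # custom protocol on a port range
    InspectRule("DNS", destinations="10.10.0.10/255.255.0.255"),      # discontiguous mask pattern
]

if __name__ == "__main__":
    print(classify(RULES, "tcp", "10.0.0.5", "192.168.1.1", 8080))     # ('permit', 'HTTP')
    print(classify(RULES, "tcp", "10.0.0.5", "192.168.1.2", 8080))     # None
```

The point worth taking from the model is the discontiguous-mask case: a dotted mask is applied bit-for-bit rather than as a prefix length, so `10.10.0.10/255.255.0.255` selects every host whose first two and last octets are 10.10.x.10, which a CIDR-only parser would reject or misread.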
Use the Configure DNS dialog box to configure settings for DNS inspection on PIX 7.0+, ASA, FWSM, and IOS devices.
Navigation Path
Go to the Add Inspect/Application FW Rule Wizard Inspected Protocol Page and Edit Inspected Protocol Dialog Boxes, select DNS in the protocols table, and click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
•Botnet Traffic Filter Rules Page
Field Reference
Use the SMTP dialog box to edit settings for Simple Mail Transfer Protocol (SMTP) inspection (PIX/FWSM/IOS). SMTP is used to transfer email between servers and clients on the Internet. Email clients and mail servers that use protocols other than Messaging Application Programming Interface (MAPI) can use SMTP to transfer a message from a client to the server, and then forward it to a message recipient's server.
SMTP inspection checks SMTP commands for illegal commands. Any packets with illegal commands are dropped, and the SMTP session hangs and eventually times out.
Navigation Path
You can access the Configure SMTP dialog box from the Inspection Rules table. Select SMTP as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
| Element | Description |
|---|---|
| Maximum Data | Values are 0 to 4294967295. |
Use the Custom Protocol dialog box to edit settings for custom protocol inspection (IOS). Custom protocols allow you to associate protocols with destination ports and inspect them, for example, TCP with destination ports 12000, UDP with destination ports 8000-9000.
Navigation Path
You can access the Custom Protocol dialog box from the Inspection Rules table. Select Custom Protocol as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
| Element | Description |
|---|---|
| Custom Protocol Name | Identifies the name associated with the custom protocol. |
Use the Configure ESMTP dialog box to edit settings for Extended Simple Mail Transfer Protocol (ESMTP) inspection (PIX/ASA/FWSM 3.x/IOS). ESMTP enables users who install mail servers behind Cisco IOS firewalls to install their servers on the basis of ESMTP (instead of Simple Mail Transfer Protocol [SMTP]).
Navigation Path
You can access the Configure ESMTP dialog box from the Inspection Rules table. Select ESMTP as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
| Element | Description |
|---|---|
| Maximum Data | Values are 0 to 4294967295. |
Use the Configure Fragments dialog box to edit settings for fragment inspection.
Navigation Path
You can access the Configure Fragments dialog box from the Inspection Rules table. Select Fragments as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
Use the Configure IMAP dialog box to edit settings for Internet Message Access Protocol (IMAP) inspection (IOS). IMAP is a method for accessing electronic mail or bulletin board messages that are kept on a mail server that may be shared. It permits a client email program to access remote messages as though they were local.
Navigation Path
You can access the Configure IMAP dialog box from the Inspection Rules table. Select IMAP as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
Use the Configure POP3 dialog box to edit settings for Post Office Protocol, Version 3 (POP3) inspection (IOS). POP3 is used to receive email that is stored on a mail server. Unlike IMAP, POP retrieves mail only from a remote host.
Navigation Path
You can access the Configure POP3 dialog box from the Inspection Rules table. Select POP3 as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
Use the RPC dialog box to edit settings for RPC inspection (IOS). RPC inspection is configured per program number: to inspect several programs, create a separate RPC inspection entry for each program number. Traffic for a program number that is specified in an entry is permitted; traffic for a program number that no entry specifies is blocked. For example, if you create an RPC entry with the NFS program number, all NFS traffic is allowed through the firewall.
Navigation Path
You can access the Configure RPC dialog box from the Inspection Rules table. Select RPC as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
Use the Configure (Protocol Platform) dialog box to choose a policy object based on device type.
Navigation Path
You can access the Configure (Protocol Platform) dialog box from the Inspection Rules table. Select HTTP or IM as the protocol for inspection, then click Configure.
Related Topics
•Adding Inspection Rules, page 11-34
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
You can use the Botnet Traffic Filter Rules page to define rules for identifying malicious traffic passing through your ASA security device.
The Botnet Traffic Filter Rules page is divided into three sections:
•Dynamic Blacklist Configuration Tab
•Traffic Classification Tab
•Whitelist/Blacklist Tab
Navigation Path
To access the Botnet Traffic Filter Rules page, do one of the following:
•(Device view) Select a device, then select Firewall > Botnet Traffic Filter Rules from the Policy selector.
•(Policy view) Select Firewall > Botnet Traffic Filter Rules from the Policy Type selector. Select an existing policy or create a new one.
•(Map view) Right-click a device and select Edit Firewall Policies > Botnet Traffic Filter Rules.
Related Topics
•Understanding Botnet Traffic Filtering, page 11-47
•Task Flow for Configuring the Botnet Traffic Filter, page 11-48
•Dynamic Blacklist Configuration Tab
•Traffic Classification Dialog Box
•Device Whitelist or Device Blacklist Dialog Box
Use the Dynamic Blacklist Configuration tab to enable database updates from the Cisco update server and to enable use of the downloaded dynamic database by the security appliance.
Navigation Path
From the Botnet Traffic Filter Rules Page, click the Dynamic Blacklist Configuration tab.
Related Topics
•Configuring the Dynamic Database, page 11-49
•Understanding Botnet Traffic Filtering, page 11-47
•Task Flow for Configuring the Botnet Traffic Filter, page 11-48
•Botnet Traffic Filter Rules Page
•Traffic Classification Dialog Box
•Device Whitelist or Device Blacklist Dialog Box
Field Reference
Use the Traffic Classification tab to view or to configure the traffic classification definitions for a device or shared policy. Traffic classification definitions consist of an interface or interface role with an associated ACL that identifies the traffic that is monitored by the Botnet Traffic Filter. You can configure settings for specific interfaces or for interface roles. You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override any settings defined for an interface role.
The columns in the table summarize the settings for an entry and are explained in Traffic Classification Dialog Box.
Tip: You can use the "Click here to go to Inspect Rules..." link at the bottom of the Traffic Classification tab to navigate directly to the Inspection Rules page so that you can enable DNS snooping. For more information, see Enabling DNS Snooping, page 11-51.
To configure traffic classification:
•Click the Add Row button to add an interface or interface role to the table, and fill in the Traffic Classification Dialog Box.
•Select an entry and click the Edit Row button to edit an existing entry.
•Select an entry and click the Delete Row button to delete it.
Navigation Path
From the Botnet Traffic Filter Rules Page, click the Traffic Classification tab.
Related Topics
•Traffic Classification Dialog Box
•Enabling Traffic Classification for Botnet Traffic Filter Logging, page 11-52
•Understanding Botnet Traffic Filtering, page 11-47
•Task Flow for Configuring the Botnet Traffic Filter, page 11-48
•Botnet Traffic Filter Rules Page
•Dynamic Blacklist Configuration Tab
•Device Whitelist or Device Blacklist Dialog Box
Use the Traffic Classification dialog box to specify the interfaces on which you want to enable the Botnet Traffic Filter and to identify the traffic that you want to monitor.
Navigation Path
To access the Traffic Classification dialog box, right-click inside the work area of the Traffic Classification tab and then select Add Row, or right-click an existing entry and select Edit Row.
Related Topics
•Enabling Traffic Classification for Botnet Traffic Filter Logging, page 11-52
•Understanding Botnet Traffic Filtering, page 11-47
•Task Flow for Configuring the Botnet Traffic Filter, page 11-48
•Botnet Traffic Filter Rules Page
•Dynamic Blacklist Configuration Tab
•Device Whitelist or Device Blacklist Dialog Box
Field Reference
| Element | Description |
|---|---|
| Interfaces | The interfaces or interface roles on which you want to enable the Botnet Traffic Filter. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list. You can use the All Interfaces role object to enable botnet filtering globally (selected by default). If you configure an interface-specific classification, the settings for that interface override the global settings. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33. |
| ACL | Specifies the access list to use for identifying the traffic that you want to monitor. If you do not specify an access list, by default you monitor all traffic. To specify the traffic that you want to monitor, click Select to the right of the ACL field to select an Access Control List object that identifies the traffic that you want to monitor. For example, you might want to monitor all port 80 traffic on the outside interface. For more information about Access Control List objects, see Creating Access Control List Objects, page 8-23. |
Use the Whitelist/Blacklist tab to view or to configure the static database entries for a device or shared policy. The Device Blacklist contains domain names or IP addresses of malicious or undesirable sites. You can use the static blacklist to supplement the Cisco dynamic database or you can use the static blacklist alone if you can identify all the malware sites that you want to target.
The Device Whitelist contains domain names or IP addresses of sites that are deemed to be acceptable. If the dynamic database includes blacklisted addresses that you think should not be blacklisted, you can manually enter them into a static whitelist. Static whitelist entries take precedence over entries in the static blacklist and the Cisco dynamic database. Whitelisted addresses still generate syslog messages, but because you are only targeting blacklist syslog messages, they are informational.
To configure the static database:
•Click the Add Row button to define static database entries using the Device Whitelist or Device Blacklist Dialog Box.
•Select an entry and click the Edit Row button to edit an existing entry.
Timesaver Select an entry and press F2 or double-click on an entry in the Device Whitelist or Device Blacklist to edit that entry in place.
•Select an entry and click the Delete Row button to delete it.
Navigation Path
From the Botnet Traffic Filter Rules Page, click the Whitelist/Blacklist tab.
Related Topics
•Adding Entries to the Static Database, page 11-50
•Understanding Botnet Traffic Filtering, page 11-47
•Task Flow for Configuring the Botnet Traffic Filter, page 11-48
•Device Whitelist or Device Blacklist Dialog Box
•Botnet Traffic Filter Rules Page
•Dynamic Blacklist Configuration Tab
Use the Device Whitelist or Device Blacklist dialog box to manually define domain names or IP addresses that you want to add to the whitelisted (safe) or blacklisted (malicious) lists. You can use the static blacklist to supplement the Cisco dynamic database or you can use the static blacklist alone if you can identify all the malware sites that you want to target. Names or addresses that appear on both the whitelist and the dynamic blacklist are identified only as whitelist addresses in syslog messages and reports.
Domain names can be complete (including the host name, such as www.cisco.com), or partial (such as cisco.com). For partial names, all web site hosts on that domain are either whitelisted or blacklisted. You can also enter host IP addresses. Use a comma or new line to separate multiple entries.
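The precedence rules stated above (static whitelist over static blacklist over the Cisco dynamic database) and the complete/partial domain-name forms are easy to get wrong when reviewing a large static database. The following is an added example, not Security Manager or ASA code, that models how one looked-up name or address resolves against the two static lists and a stand-in for the dynamic database. The sample entries, the plain-set stand-in for the dynamic database, the result labels, and the dot-boundary reading of "all web site hosts on that domain" are this example's own assumptions.

```python
"""Model of how Botnet Traffic Filter static lists resolve a name or address.

Added example, not Security Manager or ASA code. The precedence (static
whitelist over static blacklist over the Cisco dynamic database) and the
complete/partial domain forms are as the page describes; the sample entries,
the dynamic database stand-in (a plain set) and the result labels are this
example's own assumptions.
"""
import ipaddress

# Constructed sample lists in the dialog's own syntax: comma- or newline-separated.
DEVICE_WHITELIST = "www.cisco.com, 10.1.1.5"
DEVICE_BLACKLIST = "bad.example\nmalware.example.net"
# Stand-in for the Cisco dynamic database (constructed; the real one is downloaded).
DYNAMIC_DATABASE = frozenset({"cisco.com", "evil.example"})


def parse_entries(text):
    """Split a whitelist/blacklist field into normalized entries."""
    parts = text.replace("\n", ",").split(",")
    return [p.strip().lower() for p in parts if p.strip()]


def entry_matches(entry, target):
    """One list entry against one looked-up name or address.

    A partial domain (example.com) covers every host on that domain; a complete
    name or an IP address covers only itself. The dot-boundary check is this
    model's reading of "all web site hosts on that domain": notbad.example is
    not covered by the entry bad.example.
    """
    try:
        return ipaddress.ip_address(entry) == ipaddress.ip_address(target)
    except ValueError:
        pass  # at least one side is a domain name, so compare as names
    return target == entry or target.endswith("." + entry)


def classify(target, whitelist=DEVICE_WHITELIST, blacklist=DEVICE_BLACKLIST,
             dynamic_db=DYNAMIC_DATABASE):
    """Return "whitelist", "blacklist" or "unknown" for a name or address.

    Static whitelist entries win over both the static blacklist and the
    dynamic database, so a whitelisted name is reported only as whitelist
    even when the dynamic database also lists its domain.
    """
    target = target.strip().lower()
    if any(entry_matches(e, target) for e in parse_entries(whitelist)):
        return "whitelist"
    if any(entry_matches(e, target) for e in parse_entries(blacklist)):
        return "blacklist"
    if any(entry_matches(e, target) for e in dynamic_db):
        return "blacklist"
    return "unknown"


if __name__ == "__main__":
    for name in ("www.cisco.com", "mail.cisco.com", "host.bad.example",
                 "notbad.example", "10.1.1.5", "example.org"):
        print(f"{name:20} -> {classify(name)}")
```

Note how mail.cisco.com ends up blacklisted by the dynamic database even though www.cisco.com is whitelisted: a complete-name whitelist entry protects only that host, so a partial entry (cisco.com) is what you want when the whole domain should override the dynamic database.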
Navigation Path
From the Whitelist/Blacklist Tab, click the Add Rows button beneath the Device Whitelist or Device Blacklist tables, or select an entry and click the Edit Row button.
Related Topics
•Adding Entries to the Static Database, page 11-50
•Understanding Botnet Traffic Filtering, page 11-47
•Task Flow for Configuring the Botnet Traffic Filter, page 11-48
•Botnet Traffic Filter Rules Page
•Dynamic Blacklist Configuration Tab
•Traffic Classification Dialog Box
Use the Transparent Rules page to identify EtherType rules defined in Security Manager. Before you can configure transparent rules on ASA/PIX 7.x+ security appliances or FWSM firewall devices, they must be configured in transparent mode.
To configure transparent rules on IOS devices, you must configure a bridge group with two or more layer 3 interfaces (see Bridging on Cisco IOS Routers, page 13-50 and Defining Bridge Groups, page 13-51) and create a bridge group virtual interface (BVI) (see Bridge-Group Virtual Interfaces, page 13-50).
From the Transparent Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
Only EtherType rules are configured as firewall policies. To configure other types of transparent firewall features, select Platform > Bridging.
Note Transparent rules are not supported on PIX 6.x devices or IOS devices with an image lower than 12.3(7)T.
Navigation Path
To access Transparent Rules, do one of the following:
•(Device view) Select a device, then select Firewall > Transparent Rules from the Device selector.
•(Policy view) Select Firewall > Transparent Rules from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Policies > Transparent Rules.
Related Topics
•Working with Transparent Firewall Rules, page 11-58
Field Reference
| Element | Description |
|---|---|
| No. | Identifies the ordered rule number in the table. |
| Permit | Whether a rule permits or denies traffic based on the conditions set. •Permit—Shown as a green check mark. •Deny—Shown as a red circle with slash. |
| EtherType | Specifies Ethernet packet type. •Supports PIX/FWSM/ASA EtherType access-lists: –IPX –BPDU—Spanning Tree Bridge Protocol Data Units –MPLS-UNICAST –MPLS-MULTICAST –Other—Any valid hex value from 0x600-0xFFFF. •Supports IOS devices: –Other—Any valid hex value from 0x0-0xFFFF. |
| Mask | Identifies a 16-bit hexadecimal number whose ones bits correspond to bits in the type-code argument that should be ignored when making a comparison. (A mask for a DSAP/SSAP pair should always be at least 0x0101. This is because these two bits are used for purposes other than identifying the SAP codes.) |
| Interface | Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. Multiple entries are displayed as separate subfields within the table cell. See Understanding Interface Role Objects, page 8-33. For example: •All DMZs •All FastEthernets •All Interfaces •FastEthernet0 Enter interface information, or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box. Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. The access-group command is generated for the interface role selected for PIX/FWSM/ASA. The bridge-group command is generated as a subcommand of the interface role. |
| Dir. | (Direction) Identifies traffic direction within a network. Direction is always associated with an interface: •In—Packets entering a network. •Out—Packets exiting a network. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. Note For PIX/FWSM/ASA, the description is mapped to access-list remark. |
| Up Row and Down Row buttons (arrow icons) | Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7. |
| Add button | Adds a rule to the table. |
| Edit button | Edits an existing rule in the table. |
| Delete button | Deletes a rule from the table. |
Use the Add and Edit Transparent Firewall Rule dialog boxes to add and edit EtherType rules.
Navigation Path
To access Transparent Rules, do one of the following:
•(Device view) Select a device, then select Firewall > Transparent Rules from the Device selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
•(Policy view) Select Firewall > Transparent Rules from the Policy selector. Right-click inside the table, then click Add Row, or right-click a rule, then click Edit Row.
Related Topics
•Adding Transparent Rules, page 11-59
•Working with Transparent Firewall Rules, page 11-58
Field Reference
| Element | Description |
|---|---|
| Enable Rule | When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed. When viewing the main rules tables: •An enabled rule is shown without hash marks. •A disabled rule is shown with hash marks. Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes. |
| Action | Describes what should occur based on the conditions set. •Permit—Allows traffic. •Deny—Denies traffic. |
| Interfaces | Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33. For example: •All DMZs •All Fast Ethernets •All Interfaces •FastEthernet0 Click Edit, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box. Note Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. The access-group command is generated for the interface role selected for PIX/FWSM/ASA. The bridge-group command is generated as a subcommand of the interface role. |
| Traffic Direction | Identifies traffic direction within a network. Direction is always associated with an interface. •In—Packets entering a network. •Out—Packets exiting a network. |
| EtherType | Specifies Ethernet packet type. •Supports PIX/FWSM/ASA EtherType access-lists: –IPX –BPDU—Spanning Tree Bridge Protocol Data Units –MPLS-UNICAST –MPLS-MULTICAST –Other—Any valid hex value from 0x600-0xFFFF. •Supports IOS devices: –Other—Any valid hex value from 0x0-0xFFFF. |
| Wildcard Mask (IOS) | Identifies a 16-bit hexadecimal number whose ones bits correspond to bits in the type-code argument that should be ignored when making a comparison. (A mask for a DSAP/SSAP pair should always be at least 0x0101. This is because these two bits are used for purposes other than identifying the SAP codes.) |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. Note For PIX/FWSM/ASA, the description is mapped to access-list remark. |
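The EtherType and Wildcard Mask fields described in both the Transparent Rules table and the Add/Edit dialog box are the only inputs a transparent rule matches on, so it is worth seeing exactly how a mask widens a rule. The following is an added example, not Security Manager, IOS, or ASA code: it validates a numeric "Other" EtherType against the per-platform ranges the field reference gives, applies a wildcard mask (ones bits ignored) when comparing type codes, and walks an ordered rule list first-match style. The hex values assigned to the named types, the sample rule set, and the default verdict when no rule matches are this example's assumptions; BPDU is deliberately left out of the named map because spanning-tree BPDUs are LLC frames identified by DSAP/SSAP 0x42 rather than by a 16-bit EtherType (which is why the Mask field carries a DSAP/SSAP remark).

```python
"""Model of EtherType rule matching for transparent firewall rules.

Added example, not Security Manager, IOS or ASA code. The allowed "Other"
ranges (0x600-0xFFFF on PIX/FWSM/ASA, 0x0-0xFFFF on IOS) and the meaning of
the IOS wildcard mask (ones bits are ignored) are as the field reference
states; the hex values for the named types, the sample rule set, the
first-match evaluation and the default verdict are this example's assumptions.
"""

# Standard IEEE EtherType assignments for the named types the page lists.
# BPDU is not included: spanning-tree BPDUs are LLC frames identified by
# DSAP/SSAP 0x42, not by a 16-bit EtherType (hence the DSAP/SSAP mask remark).
NAMED_ETHERTYPES = {
    "IPX": 0x8137,
    "MPLS-UNICAST": 0x8847,
    "MPLS-MULTICAST": 0x8848,
}

# Valid range for a numeric "Other" value, per platform, as the page states.
ETHERTYPE_RANGE = {
    "PIX/FWSM/ASA": (0x0600, 0xFFFF),
    "IOS": (0x0000, 0xFFFF),
}


def valid_ethertype(value, platform):
    """True if a numeric "Other" EtherType is acceptable for the platform."""
    lo, hi = ETHERTYPE_RANGE[platform]
    return lo <= value <= hi


def sap_pair_mask_ok(mask):
    """For a DSAP/SSAP pair the page requires a mask of at least 0x0101."""
    return (mask & 0x0101) == 0x0101


def ethertype_matches(frame_type, rule_type, mask=0x0000):
    """Compare two 16-bit type codes, ignoring the bits set in the mask."""
    care = ~mask & 0xFFFF
    return (frame_type & care) == (rule_type & care)


def evaluate(frame_type, rules, default="deny"):
    """First matching rule wins, in table order; no match falls to default.

    rules: list of (action, ethertype, mask). The default verdict is this
    model's assumption, not a statement about any platform's built-in policy.
    """
    for action, rule_type, mask in rules:
        if ethertype_matches(frame_type, rule_type, mask):
            return action
    return default


# Constructed rule set: permit IPX, and permit the whole 0x8840-0x884F block
# (which covers both MPLS types) with a single wildcard-masked rule.
RULES = [
    ("permit", NAMED_ETHERTYPES["IPX"], 0x0000),
    ("permit", 0x8840, 0x000F),
]

if __name__ == "__main__":
    for t in (0x8137, 0x8847, 0x8848, 0x88B5):
        print(f"0x{t:04X} -> {evaluate(t, RULES)}")
```

The masked rule is the point to check during review: 0x8840 with mask 0x000F permits sixteen type codes, not just the two MPLS ones, so a mask should be no wider than the set of types you actually intend to pass.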
Use the Edit Transparent EtherType dialog box to edit EtherType settings in a table.
Navigation Path
To access the Edit Transparent EtherType dialog box, right-click the entry in the EtherType column of the Transparent Rules table, then click Edit EtherType.
Related Topics
•Adding Transparent Rules, page 11-59
•Working with Transparent Firewall Rules, page 11-58
Field Reference
Use the Edit Transparent Mask dialog box to edit mask settings in a table.
Navigation Path
To access the Edit Transparent Mask dialog box, right-click the entry in the Mask column of the Transparent Rules table, then click Edit Mask.
Related Topics
•Adding Transparent Rules, page 11-59
•Working with Transparent Firewall Rules, page 11-58
Field Reference
Use the Web Filter Rules page to identify web filter rules defined in Security Manager for PIX and ASA devices.
From the Web Filter Rules page, you can add, edit, and delete rules, reorder rules, and enable or disable rules in the table. You perform these tasks using either the shortcut menu, which is accessed by right-clicking a table cell, or by selecting the appropriate buttons located below the table.
Navigation Path
To access the Web Filter Rules page for PIX/ASA devices, do one of the following:
•(Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector.
•(Policy view) Select Firewall > Web Filter Rules from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Policies > Web Filter Rules.
Related Topics
•Understanding Web Filter Rules, page 11-54
Field Reference
| Element | Description |
|---|---|
| No. | Identifies the ordered rule number in the table. |
| Source | Identifies the source network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a source. Multiple entries are displayed as separate subfields within the table cell. See: •Understanding Network/Host Objects, page 8-65. •Understanding Interface Role Objects, page 8-33. Note If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object. |
| Destination | Identifies the destination network object names or addresses of hosts and networks, for example, 10.1.1.1, 10.1.1.1/32, 10.1.1.1/255.255.255.255 and net10. Interface roles can also be used to identify a destination. Multiple entries are displayed as separate subfields within the table cell. See: •Understanding Network/Host Objects, page 8-65. •Understanding Interface Role Objects, page 8-33. Note If you manually enter 0.0.0.0/0 for the destination, it automatically matches the "any" predefined object. |
| Service | Identifies service objects that specify protocol and port information. Multiple entries are displayed as separate subfields within the table cell. See Understanding and Specifying Services and Service and Port List Objects, page 8-75. Note If you manually enter a service, such as TCP / 80, and that data translates directly to a predefined service object, such as HTTP, the rule takes the predefined object as its value. |
| Type | Displays filtering parameters. |
| Options | Displays additional configuration options for the selected protocol. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. |
| Tools button | Click this button to select tools that you can use with this type of policy. You can select from the following tools: •Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12. |
| Find and Replace button (binoculars icon) | Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6. |
| Up Row and Down Row buttons (arrow icons) | Click these buttons to move the selected rules up or down within a scope or section. For more information, see Moving Rules and the Importance of Rule Order, page 11-7. |
| Add button | Adds a rule to the table. |
| Edit button | Edits an existing rule in the table. |
| Delete button | Deletes a rule from the table. |
Use the Add and Edit PIX/FWSM/ASA Rules dialog boxes to set values for Web Filter Rules for those platforms.
Navigation Path
To access the PIX/FWSM/ASA Rules dialog box, do one of the following:
•(Device view) Select a device, then select Firewall > Web Filter Rules from the Device selector. Right-click inside the work area, then click Add Row or right-click a rule, then click Edit Row.
•(Policy view) Select Firewall > Web Filter Rules from the Policy selector. Right-click inside the work area, then click Add Row or right-click a rule, then click Edit Row.
Related Topics
•Adding Web Filter Rules (PIX/ASA), page 11-54
•Understanding Web Filter Rules, page 11-54
•Working with Web Filter Rules, page 11-53
Field Reference
| Element | Description |
|---|---|
| Enable Rule | When selected, indicates that the rule becomes active on a device after the configuration is generated and deployed. When viewing the main rules tables: •An enabled rule is shown without hash marks. •A disabled rule is shown with hash marks. Note A disabled rule is not generated and deployed to devices; however, it is retained in the rules table for debugging purposes. |
| Filtering | Lists options for handling filtering: •Filter—Limits traffic to particular sites and limits traffic between two entities. •Filter Except—Exempts specific traffic from filtering. Note Filter except rules are recognized before filter rules. |
| Type | Describes what should be filtered. •URL—HTTP filtering using an external filtering server, such as Websense or N2H2. •HTTPS—Supported on Websense filtering servers only. •Java—Supported on Websense and N2H2 servers. •ActiveX—Supported on Websense and N2H2 servers. •FTP—Supported on Websense filtering servers only. |
| Sources, Destinations | The source or destination of the traffic. You can enter more than one value by separating the items with commas. You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. •Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list. •Host IP address, for example, 10.10.10.100. •Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0. •A range of IP addresses, for example, 10.10.10.100-10.10.10.200. •An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). •Interface role object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33. If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles. |
| Services | The services that define the type of traffic to act on. You can enter more than one value by separating the items with commas. You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab. For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75. Note The Services field is not applicable when Filter Except is selected. |
| Allow traffic if URL Filter Server unavailable | When selected, permits outbound connections to pass through the security appliance without filtering if the server is unavailable. If you omit this option and the N2H2 or Websense server goes offline, the security appliance stops outbound port 80 (Web) traffic until the N2H2 or Websense server is back online. |
| Block connection to HTTP Proxy Server | When selected, prevents users from connecting to an HTTP proxy server. |
| Truncate CGI request by removing CGI parameters | When selected, truncates CGI URLs to include only the CGI script location and the script name without any parameters. When a URL has a parameter list starting with a question mark (?), the URL sent to the filtering server is truncated by removing all characters after and including the question mark. |
| Long URL | Lists options for handling long URLs: •Drop—Drops the packet if a URL exceeds the maximum permitted size (default). To avoid this, you can set the security appliance to truncate a long URL. •Truncate—Sends only the originating hostname or IP address to the Websense server if the URL is over the URL buffer limit. •Deny—Denies the URL request if the URL is over the URL buffer size limit or the URL buffer is not available. Note Filtering URLs up to 4 KB is supported for the Websense filtering server, and up to 1159 bytes for the N2H2 filtering server. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | Shows a user-defined description to help you identify a rule when viewing the rules table. A maximum of 1024 characters is allowed. |
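Three of the options in this dialog box change what the filtering server sees or what happens when it cannot be asked: the fail-open option when the server is unavailable, CGI truncation, and the Long URL handling with its per-server buffer limits. The following is an added example, not ASA or Security Manager code, that models those decisions for a single request so the interaction between them (for instance, CGI truncation bringing a URL back under the N2H2 limit) can be checked. The option names and limits come from the page; reading "4 KB" as 4096 bytes, the sample URLs, the function names, and the verdict strings are this example's assumptions.

```python
"""Model of the request-handling options in the PIX/FWSM/ASA web filter rule.

Added example, not ASA or Security Manager code. The option names, the
fail-open behaviour when the filtering server is unavailable, the CGI
truncation at '?', and the buffer limits (4 KB for Websense, 1159 bytes for
N2H2) come from the page; reading 4 KB as 4096 bytes, the sample URLs and the
verdict strings are this example's assumptions.
"""
from urllib.parse import urlsplit

URL_BUFFER_LIMIT = {"websense": 4096, "n2h2": 1159}


def truncate_cgi(url):
    """Keep only the script location and name: cut at the first '?'."""
    return url.split("?", 1)[0]


def originating_host(url):
    """Hostname or IP address the Truncate option sends instead of the full URL."""
    return urlsplit(url).hostname or ""


def prepare_lookup(url, server, long_url="drop", strip_cgi=False):
    """Decide what is sent to the filtering server for one request.

    Returns (verdict, url_for_server): verdict is "lookup" when a query goes
    to the server, "drop" or "deny" when the Long URL option stops it first.
    """
    if strip_cgi:
        url = truncate_cgi(url)
    if len(url.encode("utf-8")) <= URL_BUFFER_LIMIT[server]:
        return "lookup", url
    if long_url == "drop":          # default: the packet is dropped
        return "drop", None
    if long_url == "deny":          # the request is denied outright
        return "deny", None
    if long_url == "truncate":      # only the host is sent for lookup
        return "lookup", originating_host(url)
    raise ValueError(f"unknown Long URL option: {long_url}")


def decide(url, server, server_online, allow_if_unavailable=False, **options):
    """Outcome for one outbound HTTP request under a filter rule."""
    if not server_online:
        # Without "Allow traffic if URL Filter Server unavailable", port 80
        # traffic stops until the server is back (fail closed).
        return "permit" if allow_if_unavailable else "block"
    verdict, _ = prepare_lookup(url, server, **options)
    return verdict


# Constructed sample requests.
CGI_URL = "http://www.example.test/cgi-bin/search?q=budget&dept=finance"
LONG_URL = "http://www.example.test/" + "a" * 1200        # 1224 bytes
LONG_CGI_URL = "http://www.example.test/s?" + "b" * 1200  # long only because of its query

if __name__ == "__main__":
    print(truncate_cgi(CGI_URL))
    print(prepare_lookup(LONG_URL, "n2h2"))
    print(prepare_lookup(LONG_URL, "n2h2", long_url="truncate"))
    print(prepare_lookup(LONG_CGI_URL, "n2h2", strip_cgi=True))
    print(decide(CGI_URL, "websense", server_online=False))
```

Two points the model makes visible: the Truncate option sends only the host, so the server classifies the site rather than the page; and leaving the unavailable-server option off is the fail-closed choice, which is what stops port 80 traffic during a filter-server outage.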
Use the Edit Web Filter Type dialog box to edit filtering and service entries.
Navigation Path
To access the Edit Web Filter Type dialog box, right-click the entry in the Type column of the Web Filter Rules table, then click Edit Web Filter Type.
Related Topics
•Adding Web Filter Rules (PIX/ASA), page 11-54
•Understanding Web Filter Rules, page 11-54
•Working with Web Filter Rules, page 11-53
Field Reference
Use the Edit Web Filter Options dialog box to edit additional options entries based on the service selected.
Navigation Path
Right-click the entry in the Options column of the Web Filter Rules table, then click Edit Web Filter Rule Options.
Related Topics
•Adding Web Filter Rules (PIX/ASA), page 11-54
•Understanding Web Filter Rules, page 11-54
•Working with Web Filter Rules, page 11-53
Field Reference
Use the Web Filter Rules page for IOS devices to configure web, or URL, filtering rules. Web filtering is a type of HTTP inspection. If your access rules allow HTTP traffic on an interface, you can configure rules to apply local and server-based web filtering to prevent users from accessing undesirable web servers.
When you configure web filter rules, also configure web filter settings in the Firewall > Settings > Web Filter policy. The settings identify the web filtering server and contain other settings that control the overall functioning of the policy. For example, you can use the settings policy to allow all web traffic if the filtering server becomes unavailable. For more information, see Web Filter Settings Page.
Tip You can also configure web filtering as a zone based firewall rule. For more information, see Zone-based Firewall Rules Page.
Navigation Path
To access the Web Filter Rules page for IOS devices, do one of the following:
•(Device view) Select an IOS device and select Firewall > Web Filter Rules from the policy selector.
•(Policy view) Select Firewall > Web Filter Rules (IOS) from the policy selector.
•(Map view) Right-click an IOS device and select Edit Firewall Policies > Web Filter Rules.
Related Topics
•Understanding Web Filter Rules, page 11-54
•Configuring Web Filter Rules for IOS devices, page 11-56
•Working with Web Filter Rules, page 11-53
Field Reference
| Element | Description |
|---|---|
| Web Filter Rules tab | The URL filtering rules defined for the policy. Each rule shows the interface on which it is defined, whether the rule is applied to incoming or outgoing traffic, and the permitted or denied Java applet sources if Java applet scanning is enabled. You might have more than one rule for an interface if you configure both a permit and deny list for Java applet scanning. •To add a rule, click the Add Row button and fill in the IOS Web Filter Rule and Applet Scanner Dialog Box. •To edit a rule, select it and click the Edit Row button. •To delete a rule, select it and click the Delete Row button. |
| Exclusive Domains tab | The local web filter list. This list is checked before web requests are sent to the filtering server and applies to all interfaces on which you configure web filtering. If you know there are specific domains that you will always allow (such as your organization's own domain name), or disallow, you can list them here. By configuring a local filter list, you can improve performance because the device does not need to wait for a response from the filtering server. •To add a domain, click the Add Row button and fill in the IOS Web Filter Exclusive Domain Name Dialog Box. •To edit a domain, select it and click the Edit Row button. •To delete a domain, select it and click the Delete Row button. |
Use the IOS Web Filter Rule and Applet Scanner dialog box to create web filtering rules for IOS devices.
Navigation Path
To open this dialog box, select the Web Filter Rules tab on the Web Filter Rules Page (IOS), click Add Row to create a new rule, or select a row and click Edit Row to edit an existing rule.
Related Topics
•Configuring Web Filter Rules for IOS devices, page 11-56
•Understanding Web Filter Rules, page 11-54
•Working with Web Filter Rules, page 11-53
•Configuring Settings for Web Filter Servers, page 11-57
Field Reference
| Element | Description |
|---|---|
| Enable Web Filtering | Whether to enable the web filtering rule. |
| Interface | The interface or interface role to which the rule is assigned. Enter the name of the interface or the interface role, or click Select to select the interface or role from a list, or to create a new role. An interface must already be defined to appear on the list. Interface role objects are replaced with the actual interface names when the configuration is generated for each device. See Understanding Interface Role Objects, page 8-33. |
| Traffic Direction | The direction of the traffic to which this rule applies: •In—Packets entering an interface. •Out—Packets exiting an interface. |
| Java Applet Scanning (Enable Java Applet Scanner) | If you select Enable Java Applet Scanning, the device checks for the presence of Java applets in HTTP traffic coming from web servers to internal hosts. If a Java applet is present and the web server (applet source) is in the list of permitted sources, the Java applet is left unmodified in the HTTP traffic. Otherwise, the Java applets are removed from HTTP pages. |
| Permit Traffic, Applet Sources | The list of permitted or denied source addresses for Java applets. To configure a list of permitted or denied sources: •Select either Permit from Specified Sources or Deny from Specified Sources. If you want to create both a permit and deny list, create two separate web filter rules. If you do not configure a permit list, all sources are denied. •Enter the list of permitted or denied addresses in the Applet Sources field. The list can include host IP addresses, network addresses, address ranges, or network/host objects, but cannot include domain names. Separate multiple addresses with commas. For more information on entering addresses, see Specifying IP Addresses During Policy Definition, page 8-68. |
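The Applet Sources field accepts the same address forms as the Sources and Destinations fields of the PIX/FWSM/ASA web filter rule and the zone-based firewall rule dialog boxes (host, network with prefix or dotted mask, address range, discontiguous-mask pattern, network/host object). The following is an added example, not IOS or Security Manager code, that parses those forms into matchers and applies the applet permit/deny logic described above, including the rule that no permit list means every source is denied. The sample addresses, the dict standing in for network/host objects, and the function names are this example's own.

```python
"""Parser for the address forms the rule dialogs accept, applied to the Java
applet source check of the IOS web filter rule.

Added example, not IOS or Security Manager code. The accepted forms (host,
network with prefix or dotted mask, range, discontiguous-mask pattern,
network/host object) and the rule "no permit list means all sources are
denied" are as the page states; the sample addresses, the dict used to stand
in for network/host objects and the function names are this example's own.
"""
import ipaddress


def matcher(spec, objects=None):
    """Return a predicate (IPv4Address -> bool) for one address entry."""
    spec = spec.strip()
    objects = objects or {}
    if spec in objects:
        # Network/host object: any of its member entries (themselves any form).
        members = [matcher(m, objects) for m in objects[spec]]
        return lambda a: any(m(a) for m in members)
    if "-" in spec:
        # Range first-last, inclusive.
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        return lambda a: lo <= a <= hi
    if "/" in spec:
        try:
            # 10.10.10.0/24 or 10.10.10.0/255.255.255.0: a contiguous mask.
            net = ipaddress.IPv4Network(spec, strict=False)
            return lambda a: a in net
        except ValueError:
            # 10.10.0.10/255.255.0.255: discontiguous mask, so compare only
            # the bits that are set in the mask.
            base, mask = spec.split("/", 1)
            mask_int = int(ipaddress.IPv4Address(mask))
            pattern = int(ipaddress.IPv4Address(base)) & mask_int
            return lambda a: (int(a) & mask_int) == pattern
    host = ipaddress.IPv4Address(spec)
    return lambda a: a == host


def matches_any(address, field, objects=None):
    """True if address matches any comma-separated entry in a dialog field."""
    if not field.strip():
        return False
    addr = ipaddress.IPv4Address(address)
    return any(matcher(e, objects)(addr) for e in field.split(","))


def applet_allowed(source, permit_list="", deny_list="", objects=None):
    """Java applet source decision for one web server address.

    A source on the deny list is always stripped; otherwise the applet is
    left alone only when the source appears on a permit list. With no permit
    list configured, every source is denied (page: "If you do not configure
    a permit list, all sources are denied").
    """
    if matches_any(source, deny_list, objects):
        return False
    return matches_any(source, permit_list, objects)


# Constructed sample data (documentation address ranges).
OBJECTS = {"lab-servers": ["192.0.2.10", "192.0.2.20-192.0.2.30"]}
PERMIT = "lab-servers, 198.51.100.0/24, 203.0.113.5/255.255.0.255"
DENY = "198.51.100.99"

if __name__ == "__main__":
    for src in ("192.0.2.25", "192.0.2.31", "198.51.100.7", "198.51.100.99",
                "203.0.7.5", "203.0.7.6"):
        print(f"{src:15} applet allowed: {applet_allowed(src, PERMIT, DENY, OBJECTS)}")
```

The discontiguous pattern 203.0.113.5/255.255.0.255 is the entry to look at twice in a review: it matches 203.0.x.5 for every third octet, which is much wider than it reads.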
Use the IOS Web Filter Exclusive Domain Name dialog box to configure local web filtering rules for IOS devices. You can create a list of permitted or denied domain names or IP addresses. The device checks this list before forwarding web requests to your web filtering server.
Using local filtering saves the wait time for getting a response from the server when a user requests a web site that you know you will either always permit or always deny.
Navigation Path
To open this dialog box, select the Exclusive Domains tab on the Web Filter Rules Page (IOS), click Add Row to create a new rule, or select a row and click Edit Row to edit an existing rule.
Related Topics
•Configuring Web Filter Rules for IOS devices, page 11-56
•Understanding Web Filter Rules, page 11-54
•Working with Web Filter Rules, page 11-53
Field Reference
Zone-based firewall rules provide unidirectional application of firewall policies between groups of interfaces known as "zones." That is, interfaces are assigned to zones, and specific inspection policies are applied to traffic moving between zones in one direction or the other.
A zone defines a boundary where traffic is subjected to specific restrictions as it crosses into another region of your network. The default zone-based firewall policy between zones is deny all. Thus, if no policy is explicitly configured, all traffic between zones is blocked.
Note Zone-based firewall policies can be configured only on Cisco IOS and ASR devices.
The Zone Based Firewall Rules page displays a list of currently configured zone-based firewall rules, and lets you add, edit and delete rules.
Navigation Path
To access the Zone Based Firewall Rules page, do one of the following:
•(Device view) Select a device, then select Firewall > Zone Based Firewall Rules from the Device selector.
•(Policy view) Select Firewall > Zone Based Firewall Rules from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Policies > Zone Based Firewall Rules.
Related Topics
•Understanding the Zone-based Firewall Rules, page 11-62
•Zone Restrictions, page 11-63
•Adding Zone-Based Firewall Rules, page 11-67
Field Reference
Note Hatching (a series of slanted lines) across an entry in the table indicates that rule is currently disabled. (See Adding and Editing Zone-based Firewall Rules for information about enabling and disabling these rules.)
| Element | Description |
|---|---|
| No. | This number indicates the rule's position in the ordering of the list. You can use the Up Row and Down Row buttons to change the position of the selected rule. |
| Permit | Indicates whether the rule permits or denies traffic. •Permit—Shown as a green check mark. •Deny—Shown as a red circle with a slash. |
| Source | Identifies source networks and hosts for this rule. Networks/hosts can be provided as named objects, or as IP addresses. See Understanding Network/Host Objects, page 8-65 for more information. |
| Destination | Identifies destination networks and hosts for this rule. Networks and hosts can be provided as named objects, or as IP addresses. See Understanding Network/Host Objects, page 8-65 for more information. |
| Service | The services that define the types of traffic matched by this rule. Services are defined by objects that specify protocol and port information. See Understanding and Specifying Services and Service and Port List Objects, page 8-75 for more information. |
| From Zone | This rule applies only to traffic originating from this zone. |
| To Zone | This rule applies only to traffic destined for this zone. |
| Inspected Protocol | The protocol(s) on which the rule performs the chosen Action. |
| Action | Identifies how matched protocols are processed: •Drop—Matched traffic is silently dropped. The default action for all traffic. •Drop and Log—Matched traffic is logged and dropped. •Pass—The router forwards matched traffic from the source zone to the destination zone. •Pass and Log—Traffic is logged and forwarded. •Inspect—State-based traffic control; Inspect can provide application inspection and control for certain protocols, based on Port to Application Mapping (PAM). •Content Filter—HTTP content inspection based on a WebFilter parameter map, or a WebFilter policy map. Note The Log options generate system-log messages; you must ensure that syslog logging is configured to capture these messages. |
| Options | The Inspect Parameter map assigned to this rule; available only with Inspect and Content Filter actions. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
| Description | The description of this rule, if provided. A maximum of 1024 characters is allowed. |
| Tools button | Click this button to select tools that you can use with this type of policy. You can select from the following tools: •Query—To run policy queries, which can help you evaluate your rules and identify ineffective rules that you can delete. See Generating Policy Query Reports, page 11-12. |
| Find and Replace button (binoculars icon) | Searches for values in rules tables, such as IP addresses and policy object names, to facilitate locating and making changes to rules in tables. See Finding and Replacing Items in Rules Tables, page 11-6. |
| Up button | Moves the selected rule up one row in the table. |
| Down button | Moves the selected rule down one row in the table. |
| Add button | Opens the Add Zone-based Firewall Rule dialog box, where you can create a new rule. |
| Edit button | Used to edit the selected rule in the table; opens the Edit Zone-based Firewall Rule dialog box. |
| Delete button | Deletes the selected rule from the table. |
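The page makes three points about zone-based rules that determine whether a policy actually lets a conversation through: the default between zones is deny all, each rule covers one direction between a From Zone and a To Zone, and only the Inspect action keeps state (Pass does not recognize return traffic, so a reply needs its own rule). The following is an added example, not IOS code, that models those three behaviours for a handful of flows and counts the syslog messages the Log actions would produce. Zone names, flows, the rule and session shapes, and the log format are constructed for the example; a real zone-based firewall has further cases (the self zone, intra-zone traffic, per-protocol inspection through PAM) that this model leaves out.

```python
"""Model of zone-pair rule evaluation as described on the Zone Based Firewall
Rules page: default deny between zones, unidirectional rules, and the
difference between Pass (no return-traffic state) and Inspect (stateful).

Added example, not IOS code. Zone names, flows, the rule and session shapes
and the logging format are constructed for this example; a real zone-based
firewall has further cases (the self zone, intra-zone traffic, per-protocol
inspection via PAM) that this model leaves out.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    service: str   # "tcp/443" style, or "any"
    action: str    # drop, drop-and-log, pass, pass-and-log, inspect


@dataclass
class ZoneFirewall:
    rules: list
    sessions: set = field(default_factory=set)   # state created by Inspect
    syslog: list = field(default_factory=list)   # messages from the Log actions

    def evaluate(self, from_zone, to_zone, src, dst, service):
        """Return "pass" or "drop" for one flow between two zones."""
        # Return traffic of an inspected session is allowed by state, so no
        # rule in the reverse direction is needed for it.
        if (to_zone, from_zone, dst, src, service) in self.sessions:
            return "pass"
        for rule in self.rules:
            if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
                continue   # rules are unidirectional: the zone pair must match
            if rule.service not in ("any", service):
                continue
            if rule.action.endswith("-and-log"):
                self.syslog.append(
                    f"{rule.action}: {from_zone}->{to_zone} {src}->{dst} {service}")
            if rule.action == "inspect":
                self.sessions.add((from_zone, to_zone, src, dst, service))
                return "pass"
            return "pass" if rule.action.startswith("pass") else "drop"
        return "drop"   # default policy between zones: deny all


# Constructed rule set.
RULES = [
    Rule("inside", "outside", "tcp/443", "inspect"),
    Rule("inside", "dmz", "tcp/80", "pass"),
    Rule("inside", "outside", "tcp/23", "drop-and-log"),
]


def run_scenario():
    """Drive the model through the cases the page calls out; returns verdicts."""
    fw = ZoneFirewall(RULES)
    client, web = "10.1.1.10", "203.0.113.20"
    dmz_host, outside_host = "172.16.1.5", "198.51.100.9"
    return {
        "https_out": fw.evaluate("inside", "outside", client, web, "tcp/443"),
        # Reply to the inspected session: matched by state, not by a rule.
        "https_return": fw.evaluate("outside", "inside", web, client, "tcp/443"),
        "http_to_dmz": fw.evaluate("inside", "dmz", client, dmz_host, "tcp/80"),
        # Pass keeps no state: the reply hits the default deny.
        "http_dmz_return": fw.evaluate("dmz", "inside", dmz_host, client, "tcp/80"),
        "telnet_out": fw.evaluate("inside", "outside", client, web, "tcp/23"),
        # No rule for this zone pair at all.
        "dmz_to_outside": fw.evaluate("dmz", "outside", dmz_host, outside_host, "tcp/443"),
        "syslog_count": len(fw.syslog),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

The http_dmz_return case is the one that surprises people: a Pass rule forwards the request but the reply from the DMZ has no matching rule and no session, so it is dropped by the default policy, which is why the page recommends Pass only for traffic such as IPsec where the reverse direction is handled separately.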
Use the Add and Edit Zone based Firewall Rule dialog boxes to add and edit zone-based firewall rules on Cisco IOS and ASR devices.
Navigation Path
From the Zone-based Firewall Rules Page, click the Add Row button, or select a row and click the Edit Row button.
Related Topics
•Understanding the Zone-based Firewall Rules, page 11-62
•Configuring Settings for Zone Based Firewall Rules, page 11-70
•Adding Zone-Based Firewall Rules, page 11-67
Field Reference
| Element | Description |
|---|---|
| Enable Rule | When selected, the rule is enabled on the device after the configuration is generated and deployed. Deselect this option to disable the rule without deleting it. |
| Traffic section | Define the traffic flow to which this rule is applied. |
| Match | Choose whether to Permit or Deny matched traffic. |
| Sources, Destinations | Provide the source networks/hosts and destination networks/hosts for matching traffic. Each field allows multiple values separated by commas. You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. • Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects in the selection dialog box. • Host IP address; for example, 10.10.10.100. • Network address, including subnet mask, in either 10.10.10.0/24 or 10.10.10.0/255.255.255.0 format. • A range of IP addresses; for example, 10.10.10.100-10.10.10.200. • An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). |
| Services | Specify the services that define the type of traffic to be matched by this rule. You can enter any combination of service objects and service types (which are typically a protocol and port combination), separated by commas. If you type in a service, you are prompted as you type with valid values. You also can click Select to select services from a list. For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75. |
| From Zone, To Zone | Basic zone-based firewall rules are unidirectional; that is, they define a traffic flow that moves in only one direction between two zones. Enter or Select the zone from which traffic flows can originate for this rule, and enter or Select the zone to which traffic can flow. |
| Advanced button | Opens the Advanced Options dialog box where you can select time-range options. See Zone-based Firewall Rule: Advanced Options Dialog Box. |
| Action section | The action applied to traffic that matches this rule. Choose the desired Action: |
| Action: Drop, Drop and Log, Pass, Pass and Log | • Drop - Silently drops all packets for the specified Services. This is the default action for all traffic. • Drop and Log - Matched traffic is logged and dropped. • Pass - The router forwards matched packets from the source zone to the destination zone. Return traffic is not recognized, so you must specify additional rules for return traffic. This option is useful only for protocols such as IPsec-encrypted traffic. • Pass and Log - Traffic is logged and forwarded. For any of these Actions, you can select one or more protocols to be matched by clicking the Select button next to the Protocol table to open the Protocol Selector Dialog Box. However, this is not necessary; you can leave the Protocol table empty and pass or drop traffic based on the Sources, Destinations, and Services parameters. The Protocol Selector dialog box also provides access to the Configure Protocol Dialog Box, where you can edit the Port Application Mapping (PAM) parameters for the selected protocol. Note: The Log options generate system-log messages; you must ensure that syslog logging is configured to capture these messages. |
| Action: Inspect | Inspect provides state-based traffic control—the device maintains connection or session information for TCP and UDP traffic, meaning return traffic in reply to connection requests is permitted. Choose this option to apply packet inspection based on your selected Layer 4 (TCP, UDP) and Layer 7 (HTTP, IMAP, instant messaging, and peer-to-peer) protocols. You also can edit PAM settings for the selected protocols, and you can set up deep packet inspection (DPI) and provide additional protocol-related information for the Layer 7 protocols. See Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57 for more information. 1. You can select one or more protocols for inspection by clicking the Select button next to the Protocol table to open the Protocol Selector Dialog Box. 2. The Protocol Selector dialog box also provides access to the Configure Protocol Dialog Box, where you can create custom protocols, and edit the PAM and DPI parameters for the selected protocol. 3. Inspect Parameters - You can apply a customized set of connection, timeout, and other settings by entering the name of an Inspect Parameter map in this field, or you can click Select to select one from a list. You also can create new Inspect Parameter maps from the selection-list dialog box; see Add or Edit Inspect Parameter Map Dialog Boxes, page F-74 for more information. If you do not specify an Inspect Parameters map, the default settings are used. |
| Action: Content Filter | Content Filter provides URL filtering based on a supplied parameter or policy map. The router intercepts HTTP requests, performs protocol-related inspection, and optionally contacts a third-party server to determine whether the requests should be allowed or blocked. You can provide a WebFilter parameter map, which defines filtering based on local URL lists, as well as information from an external SmartFilter (previously N2H2) or Websense server. Alternatively, you can provide a WebFilter policy map that accesses Local, N2H2, Websense, or Trend Micro filtering data. 1. When Content Filter is the chosen Action, HTTP is the specified Protocol. You can click Configure to open the Configure Protocol Dialog Box, where you can edit the HTTP PAM settings, and apply an HTTP DPI map. 2. Select WebFilter Parameter Map, or WebFilter Policy Map, and supply the name of an appropriate map. You can click the appropriate Select button to select the map from a list; you also can create new maps from the selection-list dialog box. See Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59 for information about configuring these maps. 3. Inspect Parameters - You can apply a customized set of connection, timeout, and other settings by entering the name of an Inspect Parameter map in this field, or you can click Select to select one from a list. You also can create new Inspect Parameter maps from the selection-list dialog box; see Add or Edit Inspect Parameter Map Dialog Boxes, page F-74 for more information. If you do not specify an Inspect Parameters map, the default settings are used. |
| Description | (Optional) You can enter a description of up to 1024 characters to help you identify the rule when viewing the rules table. |
| Category | (Optional) You can assign a category to the rule, to help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
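The difference between the Pass and Inspect actions described above is easiest to see with a small model of a zone pair. The following is an added illustration, not Security Manager or IOS code: the zone names, rule set, addresses and ports are constructed. It applies the three behaviours the table states (rules are unidirectional, Drop is the default, Inspect keeps session state so the reply is admitted while Pass does not) to one request/reply pair.

```python
"""Model of how zone-based firewall rule actions treat return traffic.

Added illustration, not Security Manager or IOS code. It uses constructed
zones, rules and packets to show why a Pass rule needs an explicit rule for
the reply, while Inspect admits the reply from its session table.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    service: tuple   # (proto, destination port): the rule's Services entry
    action: str      # "drop", "pass" or "inspect"


@dataclass
class ZoneFirewall:
    rules: list
    sessions: set = field(default_factory=set)   # 5-tuples created by Inspect

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p):
        # Reply to an inspected session: admitted without consulting the rules.
        if self._reverse_key(p) in self.sessions:
            return "forward"
        # Rules are unidirectional: the zone pair must match in this direction.
        for r in self.rules:
            if (r.from_zone, r.to_zone) != (p.src_zone, p.dst_zone):
                continue
            if r.service != (p.proto, p.dport):
                continue
            if r.action == "inspect":
                self.sessions.add(self._key(p))
                return "forward"
            if r.action == "pass":
                return "forward"      # forwarded, but no state is kept
            return "drop"
        return "drop"   # no rule matched: Drop is the default action


def compare_pass_and_inspect():
    """Run the same request/reply pair through a Pass rule and an Inspect rule."""
    # Constructed sample flow: inside host to an outside HTTPS server.
    request = Packet("inside", "outside", "10.1.1.5", "203.0.113.9", "tcp", 40000, 443)
    reply = Packet("outside", "inside", "203.0.113.9", "10.1.1.5", "tcp", 443, 40000)
    results = {}
    for action in ("pass", "inspect"):
        fw = ZoneFirewall([Rule("inside", "outside", ("tcp", 443), action)])
        results[action] = (fw.handle(request), fw.handle(reply))
    return results


def pass_with_return_rule():
    """Pass works in both directions only if a second rule covers the reply zone pair."""
    # Constructed IKE (UDP/500) exchange, the kind of traffic Pass is meant for.
    request = Packet("inside", "outside", "10.1.1.5", "203.0.113.9", "udp", 500, 500)
    reply = Packet("outside", "inside", "203.0.113.9", "10.1.1.5", "udp", 500, 500)
    fw = ZoneFirewall([Rule("inside", "outside", ("udp", 500), "pass"),
                       Rule("outside", "inside", ("udp", 500), "pass")])
    return fw.handle(request), fw.handle(reply)


if __name__ == "__main__":
    print(compare_pass_and_inspect())   # {'pass': ('forward', 'drop'), 'inspect': ('forward', 'forward')}
    print(pass_with_return_rule())      # ('forward', 'forward')
```

The second function shows the cost of Pass: the reverse zone pair needs its own rule, which opens outside-to-inside UDP/500 for any host rather than only for replies to sessions the inside initiated. That is why the table recommends Pass only for traffic such as IPsec that inspection cannot track.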
Use the Zone-Based Firewall Rule Advanced Options dialog box to apply specific time-range information to a zone-based firewall rule.
Navigation Path
In the Traffic section of the Add or Edit Zone based Firewall Rule dialog box, click the Advanced button.
Related Topics
•Adding and Editing Zone-based Firewall Rules
•Understanding the Zone-based Firewall Rules, page 11-62
Field Reference
| Element | Description |
|---|---|
| Time Range | This feature lets you define time periods during which this zone-based firewall rule is active. If you do not specify a time range, the rule is immediately and always active. Enter the name of a time-range object, or click Select to choose one from a list in the Time Ranges Selector dialog box. You can create and edit time-range objects from this dialog box. See Creating Time Range Objects, page 8-92 for more information. |
| Options | This feature lets you apply a packet-fragment or an established-connection restriction to this zone-based firewall rule. Choose one of the following options: • None - No packet-fragment or established-connection restrictions are applied. • Fragment - If chosen, non-initial packet fragments are blocked. • Established - Permits return traffic only for connections already established. |
Use the Protocol Selector dialog box to specify one or more communication protocols as part of the definition of traffic for a zone-based firewall rule.
The Protocol Selector dialog box also provides access to the Configure Protocol dialog box, which you can use to create custom protocols and edit Port Application Mapping (PAM) parameters for existing protocols. The Configure Protocol dialog box is also where you select Deep Inspection policy maps, and Protocol Info parameter maps, for certain protocols. See Configure Protocol Dialog Box for more information.
Navigation Path
The Protocol Selector dialog box can be accessed from the Add and Edit Zone based Firewall Rule dialog boxes (described in Adding and Editing Zone-based Firewall Rules). In either dialog box, choose any Action except Content Filter and then click the Select button next to the Protocol table.
You can also open the Protocol Selector dialog box by right-clicking the Inspected Protocol column for any entry in the Zone Based Firewall Rules table, and then choosing Edit Protocols.
Related Topics
•Understanding the Zone-based Firewall Rules, page 11-62
•Adding and Editing Zone-based Firewall Rules
•Selecting Objects for Policies, page 8-2
•Configure Protocol Dialog Box
| Element | Description |
|---|---|
| Available Protocols | A list of protocols that can be selected for a zone-based firewall rule. |
| Selected Protocols | The list of protocols you have selected for this zone-based firewall rule. |
| >> button | Moves the highlighted protocols from the Available Protocols column to the Selected Protocols column. You can select multiple protocols using the standard Shift-click and Ctrl+click functions. |
| << button | Moves the highlighted protocols from the Selected Protocols column back to the Available Protocols column. You can select multiple protocols using the standard Shift-click and Ctrl+click functions. |
Packet inspection can be configured in zone-based firewall rules by the selection of specific protocol objects, which define Port Application Mapping (PAM) parameters (Layer 4 protocols and ports, and optionally specific networks and hosts). A Layer 7 (HTTP, IMAP, instant messaging, and peer-to-peer) protocol can also include a deep-packet inspection policy specific to that protocol. Refer to Adding and Editing Zone-based Firewall Rules for information about selecting protocols during zone-based firewall rule definition.
The Configure Protocol dialog box is used to edit existing protocol definitions, and to create custom definitions, for use with zone-based firewall rules. For example, if a protocol does not use its default ports for some or all networks, you can configure different port mappings.
Navigation Path
The Configure Protocol dialog box is accessed from the Protocol Selector Dialog Box, as follows:
•Click the Create (+) button below the Selected Protocols list to create a new protocol.
•Select a protocol in the Selected Protocols list, and click the Edit (pencil) button to edit that protocol.
Related Topics
•Understanding the Zone-based Firewall Rules, page 11-62
•Adding Zone-Based Firewall Rules, page 11-67
| Element | Description |
|---|---|
| Protocol Name | The name of the selected protocol. If you are creating a custom protocol, you can enter a name of up to 19 characters. Custom protocol names must begin with user-. |
| Enable Signature | This option is available only when editing the peer-to-peer (eDonkey, FastTrack, Gnutella, Kazaa2) protocols. Select this option to enable signature-based classification of peer-to-peer (P2P) packets. |
| Deep Inspection | This option is available only when editing the H.323, HTTP, IM (AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger), IMAP, P2P (eDonkey, FastTrack, Gnutella, Kazaa2), POP3, SIP, SMTP, and Sun RPC protocols, and only when Inspect is the chosen Action for the zone-based firewall rule. Enter or Select the name of the Inspect policy map to be used with the selected protocol. See Configuring Maps for Inspection in Zone-Based Firewall Rules Policies, page 8-57 for more information about these policy maps. |
| Protocol Info | This option is available only when editing the Instant Messaging (AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger) and the Stun-ice protocols. Enter or Select the name of the Protocol Info parameter map to be used with the selected protocol. These parameter maps define the DNS servers that interact with these applications, which helps the Instant Messaging (IM) application engine recognize the IM traffic and enforce the configured policy for that IM application. See Add or Edit Protocol Info Parameter Map Dialog Boxes, page F-76 for more information about these parameter maps. |
| PAM parameters | These options let you customize the Port Application Mapping (PAM) parameters for the selected protocol. |
| Protocol | Select the transport protocol(s) for this mapping: • TCP/UDP • TCP • UDP |
| Ports | Enter any combination of a single port number, multiple port numbers, or a range of ports (for example, 60000-60005). Separate multiple entries with commas. Do not specify a range that overlaps already mapped ports. |
| Networks | If this protocol/port mapping is only for specific networks or hosts, enter the names or IP addresses of the networks or hosts, or the names of the network/host objects. You can click Select to open the Networks/Hosts Selector. Separate multiple entries with commas. |
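The Ports field above warns against ranges that overlap ports already mapped, but the dialog box description does not say how to check for that. The following is an added example, not Security Manager's own validation code: it parses the documented port syntax (single ports, comma-separated lists, ranges such as 60000-60005) and reports any port a candidate mapping would share with an existing one. The existing mappings and the protocol names are constructed sample data.

```python
"""Checking a PAM port specification for overlaps with existing mappings.

Added example, not Security Manager's own validation. It parses the port
syntax described above (single ports, comma-separated lists, ranges such as
60000-60005) and reports any port already claimed by another mapping.
"""


def parse_ports(spec):
    """Turn '8080, 60000-60005' into a sorted list of (low, high) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        low_text, _, high_text = item.partition("-")
        low = int(low_text)
        high = int(high_text) if high_text else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port entry: {item!r}")
        ranges.append((low, high))
    return sorted(ranges)


def _overlap(a, b):
    """True when two (low, high) ranges share at least one port."""
    return a[0] <= b[1] and b[0] <= a[1]


def find_overlaps(existing, new_spec):
    """existing: {protocol name: port spec}. Returns (name, existing range, new range) triples."""
    conflicts = []
    new_ranges = parse_ports(new_spec)
    # A specification that overlaps itself is flagged against its own entries.
    for i, a in enumerate(new_ranges):
        for b in new_ranges[i + 1:]:
            if _overlap(a, b):
                conflicts.append(("(self)", a, b))
    for name, spec in existing.items():
        for old in parse_ports(spec):
            for new in new_ranges:
                if _overlap(old, new):
                    conflicts.append((name, old, new))
    return conflicts


# Constructed sample of mappings already configured on the device.
EXISTING_MAPPINGS = {"http": "80, 8080", "user-app1": "60000-60005"}

if __name__ == "__main__":
    print(find_overlaps(EXISTING_MAPPINGS, "60004-60010"))
    # [('user-app1', (60000, 60005), (60004, 60010))]
```

Run the check before saving a custom protocol; an empty list means the new mapping is disjoint from every existing one and from itself.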
There are several dialog boxes that are used by many of the firewall services rules policies. These dialog boxes are used when editing or viewing the contents of rules cells, as opposed to editing the entire rule. For detailed information about editing or viewing cell contents, see Editing Rules, page 11-5.
Use the Add or Edit Sources or Destinations dialog boxes to edit the source or destination entry in a firewall rules table that includes sources or destinations. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
You can enter any combination of the following address types to define the source or destination of the traffic. You can enter more than one value by separating the items with commas. For more information, see Specifying IP Addresses During Policy Definition, page 8-68.
•Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list.
•Host IP address, for example, 10.10.10.100.
•Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0.
•A range of IP addresses, for example, 10.10.10.100-10.10.10.200.
•An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65).
•Interface roles object. Enter the name of the object or click Select to select it from a list (you must select Interface Role as the object type). When you use an interface role, the rule behaves as if you supplied the IP address of the selected interface. This is useful for interfaces that get their address through DHCP, because you do not know what IP address will be assigned to the device. For more information, see Understanding Interface Role Objects, page 8-33.
If you select an interface role as a source, the dialog box displays tabs to differentiate between hosts or networks and interface roles.
Navigation Path
Do any of the following in a rules policy that includes sources or destinations:
•Right-click a Sources or Destinations cell in a rules table and select Edit Sources or Edit Destinations or a similar command. The data replaces the content of the selected cells.
•Select an entry in a Sources or Destinations cell and select Edit <Entry>. The data replaces the selected entry.
•Select multiple rules, right-click a Sources or Destination cell, and select Add Sources or Add Destinations. The data is appended to the data already in the cell.
Use the Edit Services dialog box to edit the services that define the type of traffic to act on. You can enter more than one value by separating the items with commas.
You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab. You can also click Select to select the service from a list, or to create a new service.
For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75.
For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
Navigation Path
Do any of the following in a rules policy that includes services:
•Right-click a Services cell in a rules table and select Edit Services. The data replaces the content of the selected cells.
•Select an entry in a Services cell and select Edit <Entry>. The data replaces the selected entry.
•Select multiple rules, right-click a Services cell, and select Add Services. The data is appended to the data already in the cell.
Tip For inspection rules, services appear in the Traffic Match column and only for rules where the traffic matches source, destination, and port.
Use the Add or Edit Interfaces (or Zones) dialog box to edit the interfaces or zones for which the rule is defined. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
•When editing interfaces, you can enter any combination of specific interface names or interface roles. You can enter more than one value by separating the items with commas. Enter the names or click Select to select the interfaces and roles from a list, or to create new roles. An interface must already be defined to appear on the list.
When you deploy the policy to the device, interface roles are replaced by actual interface names, and only to interfaces that are actually configured on the device. To see which interfaces will actually be selected by a rule, right-click the Interfaces cell and select Show Interfaces.
•When editing zones, you can select only one interface role, and you cannot select individual interfaces. The interface roles are used to create zones for zone based firewall rules. To see the interfaces that will belong to the zone, right-click the Zones cell and select Show Zone Contents.
For more information about interface roles and selecting interfaces, see the following topics:
•Understanding Interface Role Objects, page 8-33
•Specifying Interfaces During Policy Definition, page 8-35
Navigation Path
Do any of the following in a rules policy that includes interfaces or zones:
•Right-click an Interfaces or Zones cell in a rules table and select Edit Interfaces, Edit Zones, or similar command. The data replaces the content of the selected cells.
•Select an entry in an Interfaces cell and select Edit <Entry>. The data replaces the selected entry. You cannot edit an entry in a zone.
•Select multiple rules, right-click an Interfaces cell, and select Add Interfaces. The data is appended to the data already in the cell. You cannot add entries to a zone.
Use the Edit Category dialog box to change the category assigned to a rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
Navigation Path
Right-click a Category cell in a rules policy that includes categories and select Edit Category.
Use the Edit Description dialog box to edit the description of the rule. The description helps you identify the purpose of a rule and can be up to 1024 characters. For detailed information on editing firewall rules cells, see Editing Rules, page 11-5.
Navigation Path
Right-click a Description cell in a rules policy that includes descriptions and select Edit Description.
Use the Show Contents dialog boxes to display the actual, translated data defined in a source, destination, services, interfaces, zones, or other cell in a rules table that includes addresses, interfaces, services, or policy objects that define those things. The title of the dialog box indicates which cell or entry you are examining. Use this information to determine to which addresses, services, or interfaces the rule will actually apply when deployed to the device. For detailed information about editing or viewing cell contents, see Editing Rules, page 11-5.
What you see in the dialog box depends on the view you are in:
•Device View, Map View—You are shown the actual IP addresses, services, or interfaces to which the rule will apply for the specific device. For example, if the rule uses network/host objects, you will see the specific IP addresses defined by the objects. If the rule uses interface objects, you will see the specific interfaces defined on the device that the object identifies, if any.
–The IP addresses for network/host objects are sorted in ascending order on the IP address, and then descending order on the subnet mask.
–Service objects are sorted on protocol, source port, and destination port.
–Interface objects are listed in alphabetical order. If the interface is selected because it matches a pattern in an interface object, the pattern is listed first, and the matching interface is shown in parentheses. For example, "* (Ethernet1)" indicates that the Ethernet1 interface on the device is selected because it matches the * pattern (which matches all interfaces).
•Policy View—You are shown the patterns defined in the policy objects and entries defined for the policy. Entries are sorted alphabetically, with numbers and special characters coming first.
Navigation Path
Do any of the following in a rules policy that includes sources, destinations, services, interfaces, zones, or other fields that specify networks, interfaces, or services. You can also show contents when using tools that work with rules, such as importing rules.
•Right-click one of those cells and select Show <Attribute Type> Contents, where the attribute type is the name of the cell. The data includes all entries defined in the cell.
•Right-click an entry in one of those cells and select Show <Entry> Contents, where the name of the selected entry is included in the command name. The data displayed is only for the selected entry.
Tip For inspection rules, services appear in the Traffic Match column and only for rules where the traffic matches source, destination, and port.
Firewall settings policies relate directly to the similarly named rules policies and provide additional options for configuring the behavior of those rules policies.
This section contains the following topics:
•AAA Firewall Page, Advanced Setting Tab
•AAA Firewall Page, MAC-Exempt List Tab
Use the Access Control Settings page to configure settings to use in conjunction with your access rules policy. You can control some performance and logging features, and configure ACL names for individual interfaces.
Tip Many of these settings apply only to specific device types or software versions. If you configure an option and apply the policy to unsupported device types, the option is ignored for those unsupported devices.
Navigation Path
To access the Access Control Page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > Access Control from the Device selector.
•(Policy view) Select Firewall > Settings > Access Control from the Policy selector. Create a new policy or select an existing policy.
•(Map view) Right-click a device and select Edit Firewall Settings > Access Control.
Related Topics
•Configuring Settings for Access Control, page 11-23
•Understanding Access Rules, page 11-17
•Understanding Device Specific Access Rule Behavior, page 11-19
•Understanding Access Rule Address Requirements and How Rules Are Deployed, page 11-19
•Understanding Interface Role Objects, page 8-33
Field Reference
| Element | Description |
|---|---|
| Maximum number of concurrent flows (PIX, ASA, FWSM) | The maximum number of concurrent deny flows that the device is allowed to create. Syslog message 106101 is generated when the device reaches this number. The range you should use depends on the amount of flash memory available in the device: • More than 64 MB—Values are 1-4096. The default is 4096. • More than 16 MB—Values are 1-1024. The default is 1024. • Less than or equal to 16 MB—Values are 1-256. The default is 256. |
| Syslog interval (PIX, ASA, FWSM) | The interval of time for generating syslog message 106101, which alerts you that the security appliance has reached a deny flow maximum. When the deny flow maximum is reached, another 106101 message is generated if the specified number of seconds has passed since the last 106101 message. Values are 1 to 3600 milliseconds. The default is 300. |
| Enable Access List Compilation (Global) | Whether to compile access lists, which speeds up the processing of large rules tables and optimizes your policy rules and performance for all ACLs. Compilation is supported on a limited number of older platforms: • Routers (global configuration only): 7120, 7140, 7200, 7304, and 7500. • PIX 6.3 firewalls, in global mode or per interface. An ACL is compiled only if the number of access list elements is greater than or equal to 19. The maximum recommended number of entries is 16,000. To compile access lists, the device must have a minimum of 2.1 MB of memory. Access list compilation is also known as Turbo ACL. |
| Interfaces table | The table lists the interfaces for which you want to configure special processing. The interface name can be a specific interface or an interface role (which can apply settings to more than one interface at a time). The main use of this table is to configure names for ACLs if you do not want Security Manager to configure system-generated names. The name applies to the ACL generated for an interface in a specific direction. You can also configure interface-level settings for object group search, per-user downloadable ACLs, and ACL compilation. • To add an interface setting, click the Add button and fill in the Firewall ACL Setting Dialog Box. • To edit an interface setting, select it and click the Edit button. • To delete an interface setting, select it and click the Delete button. |
Use the Firewall ACL Setting dialog box to configure settings for specific interfaces or interface roles for use with access rules policies.
Navigation Path
Go to the Access Control Settings Page and click the Add Row button below the interface table, or select a row in the table and click the Edit Row button.
Related Topics
•Configuring Settings for Access Control, page 11-23
•Understanding Access Rules, page 11-17
•Understanding Device Specific Access Rule Behavior, page 11-19
•Understanding Access Rule Address Requirements and How Rules Are Deployed, page 11-19
•Understanding Interface Role Objects, page 8-33
Field Reference
Use the Inspection settings page to configure options that work with inspection rules on IOS devices. Many of these settings are used for helping to prevent or mitigate Denial of Service (DoS) attacks. The default settings for most of these options are appropriate for most networks, so configure this policy only if you need to adjust one or more settings.
Navigation Path
To open the Inspection settings page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > Inspection from the Device selector.
•(Policy view) Select Firewall > Settings > Inspection from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Settings > Inspection.
Related Topics
•Understanding Inspection Rules, page 11-33
•Working with Inspection Rules, page 11-32
Field Reference
Use the Settings for AAA Firewalls to define HTTPS, proxy, and MAC settings for PIX 6.3, ASA/PIX 7.x and FWSM 3.2 devices.
Navigation Path
To access the AAA Firewall settings page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > AAA Firewall from the Device selector, then select the Advanced Setting tab.
•(Policy view) Select Firewall > Settings > AAA Firewall from the Policy selector. Create a new policy or select an existing one, then select the Advanced Setting tab.
•(Map view) Right-click a device and select Edit Firewall Settings > AAA Firewall, then select the Advanced Setting tab.
Related Topics
•Configuring Settings for AAA Firewall (PIX/ASA/FWSM), page 11-43
•Working with AAA Rules, page 11-40
Field Reference
Use the Interactive Authentication Configuration dialog box to configure listening ports to authenticate network users. When you enable a listening port, the security appliance serves an authentication page for direct connections and/or for through traffic.
Navigation Path
Go to the AAA Firewall Page, Advanced Setting Tab and click the Add Row button beneath the Interactive Authentication table, or select an item in the table and click the Edit Row button.
Related Topics
•Working with AAA Rules, page 11-40
Field Reference
Use the Clear Connection Configuration dialog box to define when connections from a given interface and source are cleared after the uauth timer expires.
Navigation Path
Go to the AAA Firewall Page, Advanced Setting Tab and click the Add Row button beneath the Clear Connections When Uauth Timer Expires table, or select an item in the table and click the Edit Row button.
Related Topics
•Working with AAA Rules, page 11-40
Field Reference
| Element | Description |
|---|---|
| Interface | Identifies the logical name of the interface (interface role) or physical interface to which a rule is assigned. See Understanding Interface Role Objects, page 8-33. For example: • All DMZs • All FastEthernets • All Interfaces • FastEthernet0 Enter the information in the field provided or click Select, which opens the Interface Selector dialog box from which to make your selection. You can also create an interface role by clicking the Create button in the Interface Selector dialog box. Note: Interface roles are objects that are used to help you configure firewall rules. The objects are replaced with the actual interface names when the configuration is generated for each device. |
| Source IP Address/Netmask | Identifies the network object names or addresses of hosts and networks. Multiple entries are separated by commas. Accepted formats are: • a.b.c.d where a,b,c,d = 0-255 (host) • a.b.c.d/e where a,b,c,d = 0-255 and e = 1-32 (subnet) • a.b.c.d-e.f.g.h where a,b,c,d,e,f,g,h = 0-255 (range)* • a.b.c.d/e where e = subnet in x.x.x.x format** • Freeform text that is the name of a network object. *IP address ranges can span more than one subnet. **For information on how network masks are handled, see Contiguous and Discontiguous Network Masks, page 8-65. Enter the addresses or names in the field provided, or click Select, which opens the Object Selector dialog box from which to make your selections. You can also create an object by clicking the Create button in the Object Selector dialog box. Note: If you manually enter 0.0.0.0/0 for the source, it automatically matches the "any" predefined object. |
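The address formats listed for this field, for the Add or Edit Sources or Destinations dialog box, and for the Sources and Destinations fields of the zone-based firewall rule dialog box are the same set: host, prefix length, dotted mask, range, discontiguous-mask pattern, and the name of a network/host object. The following is an added example, not the product's own parser, showing how each form is matched against an address. The `OBJECTS` dictionary is a constructed stand-in for the object list; real objects are resolved by Security Manager at deployment. The discontiguous-mask case is the one to study: the mask decides which bits must agree, so 10.10.0.10/255.255.0.255 matches any host whose last octet is 10 in any 10.10.x.0/24 subnet.

```python
"""Matching an address against the entry formats accepted in Sources,
Destinations and Source IP Address/Netmask fields.

Added example, not the product's own parser. It accepts the host, prefix-length,
dotted-mask, range and discontiguous-mask forms listed above, resolves
network/host object names through a constructed dictionary, and treats
0.0.0.0/0 as matching any address.
"""
import ipaddress


def _ip(text):
    """IPv4 dotted quad -> integer."""
    return int(ipaddress.IPv4Address(text.strip()))


def parse_entry(text, objects=None):
    """Return a predicate int_ip -> bool for one comma-separated entry."""
    text = text.strip()
    objects = objects or {}
    if not text[0].isdigit():
        # Freeform text is the name of a network/host object (constructed lookup).
        if text not in objects:
            raise KeyError(f"unknown network/host object: {text!r}")
        members = [parse_entry(e, objects) for e in objects[text]]
        return lambda ip: any(m(ip) for m in members)
    if "-" in text:
        # a.b.c.d-e.f.g.h: a range, which may span more than one subnet.
        low, high = (_ip(p) for p in text.split("-", 1))
        return lambda ip: low <= ip <= high
    if "/" in text:
        addr, mask = text.split("/", 1)
        if "." in mask:
            # Dotted mask; bits may be discontiguous (255.255.0.255).
            m = _ip(mask)
        else:
            # Prefix length; /0 yields a zero mask, i.e. "any".
            m = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
        base = _ip(addr) & m
        return lambda ip: (ip & m) == base
    host = _ip(text)
    return lambda ip: ip == host


def matches(field_text, ip_text, objects=None):
    """True if the address matches any entry in a comma-separated field value."""
    ip = _ip(ip_text)
    entries = [e for e in field_text.split(",") if e.strip()]
    return any(parse_entry(e, objects)(ip) for e in entries)


# Constructed objects, as they might be selected from the object list.
OBJECTS = {"dmz-web": ["192.0.2.10", "192.0.2.20-192.0.2.30"]}

if __name__ == "__main__":
    print(matches("10.10.0.10/255.255.0.255", "10.10.7.10"))        # True: third octet is unmasked
    print(matches("10.10.0.10/255.255.0.255", "10.10.7.11"))        # False: last octet must be 10
    print(matches("dmz-web, 10.1.1.0/24", "192.0.2.25", OBJECTS))   # True via the range in the object
```

A useful habit when reviewing a rule is to run the addresses you expect to be covered, and a few you expect to be excluded, through the field value exactly as entered; the Show Contents dialog box gives the deployed view, and this check gives the same answer offline.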
Use the MAC Exempt List tab of the AAA Firewall settings policy to identify hosts that should be exempt from authentication and authorization for ASA, PIX, and FWSM 3.x devices. For example, if the security appliance authenticates TCP traffic originating on a particular network but you want to allow unauthenticated TCP connections from a specific server, create a rule permitting traffic from the MAC address of the server.
You can use masks to create rules for groups of MAC addresses. For example, if you want to exempt all Cisco IP phones whose MAC addresses start with 0003.e3, create a permit rule for 0003.e300.0000 with the mask ffff.ff00.0000. (An f in a mask exactly matches the corresponding number in the address, whereas a 0 matches anything.)
Deny rules are necessary only if you are permitting a group of MAC addresses but there are some addresses within the permitted group that you want to require to use authentication and authorization. Deny rules do not prohibit traffic; they simply require the host to go through normal authentication and authorization. For example, if you want to allow all hosts with MAC addresses that start with 00a0.c95d, but you want to force 00a0.c95d.0282 to use authentication and authorization, enter these rules in order:
1. Deny 00a0.c95d.0282 ffff.ffff.ffff
2. Permit 00a0.c95d.0000 ffff.ffff.0000
When you deploy the policy to the device, these entries are configured using the mac-list and aaa mac-exempt commands.
Tip The MAC exempt list is processed on a first match basis. Thus, the order of entries matters. If you want to permit a group of MAC addresses, but deny a subset of them, the deny rule must come before the permit rule. However, Security Manager does not allow you to order MAC exempt rules: they are implemented in the order shown. If you sort the table, your policy changes. If your entries do not depend on each other, this does not matter. Otherwise, ensure that you enter rows in the proper order.
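Because the device uses the first matching entry and Security Manager keeps the rows in the order shown, the ordering hazard in the Tip is worth checking mechanically before deployment. The following is an added example, not Security Manager code: it evaluates a MAC exempt list with first-match semantics using the dotted-hex address and mask form from this page (an f nibble must match, a 0 nibble matches anything), and flags any entry that an earlier, broader entry makes unreachable. The `render_mac_list` helper assumes the ASA/PIX `mac-list <name> {permit | deny} <address> <mask>` command syntax; the list name `exempt-list` is a constructed placeholder.

```python
"""First-match evaluation of a MAC exempt list, with a shadowing check.

Added example, not Security Manager code. Entries are (action, address, mask)
in the dotted-hex form used above: an f nibble in the mask must match the
address, a 0 nibble matches anything. render_mac_list assumes the ASA/PIX
'mac-list <name> {permit | deny} <address> <mask>' command syntax.
"""


def _hex(mac):
    """'00a0.c95d.0282' -> 0x00a0c95d0282 (colon-separated form accepted too)."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def mac_matches(mac, address, mask):
    m = _hex(mask)
    return (_hex(mac) & m) == (_hex(address) & m)


def evaluate(mac_list, mac):
    """'exempt', 'authenticate' or 'no-match' from the first matching entry."""
    for action, address, mask in mac_list:
        if mac_matches(mac, address, mask):
            return "exempt" if action == "permit" else "authenticate"
    return "no-match"   # not listed: normal AAA rules apply


def shadowed_entries(mac_list):
    """Indices of entries that can never match because an earlier entry covers them."""
    shadowed = []
    for i, (_, addr, mask) in enumerate(mac_list):
        for _, e_addr, e_mask in mac_list[:i]:
            em = _hex(e_mask)
            # Earlier entry fixes no more bits than this one, and agrees on those bits.
            if (em & _hex(mask)) == em and mac_matches(addr, e_addr, e_mask):
                shadowed.append(i)
                break
    return shadowed


def render_mac_list(name, mac_list):
    return [f"mac-list {name} {action} {addr} {mask}" for action, addr, mask in mac_list]


# The page's example, entered in the documented order: deny the one host first.
CORRECT_ORDER = [("deny", "00a0.c95d.0282", "ffff.ffff.ffff"),
                 ("permit", "00a0.c95d.0000", "ffff.ffff.0000")]
# The same entries after sorting the table: the deny rule is now unreachable.
SORTED_ORDER = list(reversed(CORRECT_ORDER))

if __name__ == "__main__":
    print(evaluate(CORRECT_ORDER, "00a0.c95d.0282"))   # authenticate
    print(evaluate(SORTED_ORDER, "00a0.c95d.0282"))    # exempt (the deny never fires)
    print(shadowed_entries(SORTED_ORDER))              # [1]
    for line in render_mac_list("exempt-list", CORRECT_ORDER):
        print(line)
```

A non-empty result from `shadowed_entries` means a row can never take effect; in the sorted case it is the deny row, so the host you meant to force through authentication is silently exempted along with the rest of its group.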
Navigation Path
To access the MAC Exempt List tab, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > AAA Firewall. Select the MAC-Exempt List tab.
•(Policy view) Select Firewall > Settings > AAA Firewall from the Policy selector. Select the MAC-Exempt List tab.
•(Map view) Right-click a device and select Edit Firewall Settings > AAA Firewall, then select the MAC-Exempt List tab.
Related Topics
•Configuring Settings for AAA Firewall (PIX/ASA/FWSM), page 11-43
Field Reference
| Element | Description |
|---|---|
| MAC-Exempt List Name | The name of the MAC exempt list. |
| MAC Exempt List table | The MAC exempt rules that you want to implement. The table shows the MAC addresses and masks (in hexadecimal) and whether you are permitting them (exempting them from authentication and authorization) or denying them (making them go through standard authentication and authorization). The device processes the entries in order and uses the first match (not the best match). •To add an exemption rule, click the Add Row button and fill in the Firewall AAA MAC Exempt Setting Dialog Box. •To edit an exemption rule, select it and click the Edit Row button. •To delete an exemption rule, select it and click the Delete Row button. |
Use the Firewall AAA MAC Exempt Setting dialog box to add and edit exemption entries in the MAC Exempt List table. The security appliance skips authentication and authorization for hosts associated with permitted MAC addresses.
Navigation Path
Go to the AAA Firewall Page, MAC-Exempt List Tab and click the Add Row button beneath the MAC Exempt List table, or select an item in the table and click the Edit Row button.
Related Topics
•Configuring Settings for AAA Firewall (PIX/ASA/FWSM), page 11-43
Field Reference
The AuthProxy page for IOS devices is divided into two sections:
Navigation Path
To access the AuthProxy page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > AuthProxy from the Device selector.
•(Policy view) Select Firewall > Settings > AuthProxy from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Settings > AuthProxy.
Related Topics
•Configuring Settings for AAA (IOS), page 11-44
Navigation Path
To access the AuthProxy General page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > AuthProxy from the Device selector.
•(Policy view) Select Firewall > Settings > AuthProxy from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Settings > AuthProxy.
Related Topics
•Configuring Settings for AAA (IOS), page 11-44
Field Reference
Navigation Path
To access the AuthProxy Timeout page for IOS devices, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > AuthProxy from the Device selector.
•(Policy view) Select Firewall > Settings > AuthProxy from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Settings > AuthProxy.
Related Topics
•Configuring Settings for AAA (IOS), page 11-44
Field Reference
Use the Firewall AAA IOS Timeout Value Setting dialog box to set inactivity and cache time, absolute time, and authentication proxy methods for interfaces on IOS devices.
Navigation Path
To access the Firewall AAA IOS Timeout Value Setting dialog box for IOS devices, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > AuthProxy from the Device selector. Click the Timeout tab. Right-click inside the table, then click Add Row or Edit Row.
•(Policy view) Select Firewall > Settings > AuthProxy from the Policy selector. Click the Timeout tab. Right-click inside the table, then click Add Row or Edit Row.
Related Topics
•Configuring Settings for AAA (IOS), page 11-44
Field Reference
Use the Web Filter settings page to configure the web filter servers and other settings to use with your web filter rules policy.
You must install and configure the web filter servers as directed by the documentation for the server before configuring and deploying this policy. Security Manager cannot confirm that the servers exist or that they are configured correctly.
Tip These settings work only with the web filter rules policy. The web servers you configure here are not used with zone based firewall rules policies that configure web content filtering.
Navigation Path
To access the Web Filter settings page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > Web Filter from the Device selector.
•(Policy view) Select Firewall > Settings > Web Filter from the Policy selector.
•(Map view) Right-click a device and select Edit Firewall Settings > Web Filter.
Related Topics
•Configuring Settings for Web Filter Servers, page 11-57
•Adding Web Filter Rules (PIX/ASA), page 11-54
•Configuring Web Filter Rules for IOS devices, page 11-56
Field Reference
| Element | Description |
|---|---|
| Web Filter Server Type | The type of web filter server you are using: •None—You are not using web filter servers. •Websense—You use Websense servers. •Secure Computing SmartFilter/N2H2—You use Smartfilter servers. If you select this option, you can specify the server port to use for communication in the Port field. |
| Web Filter Servers table | The servers that the device should use for web filtering. Enter the servers in priority order; the device uses the first one in the list until it fails to respond, and moves to the next server in the list until it receives a response. If you select None for filter type, this list is ignored. •To add a server, click the Add Row button and fill in the Web Filter Server Configuration Dialog Box. •To edit a server, select it and click the Edit Row button. •To delete a server, select it and click the Delete Row button. |
| Allow Traffic when Servers Unreachable | Whether the device should allow web traffic if the web filter servers are not responding. If you do not select this option, all web access is prevented until the servers come back online. If you allow web traffic when the servers are down, the web requests are not filtered and access to all web servers is allowed. |
| Enable Alerts | Whether to generate stateful packet inspection alert messages on the console. |
| Enable Audit Trail | Whether audit trail messages are logged to the syslog server or router. |
| Enable Web Filter Server Logging | Whether to send system messages to the URL filtering server for logging. The device sends a log request immediately after the URL lookup request. The log request contains the URL, hostname, source IP address, and the destination IP address. The server records the log request into its own log server so you can view this information as necessary. |
| Cache Size | The maximum number of destination IP addresses (and their authorization status) that can be cached in the device. The default value is 5000. When the cache reaches 80% full, the device starts removing older inactive entries. |
| Maximum Requests | The maximum number of outstanding requests that can exist at any given time. If the specified number is exceeded, new requests are dropped. The default is 1000. |
| Packet Buffer | The maximum number of HTTP responses that can be stored in the packet buffer of the device while it waits for the web filter server to allow or deny the request. The device drops responses when the maximum is reached. The default (and maximum) value is 200. When users make web requests, the device simultaneously sends the request to the web site and to the web filtering server. If the response from the web site is received before the server provides a permit or deny response, the device keeps the request in the packet buffer until it gets a response from the server. The response is removed from the buffer when the server responds or if the device determines that the server is unavailable and you also selected Allow Traffic when Servers Unreachable. |
| Cache Match Criteria | How to cache web requests: •Source and Destination—Cache entries are based on both the address initiating the request and the destination web address. Select this mode if users do not share the same filtering policy on the filtering server. •Destination—Cache entries are based on the destination web address. Select this mode if all users share the same filtering policy on the filtering server. |
| URL Buffer Memory (ASA 7.2+, PIX 7.2+ only.) | The size of the URL buffer memory pool in KB. Values are 2 to 10240. |
| Maximum Allowed URL Size (ASA 7.2+, PIX 7.2+ only.) | The maximum allowed URL size in KB for each URL being buffered. The possible values differ depending on server type: •Websense—From 2 to 4. •Smartfilter (N2H2)—2 or 3. |
| Cache Size | The size of the cache, in KB, for storing responses from the filtering server. Values are 1 to 128. Caching stores URL access privileges in memory on the security appliance. When a host requests a connection, the security appliance first looks in the URL cache for matching access privileges instead of forwarding the request to the Websense server. |
| URL Block Buffer Limit | The size of the buffer for storing web server responses while waiting for a filtering decision from the filtering server. The values are 1 to 128, which specifies the number of 1550-byte blocks. |
Use the Web Filter Server Configuration dialog box to configure the external web filter servers you want to use with your Web Filter Rules policies. You can configure Websense or Smartfilter (N2H2) servers.
Navigation Path
From the Web Filter Settings Page, click Add Row beneath the Web Filter Servers table, or select a row and click Edit Row.
Related Topics
•Configuring Settings for Web Filter Servers, page 11-57
•Understanding Web Filter Rules, page 11-54
•Working with Web Filter Rules, page 11-53
Field Reference
Use the Zone Based Firewall page to configure and identify unreferenced zones, specify a VPN zone, enable or disable WAAS support, maintain Trend Micro server and certificate information, and specify global Log settings on supported ASR devices.
The following tabs are described in the table on this page:
•Zones
•VPN
•WAAS
•Global Parameters (ASR)
The Content Filtering tab is detailed in Zone Based Firewall Page - Content Filter Tab.
Navigation Path
To access the Zone Based Firewall page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > Zone Based Firewall from the Device selector.
•(Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy selector.
•(Map view) Right-click a device and choose Edit Firewall Settings > Zone Based Firewall.
Related Topics
•Configuring Settings for Zone Based Firewall Rules, page 11-70
•Understanding the Zone-based Firewall Rules, page 11-62
•Adding Zone-Based Firewall Rules, page 11-67
Field Reference
| Element | Description |
|---|---|
| Zones tab | This tab displays the Zones table, which lists unreferenced zones; that is, zones without any associated interfaces, rules or policies. Unreferenced zones are usually found and listed during device discovery, but you also can create named, "empty" zones here. The Zones table lists the following information for each unreferenced zone: •Zone - The name of the Zone/Interface Role. •Content - Any interfaces assigned to the zone. •Description - Any user-provided comments about the zone. To add a zone to this table, click the Add Row button and provide a Zone name in the Zone dialog box. |
| VPN tab | This tab presents the VPN Zone field; a zone entry in this field ensures that dynamic VPN traffic can be processed by the zone-based firewall rules on this router. See Using VPNs with Zone-based Firewall Policies, page 11-65 for more information about this zone. Enter or Select the zone through which VPN traffic will pass. |
| WAAS tab | This tab presents the Enable WAAS check box. Select this option to enable Wide Area Application Services interoperability. If this option is not enabled, packets being optimized by a WAAS device may be dropped because WAAS increases the TCP packet sequence number during the TCP handshake. This behavior may be viewed as a possible attack by the IOS device. |
| Content Filtering tab | This tab displays server settings and certificate links for Trend Micro-based content filtering. For more information, see Zone Based Firewall Page - Content Filter Tab. |
| Global Parameters (ASR) tab | This tab displays global, logging-related settings specific to ASR devices. Configure these settings as follows: •Log Dropped Packets - Select this option to log all packets dropped by the device; syslog logging must be enabled to view the information. •Log Flow export timeout rate - NetFlow logs are created after a flow either expires or is timed out, and it is important to put a time limit on how long a flow can be active before expiring. This value is the maximum number of minutes a flow can remain active before it is expired. The value can be any integer from 1 to 3600; the default is 30. •Log Flow export destination IP - The IP address or host name of the NetFlow collector to which flow data is to be sent. •Log Flow export destination port - The UDP port monitored by the NetFlow collector for flow data. |
To use Trend Micro-based content filtering, you must configure contact information for the Trend Micro server on this tab of the Zone Based Firewall page. This tab also provides links to Trend Micro registration and certificate download. You must have an active subscription with Trend Micro to utilize this form of content filtering, and you must download and install a valid subscription certificate on this IOS device.
Navigation Path
To access the Zone Based Firewall page, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > Zone Based Firewall from the Device selector.
•(Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy selector.
•(Map view) Right-click a device and choose Edit Firewall Settings > Zone Based Firewall.
Related Topics
•Zone-based Firewall Rules Page
•Configuring Maps for Content Filtering in Zone-Based Firewall Rules Policies, page 8-59
•Understanding the Zone-based Firewall Rules, page 11-62
•Adding Zone-Based Firewall Rules, page 11-67
Field Reference
Use the Add and Edit Zone dialog boxes to add and edit unreferenced zones.
Navigation Path
To access the Add and Edit Zone dialog boxes, do one of the following:
•(Device view) Select a device, then select Firewall > Settings > Zone Based Firewall from the Device selector. Right-click inside the Zones table, then select Add Row, or right-click a line item, then select Edit Row.
•(Policy view) Select Firewall > Settings > Zone Based Firewall from the Policy selector. Right-click inside the table, then select Add Row, or right-click a line item, then select Edit Row.
•(Map view) Right-click a device and select Edit Firewall Policies > Settings > Zone Based Firewall Rules.
Enter a zone name in the Zone field, or click Select to choose one from the Interfaces Selector dialog box.
Related Topics
•Understanding the Zone-based Firewall Rules, page 11-62
•Configuring Settings for Zone Based Firewall Rules, page 11-70
Use the Add and Edit Rule Section dialog boxes to add or edit a user-defined section heading in a rules table.
Navigation Path
Do one of the following:
•Select one or more rules in a rules table, right-click and select Include in New Section.
•Right-click a section heading and select Edit Section.
Related Topics
•Using Sections to Organize Rules Tables, page 11-8
•Using Rules Tables, page 11-3
Field Reference
| Element | Description |
|---|---|
| Name | The name of the section. |
| Description | A description for the section, up to 1024 characters. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
Use the Find and Replace dialog box to locate and optionally replace items in rule table cells. The types of items you can search for differ based on the policy you are viewing.
Navigation Path
Click the Find and Replace (binoculars icon) button at the bottom of any policy that uses rules tables. In the Firewall folder, this includes AAA rules, access rules, inspection rules, zone based firewall rules, and web filter rules (for ASA/PIX/FWSM devices only). For ASA/PIX/FWSM devices, it also includes the NAT translation rules policy (but not for every combination of context and operational mode) and the IOS, QoS, and connection rules platform service policy.
Related Topics
•Finding and Replacing Items in Rules Tables, page 11-6
Field Reference
Use the Rule Analysis Results page to view an analysis of the rules in an access rules policy. The results show rules that overlap or conflict with other rules. Use this information to identify rules that need to be deleted, moved, or edited.
The type of overlap can be one of the following. The specifics are displayed in the lower right pane when you select an overlapping rule in the upper right pane.
•Redundant Base Rule—Although not identical to the overlapping rule, the rules apply the same action to the same type of traffic, and removing the base rule would not change the ultimate result. For example, the base rule might prohibit a service during a specific time range, but the overlapping rule prohibits the service at all times. Another example is where the overlapping rule might allow any source, whereas the base rule specifies a particular network.
•Redundant Overlapping Rule—This is the reverse of a redundant base rule. In this case, the base rule will match the same traffic as the overlapping rule, meaning the overlapping rule will never be applied to any traffic (because it comes later in the access list). You can delete the overlapping rule.
•Conflicting Rule—The base rule and the overlapping rule specify different actions for traffic. It might not always be apparent that the rules specify different policies. However, because the base rule comes before the overlapping rule, it is the base rule that will decide what happens to the traffic. You might need to move the overlapping rules, or edit the base or overlapping rules, to implement your desired policy.
For example, the base rule might deny IP traffic, and the overlapping rule might permit FTP traffic, for a given source or destination.
•Duplicate Rule—The base rule and the overlapping rule are identical. You can delete one of them.
Navigation Path
From the Access Rules Page, click the Tools button and select Analysis.
Related Topics
•Generating Analysis Reports, page 11-24
Field Reference
| Element | Description |
|---|---|
| Base Rules (Left pane.) | Lists conflicting groups of rules identified by the base rule, which is the rule with the lowest rule number. |
| Conflict Overview (Top right pane.) | The top right pane shows the base rule selected in the left pane and the rules that overlap, or conflict, with it. The scope indicates whether the rule is local to a device or inherited from a shared rule (mandatory or default). The other columns are the same as the regular access rule attributes (see Access Rules Page). Select an overlapping rule in this pane to view a detailed comparison in the lower right pane. |
| Overlap Details (Lower right pane.) | The lower right pane displays the base rule and the selected overlap rule for easier direct comparison. Conflicting elements are shown in bold text. The types of overlap are explained above. Use the previous and next buttons to page through the details if necessary. |
Use the Import Rules wizard to import a set of access control entries from an ACL in device running-configuration format to your access rules policy. The command syntax you can enter is controlled by the type of device to which you are importing rules.
Besides access control rules, you should also include the CLI for the following items if they are referred to by the rules:
•Time range objects (the time-range command with its subcommands).
•Object groups for PIX, ASA, and FWSM devices only (the object-group command with its subcommands).
Navigation Path
(Device view only) Click the Tools button and select Import Rules from the Access Rules Page.
Related Topics
•Understanding Interface Role Objects, page 8-33
Field Reference
| Element | Description |
|---|---|
| CLI | The OS commands that define the rules and related objects that you want to import. These rules must be in running-configuration format, so they are best copied and pasted from a configuration (use Ctrl+V to paste into the field). You can also type in the commands; you will be prompted if they cannot be interpreted. You can import only one ACL at a time. To see some examples of the CLI you can import, see Examples of Imported Rules, page 11-29. Tips •If you refer to an object but do not include the CLI, the rule might be created but it will not use the object. •For PIX/FWSM/ASA, you can include object group and name commands. •If you import an ACL that is inactive, it is shown as disabled in Security Manager. If you deploy the configuration, it is removed from the device. •You can import extended ACLs for all device types, and standard ACLs for IOS devices. However, standard ACLs are converted to extended ACLs. |
| Interface | The name of the interface or interface role for which you are defining this rule. You can enter any combination of interface or interface role names, separated by commas. Enter the name or click Select to select the interface or interface role. If the object that you want is not listed, click the Create button to create it. |
| Traffic Direction | The direction of the traffic with respect to the interface, in or out. |
| Category | The category assigned to the rule. Categories help you organize and identify rules and objects. See Using Category Objects, page 8-6. |
Use the Status page of the Import Rules wizard to view information about the results of the import process.
Navigation Path
For information on starting the Import Rules wizard, see Import Rules Wizard—Enter Parameters Page
Related Topics
Field Reference
Use the Preview page of the Import Rules wizard to view the rules and objects that will be imported if you click Finish.
This preview is read-only; you cannot edit the rules or objects. If the rules or objects are not exactly what you want, you can click Finish to add the rules and objects, and then edit them from the access rules page. For example, you cannot import rule expiration dates, because those dates have meaning only in Security Manager.
The tabs on this dialog box appear only if the data you are importing includes items to be displayed on the tab.
Tip If your CLI refers to an object that does not exist, such as a time range, the object is not included in the rule. You can either go back and add the CLI for the object, or you can click Finish, create the object yourself, and edit the rule.
Navigation Path
For information on starting the Import Rules wizard, see Import Rules Wizard—Enter Parameters Page
Related Topics
•Understanding Network/Host Objects, page 8-65
•Understanding Interface Role Objects, page 8-33
•Understanding and Specifying Services and Service and Port List Objects, page 8-75
Field Reference
Use the Querying Device or Querying Policy dialog box to set up the parameters for a query. The query results show the rules that match your parameters. The title of the dialog box indicates what you are querying:
•In Device or Map view, you are querying rules defined for the selected device.
•In Policy view, you are querying rules within the selected policy only.
You can query rules from these types of policies: AAA rules, access rules, inspection rules, web filter rules for ASA/PIX/FWSM, and zone based firewall rules.
When setting up your query, you must select at least one rule type; enabled, disabled or both; permitted, denied, or both; and mandatory, default, or both.
Note For inspection rules, if you enter Global as the interface value, the match status results will be shown as a partial match even if the match is complete.
Results are displayed in the Policy Query Results dialog box (see Policy Query Results Dialog Box).
Navigation Path
To generate Policy Query reports, do one of the following:
•(Device view) Select a device, then select one of the supported firewall rules policies from the Firewall folder. Click the Tools button and select Query.
•(Policy view) Select any of the supported firewall rules policies from the Firewall folder and select a specific policy from the Shared Policy selector. Click the Tools button and select Query.
•(Map view) Right-click a device and select a supported firewall rules policy from the Edit Firewall Policies menu. Click the Tools button and select Query.
Related Topics
•Generating Policy Query Reports, page 11-12
•Understanding Policy Query Results, page 11-14
Field Reference
| Element | Description |
|---|---|
| Rule Types | The type of rules you want to query. When querying in Policy view, you cannot change the selection. When querying in Device view, you can select any of the following types of rules; the scope of the query is limited to the selected device: •AAA Rules •Access Rules •Inspection Rules •Web Filter Rules •Zone Based Rules |
| Enabled and/or Disabled Rules | Whether you want to query enabled or disabled rules, or both. |
| Mandatory and/or Default Rules | Whether you want to query rules that are in the mandatory or default sections, or both. |
| Match | Whether you want to query rules that permit or deny traffic, or both. |
| Sources / Destinations | The source or destination of the traffic. You can enter more than one value by separating the items with commas. Note If you leave a field blank, the query matches any address for that field. You can enter any combination of the following address types to define the source or destination of the traffic. For more information, see Specifying IP Addresses During Policy Definition, page 8-68. •Network/host object. Enter the name of the object or click Select to select it from a list. You can also create new network/host objects from the selection list. •Host IP address, for example, 10.10.10.100. •Network address, including subnet mask, in either the format 10.10.10.0/24 or 10.10.10.0/255.255.255.0. •A range of IP addresses, for example, 10.10.10.100-10.10.10.200. •An IP address pattern in the format 10.10.0.10/255.255.0.255, where the mask is a discontiguous bit mask (see Contiguous and Discontiguous Network Masks, page 8-65). |
| Services | The services that define the type of traffic that is acted on. You can enter more than one value by separating the items with commas. Note If you leave the field blank, the query matches any service. You can enter any combination of service objects and service types (which are typically a protocol and port combination). If you type in a service, you are prompted as you type with valid values. You can select a value from the list and press Enter or Tab. For complete information on how to specify services, see Understanding and Specifying Services and Service and Port List Objects, page 8-75. |
| Interfaces | The interfaces for which the rule is defined. You can enter any combination of interface or interface role names, separated by commas. Enter the name or click Select to select the interface or interface role. If the object that you want is not listed, click the Create button to create it. Note If you leave the field blank, the query matches any interface or interface role. |
| From Zone / To Zone | For zone based firewall rules, the zones defined for the rule. Enter the zone names (which are interface roles), or click Select to select them from a list. If the object that you want is not listed, click the Create button to create it. |
| Actions | For zone based firewall rules, the actions defined for the rule. |
| Check if Matching Rules Are Shadowed by Rules Above | Whether to have the policy query results include rule conflict detection information. Selecting this option might have an impact on performance and cost results. |
Use the Policy Query Results dialog box to view the results of a policy query that you defined on the Query Device or Policy dialog box.
Tip In the query results table, you can double-click a row, or right-click and select Go to Rule, to select the rule in the rules policy page, where you can edit the rule. If the appropriate rules policy is not already selected in the policy selector, you might have to do this twice to actually select the rule.
Navigation Path
After defining your query parameters on the Querying Device or Policy Dialog Box, click OK.
Related Topics
•Generating Policy Query Reports, page 11-12
•Understanding Policy Query Results, page 11-14
Field Reference
| Element | Description |
|---|---|
| Query Parameters / Edit Query button | The parameters you defined for the query. Click Edit Query to change the parameters and run a new query. |
| Display | Which type of query results to display based on rule type. If you selected more than one type of rule, you must select a rule type to display the query results for that type. |
| Results table | Lists the rules that match your query. The table includes these fields: •Match Status—Indicates how the rule matches your query: –Complete Match—The rule matches all query parameters. –Partial Match—All of the search criteria overlap or are a superset of the matched rule. –No Effect—Rules are blocked by other matching rules, or a conflict exists that has no effect. For more information, see Understanding Policy Query Results, page 11-14. •Scope—Identifies whether a rule is shared or local, mandatory or default. •The remaining fields—All remaining fields are the attributes of the rule. For an explanation of the attributes for each type of rule, see the following topics: –Web Filter Rules Page (PIX/ASA) |
| Details | The details section shows the detailed query match information for the rule selected in the results table. The folders on the left represent the attributes for which you can see detailed information. Select a folder to view the details. The details show the query value, which is the parameter you defined, and the item in the rule that matches the parameter. The matching relationship is one of the following: •Identical—The parameter is identical to the value in the rule. •Contains—The parameter is a superset that contains the value in the rule. •Is contained by—The parameter is a subset nested within the value of the rule. •Overlaps—The query parameter shows results that overlap between more than one policy object used in the rule. |
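The overlap types on the Rule Analysis Results page (Redundant Base Rule, Redundant Overlapping Rule, Conflicting Rule, Duplicate Rule) and the match relationships in the Details pane above (Identical, Contains, Is contained by, Overlaps) both reduce to set comparison of a rule's address and service fields. The following is an added example, not Security Manager code; it assumes a simplified rule model (IPv4 source, destination, protocol and destination port range, compared pairwise without regard to the rules that sit between the pair) and uses constructed sample rules.

```python
# Added example (not Security Manager code): pairwise comparison of access rules that
# reproduces the Rule Analysis overlap types and the Policy Query match relationships.
# Each pair is compared in isolation; rules that sit between the two are not considered.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Span:  # inclusive integer interval, used for IPv4 address sets and port ranges
    lo: int
    hi: int

    def covers(self, other: "Span") -> bool:
        return self.lo <= other.lo and other.hi <= self.hi

    def intersects(self, other: "Span") -> bool:
        return max(self.lo, other.lo) <= min(self.hi, other.hi)

def parse_addr(text: str) -> Span:
    """Accept any, a host, a.b.c.d/e or a.b.c.d-e.f.g.h (the Sources/Destinations formats)."""
    if text == "any":
        return Span(0, 2 ** 32 - 1)
    if "-" in text:
        low, high = text.split("-")
        return Span(int(IPv4Address(low)), int(IPv4Address(high)))
    net = IPv4Network(text, strict=False)
    return Span(int(net.network_address), int(net.broadcast_address))

def relation(query: Span, rule_value: Span) -> Optional[str]:
    """Details-pane relationship of a query parameter to a rule item; None means no match."""
    if not query.intersects(rule_value):
        return None
    q_covers, r_covers = query.covers(rule_value), rule_value.covers(query)
    if q_covers and r_covers:
        return "Identical"
    if q_covers:
        return "Contains"
    if r_covers:
        return "Is contained by"
    return "Overlaps"

@dataclass(frozen=True)
class AccessRule:
    action: str   # "permit" or "deny"
    src: Span
    dst: Span
    proto: str    # "ip" (any protocol, ports ignored), "tcp" or "udp"
    ports: Span   # destination port range

    def covers(self, other: "AccessRule") -> bool:
        """Every packet matched by other is also matched by self."""
        if self.proto != "ip" and (self.proto != other.proto or not self.ports.covers(other.ports)):
            return False
        return self.src.covers(other.src) and self.dst.covers(other.dst)

    def intersects(self, other: "AccessRule") -> bool:
        """Some packet is matched by both rules."""
        if "ip" not in (self.proto, other.proto) and (
                self.proto != other.proto or not self.ports.intersects(other.ports)):
            return False
        return self.src.intersects(other.src) and self.dst.intersects(other.dst)

def classify(base: AccessRule, overlapping: AccessRule) -> Optional[str]:
    """Overlap type for a base rule and a later rule, using the page's four categories."""
    if not base.intersects(overlapping):
        return None                          # disjoint traffic: nothing to report
    if base.action != overlapping.action:
        return "Conflicting Rule"            # the earlier base rule decides
    base_covers, over_covers = base.covers(overlapping), overlapping.covers(base)
    if base_covers and over_covers:
        return "Duplicate Rule"
    if base_covers:
        return "Redundant Overlapping Rule"  # the later rule is never applied
    if over_covers:
        return "Redundant Base Rule"         # removing the base changes nothing
    return None                              # partial overlap, same action: no finding

def analyze(rules: List[AccessRule]) -> List[Tuple[int, int, str]]:
    """Findings keyed by the base rule, the rule with the lower number."""
    findings = []
    for i in range(len(rules)):
        for j in range(i + 1, len(rules)):
            kind = classify(rules[i], rules[j])
            if kind:
                findings.append((i, j, kind))
    return findings

def rule(action: str, src: str, dst: str, proto: str = "ip", ports: str = "0-65535") -> AccessRule:
    low, high = (int(p) for p in ports.split("-"))
    return AccessRule(action, parse_addr(src), parse_addr(dst), proto, Span(low, high))

# Constructed sample policy; 192.0.2.0/24 is a documentation range, not a real network.
SAMPLE_RULES = [
    rule("deny", "10.1.0.0/16", "any"),                               # 0: deny all IP
    rule("permit", "10.1.2.0/24", "192.0.2.0/24", "tcp", "21-21"),   # 1: FTP, conflicts with 0
    rule("permit", "10.2.0.0/16", "192.0.2.0/24", "tcp", "80-80"),   # 2: HTTP
    rule("permit", "10.2.5.0/24", "192.0.2.10/32", "tcp", "80-80"),  # 3: covered by 2, never hit
    rule("permit", "10.2.0.0/16", "192.0.2.0/24", "tcp", "80-80"),   # 4: duplicate of 2
]
```

Calling `analyze(SAMPLE_RULES)` reports rule 0/1 as the deny-IP versus permit-FTP conflict from the Rule Analysis description, rule 3 as a redundant overlapping rule, and rule 4 as a duplicate; `relation()` on two address ranges gives the Details-pane label.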
Use the Hit Count Selection Summary dialog box to select the rules for which you want to generate hit count information. Your options are limited by the rules you selected before initiating the hit count report.
When you click OK, the hit count information is obtained from the device, which can take some time, so you are given the option to abort the operation. The results are shown in the Hit Count Query Results Page.
Navigation Path
(Device view only) From the Access Rules Page, click the Tools button and select Hit Count.
Related Topics
•Generating Hit Count Reports, page 11-26
•Understanding Access Rules, page 11-17
Field Reference
Use Hit Count Query Results page to view information about the number of times an access rule was applied to traffic. These rules are the ones that become interface ACLs on the device. The hit count results do not show counts for any other type of ACL (for example, those used with class maps or AAA rules).
Use the hit count information to help you debug your access rules. The information can help you identify rules that are never hit (which might mean you do not need them, or that they are duplicates of rules higher in the ACL), and rules that are hit often (which means you might want to refine the rules). For an example of a hit count report, see Generating Hit Count Reports, page 11-26.
Consider the following points when analyzing the hit count results:
•You get best results if you deploy policies to the device before viewing hit count. If you discover a device and then generate a hit count report before deployment, the results might be incomplete or hard to interpret. For example, an access rule might not have any hit count information.
•If you enable network object group optimization, as described in Optimizing Network Object Groups When Deploying Firewall Rules, page 11-15, you might not get good hit count information.
•If you enable ACL optimization, as described in Optimizing Access Rules Automatically During Deployment, page 11-31, the hit count results might have problems matching ACEs from the device to access rules. Thus, when you select an access rule, you might not get any hit count results for it.
Navigation Path
(Device view only) From the Access Rules Page, click the Tools button, select Hit Count, and then click OK in the Hit Count Selection Summary Dialog Box.
Related Topics
•Generating Hit Count Reports, page 11-26
•Understanding Access Rules, page 11-17
•Table Columns and Column Heading Features, page 2-18
•Using Category Objects, page 8-6
Field Reference
Element | Description
---|---
Select Device | The device for which you are displaying hit count information.
Refresh Hit Count button | Click this button to update the hit count information. The difference between the last hit count and the updated hit count is listed in the Delta column in the expanded table (in the lower pane). The amount of time since the last refresh is shown next to the button to help you evaluate the delta count. Obtaining refreshed information can take some time, so you are given the opportunity to abort the refresh.
Selected Access Rules table | The rules you selected for obtaining hit count information. The hit count is the sum of the hit counts for all ACEs created by the rule. The other information is the same as in the Access Rules Page. Select one or more rules in this table to see detailed information for the access control entries (ACEs) associated with the rule in the tables in the lower half of the window.
Choose | Select whether you want to see the expanded table or the raw ACE table (both explained below).
Expanded table | Lists the device's access control list entries (ACEs) for the rule selected in the upper table (Selected Access Rules table). The list contains more than one ACE if the access rule generated more than one ACE when you deployed the policy to the device. The columns in the table match those of the upper table, except they contain the specific data configured in the ACE in place of any network/host, service, or interface role objects contained in the rule. Also, the name of the ACL that contains the ACE is listed. The additional Delta column contains the number of hits for the ACE since the last time you clicked the Refresh Hit Count button. The Hit Count column shows the hits for the specific ACE rather than the overall rule.
Raw ACE table | Shows the actual CLI for the access control entry, along with the hit count. Use this information if you are more comfortable evaluating device commands.
Use the Combine Rules Selection Summary dialog box to define the parameters used for combining rules in firewall rules policies. When you click OK, the combination results are displayed in the Rule Combiner Results Dialog Box, where you can choose to save or discard the results.
Navigation Path
You can combine rules from the AAA Rules Page and the Access Rules Page. Click Tools located at the bottom of the tables and select Combine Rules.
Related Topics
Field Reference
Element | Description
---|---
Policy Selected | Shows the policy selected and the scope. Local indicates the local device rules. Otherwise, the field indicates the name of the shared policy and the scope selected within the policy, if any.
Rules to be combined | The rules you want the tool to consider combining: •All Rules—Consider combining all rules within the selected policy. •Selected Rules—Consider combining only those rules you selected in the policy before starting the tool. For detailed information on selecting rules before running the tool, see Combining Rules, page 11-9.
Choose which columns to combine | The columns in the rules table that can be combined. Any column that you do not select, including the columns that are never combinable, must have identical content in two rules for them to be combined; the only exception is the Description column, which is ignored. The columns you can combine are: •Source •Destination •Service •Interface •For AAA rules, these additional columns: –Action –Auth Proxy
Use the Rule Combiner Results dialog box to evaluate the results of a rule combination. The dialog box includes a summary of the results, and shows the new rules that will be created if you click OK.
Changed rule cells are outlined in red. Select a combined rule in the upper table to see the rules in the lower table that were combined to create the rule.
You can refine some elements of the results in this window:
•You can right-click on the Source, Destination, and Service cells with multiple elements and select Create Network (or Service) Object from Cell Contents to create a new policy object that contains the contents of the combined cell. The new object replaces the contents of the cell.
•You can right-click on Description and select Edit Description to change the description.
For more information about interpreting the results, see Understanding Rule Combiner Results, page 11-11.
Tip You are allowed to run the Combine Rules tool even if you are combining rules for a policy that you are not allowed to save. For example, you cannot save combined rules for a shared or inherited policy in Device view. You are warned before running the tool if you will not be allowed to save the results.
Navigation Path
You can combine rules from the AAA Rules Page and the Access Rules Page. Click Tools located at the bottom of the tables and select Combine Rules, fill in the Combine Rules Selection Summary Dialog Box and click OK.
Related Topics
Field Reference
Element | Description
---|---
Result Summary | Provides a summary of the results of the combination and indicates the number of original rules, the number of rules remaining after the combination, and the number of changed and unchanged rules, if any combinations could be made.
Resulting Rules table | The rules that will replace the rules currently in the policy. If you click OK, these rules become part of your policy. The columns are the same as those in the associated policy (see AAA Rules Page or Access Rules Page), with the addition of the Rule State column. The Rule State column shows the status of the rule: •Modified, Combined—The new rule is the result of combining one or more rules or modifying an existing rule. A red box around a cell indicates cells that have combined contents. •Unchanged—The rule remains unchanged, as it could not be combined with any other rule. •Not Selected—You did not select the rule for possible combination. If there are a large number of rules, you can use the buttons beneath the table to scroll through the rules that have changes. Unchanged and unselected rules are skipped.
Original rules table (lower table) | The table in the lower half of the dialog box shows the original rules that were combined to create the rule you select in the upper table.
Detail Report button | Click this button to create an HTML report of the results. The report summarizes the results and also provides the details about the resulting rules and the rules that were combined to create the new rule.