Enable IPS for this Traffic |
Enables or disables intrusion prevention for this traffic flow. When this box is checked, the other parameters on this panel are available. Note These parameters are applicable only on ASA 7.0+ devices that have an IPS module installed. See About IPS Modules on ASA Devices for more information. |
IPS Mode |
Select the operating mode for intrusion prevention:
- Inline —This mode places the IPS module directly in the traffic flow. No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the IPS module. This mode is the most secure because every packet identified for inspection is analyzed before being allowed through. Also, the IPS module can implement a blocking policy on a packet-by-packet basis. However, this mode can affect throughput.
- Promiscuous —This mode sends a duplicate stream of traffic to the IPS module. This is less secure than Inline mode, but has little impact on traffic throughput. Unlike Inline mode, in Promiscuous mode the IPS module cannot drop the original packets, it can only block traffic by instructing the ASA to shun the traffic, or by resetting the connection on the appliance.
Also, while the IPS module is analyzing the traffic, a small amount of traffic may pass through the ASA before the IPS module can shun it. |
On IPS Card Failure |
Specify the action to be taken if the IPS module becomes inoperable. Select either:
- Open —Permits traffic if the module or card fails.
- Close —Blocks traffic if the module or card fails.
|
Virtual Sensor |
Text box in which you can view, edit, or remove the name of the virtual sensor on the IPS module that receives this traffic in the service policy that you are adding or editing. |
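As an added illustration (not from the original page), this is the ASA CLI that the IPS Mode, On IPS Card Failure and Virtual Sensor settings correspond to for one traffic class. The access list, class map, policy map and interface names and the virtual sensor name vs0 are assumptions.

```text
! Select the traffic to hand to the IPS module (names are assumed)
access-list IPS_TRAFFIC extended permit tcp any 192.0.2.0 255.255.255.0 eq 443
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map outside_policy
 class IPS_CLASS
  ! Inline, fail-close: nothing reaches 192.0.2.0/24 without passing
  ! through the module, and the class is blocked if the module fails.
  ips inline fail-close sensor vs0
  ! Promiscuous alternative: the module sees a copy and can only shun or
  ! reset after the fact; fail-open keeps traffic flowing if the module fails.
  ! ips promiscuous fail-open sensor vs0
!
service-policy outside_policy interface outside
```

The two keyword pairs map one-to-one onto the IPS Mode and On IPS Card Failure options. Fail-close is the safer choice when the module is the only control protecting the class, but it means a failed module takes the whole class offline, so check the module state with `show module` before relying on it.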
CXSC tab Note Security Manager uses “CXSC” in places to refer to an ASA CX Security Services Processor (SSP). |
Enable CXSC For This Traffic |
Check this box to enable redirection of this traffic flow to an ASA CX installed in the ASA. When this box is checked, the other parameters on this panel are available. Note These parameters are applicable only on ASA 5585-X devices running version 8.4(4)+ and ASA 55xx-X devices running version 9.1(1)+ that have an ASA CX SSP installed. |
On Context Security Card Failure |
Specify the action to be taken if the ASA CX becomes inoperable. Select either:
- Open – If the ASA CX fails for any reason, the ASA will continue to pass traffic that would otherwise be redirected to the ASA CX.
- Close – If the ASA CX fails, the ASA will drop any traffic that would otherwise be redirected to the ASA CX.
|
Enable Auth Proxy |
Check this box to enable the authentication proxy, which is required if you want to use active authentication in the identity policies on the ASA CX. If not checked, no authentication is performed. Note You can change the port used for authentication proxy; see ASA CX Auth Proxy Configuration for more information. |
|
Enable FirePOWER Card For This Traffic |
Check this box to enable redirection of this traffic flow to an ASA FirePOWER module installed in the ASA. When this box is checked, the other parameters on this panel are available. Note These parameters are applicable only on ASA 55xx-X devices running version 9.2(1)+. |
On FirePOWER Card Failure |
Specify the action to be taken if the ASA FirePOWER module becomes inoperable. Select either:
- Open – If the ASA FirePOWER module fails for any reason, the ASA will continue to pass traffic that would otherwise be redirected to the ASA FirePOWER module.
- Close – If the ASA FirePOWER module fails, the ASA will drop any traffic that would otherwise be redirected to the ASA FirePOWER module.
|
Enable Monitor Only |
Sets the module to monitor-only mode. In monitor-only mode, the module can process traffic for demonstration purposes, but then drops the traffic. You cannot use the traffic-forwarding interface or the device for production purposes. |
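The CX and FirePOWER redirection settings above generate the following ASA CLI. This is an added example, not text from the original page, and it assumes the default global policy on an ASA that carries one module or the other (a single ASA does not host both).

```text
! ASA CX: redirect all traffic, block it if the module fails, and enable the
! auth proxy so CX identity policies can use active authentication.
policy-map global_policy
 class class-default
  cxsc fail-close auth-proxy
!
! ASA FirePOWER on an ASA 55xx-X: redirect all traffic and keep passing it
! if the module fails.
policy-map global_policy
 class class-default
  sfr fail-open
  ! 'sfr fail-open monitor-only' is the Enable Monitor Only check box;
  ! it is for evaluation, not production use.
```

Choose fail-close only after confirming with `show module` that the module is Up; a module that is recovering or unresponsive blocks the entire redirected class under fail-close, whereas fail-open silently leaves the class uninspected, so either choice deserves an alert in monitoring.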
|
Enable Connection Settings For This Traffic |
Enables or disables connection settings for this traffic flow. When this box is checked, the other parameters on this panel become active. From the Connection Settings tab you can configure maximum connections, embryonic connections, timeouts, and TCP parameters. |
Maximum Connections |
You can specify the maximum number of TCP and UDP connections, and the maximum number of embryonic connections, for this traffic flow:
- Maximum TCP & UDP Connections – Specify the maximum number of simultaneous TCP and UDP connections for all hosts matched by this traffic flow (not per host), up to 65,535 for ASA versions earlier than 8.4(5); for ASA 8.4(5) and later, the maximum is 2,000,000. The default is zero for both protocols, which means no limit is enforced.
- Maximum TCP & UDP Connections Per Client – For ASA/PIX 7.1+ only; specify the maximum number of simultaneous TCP and UDP connections allowed from a single client. For ASA 8.4(5) and later, the maximum is 2,000,000.
- Maximum Embryonic Connections – For ASA/PIX 7.0+ only; specify the maximum number of embryonic connections for this traffic flow (the per-client setting below limits individual sources), up to 65,535 for ASA versions earlier than 8.4(5); for ASA 8.4(5) and later, the maximum is 2,000,000. An embryonic connection is a connection request that has not completed the TCP three-way handshake between source and destination. Setting a non-zero limit is what enables TCP Intercept for this flow; the default is zero, which means no limit and no TCP Intercept.
TCP Intercept protects inside systems from a DoS attack that floods an interface with TCP SYN packets. Once the embryonic limit is exceeded, the security appliance intercepts TCP SYN packets sent from clients to servers on the higher-security interface and completes the handshake itself using SYN cookies; only a client that finishes the handshake is connected through to the server, so connection attempts from spoofed or unreachable sources never reach it, and the SYN cookie validation keeps the amount of legitimate traffic dropped to a minimum. This feature is not applicable if TCP State Bypass is enabled.
- Maximum Embryonic Connections Per Client – For ASA/PIX 7.1+ only; specify the maximum number of embryonic connections allowed from a single client. For ASA 8.4(5) and later, the maximum is 2,000,000. This feature is not applicable if TCP State Bypass is enabled.
|
Connection Timeouts |
You can specify the following connection timeout settings for this traffic flow:
- Embryonic Connection Timeout – Specify the idle time until an embryonic connection slot is freed. Enter 0:00:00 to disable timeout for the connection. The default is 20 seconds for FWSMs, and 30 seconds for ASA/PIX devices.
- Half Closed Connection Timeout – Specify the idle time until a half-closed connection slot is freed. Enter 0:00:00 to disable timeout for the connection.
For FWSMs, the default value is 20 seconds; the maximum value is 255 seconds (four minutes, 15 seconds). For ASA 9.1.2 and later devices, the minimum is 30 seconds. For all other ASA/PIX devices, the minimum is 5 minutes. The default is 10 minutes for all ASA/PIX devices.
- Idle Connection Timeout – Specify the idle time until a connection slot is freed. Enter 0:00:00 to disable timeout for the connection. This duration must be at least 5 minutes. The default is 1 hour.
|
Reset Connection Upon Timeout |
If selected, connections are reset after a timeout occurs. Available for ASA/PIX 7.0(4)+ only. |
Detect Dead Connections |
Enables Dead Connection Detection (DCD); available for ASA/PIX 7.2+ devices. With DCD, when a connection reaches its idle timeout the security appliance probes both end hosts instead of freeing the connection immediately, and frees it only if the probes go unanswered after the configured number of retries. Long-lived but quiet sessions therefore survive while truly dead ones are still removed. Selecting this option enables these two fields:
- Dead Connection Detection Timeout – Specify the interval between DCD probes. The default is 15 seconds.
- Dead Connection Detection Retries – Specify the number of unanswered probes after which the connection is freed. The default is five.
|
Traffic Flow Idle Timeout |
Specify the period of time between a traffic flow becoming idle and the flow’s disconnection. Applicable to FWSM 3.2+ only. The default is 1 hour. |
Enable TCP Normalization |
Enables TCP normalization, and activates the TCP Map selection option. Applies to ASA/PIX 7.0+ only; not applicable if TCP State Bypass is enabled. |
TCP map |
Specify the TCP map to use for TCP normalization: enter or Select the name of a TCP map. For more information, see Configuring TCP Maps. |
Randomize TCP Sequence Number |
Enables the Randomize Sequence Number feature. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers: one generated by the client and one generated by the server. The security appliance randomizes the ISN that is generated by the host/server on the higher security interface. At least one ISN must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session. Not applicable if TCP State Bypass is enabled. |
Enable TCP State Bypass |
Enables TCP state bypass for this traffic flow, which allows traffic to pass when the outbound and inbound halves of a connection do not traverse the same device (asymmetric routing). Because the security appliance no longer tracks TCP state for these flows, TCP normalization, sequence number randomization, TCP Intercept (the embryonic connection limits), and CSC SSM scanning are not applied to them, so keep the class limited to the flows that actually need it. Applicable to FWSM 3.2+ and ASA 8.2+ only. See About TCP State Bypass for more information. |
Enable SCTP State Bypass (ASA 9.5.2 + only) |
You can bypass Stream Control Transmission Protocol (SCTP) stateful inspection if you do not want SCTP protocol validation. |
Enable Decrement TTL |
Select this option to turn on decrementing of the time-to-live (TTL) value in packets passed by the security appliance. Applicable to PIX/ASA 7.2.2+ only. |
Configure Flow Offload (For Firepower 9000/4000 series ASA 9.6(1) and above) |
Select this option to offload specific traffic to a super-fast path: the traffic is switched and processed in the NIC instead of by the ASA. Offloading can improve performance for data-intensive applications such as large file transfers.
Note You must enable flow offload manually on the ASA and restart the device before configuring flow offload in the Service Policy Wizard in Cisco Security Manager. Flow offload and flow offload statistics are supported on the ASA only in single context mode and in the system context of multiple context mode; they are not supported in the admin or user contexts. The ASA supports flow offload starting from version 9.5.2(1); Cisco Security Manager supports flow offload from ASA 9.6(1).
Tip You can configure flow offload only when TCP State Bypass and SCTP State Bypass are not enabled.
|
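The Connection Settings tab as a whole (limits, timeouts, DCD, TCP normalization, sequence number randomization, TCP state bypass, decrement TTL and flow offload) maps onto `set connection` commands in a policy-map class. This added example, not from the original page, shows the resulting ASA CLI for a protected web server class and a narrow asymmetric-routing class; all access list, class, map and interface names and the addresses are assumptions.

```text
! Strict TCP normalization profile for the web-server class (name assumed)
tcp-map STRICT_TCP
 check-retransmission
 checksum-verification
 exceed-mss drop
 reserved-bits clear
 urgent-flag clear
!
access-list DMZ_WEB extended permit tcp any host 192.0.2.10 eq https
class-map DMZ_WEB_CLASS
 match access-list DMZ_WEB
access-list ASYM_FLOWS extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
class-map ASYM_CLASS
 match access-list ASYM_FLOWS
access-list BULK_XFER extended permit tcp 10.30.0.0 255.255.0.0 host 192.0.2.20 eq 445
class-map BULK_CLASS
 match access-list BULK_XFER
!
! Firepower 4100/9300 only: global enable, effective after a reload
flow-offload enable
!
policy-map outside_policy
 class DMZ_WEB_CLASS
  ! Connection limits. embryonic-conn-max > 0 is what turns on TCP Intercept
  ! (SYN cookies) for this class; the per-client limits cap a single source.
  set connection conn-max 10000 embryonic-conn-max 1000 per-client-max 200 per-client-embryonic-max 20 random-sequence-number enable
  ! Embryonic 30 s, half-closed 10 min, idle 1 h with RST on expiry, and
  ! DCD probes every 15 s, up to 5 retries, before an idle connection is freed.
  set connection timeout embryonic 0:00:30 half-closed 0:10:00 idle 1:00:00 reset dcd 0:00:15 5
  ! TCP normalization with the map above; decrement TTL so the firewall
  ! shows up as a hop in traceroute.
  set connection advanced-options STRICT_TCP
  set connection decrement-ttl
 class ASYM_CLASS
  ! Asymmetric routing: skip TCP state tracking. This also disables the
  ! normalizer, ISN randomization and TCP Intercept for these flows.
  set connection advanced-options tcp-state-bypass
 class BULK_CLASS
  ! Hardware fast path; cannot be combined with tcp-state-bypass
  set connection advanced-options flow-offload
!
service-policy outside_policy interface outside
```

`show service-policy interface outside` reports the per-class current and maximum connection counts, which is the quickest way to tell whether the embryonic limit (and so TCP Intercept) is actually being hit; `show conn` lists the individual connections. Keep the state-bypass class as narrow as the routing problem requires, since every protection listed above is switched off for it.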
Enable QoS For This Traffic |
Enables Quality of Service (QoS) options for this traffic flow. When selected, the Enable Priority For This Flow and the Traffic Policing options become active. Note The options on this tab are applicable to PIX/ASA 7.0+ devices only. |
Enable Priority For This Flow |
Enables strict scheduling priority for this flow. The priority queues must be defined on the Priority Queues Page. |
Traffic Policing |
Enables output and input traffic policing. Traffic policing lets you control the maximum rate of traffic transmitted or received on an interface. |
Output (Traffic Policing) |
Enables policing of traffic flowing out of the device. If you enable policing, you can specify the following values:
- Committed Rate – The rate limit for this traffic flow, in bits per second; a value in the range 8,000 to 2,000,000,000.
- Burst Rate – A value in the range 1,000 to 512,000,000 that specifies the maximum number of bytes allowed in an instantaneous burst above the committed rate before the policer throttles the flow back to the conforming rate.
- Conform Action – The action applied to packets that stay within the committed rate and burst allowance. Choices are Transmit or Drop.
- Exceed Action – The action applied to packets that arrive beyond the committed rate once the burst allowance is exhausted. Choices are Transmit or Drop; Drop is what actually enforces the limit.
|
Input (Traffic Policing) |
Enables policing of traffic flowing into the device; these options apply to ASA/PIX 7.2+ devices only. If you enable policing, you can specify the following values:
- Committed Rate – The rate limit for this traffic flow, in bits per second; a value in the range 8,000 to 2,000,000,000.
- Burst Rate – A value in the range 1,000 to 512,000,000 that specifies the maximum number of bytes allowed in an instantaneous burst above the committed rate before the policer throttles the flow back to the conforming rate.
- Conform Action – The action applied to packets that stay within the committed rate and burst allowance. Choices are Transmit or Drop.
- Exceed Action – The action applied to packets that arrive beyond the committed rate once the burst allowance is exhausted. Choices are Transmit or Drop; Drop is what actually enforces the limit.
|
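As an added example (not from the original page) of the QoS tab, here is the ASA CLI for strict-priority treatment of one class and input/output policing of another. Class names, the access list, the interface and the rates are assumptions.

```text
! The priority queue must exist on the egress interface for 'priority' to
! have any effect (the Priority Queues page in Security Manager)
priority-queue outside
 queue-limit 1024
 tx-ring-limit 256
!
class-map VOICE_CLASS
 match dscp ef
access-list BULK_XFER extended permit tcp 10.30.0.0 255.255.0.0 any eq 445
class-map BULK_CLASS
 match access-list BULK_XFER
!
policy-map outside_policy
 class VOICE_CLASS
  ! Enable Priority For This Flow: strict scheduling ahead of other traffic
  priority
 class BULK_CLASS
  ! 10 Mb/s committed rate, 1,250,000-byte burst (one second's worth at the
  ! committed rate); conforming packets are sent, excess is dropped
  police output 10000000 1250000 conform-action transmit exceed-action drop
  police input 10000000 1250000 conform-action transmit exceed-action drop
!
service-policy outside_policy interface outside
```

The ASA does not allow `priority` and `police` on the same class, which is why the two are split here. `show service-policy police` reports conformed and exceeded packet and byte counts per class, and `show priority-queue statistics outside` shows whether the priority queue is dropping.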
Enable Content Security Control For This Traffic |
Enables or disables the use of the Cisco CSC SSM (Content Security and Control Security Services Module) for this traffic flow. When this box is checked, the On CSC SSM Failure options become available. These options are applicable on ASA 7.1+ devices only; they are not applicable if TCP State Bypass is enabled. The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the FTP, HTTP, POP3, and SMTP packets. |
On CSC SSM Failure |
Specifies the action to take if the CSC SSM becomes inoperable:
- Open – Permits traffic if the CSC SSM fails.
- Close – Blocks traffic if the CSC SSM fails.
|
Enable user statistics accounting (ASA 8.4(2)+ only) |
Whether to collect user statistics accounting information for identity-based firewall policies. These statistics are kept for users to which a firewall policy is applied based on user name or user group membership. Select the type of information you want to collect:
- Account for sent drop count
- Account for sent packet, sent drop and received packet count
|
Enable Scansafe Web Security for this traffic (ASA 9.0+ only) |
Enables or disables the use of ScanSafe Web Security for this traffic flow; applicable on ASA 9.0+ devices only. When this box is checked, two options become available:
- ScanSafe Policy Map – enables policy map selection.
- On ScanSafe Tower Communication Failure – specifies action the system should take if ScanSafe Tower communication fails.
|
Enable SCTP for this traffic (ASA 9.5.2 + only) |
Enables or disables the use of SCTP for this traffic flow.
- SCTP Policy Map – enables policy map selection
|
Enable Diameter Inspection for this traffic (ASA 9.5.2 + only) |
Enables or disables the use of Diameter inspection for this traffic flow.
- Diameter Policy Map – enables policy map selection
When Diameter Inspection is enabled, you can further enable inspection of encrypted traffic by selecting the Enable encrypted traffic inspection check box. You must select the TLS Proxy to be used for this inspection. |
Enable LISP for this traffic (ASA 9.5.2 + only) |
Enables or disables the use of LISP Inspection for this traffic flow.
- LISP Policy Map – enables policy map selection
|
Enable Flow LISP mobility for devices (ASA 9.5.2 + only) |
Enables flow mobility in clustering. |
Enable STUN Inspection support for devices (ASA 9.6.2 + only) |
Enables or disables the use of STUN inspection for this traffic flow. It is supported on ASA 9.6.2 and above in single and multiple context modes. Note When you enable STUN inspection on the default inspection class, TCP/UDP port 3478 is watched for STUN traffic. The inspection supports IPv4 addresses and TCP/UDP only. STUN inspection is supported in failover and cluster modes, because pinholes are replicated. However, because the transaction ID is not replicated among units, if a unit fails after receiving a STUN Request and another unit receives the STUN Response, the STUN Response is dropped. |
Enable M3UA for this traffic (ASA 9.6.2 + only) |
Enables or disables the use of M3UA for this traffic flow.
- M3UA Policy Map – enables policy map selection
|
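The Content Security Control, user statistics, ScanSafe, SCTP, Diameter, LISP, STUN and M3UA settings above all become class-level commands in the ASA policy map. This added example, not from the original page, collects them in one global policy; the class maps, access lists and addresses are assumptions, and the inspection policy maps (SCANSAFE_MAP, DIAMETER_MAP, SCTP_MAP, LISP_MAP, M3UA_MAP), the TLS proxy DIA_PROXY, the ScanSafe general options and the identity-firewall configuration are assumed to exist already.

```text
access-list MAIL extended permit tcp any any eq smtp
access-list MAIL extended permit tcp any any eq pop3
class-map MAIL_CLASS
 match access-list MAIL
class-map OUTBOUND_WEB_CLASS
 match port tcp eq www
class-map DIAMETER_CLASS
 match port tcp eq 3868
access-list SCTP_PEERS extended permit ip 10.50.0.0 255.255.0.0 10.60.0.0 255.255.0.0
class-map SCTP_CLASS
 match access-list SCTP_PEERS
access-list M3UA_PEERS extended permit ip host 10.70.0.1 host 10.70.0.2
class-map M3UA_CLASS
 match access-list M3UA_PEERS
class-map LISP_CLASS
 match port udp eq 4341
!
policy-map global_policy
 class inspection_default
  ! STUN on the default inspection class watches TCP/UDP 3478 (IPv4 only)
  inspect stun
 class MAIL_CLASS
  ! CSC SSM scanning; fail-close blocks the class if the module fails
  csc fail-close
 class OUTBOUND_WEB_CLASS
  ! Cloud web security; fail-close stops web traffic when no tower answers
  inspect scansafe SCANSAFE_MAP fail-close
 class DIAMETER_CLASS
  ! Diameter, with TLS-protected exchanges decrypted through the TLS proxy
  inspect diameter DIAMETER_MAP tls-proxy DIA_PROXY
 class SCTP_CLASS
  inspect sctp SCTP_MAP
 class M3UA_CLASS
  inspect m3ua M3UA_MAP
 class LISP_CLASS
  inspect lisp LISP_MAP
  ! Flow mobility in a cluster follows LISP EID moves
  cluster flow-mobility lisp
 class class-default
  ! Identity-firewall counters (sent/received packets, sent drops) per user
  user-statistics accounting
!
service-policy global_policy global
```

For each of the fail-open/fail-close services (CSC, ScanSafe) the same trade-off applies as for the IPS, CX and FirePOWER modules: fail-close turns a service outage into an availability outage, fail-open turns it into an unscanned window, and `show service-policy` is where to confirm which classes are actually matching traffic.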
Enable NetFlow for this traffic |
Enables or disables the use of NetFlow for this traffic flow. When this box is checked, the NetFlow options become available. |
Collectors |
Specify the collectors that should be used when sending NetFlow events of a specific event type: Note Only use collectors that have been configured on the NetFlow page at Platform > Logging > NetFlow.
- Flow Create Event
- Flow Deny Event
- Flow Tear Event
- All Event Types
Note Cisco Security Manager does not allow duplicate netflow collectors for ASA 9.6(4) to 9.7.0, and 9.8(2) and above devices. Ensure that you remove the duplicate collectors. |
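The collector mapping above corresponds to the following ASA CLI, shown here as an added example that is not from the original page. The collector addresses, port, interface name and template timeout are assumptions; note that each collector is defined exactly once, matching the no-duplicate rule Security Manager enforces.

```text
! Collector definitions (Platform > Logging > NetFlow in Security Manager)
flow-export destination inside 10.1.1.50 2055
flow-export destination inside 10.1.1.51 2055
flow-export template timeout-rate 30
! Suppress the syslog messages that duplicate NetFlow events once the
! collector is authoritative for connection logging
logging flow-export-syslogs disable
!
policy-map global_policy
 class class-default
  ! Flow Create and Flow Tear(down) events to the primary collector,
  ! Flow Deny events to the collector the SOC watches for blocked traffic
  flow-export event-type flow-create destination 10.1.1.50
  flow-export event-type flow-teardown destination 10.1.1.50
  flow-export event-type flow-denied destination 10.1.1.51
!
service-policy global_policy global
```

`show flow-export counters` shows packets sent and errors per destination, which is the first thing to check when a collector reports no data; `show running-config flow-export` confirms that a collector the wizard references has actually been defined.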