Feature Matching Guidelines Within A Policy Map; Feature Matching Guidelines For Multiple Policy Maps - Cisco PIX 500 Series Configuration Manual

Security appliance command line
Chapter 21
Using Modular Policy Framework
Defining Actions Using a Layer 3/4 Policy Map

For features that are applied unidirectionally, for example QoS priority queue, only traffic that exits the interface to which you apply the policy map is affected. See Table 21-2 for the directionality of each feature.

Table 21-2  Feature Directionality

Feature                                           Single Interface Direction   Global Direction
TCP normalization, TCP and UDP connection
limits and timeouts, and TCP sequence number
randomization                                     Bidirectional                Ingress
CSC                                               Bidirectional                Ingress
Application inspection                            Bidirectional                Ingress
IPS                                               Bidirectional                Ingress
QoS input policing                                Ingress                      Ingress
QoS output policing                               Egress                       Egress
QoS priority queue                                Egress                       Egress

Feature Matching Guidelines within a Policy Map

See the following guidelines for how a packet matches class maps in a policy map:

1. A packet can match only one class map in the policy map for each feature type.
2. When the packet matches a class map for a feature type, the security appliance does not attempt to match it to any subsequent class maps for that feature type.
3. If the packet matches a subsequent class map for a different feature type, however, then the security appliance also applies the actions for the subsequent class map.

For example, if a packet matches a class map for connection limits, and also matches a class map for application inspection, then both class map actions are applied.

If a packet matches a class map for application inspection, but also matches another class map that includes application inspection, then the second class map actions are not applied.

Feature Matching Guidelines for Multiple Policy Maps

For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), Modular Policy Framework operates on traffic flows, and not just individual packets. If traffic is part of an existing connection that matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a policy on another interface; only the first policy is used.

For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected on the egress of the outside interface. Similarly, the return traffic for that connection will not be inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.

For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP inspection, returning traffic can match a different policy map on the returning interface. For example, if you configure IPS inspection on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound, but will match virtual sensor 2 inbound.

Cisco Security Appliance Command Line Configuration Guide    OL-12172-03    21-15
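The two guideline sets on this page, the first-match-per-feature-type rule within a policy map and the first-policy-wins rule across interfaces for flow-based traffic, worked through as an added example that is not part of the Cisco guide. The Python model below parses a small configuration written in the style of the `class-map`/`policy-map` CLI this chapter documents (the class-map and policy-map names, ports and actions are constructed for the illustration) and evaluates which actions a packet receives. The feature-type names, the (protocol, port) packet tuple and the assumption that the ingress interface's policy is evaluated before the egress interface's policy are this model's own, not something the guide states.

```python
# Added example, not Cisco code: a model of how Modular Policy Framework matches a
# packet against class maps, written to the guidelines on this page.  Feature-type
# names, the (protocol, port) packet tuple and the interface order are assumptions.
import re

# Constructed configuration in the style of the CLI this chapter documents.
CONFIG = """
class-map conn_limit
 match port tcp eq 80
class-map http_inspect
 match port tcp eq 80
class-map all_tcp
 match port tcp range 1 65535
policy-map inside_policy
 class conn_limit
  set connection conn-max 1000
 class http_inspect
  inspect http
 class all_tcp
  inspect http
  set connection conn-max 500
policy-map outside_policy
 class all_tcp
  inspect http
"""

# Action keyword -> feature type (assumed grouping, following the rows of Table 21-2).
FEATURE_OF_ACTION = {"set connection": "connection_limits", "inspect": "application_inspection",
                     "ips": "ips", "police": "qos_policing", "priority": "qos_priority_queue"}

def feature_of(action):
    for keyword, feature in FEATURE_OF_ACTION.items():
        if action.startswith(keyword):
            return feature
    raise ValueError("unknown action in model: " + action)

def parse_config(text):
    """Return ({class_map: (proto, low_port, high_port)}, {policy_map: [(class_map, [actions])]})."""
    class_maps, policy_maps, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("class-map "):
            current = ("class", line.split()[1])
        elif line.startswith("policy-map "):
            current = ("policy", line.split()[1])
            policy_maps[current[1]] = []
        elif current and current[0] == "class":
            m = re.fullmatch(r"match port (tcp|udp) (?:eq (\d+)|range (\d+) (\d+))", line)
            if not m:
                raise ValueError("unsupported match line in model: " + line)
            proto, eq, low, high = m.groups()
            class_maps[current[1]] = (proto,) + ((int(eq), int(eq)) if eq else (int(low), int(high)))
        elif current and current[0] == "policy" and line.startswith("class "):
            policy_maps[current[1]].append((line.split()[1], []))   # class referenced in policy
        elif current and current[0] == "policy":
            policy_maps[current[1]][-1][1].append(line)             # action under the last class
    return class_maps, policy_maps

def class_matches(class_map, packet):
    proto, low, high = class_map
    return packet[0] == proto and low <= packet[1] <= high

def apply_policy(policy, class_maps, packet, skip_features=frozenset()):
    """Actions one policy map applies to `packet`, walking class maps in configuration
    order: the first class map matched for a feature type wins; a later class map with
    that feature type is skipped, but its actions of other feature types still apply.
    `skip_features` are feature types this flow already matched on another interface."""
    applied, matched = [], set()
    for class_name, actions in policy:
        if not class_matches(class_maps[class_name], packet):
            continue
        new = set()
        for action in actions:
            feature = feature_of(action)
            if feature in matched or feature in skip_features:
                continue
            applied.append((class_name, action))
            new.add(feature)
        matched |= new
    return applied, matched

def apply_flow(policy_maps, class_maps, packet, interface_policies):
    """For TCP/UDP (flow-based) traffic, walk the policies on the interfaces the flow
    traverses, ingress first: only the first policy to match a feature type is used."""
    seen, result = set(), {}
    for interface, policy_name in interface_policies:
        applied, matched = apply_policy(policy_maps[policy_name], class_maps, packet, seen)
        result[interface] = applied
        seen |= matched
    return result

def demo(packet=("tcp", 80)):
    class_maps, policy_maps = parse_config(CONFIG)
    return apply_flow(policy_maps, class_maps, packet,
                      [("inside", "inside_policy"), ("outside", "outside_policy")])
```

Calling `demo()` for a TCP port 80 packet reproduces both of the guide's examples: on the inside interface `conn_limit` (connection limits) and `http_inspect` (application inspection) both apply because they are different feature types, while `all_tcp`'s `inspect http` and `set connection` are skipped because each feature type was already matched by an earlier class map; on the outside interface nothing applies, because the flow already matched application inspection on the inside interface. For a TCP port 22 packet only `all_tcp` matches on the inside, and the outside policy again applies nothing to that flow.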
This manual is also suitable for: ASA 5500 series