Defining Actions Using A Layer 3/4 Policy Map - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 21
Using Modular Policy Framework

Defining Actions Using a Layer 3/4 Policy Map

This section describes how to associate actions with Layer 3/4 class maps by creating a Layer 3/4 policy map. This section includes the following topics:

• Layer 3/4 Policy Map Overview, page 21-13
• Default Layer 3/4 Policy Map, page 21-14
• Adding a Layer 3/4 Policy Map, page 21-15

Layer 3/4 Policy Map Overview

You can identify multiple Layer 3/4 class maps in a Layer 3/4 policy map, and you can assign multiple actions from one or more feature types to each class map. Feature types include the following:

• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
• CSC
• Application inspection
• IPS
• QoS input policing
• QoS output policing
• QoS priority queue

A packet can match only one class map in the policy map for each feature type. When the packet matches a class map for a feature type, the security appliance does not attempt to match it to any subsequent class maps for that feature type. If the packet matches a subsequent class map for a different feature type, however, then the security appliance also applies the actions for the subsequent class map. For example, if a packet matches a class map for connection limits, and also matches a class map for application inspection, then both class map actions are applied. If a packet matches a class map for application inspection, but also matches another class map for application inspection, then the second class map actions are not applied.

Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.

Note: When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
21-13
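The matching rules above, shown as an added ASA configuration example that is not taken from the guide: two class maps for the same HTTP traffic carry actions from two different feature types (connection limits and application inspection), so a port-80 packet receives both, while a third class map that repeats the inspection feature type is never reached for that packet. The class map and policy map names, the interface name "outside" and the limit values are assumptions chosen for illustration.

```cisco
! Added example; names, interface and limit values are assumptions.
!
! Class for the connection-limit feature type: all TCP port 80 traffic
class-map web_limits
  match port tcp eq 80
!
! Class for the application-inspection feature type: the same traffic,
! identified through an access list
access-list web_acl extended permit tcp any any eq 80
class-map web_inspect
  match access-list web_acl
!
! A second class for the application-inspection feature type that also
! matches port 80. A packet can match only one class per feature type,
! so port-80 packets never reach this class once web_inspect matched.
class-map web_inspect_shadowed
  match port tcp eq 80
!
policy-map outside_policy
  ! Feature type 1 (connection limits): applied to port-80 packets
  class web_limits
    set connection conn-max 500 embryonic-conn-max 100
  ! Feature type 2 (application inspection): also applied, because it is
  ! a different feature type from the connection limits above
  class web_inspect
    inspect http
  ! Same feature type as web_inspect, so this action is skipped for
  ! packets that already matched web_inspect
  class web_inspect_shadowed
    inspect http
!
! Applied to a single interface: bidirectional features such as inspection
! act on traffic that enters or exits "outside" and matches the class.
service-policy outside_policy interface outside
!
! Applied globally instead: per the Note above, every feature then acts
! only on the ingress of each interface, so a separate egress direction
! is not needed.
policy-map global_policy
  class web_inspect
    inspect http
service-policy global_policy global
```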