Order In Which Multiple Feature Actions Are Applied; Incompatibility Of Certain Feature Actions - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
About Service Policies
•
•
Order in Which Multiple Feature Actions are Applied
The order in which different types of actions in a policy map are performed is independent of the order
in which the actions appear in the policy map.
Actions are performed in the following order:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Note
NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list might not
include all incompatibilities; for information about compatibility of each feature, see the chapter or
section for the feature:
•
Cisco ASA Series Firewall CLI Configuration Guide
11-6
If a packet matches a class map for HTTP inspection, but also matches another class map that
includes FTP inspection, then the second class map actions are not applied because HTTP and FTP
inspections cannot be combined.
If a packet matches a class map for HTTP inspection, but also matches another class map that
includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined
with any other type of inspection.
QoS input policing
TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number
randomization, and TCP state bypass.
When a the ASA performs a proxy service (such as AAA or CSC) or it modifies the TCP
Note
payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied
before and after the proxy or payload modifying service.
ASA CSC
Application inspections that can be combined with other inspections:
IPv6
a.
IP options
b.
WAAS
c.
Application inspections that cannot be combined with other inspections. See
Certain Feature Actions, page 11-6
ASA IPS
ASA CX
ASA FirePOWER (ASA SFR)
QoS output policing
QoS standard priority queue
You cannot configure QoS priority queuing and QoS policing for the same set of traffic.
Chapter 11
Service Policy Using the Modular Policy Framework
for more information.
Incompatibility of
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
