Configuring a Layer 7 FTP Command Inspection Policy
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
This section describes how to create a Layer 7 class map and policy map that allows the ACE to perform FTP command inspection, which is a security feature that prevents web browsers from sending embedded commands to the ACE in FTP requests. The ACE must acknowledge each FTP command before allowing a new command. FTP inspection allows traffic by default and restricts traffic that fails the security checks. Command filtering allows you to restrict specific commands through the ACE. When the ACE denies a command, it closes the connection.
Note: You can associate a maximum of 1024 instances of the same type of regular expression (regex) with a Layer 4 policy map. This limit applies to all Layer 7 policy-map types, including generic, HTTP, RADIUS, RDP, RTSP, and SIP. You configure regexes in the following:
• Match statements in Layer 7 class maps
• Inline match statements in Layer 7 policy maps
• Layer 7 hash predictors for server farms
• Layer 7 sticky expressions in sticky groups
• Header insertion and rewrite (including SSL URL rewrite) expressions in Layer 7 action lists
This section contains the following topics:
• Configuring an FTP Inspection Class Map
• Configuring a Layer 7 FTP Command Inspection Policy Map
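The following is an added illustration, not configuration taken from this guide, of how the class map and policy map described in the two topics above fit together on the ACE: a Layer 7 FTP inspection class map that matches the commands an administrator wants to block, a Layer 7 inspection policy map that denies them (closing the connection, as described above), and the Layer 4 policy map that activates strict FTP inspection with that policy. The class-map, policy-map, and interface names are assumed placeholders, and the Layer 4 class map and interface are assumed to already exist.

```text
! Layer 7 FTP inspection class map (assumed name FTP_BLOCK_CLASS).
! Matches any of the listed FTP request methods; the keywords follow the
! match request-method syntax used by the FTP inspection class map.
class-map type ftp inspect match-any FTP_BLOCK_CLASS
  2 match request-method dele
  3 match request-method rmd
  4 match request-method rnto
  5 match request-method site

! Layer 7 FTP command inspection policy map (assumed name FTP_INSPECT_POLICY).
! Traffic matching the class is denied; the ACE closes that connection.
! All other commands pass, which is the inspection default described above.
policy-map type inspect ftp first-match FTP_INSPECT_POLICY
  class FTP_BLOCK_CLASS
    deny

! Layer 4 policy map (assumed name L4_FTP_POLICY) that activates strict FTP
! inspection and applies the Layer 7 policy to matching flows.
! FTP_L4_CLASS is an assumed Layer 4 class map matching TCP port 21 traffic.
policy-map multi-match L4_FTP_POLICY
  class FTP_L4_CLASS
    inspect ftp strict policy FTP_INSPECT_POLICY

! Apply the Layer 4 policy to the interface (assumed VLAN 100).
interface vlan 100
  service-policy input L4_FTP_POLICY
```

Verify the result with show commands for the service policy and the FTP inspection statistics on the interface, and check that legitimate transfers still succeed before relying on the deny list in production.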
Chapter 3 Configuring Application Protocol Inspection (OL-16202-01)