Specifying the Layer 7 FTP Command Inspection Policy Actions - Cisco 4700M Configuration Manual

Application control engine appliance security

Chapter 3
Configuring Application Protocol Inspection

Specifying the Layer 7 FTP Command Inspection Policy Actions

OL-16202-01
To remove a class map from a Layer 7 policy map, enter:
host1/Admin(config-pmap-ftp-ins)# no class FTP_INSPECT_L7CLASS
By default, the ACE allows all FTP commands to pass. To explicitly deny specific
FTP commands, use one of the following commands as the action if the specified
FTP traffic matches the classification. You apply the specified action against the
single inline match command or the specified class map.
{deny | mask-reply}
The keywords are as follows:
deny—Denies the FTP request commands that match the single inline match
command or the specified class map by resetting the FTP session.
mask-reply—Applies only to the FTP SYST command and its associated
reply. The SYST command is used to find out the type of operating system at
the FTP server. The mask-reply keyword instructs the ACE to mask the
system's reply to the FTP SYST command by filtering sensitive information
from the command output.
For example, to specify the actions in the Layer 7 FTP inspection policy map,
enter:
host1/Admin(config)# policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
host1/Admin(config-pmap-ftp-ins)# class FTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ftp-ins-c)# mask-reply
To disable an action from the Layer 7 FTP inspection policy map, enter:
host1/Admin(config-pmap-ftp-ins-c)# no mask-reply
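A check that follows from the default described above, as an added example that is not part of the Cisco guide: because the ACE passes every FTP command unless a class carries deny or mask-reply, this Python script audits a saved configuration for FTP inspection policy maps whose classes have no action or that never apply mask-reply. The sample configuration is constructed, it assumes show running-config style indentation, and every name other than FTP_INSPECT_L7POLICY and FTP_INSPECT_L7CLASS is hypothetical.

```python
import re

# Constructed running-config excerpt, not from a real device. Assumption: block
# contents are indented as in "show running-config" output; names are made up.
SAMPLE_CONFIG = """\
policy-map type inspect ftp first-match FTP_INSPECT_L7POLICY
  class FTP_INSPECT_L7CLASS
    mask-reply
  class FTP_WRITE_L7CLASS
    deny
  class FTP_UNFINISHED_L7CLASS
policy-map type inspect ftp first-match FTP_EMPTY_L7POLICY
interface vlan 50
"""

POLICY_RE = re.compile(r"^policy-map type inspect ftp first-match (\S+)$")
CLASS_RE = re.compile(r"^class (\S+)$")
ACTIONS = {"deny", "mask-reply"}

def parse_ftp_policies(config):
    """Return {policy: [(class_name, [actions]), ...]} in configured order."""
    policies, current, actions = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # top-level line opens or closes a block
            m = POLICY_RE.match(line)
            current, actions = (policies.setdefault(m.group(1), []) if m else None), None
        elif current is not None:
            m = CLASS_RE.match(line)
            if m:
                actions = []
                current.append((m.group(1), actions))
            elif line in ACTIONS and actions is not None:
                actions.append(line)
    return policies

def audit(config):
    """Flag classes and policies that leave the default (pass everything) in effect."""
    findings = []
    for policy, classes in parse_ftp_policies(config).items():
        if not classes:
            findings.append(f"{policy}: no classes, all FTP commands pass")
        for name, acts in classes:
            if not acts:
                findings.append(f"{policy}/{name}: no action, matched commands pass")
        if not any("mask-reply" in acts for _, acts in classes):
            findings.append(f"{policy}: mask-reply absent, SYST reply is not masked")
    return findings
```

Calling audit(SAMPLE_CONFIG) returns three findings: the class with no action, the policy map with no classes, and that same policy map's missing mask-reply.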
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Configuring a Layer 7 FTP Command Inspection Policy