Policy - Cisco 4700M Configuration Manual

Chapter 3 Configuring Application Protocol Inspection
Associating a Layer 7 HTTP Inspection Traffic Class with the Traffic Policy
OL-16202-01
match strict-http—Enforces that the internal compliance checks verify that
•
a message is compliant with the HTTP RFC standard, RFC 2616. If the HTTP
message is not compliant, the ACE performs one of the specified Layer 7
policy map actions: permit or reset.
For example, to add an inline match command to a Layer 7 HTTP deep inspection
policy map, enter:
host/Admin(config-pmap-ins-http)# match L7httpinspect port-misuse p2p
You can associate a traffic class created with the class-map command to associate
network traffic with the traffic policy by using the class command.
The syntax of this command is as follows:
class map_name
The map_name argument is the name of a previously defined traffic class,
configured with the class-map command, to associate traffic to the traffic policy.
Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric
characters.
The CLI displays the policy map class configuration mode.
For example, to specify an existing class map in the Layer 7 policy map, enter:
host1/Admin(config-pmap-ins-http)# class HTTP_INSPECT_L7CLASS
host1/Admin(config-pmap-ins-http-c)#
To remove a class map from a Layer 7 policy map, enter:
host1/Admin(config-pmap-ins-http)# no class HTTP_INSPECT_L7CLASS
To manually insert a class map ahead of a previously specified class map, use the
insert-before command. The ACE does not save sequence reordering through the
insert-before command as part of the configuration.
The syntax of this command is as follows:
class map_name1 insert-before map_name2
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Configuring a Layer 7 HTTP Deep Inspection Policy
3-67