56-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
About Service Policy Rules
ASA CX redirection (see About the ASA CX, page 56-15)
User statistics for identity-based firewall policies
The configuration options for these features are presented on two pages in Security Manager—Priority
Queues and IPS, QoS and Connection Rules—accessed by navigating to Platform > Service Policy
Rules.
Priority Queuing
Priority queuing establishes two queues on an interface, a Low Latency Queuing (LLQ) priority queue
and a “best effort” queue. This lets you prioritize latency-sensitive traffic like voice and video, so it is
transmitted ahead of other traffic. Packets in the priority queue are always transmitted before packets in
the best effort queue.
Because queues are not of infinite size, they can fill and overflow. When a queue is full, additional
packets cannot get into the queue and are dropped. This is called “tail drop.” To minimize tail drop, you
can increase the queue buffer size. You can also fine-tune the maximum number of packets allowed into
the transmit queue. These options let you control the latency and robustness of priority queuing.
Priority queuing is a Quality of Service (QoS) feature. In Security Manager, priority queue size and
transmit queue size are managed on the Priority Queues Page, page 56-4, while establishment of priority
queuing for a traffic class is an option on the QoS tab of the Service Policy (MPC) Rule Wizard, which
is accessed from the IPS, QoS, and Connection Rules Page, page 56-5.
Application Inspection and QoS
Some applications require special handling by the security appliance, and specific application inspection
engines are provided for this purpose. In particular, applications that embed IP addressing information
in the user data packet, or that open secondary channels on dynamically assigned ports, require special
inspection.
Application inspection is enabled by default for many protocols and disabled for others. In many
cases, you can change the port on which the application inspection engine monitors for traffic.
Application inspection engines work with network address translation (NAT) to help identify the
location of embedded addressing information. This allows NAT to translate these embedded addresses,
and to update any checksum or other fields that are affected by the translation.
Service policy rules define how specific types of application inspection are applied to different types of
traffic processed by the security appliance. You can apply rules to specific interfaces, or globally to every
interface.
These rules provide a means to configure security appliance features in a manner similar to the Cisco
IOS software quality-of-service (QoS) CLI. For example, with service policy rules you can include IP
Precedence as one of the criteria to identify traffic for rate-limiting. You can also create a timeout
configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP
applications.
Traffic match criteria are used to define the types of traffic to which you want to apply application
inspection. For example, TCP traffic on port 23 might be classified as the Telnet traffic class. You then
might use the traffic class to apply connection limits.
Multiple traffic match criteria can be assigned to a single interface, but a packet matches only the first
criterion within a given service policy rule.
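The ASA CLI that Security Manager generates for these features, shown here as an added example rather than text from the guide: a priority queue with an enlarged buffer on the outside interface, a Telnet traffic class (TCP port 23) with connection limits and a Telnet-specific idle timeout, a voice class placed in the LLQ, a rate limit keyed on IP Precedence, and an FTP inspection engine moved to a non-standard port. Interface name, port numbers, limits and class names are assumed for illustration.

```text
! Priority queuing (Priority Queues page): enlarge the queue buffer to
! reduce tail drop and bound the transmit-ring depth on the interface
priority-queue outside
 queue-limit 2048
 tx-ring-limit 256
!
! Traffic match criteria: each class-map defines one traffic class
class-map voice-class
 match dscp ef
class-map telnet-class
 match port tcp eq 23
class-map precedence5-class
 match precedence 5
class-map ftp-alt-port
 match port tcp eq 2121
!
! Interface policy (IPS, QoS and Connection Rules page): classes are
! evaluated in order and a packet takes the first class it matches,
! so the latency-sensitive voice class is listed first
policy-map outside-policy
 class voice-class
  priority
 class telnet-class
  set connection conn-max 100 embryonic-conn-max 50
  set connection timeout idle 0:10:00
 class precedence5-class
  police output 1000000 2000
service-policy outside-policy interface outside
!
! Global policy: run the FTP inspection engine on TCP/2121 instead of
! the default port, applied to every interface
policy-map global_policy
 class ftp-alt-port
  inspect ftp
service-policy global_policy global
```

The priority action only takes effect on an interface where priority-queue is enabled, which is why the priority-queue block and the interface service policy refer to the same interface.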