Cisco Systems CL-28826-01 Security Camera User Manual

56-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
Table 56-3 Insert/Edit Service Policy (MPC) Rule Wizard—Step 3. Configure the actions.

Element / Description

IPS, QoS, and Connection Rules Page

Randomize TCP Sequence Number
    Enables the Randomize Sequence Number feature. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers (ISNs): one generated by the client and one generated by the server. The security appliance randomizes the ISN that is generated by the host/server on the higher-security interface. At least one ISN must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session. Not applicable if TCP State Bypass is enabled.

Enable TCP State Bypass
    Enables TCP state bypass for this traffic flow. This allows specific traffic flows in asymmetric routing environments, where the outbound and inbound flows for a connection do not pass through the same device. Applicable to FWSM 3.2+ and ASA 8.2+ only. See About TCP State Bypass, page 56-3 for more information.

Enable Decrement TTL
    Select this option to turn on decrementing of the time-to-live (TTL) value in packets passed by the security appliance. Applicable to PIX/ASA 7.2.2+ only.

QoS tab

Enable QoS For This Traffic
    Enables Quality of Service (QoS) options for this traffic flow. When selected, the Enable Priority For This Flow and the Traffic Policing options become active.

    Note: The options on this tab are applicable to PIX/ASA 7.0+ devices only.

Enable Priority For This Flow
    Enables strict scheduling priority for this flow. The priority queues must be defined on the Priority Queues Page, page 56-4.

Traffic Policing
    Enables output and input traffic policing. Traffic policing lets you control the maximum rate of traffic transmitted or received on an interface.

Output (Traffic Policing)
    Enables policing of traffic flowing out of the device. If you enable policing, you can specify the following values:

    Committed Rate – The rate limit for this traffic flow; this is a value in the range 8,000 to 2,000,000,000, specifying the maximum speed (bits per second) allowed.

    Burst Rate – A value in the range 1,000 to 512,000,000 that specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.

    Conform Action – The action to take when the rate is less than the conform-burst value. Choices are Transmit or Drop.

    Exceed Action – Take this action when the rate is between the conform-rate value and the conform-burst value. Choices are Transmit or Drop.
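The Output Traffic Policing settings (Committed Rate, Burst Rate, Conform Action, Exceed Action) behave like a single-rate token-bucket policer. The Python model below is an added example, not Cisco code and not the ASA's actual implementation; it assumes the bucket refills at the committed rate (converted to bytes per second), holds at most Burst Rate bytes, applies the conform action when a packet fits in the bucket and the exceed action otherwise, and rejects values outside the ranges the table gives.

```python
# Added example (not Cisco code): single-rate token-bucket model of the
# Output Traffic Policing options; the ASA's internal policer may differ.
from dataclasses import dataclass, field

COMMITTED_RATE_BPS = (8_000, 2_000_000_000)  # Committed Rate range (bits/s)
BURST_BYTES = (1_000, 512_000_000)           # Burst Rate range (bytes)
ACTIONS = ("transmit", "drop")               # Conform/Exceed Action choices

def validate(committed_rate_bps: int, burst_bytes: int) -> list:
    """Return the range violations for the two values (empty list if none)."""
    problems = []
    if not COMMITTED_RATE_BPS[0] <= committed_rate_bps <= COMMITTED_RATE_BPS[1]:
        problems.append("committed rate must be 8,000 to 2,000,000,000 bps")
    if not BURST_BYTES[0] <= burst_bytes <= BURST_BYTES[1]:
        problems.append("burst must be 1,000 to 512,000,000 bytes")
    return problems

@dataclass
class Policer:
    committed_rate_bps: int
    burst_bytes: int
    conform_action: str = "transmit"
    exceed_action: str = "drop"
    tokens: float = field(init=False)          # bytes the flow may still burst
    last_time: float = field(init=False, default=0.0)

    def __post_init__(self):
        problems = validate(self.committed_rate_bps, self.burst_bytes)
        if problems or {self.conform_action, self.exceed_action} - set(ACTIONS):
            raise ValueError(problems or "actions must be transmit or drop")
        self.tokens = float(self.burst_bytes)  # bucket starts full

    def police(self, packet_bytes: int, now: float) -> str:
        """Return the action for one packet sent at time `now` (seconds)."""
        elapsed = max(0.0, now - self.last_time)
        self.last_time = now
        # Refill at the committed rate (bits/s -> bytes/s), capped at the burst.
        self.tokens = min(self.burst_bytes,
                          self.tokens + elapsed * self.committed_rate_bps / 8)
        if packet_bytes <= self.tokens:       # within conform-burst: conform
            self.tokens -= packet_bytes
            return self.conform_action
        return self.exceed_action             # exceeded: bucket left untouched

def police_trace(policer: Policer, trace) -> dict:
    """Run (time, size) packets through the policer and count each action."""
    counts = {a: 0 for a in ACTIONS}
    for t, size in trace:
        counts[policer.police(size, t)] += 1
    return counts
```

With Committed Rate 8,000 bps (1,000 bytes/s) and a 1,000-byte burst, a constructed trace of five 500-byte packets, three at t=0 and two at t=0.5 s, yields three transmit and two drop decisions.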