Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 6 Managing Policy Objects
Understanding Map Objects
Class Maps
Class maps are subordinate to policy maps. You cannot specify a class map directly in a device policy.
Instead, you create a policy map to incorporate the class map. The class map itself defines the match
conditions for the traffic that you want to target in an inspection rule or zone-based firewall rule.
• ASA/PIX 7.2 and higher, and FWSM devices—You can create class maps for the inspection of DNS,
  FTP, HTTP, IM, and SIP traffic. You also have the option of defining the traffic match directly in the
  policy map object, but if you create separate class maps, you can reuse them in more than one policy
  map.
• IOS 12.4(6)T and higher devices—You can create class maps for the inspection of IM applications
  (AOL, ICQ, MSN Messenger, Windows Messenger, and Yahoo Messenger), P2P applications
  (eDonkey, FastTrack, Gnutella, Kazaa2), H.323, HTTP, IMAP, POP3, SIP, SMTP, and Sun RPC. You can
  also create class maps for filtering web content using the Local, N2H2, Trend, and Websense
  objects.
  Unlike the class maps used for ASA/PIX/FWSM, you must create separate class maps and refer to
  them from the related policy maps. You can use these policy maps in zone-based firewall inspection
  or content filtering rules. For more information, see these topics:
  – Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15
  – Configuring Content Filtering Maps for Zone-based Firewall Policies, page 21-35
To create class maps, see these topics:
• Configuring Class Maps for Inspection Policies, page 17-26
• Configuring Class Maps for Zone-Based Firewall Policies, page 21-17
To create the regular expressions and regular expression groups that you can use in class, parameter, and
policy maps, see these topics:
• Configuring Regular Expressions for Inspection Maps, page 17-86
• Configuring Regular Expression Groups, page 17-85
Parameter Maps
Parameter maps define settings that you can use in zone-based firewall inspection or content filtering
rules, or in other policy map objects.
• Inspection—You can create Inspection Parameter maps for general zone-based firewall rule
  parameters, or Protocol Info Parameter maps for use with IM application inspection.
• Content Filtering—You can create the following parameter maps to define web content filtering:
  Local, N2H2, Trend, URL Filter, URLF Glob, Websense.
Policy Maps
You can configure policy maps to alter the default actions of inspection or to configure web content
filtering in zone-based firewall settings policies. Policy maps typically apply to applications that require
special handling, perhaps due to embedded IP address information or the fact that the traffic opens
secondary channels on dynamically assigned ports.
The policy map identifies the action to take on traffic that matches the conditions identified in the map.
For most policy maps, you can specify traffic match conditions by referring to a class map. However,
some policy maps require that you specify the match criteria within the policy map.
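The following ASA CLI listing is an added example, not taken from the Cisco guide. It shows the relationships described above for ASA devices: a regular expression referenced by a class map, one class map reused by two inspection policy maps, and a match condition defined directly in a policy map. All object names (ADMIN_URI, HTTP_ADMIN_REQ, HTTP_STRICT, HTTP_MONITOR) are constructed for illustration, and the use of the default global_policy and inspection_default class is an assumption about the device configuration.

```text
! Constructed example: every object name below is hypothetical.
! Regular expression object that a class map can reference.
regex ADMIN_URI "/admin"
!
! Inspection class map: defines match conditions only, carries no action.
class-map type inspect http match-all HTTP_ADMIN_REQ
 match request uri regex ADMIN_URI
!
! First inspection policy map: refers to the class map and resets matching traffic.
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action drop-connection
 class HTTP_ADMIN_REQ
  reset log
!
! Second inspection policy map: reuses the same class map with a log-only action,
! and also defines a match condition directly in the policy map. The inline
! match cannot be reused by any other policy map.
policy-map type inspect http HTTP_MONITOR
 class HTTP_ADMIN_REQ
  log
 match request method trace
  drop-connection log
!
! The class map is never applied to the device directly. It takes effect only
! through a policy map that an inspection rule refers to.
policy-map global_policy
 class inspection_default
  inspect http HTTP_STRICT
```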
You can configure these types of policy maps: