Filter
Top Products
CHAPTER
12-1
User Guide for Cisco Security Manager 4.4
OL-28826-01
12
Introduction to Firewall Services
The Firewall policy folder (in either Device or Policy view) includes firewall-related policies that you
can deploy to the Adaptive Security Appliance (ASA), PIX Firewall (PIX), Catalyst Firewall Services
Module (FWSM), and security routers running Cisco IOS Software. These policies allow you to control
network access through a device.
This chapter contains the following topics:
• Overview of Firewall Services, page 12-1
• Managing Your Rules Tables, page 12-7
Overview of Firewall Services
The Firewall policy folder (in either Device or Policy view) includes firewall-related policies that you
can deploy to the Adaptive Security Appliance (ASA), PIX Firewall (PIX), Catalyst Firewall Services
Module (FWSM), and security routers running Cisco IOS Software, including Aggregation Services
Routers (ASR) and Integrated Services Routers (ISR).
These policies are focused on controlling access through the device, rather than access to the device (that
is, logging into the device so that you can change its configuration or use show commands). Following
is a general overview of the available firewall policies with pointers to topics that provide more detailed
information:
• AAA rules—These are AAA firewall or authentication proxy rules that can require a user to
authenticate (with a username and password) and optionally be authorized before the device allows
the user to make network connections through it. You can also create accounting rules to collect
billing, security, or resource allocation information. For more information, see Understanding AAA
Rules, page 15-1.
• Access rules—These are traditional interface-based extended access control rules. They permit or
deny a packet based on source address, destination address, source interface, and service, and you
can apply them in both the in and out directions. For more information, see Understanding Access
Rules, page 16-1.
• Inspection rules—These are traditional Context-Based Access Control (CBAC) inspection rules that
filter out bad TCP/UDP packets based on application-layer protocol session information and that
enable return traffic for the selected services. For more information, see Understanding Inspection
Rules, page 17-1.
• Web filter rules—These are a type of inspection rule that filters web traffic based on the requested
URL, allowing you to prevent connections to undesirable web sites. For more information, see
Understanding Web Filter Rules, page 18-1.