17-6
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Inspection Rules
Choosing the Interfaces for Inspection Rules, page 17-2
Selecting Which Protocols To Inspect, page 17-3
Understanding Access Rule Requirements for Inspection Rules, page 17-4
Using Inspection To Prevent Denial of Service (DoS) Attacks on IOS Devices, page 17-4
Configuring Protocols and Maps for Inspection, page 17-21
Understanding Map Objects, page 6-72
Before You Begin
You might have a set of inspection rules that you want to apply to all devices. To do this, you can create
a shared rule and inherit its rules to each device’s inspection rules policy. For more information, see
Creating a New Shared Policy, page 5-51 and Inheriting or Uninheriting Rules, page 5-43.
Step 1 Do one of the following to open the Inspection Rules Page, page 17-7:
• (Device view) Select Firewall > Inspection Rules from the Policy selector.
• (Policy view) Select Firewall > Inspection Rules from the Policy Type selector. Select an existing
policy or create a new one.
Step 2 Select the row after which you want to create the rule and click the Add Row button or right-click and
select Add Row. This opens the Add or Edit Inspect/Application FW Rule Wizard, page 17-10.
Tip If you do not select a row, the new rule is added at the end of the local scope. You can also select
an existing row and edit either the entire row or specific cells. For more information, see Editing
Rules, page 12-9.
Step 3 Select whether to apply the rule to all interfaces on the device or to only the interfaces you specify.
If you elect to specify interfaces, enter the interface name or interface role, or click Select to select it
from a list. For IOS devices, you can also select whether the rule applies in the Out direction (traffic
leaving the interface). Use the In direction for all other device types.
Step 4 Select the criteria you want to use for matching traffic. This determines what gets inspected based on
this rule.
• Default Protocol Ports—Select this option if the protocol you are inspecting uses the default ports
on your network.
If you want to constrain the inspection based on the source or destination address, also select Limit
inspection between source and destination IP addresses (available only for ASA, PIX 7.x+, and
FWSM 3.x+ devices). When you click Next, you are prompted for the source and destination
addresses. You can specify any for source or destination if you are interested only in configuring
the other value.
• Custom Destination Ports—Select this option if you want to associate additional non-default TCP
or UDP ports with a given protocol, for example, treating TCP traffic on destination port 8080 as
HTTP traffic. When you click Next, you are prompted for the port or port range.
• Destination Address and Port (IOS devices only)—Select this option if you want to associate
additional non-default TCP or UDP ports with a given protocol only when the traffic is going to
certain destinations, for example, if you want to treat TCP traffic on destination port 8080 as HTTP
only when the traffic is going to server 192.168.1.10. When you click Next, you are prompted for
the destination address and the port information.
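The following Python model is an added illustration of how the interface scope (Step 3), the direction, and the three matching options of Step 4 decide which inspection engine a flow receives; it is not code from the guide or from Cisco Security Manager. It assumes a small constructed default-port table, that rules are evaluated in table order with the first match winning, and that Custom Destination Ports extend a protocol's default ports rather than replace them. The validate_rule helper encodes the platform restrictions the guide states (Out direction and Destination Address and Port are IOS-only; source/destination limiting needs ASA, PIX 7.x+ or FWSM 3.x+).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample of default protocol ports (assumption: a real device carries
# a far larger table; these entries are enough to exercise the matching logic).
DEFAULT_PORTS = {
    ("tcp", 80): "http",
    ("tcp", 21): "ftp",
    ("tcp", 25): "smtp",
    ("udp", 53): "dns",
}


@dataclass
class Flow:
    interface: str
    direction: str      # "in" (entering the interface) or "out" (leaving it)
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class InspectRule:
    protocol: str                          # inspection engine to apply, e.g. "http"
    interfaces: Optional[set] = None       # None means "all interfaces on the device"
    direction: str = "in"
    match: str = "default"                 # "default", "custom_ports" or "dst_addr_port"
    ports: set = field(default_factory=set)
    src_net: str = "any"                   # source/destination limiting, match="default" only
    dst_net: str = "any"


def validate_rule(rule: InspectRule, device_type: str) -> list:
    """Return the platform restrictions from the guide that this rule violates."""
    problems = []
    if rule.direction == "out" and device_type != "ios":
        problems.append("Out direction is only selectable for IOS devices")
    if rule.match == "dst_addr_port" and device_type != "ios":
        problems.append("Destination Address and Port matching is IOS-only")
    if (rule.match == "default"
            and (rule.src_net, rule.dst_net) != ("any", "any")
            and device_type not in ("asa", "pix", "fwsm")):
        problems.append("source/destination limiting requires ASA, PIX 7.x+ or FWSM 3.x+")
    if rule.match in ("custom_ports", "dst_addr_port") and not rule.ports:
        problems.append("custom port matching needs at least one port")
    return problems


def _addr_in(net: str, addr: str) -> bool:
    # "any" is the wildcard the guide offers for source or destination.
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def rule_matches(rule: InspectRule, flow: Flow) -> bool:
    if rule.interfaces is not None and flow.interface not in rule.interfaces:
        return False
    if rule.direction != flow.direction:
        return False
    on_default_port = DEFAULT_PORTS.get((flow.proto, flow.dport)) == rule.protocol
    if rule.match == "default":
        return (on_default_port
                and _addr_in(rule.src_net, flow.src)
                and _addr_in(rule.dst_net, flow.dst))
    if rule.match == "custom_ports":
        # Assumption: "additional" ports extend the default ports, they do not replace them.
        return on_default_port or flow.dport in rule.ports
    if rule.match == "dst_addr_port":
        return flow.dport in rule.ports and _addr_in(rule.dst_net, flow.dst)
    raise ValueError(f"unknown match type {rule.match!r}")


def select_inspection(rules: list, flow: Flow) -> Optional[str]:
    """First matching rule in table order decides the engine (assumption: ordered table)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.protocol
    return None


# Constructed rule table mirroring the three matching options described in Step 4.
SAMPLE_RULES = [
    InspectRule("http", match="dst_addr_port", ports={8080}, dst_net="192.168.1.10"),
    InspectRule("ftp"),
    InspectRule("http", interfaces={"inside"}, src_net="10.0.0.0/8"),
]

if __name__ == "__main__":
    flow = Flow("inside", "in", "tcp", "10.1.1.1", "192.168.1.10", 8080)
    print(select_inspection(SAMPLE_RULES, flow))
    print(validate_rule(SAMPLE_RULES[0], "asa"))
```

Running the block shows the 8080 flow to 192.168.1.10 being handed to the HTTP engine while the same port to any other host is not inspected at all, which is exactly the gap an operator should check for when relying on the IOS-only destination-specific option; validate_rule flags that the same rule cannot be deployed to an ASA.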