Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Navigation Path
Go to the Add or Edit Inspect/Application FW Rule Wizard, Inspected Protocol Page, page 17-16, select
HTTP or IM in the protocols table, and click Configure.
Configuring Protocols and Maps for Inspection
When you configure inspection rules for a device, you select the protocols that you want to inspect. Some
of these protocols allow additional configuration for deep inspection. Deep inspection allows you to
specify additional requirements that packets must meet in order to traverse the device. For example, you
can drop HTTP connections where the content types of the request and response do not match. (For a full
list of inspectable protocols, click Add Row on the Inspection Rule page and click Next to view the
protocols list.)
What you can configure depends not only on the protocol but also on the device’s operating system and
version number. Typically, you can fine-tune inspection more on an ASA device than on
an IOS device. (If you are configuring an IOS device and you want greater control over inspection,
consider configuring zone-based firewall inspection; for more information, see Understanding the
Zone-based Firewall Rules, page 21-3.)
Some deep inspection configuration is done directly in the inspection rule. However, for some protocols,
you can configure the inspection rule to include a policy map that you create as an independent policy
object. (You need to configure policy maps only if you want something other than the default inspection
options.) You can configure these maps from the policy object selector dialog box while configuring the
policy, or from the Policy Object Manager window (select Manage > Policy Objects).
For protocols that use policy maps, you can select the desired policy map, which defines the match
conditions for the targeted traffic. For ASA, PIX, and FWSM devices, these policy maps might point to
class maps that define the match conditions. To create these policy maps in the Policy Object Manager,
select one of the maps listed in the following table in the Maps > Policy Maps > Inspect folder and
review the detailed usage information in the references mentioned. For information on creating class
maps, which are in the Maps > Class Maps > Inspect folder, see the references to the match criterion
dialog boxes and Configuring Class Maps for Inspection Policies, page 17-26.
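
The following ASA CLI sketch is an added example, not taken from the Security Manager guide. It shows the kind of device configuration that corresponds to an HTTP inspect policy map pointing to an inspect class map, using the content-type mismatch case mentioned above. The map names CM_HTTP_CT_MISMATCH and PM_HTTP_DEEP are hypothetical, and the use of the default global_policy and inspection_default class is an assumption.

```text
! Added example, constructed for illustration. Map names are hypothetical.
!
! Default inspection: HTTP is inspected with the built-in options only,
! so no policy map is needed.
policy-map global_policy
 class inspection_default
  inspect http
!
! Inspect class map (Maps > Class Maps > Inspect) holding the match
! condition: request and response content types do not match.
class-map type inspect http match-all CM_HTTP_CT_MISMATCH
 match req-resp content-type mismatch
!
! Inspect policy map (Maps > Policy Maps > Inspect) that points to the
! class map and sets the action for matching traffic.
policy-map type inspect http PM_HTTP_DEEP
 class CM_HTTP_CT_MISMATCH
  drop-connection log
!
! Deep inspection: the inspection rule now references the policy map.
! The existing inspect statement is removed before the new one is added.
policy-map global_policy
 class inspection_default
  no inspect http
  inspect http PM_HTTP_DEEP
!
service-policy global_policy global
```

After deployment, compare the device's running configuration against the policy map selected in the rule to confirm that the inspect statement references the map rather than the default options.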