Filter
Top Products
21-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules
might be applied to traffic that matches your Deny rule. (To preview the configuration, save your
changes and select Tools > Preview Configuration. For more information, see Previewing
Configurations, page 8-45.)
In general, you might use a Deny rule to exempt a specific IP address within a subnet from a
Permit rule you want to apply to the subnet in general; for example, exempting 10.100.10.1 from
a rule applying to 10.100.10.0/24. However, it is much easier to create a Permit rule for the
specific IP address and apply a desired Action, and ensure that the rule is listed above the
general rule in the zone-based rules table.
If you decide to use Deny rules, be sure to also read Troubleshooting Zone-based Rules and
Configurations, page 21-53.
• Action—The Action parameters define what happens to traffic that matches a Permit rule. These
parameters are ignored for Deny rules, except to determine to which class map the rule is added.
When you create a Permit rule, traffic that matches the Source, Destination, Services, and Protocol
fields is processed according to the Action you choose: drop the traffic (and optionally log it), pass
the traffic (and optionally log it), inspect the traffic, or apply content filtering (for Web traffic only).
When you inspect traffic for some protocols, or perform content filtering, you have the option of
specifying a policy map to use for deep inspection. The deep inspection policy map also specifies
actions based on the deeper characteristics of the traffic. This additional inspection applies to
packets that meet the requirements of the class map to which the assigned policy map refers. Packets
that do not match the deep inspection class map are allowed. Thus, deep inspection might reset TCP
connections if the policy map specifies that action.
The following table illustrates the relationship between Permit/Deny and the chosen Action in a
zone-based firewall rule. The table uses the TCP service as an example, but the general explanation
applies to the IP service as well. The result applies only to the From and To zones specified in the rule.
Table 21-1 Relationship Between Permit/Deny and Action in Zone-based Rules
Permit / Deny Service Rule Action Protocol Result
Permit TCP Pass (None) Pass all TCP traffic.
Deny TCP Pass (None) Skip the rule and evaluate the next class
map. Either a subsequent class map
with a Permit rule is applied, or the
class default rule is applied.
The Pass action is ignored.
Permit TCP Drop (None) Drop all TCP traffic.
Deny TCP Drop (None) Skip the rule and evaluate the next class
map. Either a subsequent class map
with a Permit rule is applied, or the
class default rule is applied.
The Drop action is ignored.
Permit TCP Pass DNS Only DNS traffic passes. Other TCP
traffic is handled by subsequent rules.
Permit TCP Drop DNS DNS traffic is dropped. Other TCP
traffic is handled by subsequent rules.