Filter
Top Products
21-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Understanding the Relationship Between Permit/Deny and Action in Zone-based Firewall Rules
Deny TCP Pass DNS Skip the rule for DNS traffic and
evaluate the next class map. Either a
subsequent class map with a Permit rule
is applied, or the class default rule is
applied.
The Pass action is ignored.
Deny TCP Drop DNS Skip the rule for DNS traffic and
evaluate the next class map. Either a
subsequent class map with a Permit rule
is applied, or the class default rule is
applied.
The Drop action is ignored.
Permit TCP Inspect HTTP Allow and inspect HTTP traffic. If you
specify a policy map for deep
inspection, the action from the policy
map is applied to any packets that match
deep inspection parameters (for
example, reset the connection for
protocol violations).
Deny TCP Inspect HTTP Skip the rule for HTTP traffic and
evaluate the next class map. Either a
subsequent class map with a Permit rule
is applied, or the class default rule is
applied.
The Inspect action is ignored.
Tip If subsequent rules, or the class
default, pass the traffic without
inspection, you need to create a
Permit/Pass rule in the other
direction (or an access rule) to
allow return traffic for the
HTTP connection. If your
intention is to prohibit HTTP
connections, create a
Permit/Drop rule instead of a
Deny/Inspect rule.
Table 21-1 Relationship Between Permit/Deny and Action in Zone-based Rules (Continued)
Permit / Deny Service Rule Action Protocol Result