Support User Manuals

Cisco Systems CL-28826-01 Security Camera User Manual

Open as PDF

of 2616

21-10

User Guide for Cisco Security Manager 4.4

OL-28826-01

Chapter 21 Managing Zone-based Firewall Rules

Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules

Understanding the Relationship Between Services and

Protocols in Zone-based Firewall Rules

When you create a zone-based firewall rule, there are two seemingly similar parameters which help

identify the characteristics of the target traffic: Services and Protocols. The entries in these fields can

provide very similar information, but it is used differently when constructing zone-based firewall

policies in the device configuration. This section describes the recommended uses of these fields.

• Services – The Services field is used to define traffic protocol(s) in an access control list (ACL)

entry. Along with the Sources and Destinations specified, this ACL entry is used by a class map to

define the traffic to which you want to apply a policy. However, unlike in standard access rules, the

Services information is not the primary means of identifying the traffic protocol. It is required only

because ACLs must have a service designation for each entry.

Permit TCP Content

Filter

HTTP Allow and inspect HTTP traffic, and

apply URL filtering maps to selectively

permit or deny Web connections based

on the Web sites requested.

If you specify a policy map for deep

inspection, the action from the policy

map is applied to any packets that match

deep inspection parameters (for

example, reset the connection for

protocol violations).

Thus, traffic can be dropped either

because the Web site is blacklisted, or

because the HTTP packets violate your

deep inspection rules.

Deny TCP Content

Filter

HTTP Skip the rule for HTTP traffic and

evaluate the next class map. Either a

subsequent class map with a Permit rule

is applied, or the class default rule is

applied.

The Content Filter action is ignored.

Tip This type of rule can exempt the

specified source/destination

from content filtering if no

subsequent class maps drop the

traffic or apply content filtering.

However, if you want to allow

HTTP connections for this

traffic, you must create a

Permit/Inspect rule for the

traffic.

Table 21-1 Relationship Between Permit/Deny and Action in Zone-based Rules (Continued)

Permit / Deny Service Rule Action Protocol Result

previous next