21-14
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Adding Zone-Based Firewall Rules
Drop – Matching traffic is silently dropped; no notification of the drop is sent to the originating host.
Drop and Log – Matching traffic is dropped and a syslog message generated; no notification of the drop is sent to the originating host.
Pass – Traffic is forwarded. This action is unidirectional; Pass allows traffic in only the specified direction.
Pass and Log – Traffic is forwarded and a syslog message generated.
Note The Pass actions do not track the state of connections or sessions within the traffic. Pass only allows the traffic in one direction. A corresponding rule must be defined to allow return traffic. The Pass actions are useful for protocols such as IPSec ESP, IPSec AH, ISAKMP, and other inherently secure protocols with predictable behavior. However, most application traffic is better handled in the zone-based firewall rules with the Inspect action.
Inspect – This option offers state-based traffic control: the device maintains connection or session information for TCP and UDP traffic, meaning return traffic in reply to connection requests is permitted.
Choose this option to apply packet inspection based on your selected Layer 4 (TCP, UDP) and Layer 7 (HTTP, IMAP, instant messaging, and peer-to-peer) protocols. You also can edit the Port Application Mapping (PAM) settings for the selected protocols, and you can set up deep packet inspection (DPI) and provide additional protocol-related information for the Layer 7 protocols.
Content Filter – Lets you configure HTTP content inspection (URL filtering) based on a WebFilter parameter map or a WebFilter policy map. This action is generally equivalent to a Web Filter rule; however, zone-based firewall rules support additional advanced options, such as HTTP deep packet inspection (DPI).
The router intercepts HTTP requests, performs protocol-related inspection, and optionally contacts a third-party server to determine whether the requests should be allowed or blocked. You can provide a WebFilter parameter map, which defines filtering based on local URL lists as well as information from an external SmartFilter (previously N2H2) or Websense server. Alternatively, you can provide a WebFilter policy map that accesses Local, N2H2, Websense, or Trend Micro filtering data.
b. For any Action except Content Filter, you can select and edit the specific traffic Protocol(s) to be considered:
Click Select next to the Protocol table to open the Protocol Selector Dialog Box, page 21-64. Select one or more protocols and click >> to move them to the Selected Protocol list. You can edit the Port Application Mapping (PAM) settings for the selected protocols; see Configure Protocol Dialog Box, page 21-65 for more information.
The Instant Messaging and Stun-ice protocols also allow selection of Protocol Info parameter maps. Further, when Inspect is the chosen Action, some protocols allow selection of deep-inspection policy maps.
See Configuring Inspection Maps for Zone-based Firewall Policies, page 21-15, and Configuring Protocol Info Parameter Maps, page 21-32 for more information.
Note It is not necessary to specify protocols for the Drop, Drop and Log, Pass, and Pass and Log actions. You can leave the Protocol table empty and pass or drop traffic based on the Sources, Destinations, and Services parameters.
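The following IOS zone-based firewall configuration is an added example, not text from this guide, showing what the rule actions described above amount to on the device: Pass is applied to ESP, AH, and ISAKMP in both zone-pair directions because it keeps no session state, while Inspect is applied to application traffic in one direction only and its replies are admitted from the session table. Zone names (inside, outside), class-map, policy-map, and ACL names are assumed; interface zone membership is omitted.

```ios
! Added example; zone, class-map, policy-map and ACL names are assumed.
! ESP and AH have no PAM protocol entry, so they are matched with an ACL;
! ISAKMP is matched by protocol name.
ip access-list extended IPSEC-ESP-AH
 permit esp any any
 permit ahp any any
!
class-map type inspect match-any VPN-PASS
 match access-group name IPSEC-ESP-AH
 match protocol isakmp
!
class-map type inspect match-any USER-APPS
 match protocol http
 match protocol tcp
 match protocol udp
!
! Inside-to-outside: Inspect records session state, so replies from the
! outside zone are allowed back without an outside-to-inside rule.
! Unmatched traffic is dropped and logged (the "Drop and Log" action).
policy-map type inspect IN-TO-OUT
 class type inspect VPN-PASS
  pass
 class type inspect USER-APPS
  inspect
 class class-default
  drop log
!
! Outside-to-inside: Pass is unidirectional, so the VPN protocols need a
! corresponding Pass here or the return ESP/AH/ISAKMP traffic is dropped.
policy-map type inspect OUT-TO-IN
 class type inspect VPN-PASS
  pass
 class class-default
  drop log
!
zone security inside
zone security outside
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-IN source outside destination inside
 service-policy type inspect OUT-TO-IN
```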