Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Configuring Inspection Maps for Zone-based Firewall Policies
Add or Edit DNS Server for Protocol Info Parameters Dialog Box
Use the Add or Edit DNS Server dialog box to identify DNS servers for which traffic will be permitted (and inspected) or denied. These servers are defined in a Protocol Info parameter map for use with the inspection of protocols that require them in a zone-based firewall policy.

You can identify a server using any of these types:

• Server Name—The name of the DNS server. You can use an asterisk (*) as a wildcard character to match one or more characters. For example, if you want to identify all DNS servers on the cisco.com domain, you can specify *.cisco.com.
• IP Address—The IP address of a single DNS server.
• IP Address Range—A range of IP addresses identifying any DNS server within the start and end addresses.

Navigation Path
From the Add or Edit Protocol Info Parameter Map dialog boxes, click the Add button beneath the server
table, or select a server and click the Edit button. See Configuring Protocol Info Parameter Maps,
page 21-32.
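
The three server types as they look in Cisco IOS CLI, shown as an added example that is not part of the original guide and is not output captured from Security Manager. The map and class names (IM-SERVERS, IM-TRAFFIC), the choice of the msnmsgr protocol, and the addresses (documentation range 192.0.2.0/24) are constructed; the wildcard name is the one used in the text above.

```ios
! Added example (hand-written, names and addresses are constructed).
! A Protocol Info parameter map holding one entry of each server type.
parameter-map type protocol-info IM-SERVERS
 ! Server Name, with the asterisk wildcard described in the text
 server name *.cisco.com
 ! IP Address: a single server
 server ip 192.0.2.10
 ! IP Address Range: start and end addresses
 server ip range 192.0.2.20 192.0.2.30
!
! The parameter map is referenced from a class map that matches a
! protocol requiring it, so only sessions to the listed servers match.
class-map type inspect match-any IM-TRAFFIC
 match protocol msnmsgr IM-SERVERS
```

When reviewing a deployed configuration, check that the range entry is no wider than intended and that a wildcard name does not cover more of a domain than the policy needs, since every listed server is one the class will match.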
Configuring Policy Maps for Zone-Based Firewall Policies
Use the Add and Edit Policy Map dialog boxes for zone-based firewall policies to define the match
criterion and values for an inspection map used in a zone-based firewall policy for a Cisco IOS router.
You can create policy inspection maps for H.323 (IOS), HTTP (Zone based IOS), IM (Zone based IOS),
IMAP, P2P, POP3, SIP (IOS), SMTP, and Sun RPC inspection, and the name of the dialog box indicates
the type of map you are creating.
When defining the inspection map, you select class maps of the same type and define the action to take
for matching traffic. You can configure the required class maps before creating the policy maps or while
you are creating them.
Navigation Path
Select Manage > Policy Objects, then any of the following items in the Maps > Policy Maps > Inspect
folder in the table of contents: H.323 (IOS), HTTP (Zone based IOS), IM (Zone based IOS), IMAP, P2P,
POP3, SIP (IOS), SMTP, and Sun RPC. Right-click inside the work area and select New Object, or
right-click a row and select Edit Object.
Table 21-10 Add or Edit Protocol Info Parameter Map Dialog Boxes (Continued)

| Element | Description |
|---|---|
| Category | The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12. |
| Allow Value Override per Device / Overrides / Edit button | Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17. If you allow device overrides, you can click the Edit button to create, edit, and view the overrides. The Overrides field indicates the number of devices that have overrides for this object. |