C H A P T E R
2-1
Cisco ASA Series Firewall CLI Configuration Guide
2
Special Actions for Application Inspections
(Inspection Policy Map)
Modular Policy Framework lets you configure special actions for many application inspections. When
you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as
defined in an
inspection policy map
. When the inspection policy map matches traffic within the Layer
3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted
upon as specified (for example, dropped or rate-limited).
•
Information About Inspection Policy Maps, page 2-1
•
Guidelines and Limitations, page 2-2
•
Default Inspection Policy Maps, page 2-3
•
Defining Actions in an Inspection Policy Map, page 2-4
•
Identifying Traffic in an Inspection Class Map, page 2-5
•
•
Feature History for Inspection Policy Maps, page 2-7
Information About Inspection Policy Maps
See
Configure Application Layer Protocol Inspection, page 6-9
for a list of applications that support
inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available
for an inspection policy map depends on the application.
•
Traffic matching command—You can define a traffic matching command directly in the inspection
policy map to match application traffic to criteria specific to the application, such as a URL string,
for which you then enable actions.
–
Some traffic matching commands can specify regular expressions to match text inside a packet.
Be sure to create and test the regular expressions before you configure the policy map, either
singly or grouped together in a regular expression class map.
•
Inspection class map—An inspection class map includes multiple traffic matching commands. You
then identify the class map in the policy map and enable actions for the class map as a whole. The
difference between creating a class map and defining the traffic match directly in the inspection
policy map is that you can create more complex match criteria and you can reuse class maps.
However, you cannot set different actions for different matches.
Note:
Not all inspections support
inspection class maps.
Содержание ASA 5512-X
Страница 5: ...P A R T 1 Service Policies and Access Control ...
Страница 6: ......
Страница 50: ...3 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 3 Access Rules History for Access Rules ...
Страница 51: ...P A R T 2 Network Address Translation ...
Страница 52: ......
Страница 126: ...5 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 5 NAT Examples and Reference DNS and NAT ...
Страница 127: ...P A R T 3 Application Inspection ...
Страница 128: ......
Страница 255: ...P A R T 4 Connection Settings and Quality of Service ...
Страница 256: ......
Страница 288: ...12 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 12 Quality of Service History for QoS ...
Страница 303: ...P A R T 5 Advanced Network Protection ...
Страница 304: ......
Страница 339: ...P A R T 6 ASA Modules ...
Страница 340: ......
Страница 398: ...17 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 ASA CX Module History for the ASA CX Module ...