
Modular Policy Framework (MPF)

Firewall software offers an adaptable and scalable Modular Policy Framework for configuring Security Appliance features in a manner similar to the Cisco IOS Software QoS CLI (also known as the Modular QoS CLI, or MQC). For traffic flows traversing the firewall, flow-based policies can be defined for any administratively chosen criteria and then applied to a set of security services, such as firewall policies, inspection engine policies, Quality of Service (QoS) policies, and VPN policies; specifying the policy per traffic flow gives more granular and flexible inspection control.

The Modular Policy Framework (MPF) is supported with these features:

Configuring MPF

To configure security features using the MPF, perform the following steps. The examples in each step configure the MPF to identify HTTP traffic and control the half-open (embryonic) TCP connection limit.

Step 1—Identifying Traffic Flow

A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic on port 80 is classified as an HTTP traffic class. Traffic flow is identified using a class-map command from the global configuration mode. Various match criteria using the match command can be included to define the traffic in the class-map. When the packet matches the specified criteria, it is subject to an action, such as application inspection or policing. Packets that do not match any of the criteria are assigned to the default traffic class. For example, create an access list to identify HTTP traffic on TCP port 80, and define it in the traffic class-map, as shown in Example 6-25.

Example 6-25. Configuring Class Map to Identify Traffic (Using ACL)

hostname(config)# access-list 101 permit tcp any any eq 80
hostname(config)# class-map identify_http_packets
hostname(config-cmap)# match access-list 101

Alternatively, the same result can be achieved by using the match port command to match the default HTTP port (as shown in Example 6-26) instead of using the ACL.

Example 6-26. Configuring Class-Map to Identify Traffic (Using Match Port)

hostname(config)# class-map identify_http_packets
hostname(config-cmap)# match port tcp eq www

Step 2—Creating a Policy Map

Use the policy-map global configuration command to create a policy map by associating the traffic class-map created in Step 1 with one or more actions to be taken when a packet matches that traffic class. An action protects information or resources or performs a QoS function. Examples include specifying the maximum number of simultaneous connections, enabling inspection, or rate limiting the packets. Several types of actions are available. Example 6-27 shows how to create a policy map called mypolicy from the global configuration mode, reference the HTTP traffic class-map identify_http_packets created previously, and specify an action that limits the number of embryonic (half-open) TCP connections to 1000.

Example 6-27. Configuring Policy-Map and Assigning Class-Map

hostname(config)# policy-map mypolicy
hostname(config-pmap)# class identify_http_packets
hostname(config-pmap-c)# set connection embryonic-conn-max 1000

Step 3—Applying a Policy

Use the service-policy command from the global configuration mode to apply the policy globally to all the Security Appliance interfaces or on a specific interface. Associating a policy map with an interface activates the policy. Example 6-28 shows how to apply the service policy mypolicy, which was created in Example 6-27, to the outside interface.

Example 6-28. Assign Policy to an Interface

hostname(config)# service-policy mypolicy interface outside

Alternatively, the same service policy can be applied to all the interfaces globally, as shown in Example 6-29.

Example 6-29. Assign Policy Globally to All Interfaces

hostname(config)# service-policy mypolicy global

Here is another example showing how to use the MPF with the TCP normalization feature. As discussed earlier, TCP normalization is an advanced feature that examines the TCP header information of TCP-based connections to identify and drop packets that do not appear normal. One part of the TCP normalization feature drops any packet that exceeds the Maximum Segment Size (MSS) value set by the peer. To disable this check and allow such packets, a TCP map must be created and referenced from the MPF to make an exception to the default behavior. Example 6-30 shows how to create a TCP map, match all TCP packets in a class map, and apply the TCP map to that class through the set connection advanced-options action in the policy map so that packets exceeding the MSS are allowed. The policy is applied to all packets entering the outside interface.

Example 6-30. Configuring a Modular Policy Framework with the TCP Normalization Feature

hostname(config)# access-list 100 permit tcp any any
hostname(config)# tcp-map permit-mss-packets
hostname(config-tcp-map)# exceed-mss allow
hostname(config-tcp-map)# exit
hostname(config)# class-map all-tcp-traffic
hostname(config-cmap)# match access-list 100
hostname(config-cmap)# exit
hostname(config)# policy-map allow-mss-packets
hostname(config-pmap)# class all-tcp-traffic
hostname(config-pmap-c)# set connection advanced-options permit-mss-packets
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy allow-mss-packets interface outside

Use the show service-policy command to display the configured policies and their settings.
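The three-step procedure above (class-map, policy-map, service-policy) and Example 6-30 (tcp-map referenced through set connection advanced-options) form a chain of named references, and a typo or a leftover object anywhere in that chain means the policy silently never takes effect. The following added example, which is not from the book or from Cisco, is an offline audit of that chain: it parses the MPF objects out of running-config text (assumed to be in the saved-config layout, with prompts removed and one space of indentation per mode level, and covering only the commands used on this page) and reports dangling references, policy maps that are never activated, and more than one policy applied to the same interface or globally, which the appliance does not accept. The sample configuration is constructed from Examples 6-25 through 6-30 plus a deliberately stale policy map named stale-policy that references a tcp-map old-tcp-map that was never created.

```python
from dataclasses import dataclass, field

# Constructed sample in running-config layout (prompts removed, one-space indent
# per mode level): Examples 6-25 to 6-30 plus a constructed "stale-policy" that
# references a tcp-map that was never created and is never activated.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any eq 80
access-list 100 permit tcp any any
tcp-map permit-mss-packets
 exceed-mss allow
class-map identify_http_packets
 match access-list 101
class-map all-tcp-traffic
 match access-list 100
policy-map mypolicy
 class identify_http_packets
  set connection embryonic-conn-max 1000
policy-map allow-mss-packets
 class all-tcp-traffic
  set connection advanced-options permit-mss-packets
policy-map stale-policy
 class identify_http_packets
  set connection advanced-options old-tcp-map
service-policy mypolicy interface outside
service-policy allow-mss-packets interface outside
"""


@dataclass
class MpfConfig:
    acls: set = field(default_factory=set)                # ACL ids seen
    tcp_maps: dict = field(default_factory=dict)          # name -> [settings]
    class_maps: dict = field(default_factory=dict)        # name -> [match lines]
    policy_maps: dict = field(default_factory=dict)       # name -> {class: [actions]}
    service_policies: list = field(default_factory=list)  # (policy, "global" | ifname)


def parse_mpf(text):
    """Extract the MPF objects from running-config text (commands used on this page only)."""
    cfg = MpfConfig()
    containers = {"tcp-map": cfg.tcp_maps, "class-map": cfg.class_maps,
                  "policy-map": cfg.policy_maps}
    block = None          # (kind, name) of the enclosing top-level object
    current_class = None  # class currently open inside a policy-map
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        tokens = raw.split()
        line = " ".join(tokens)
        if indent == 0:
            block, current_class = None, None
            kind = tokens[0]
            if kind == "access-list":
                cfg.acls.add(tokens[1])
            elif kind in containers:
                containers[kind][tokens[1]] = {} if kind == "policy-map" else []
                block = (kind, tokens[1])
            elif kind == "service-policy":
                # "service-policy NAME global" or "service-policy NAME interface IFNAME"
                target = "global" if tokens[2] == "global" else tokens[3]
                cfg.service_policies.append((tokens[1], target))
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "policy-map":
            if tokens[0] == "class":
                current_class = tokens[1]
                cfg.policy_maps[name].setdefault(current_class, [])
            elif current_class is not None:
                cfg.policy_maps[name][current_class].append(line)
        else:
            containers[kind][name].append(line)
    return cfg


def audit_mpf(cfg):
    """Return findings: dangling references and policies that never take effect."""
    findings = []
    for cname, matches in cfg.class_maps.items():
        for m in matches:
            t = m.split()
            if t[:2] == ["match", "access-list"] and t[2] not in cfg.acls:
                findings.append(f"class-map {cname} matches undefined access-list {t[2]}")
    for pname, classes in cfg.policy_maps.items():
        for cname, actions in classes.items():
            if cname != "class-default" and cname not in cfg.class_maps:
                findings.append(f"policy-map {pname} references undefined class-map {cname}")
            for a in actions:
                t = a.split()
                if t[:3] == ["set", "connection", "advanced-options"] and t[3] not in cfg.tcp_maps:
                    findings.append(f"policy-map {pname} references undefined tcp-map {t[3]}")
    applied = {p for p, _ in cfg.service_policies}
    for pname in cfg.policy_maps:
        if pname not in applied:
            findings.append(f"policy-map {pname} is defined but never activated by service-policy")
    per_target = {}
    for pname, target in cfg.service_policies:
        if pname not in cfg.policy_maps:
            findings.append(f"service-policy activates undefined policy-map {pname}")
        per_target.setdefault(target, []).append(pname)
    # The appliance accepts one policy per interface plus one global policy; a second
    # policy on the same interface is rejected, so merge its classes into one policy-map.
    for target, pols in per_target.items():
        if len(pols) > 1:
            where = "globally" if target == "global" else f"on interface {target}"
            findings.append(f"more than one policy applied {where}: {', '.join(pols)}")
    return findings


if __name__ == "__main__":
    for finding in audit_mpf(parse_mpf(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the audit reports the stale tcp-map reference, the never-activated stale-policy, and the fact that mypolicy and allow-mss-packets are both applied to outside; the last finding is the practical reason Examples 6-28 and 6-30 cannot be pasted into the same appliance as-is and should instead be combined as two classes of one policy map. The script looks only at the reference chain; it does not validate the content of match criteria or of the tcp-map settings themselves.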
