The Security Appliance software offers an adaptable and scalable modular policy framework for configuring security features in a manner similar to the Cisco IOS Software QoS CLI (also known as the Modular QoS CLI, or MQC). For traffic flows traversing the firewall, flow-based policies can be defined for any administratively chosen criteria and then applied to a set of security services, such as firewall policies, inspection engine policies, Quality of Service (QoS) policies, and VPN policies, which provides more granular and flexible inspection control for each specified traffic flow.
The Modular Policy Framework (MPF) supports these features:
Protocol inspection services
Intrusion prevention services
QoS services
Policing (rate limiting)
To configure security features using the MPF, perform the following steps, which show an example of configuring the MPF to identify HTTP traffic and control the half-open (embryonic) TCP connection limit.
A traffic class is a set of traffic that is identifiable by its packet content. For example, TCP traffic on port 80 is classified as an HTTP traffic class. A traffic flow is identified using the class-map command from the global configuration mode. One or more match criteria, configured with the match command, define the traffic that belongs to the class map. When a packet matches the specified criteria, it is subject to an action, such as application inspection or policing. Packets that do not match any of the criteria are assigned to the default traffic class. For example, create an access list to identify HTTP traffic on TCP port 80, and reference it in the traffic class map, as shown in Example 6-25.
hostname(config)# access-list 101 permit tcp any any eq 80
hostname(config)# class-map identify_http_packets
hostname(config-cmap)# match access-list 101
Alternatively, the same result can be achieved with the match port command, which matches the default HTTP port directly (as shown in Example 6-26) instead of referencing an ACL.
hostname(config)# class-map identify_http_packets
hostname(config-cmap)# match port tcp eq www
Use the policy-map global configuration command to create a policy map by associating the traffic class map created in Step 1 with one or more actions to be taken when a packet matches that traffic class. An action protects information or resources or performs a QoS function. Examples include limiting the number of simultaneous connections, enabling inspection, or rate limiting the packets. Several types of actions are available. Example 6-27 shows how to create a policy map called mypolicy from the global configuration mode, reference the HTTP traffic class map identify_http_packets created previously, and specify an action that limits the number of embryonic (half-open) TCP connections to 1000.
hostname(config)# policy-map mypolicy
hostname(config-pmap)# class identify_http_packets
hostname(config-pmap-c)# set connection embryonic-conn-max 1000
Use the service-policy command from the global configuration mode to apply the policy either globally, to all interfaces of the Security Appliance, or to a specific interface. Associating a policy map with an interface activates the policy; a policy map that is defined but never applied has no effect. Example 6-28 shows how to apply the service policy mypolicy, which was created in Example 6-27, to the outside interface.
hostname(config)# service-policy mypolicy interface outside
Alternatively, the same service policy can be applied to all the interfaces globally, as shown in Example 6-29.
hostname(config)# service-policy mypolicy global
Here is another example showing how to use the MPF with the TCP normalization feature. As discussed earlier, TCP normalization is an advanced feature that examines the TCP header of TCP-based connections to identify and drop packets that do not appear normal. One part of the TCP normalization feature drops any packet whose segment exceeds the Maximum Segment Size (MSS) advertised by the peer. To disable this check and allow such packets, a TCP map must be created and used with the MPF to make an exception to the default behavior. Example 6-30 shows how to create a TCP map with an allow action for packets that exceed the MSS, and how to reference it from the advanced TCP connection settings of a policy map that matches all TCP traffic. The policy is applied to all packets entering the outside interface.
hostname(config)# access-list 100 permit tcp any any
hostname(config)# tcp-map permit-mss-packets
hostname(config-tcp-map)# exceed-mss allow
hostname(config-tcp-map)# exit
hostname(config)# class-map all-tcp-traffic
hostname(config-cmap)# match access-list 100
hostname(config-cmap)# exit
hostname(config)# policy-map allow-mss-packets
hostname(config-pmap)# class all-tcp-traffic
hostname(config-pmap-c)# set connection advanced-options permit-mss-packets
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
hostname(config)# service-policy allow-mss-packets interface outside
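The three-step procedure above (class map, policy map, service policy) and the TCP map example both hinge on the same chain of references, and a break anywhere in that chain silently leaves traffic unpoliced. The following script is an added example, not Cisco code and not from the original text: it parses an ASA-style configuration excerpt (constructed here from Examples 6-25, 6-27, 6-28 and 6-30, with the CLI prompts removed, as the lines would appear in a running configuration) and audits the MPF chain. It reports undefined class maps, access lists, TCP maps and policy maps, policy maps that are defined but never activated with service-policy, more than one policy applied to the same target (the appliance accepts one policy map per interface and one global policy), and any applied TCP map that relaxes the MSS check of TCP normalization. In the sample the MSS policy is applied globally rather than to the outside interface so that it does not collide with mypolicy; only Layer 3/4 class maps and policy maps are handled.

```python
"""Audit an ASA-style Modular Policy Framework configuration excerpt.
Added example (not Cisco code, not from the original text).  Checks that the
class-map -> policy-map -> service-policy chain is complete and reports
settings that relax TCP normalization."""
import re

# Constructed sample: Examples 6-25, 6-27, 6-28 and 6-30 as running-config lines.
SAMPLE_CONFIG = """\
access-list 101 extended permit tcp any any eq 80
access-list 100 extended permit tcp any any
tcp-map permit-mss-packets
 exceed-mss allow
class-map identify_http_packets
 match access-list 101
class-map all-tcp-traffic
 match access-list 100
policy-map mypolicy
 class identify_http_packets
  set connection embryonic-conn-max 1000
policy-map allow-mss-packets
 class all-tcp-traffic
  set connection advanced-options permit-mss-packets
service-policy mypolicy interface outside
service-policy allow-mss-packets global
"""


def parse_config(text):
    """Collect the MPF objects from the excerpt (Layer 3/4 objects only;
    'class-map type ...' and 'policy-map type ...' lines are ignored)."""
    cfg = {"acls": set(), "tcp_maps": {}, "class_maps": {},
           "policy_maps": {}, "service_policies": []}
    kind = ctx = cur_class = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level statement resets nesting
            kind = ctx = cur_class = None
            if m := re.match(r"access-list (\S+)", line):
                cfg["acls"].add(m.group(1))
            elif m := re.match(r"tcp-map (\S+)$", line):
                kind, ctx = "tcp_maps", m.group(1)
                cfg["tcp_maps"][ctx] = []
            elif m := re.match(r"class-map (\S+)$", line):
                kind, ctx = "class_maps", m.group(1)
                cfg["class_maps"][ctx] = []
            elif m := re.match(r"policy-map (\S+)$", line):
                kind, ctx = "policy_maps", m.group(1)
                cfg["policy_maps"][ctx] = {}
            elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
                cfg["service_policies"].append((m.group(1), m.group(2)))
            continue
        if kind == "policy_maps":              # nested: class selector, then actions
            if m := re.match(r"class (\S+)$", line):
                cur_class = m.group(1)
                cfg["policy_maps"][ctx].setdefault(cur_class, [])
            elif cur_class:
                cfg["policy_maps"][ctx][cur_class].append(line)
        elif kind in ("tcp_maps", "class_maps"):
            cfg[kind][ctx].append(line)
    return cfg


def audit(text):
    """Return {'errors': [...], 'warnings': [...]} for the MPF chain."""
    cfg = parse_config(text)
    errors, warnings = [], []
    for name, matches in cfg["class_maps"].items():
        for mt in matches:
            acl = re.match(r"match access-list (\S+)$", mt)
            if acl and acl.group(1) not in cfg["acls"]:
                errors.append(f"class-map {name} matches undefined access-list {acl.group(1)}")
    applied = {}                               # policy name -> targets it is applied to
    for policy, target in cfg["service_policies"]:
        if policy not in cfg["policy_maps"]:
            errors.append(f"service-policy references undefined policy-map {policy}")
        applied.setdefault(policy, []).append(target)
    targets = [t for _, t in cfg["service_policies"]]
    for t in sorted(set(targets)):
        if targets.count(t) > 1:               # one policy per interface, one global
            errors.append(f"more than one service-policy applied to {t}")
    for name, classes in cfg["policy_maps"].items():
        if name not in applied:
            warnings.append(f"policy-map {name} is defined but never applied with service-policy")
        for cls, actions in classes.items():
            if cls != "class-default" and cls not in cfg["class_maps"]:
                errors.append(f"policy-map {name} references undefined class-map {cls}")
            for act in actions:
                tm = re.match(r"set connection advanced-options (\S+)$", act)
                if not tm:
                    continue
                tcp_map = cfg["tcp_maps"].get(tm.group(1))
                if tcp_map is None:
                    errors.append(f"policy-map {name} references undefined tcp-map {tm.group(1)}")
                elif "exceed-mss allow" in tcp_map and name in applied:
                    warnings.append(f"tcp-map {tm.group(1)} (via {name}) disables the MSS check "
                                    f"of TCP normalization on {', '.join(applied[name])}")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for severity, items in audit(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{severity.upper()}: {item}")
```

Running the script against the sample prints no errors and a single warning pointing at permit-mss-packets; removing the class-map all-tcp-traffic definition or the service-policy line produces the corresponding error or warning, which is the state an operator would otherwise only notice by reading show service-policy and the running configuration side by side.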
Use the show service-policy command to display the configured policies and their settings.