Modular Policy Framework - MPF
Modular Policy Framework Overview, page 18-1
Identifying Traffic Using a Class Map, page 18-2
Defining Actions Using a Policy Map, page 18-3
Applying a Policy to an Interface Using a Service Policy, page 18-6
Modular Policy Framework Examples, page 18-7

TCP connection limits and timeouts
Application inspection

Identify the traffic to which you want to apply actions. See the Identifying Traffic Using a Class Map section on page 18-2.
Apply actions to the traffic. See the Defining Actions Using a Policy Map section on page 18-3.
Activate the actions on an interface. See the Applying a Policy to an Interface Using a Service Policy section on page 18-6.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide OL-8123-01
18-1
(Optional) Add a description to the class map by entering the following command:
hostname(config-cmap)# description string
Step 3
Define the traffic to include in the class by matching one of the following characteristics. Unless otherwise specified, you can include only one match command in the class map.
Access list: You can match the class to traffic specified by an extended access list. If the FWSM is operating in transparent firewall mode, you can use an EtherType access list.
hostname(config-cmap)# match access-list acl_ID
For more information about creating access lists, see the Adding an Extended Access List section on page 10-6 or the Adding an EtherType Access List section on page 10-8. For information about creating access lists with NAT, see the IP Addresses Used for Access Lists When You Use NAT section on page 10-3.
TCP or UDP destination ports: You can match the class to a single port or a contiguous range of ports.
hostname(config-cmap)# match port {tcp | udp} {eq port_num | range port_num port_num}
Tip
For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port. For a list of ports you can specify, see the TCP and UDP Ports section on page D-12. For example, enter the following command to match TCP packets on port 80 (HTTP):
hostname(config-cmap)# match port tcp eq 80
Default traffic for inspection: You can match the class to the traffic that the FWSM inspects by default.
hostname(config-cmap)# match default-inspection-traffic
See the Application Engine Defaults section on page 20-5 for a list of default ports. The FWSM includes a default global policy that matches the default inspection traffic, and applies common inspections to the traffic on all interfaces. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map. You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports or protocols in the access list are ignored.
Policy Map Overview, page 18-4
Default Policy Map, page 18-4
Adding a Policy Map, page 18-5
A packet can match only one class map in the policy map for each feature type. When the packet matches a class map for a feature type, the FWSM does not attempt to match it to any subsequent class maps for that feature type. If the packet matches a subsequent class map for a different feature type, however, then the FWSM also applies the actions for the subsequent class map. For example, if a packet matches a class map for connection limits, and also matches a class map for application inspection, then both class map actions are applied. If a packet matches a class map for application inspection, but also matches another class map for application inspection, then the second class map actions are not applied.

Actions are applied only to traffic that enters the interface to which you apply the policy map.

The order in which different types of actions in a policy map are performed is independent of the order in which the actions appear in the policy map. Actions are performed in the following order:
You can only assign one policy map per interface, but you can apply the same policy map to multiple interfaces.
Step 2
Step 3
See the Identifying Traffic Using a Class Map section on page 18-2 to add a class map.
Step 4
Connection limits. See the Configuring Connection Limits and Timeouts section on page 19-1. Application inspection. See Chapter 20, Applying Application Layer Protocol Inspection.
Note
If there is no match default-inspection-traffic command in a class map, then at most one inspect command is allowed to be configured under the class.
Step 5
Repeat Step 4 for each class map you want to include in this policy map.
The following is an example of a policy-map command for connection policy. It limits the number of connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256
The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout tcp 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout tcp 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. Any TCP connection other than Telnet and FTP matches class tcp_traffic. Even though a Telnet or FTP connection could also match class tcp_traffic, the FWSM does not make this match because those connections previously matched other classes.
To create a service policy by associating a policy map with an interface, enter the following command:
hostname(config)# service-policy policy_map_name interface interface_name
To create a service policy that applies to all interfaces that do not have a specific policy, enter the following command:
hostname(config)# service-policy policy_map_name global
By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. The default service policy includes the following command:
service-policy global_policy global
For example, the following command enables the inbound_policy policy map on the outside interface:
hostname(config)# service-policy inbound_policy interface outside
The following commands disable the default global policy and enable a new one called new_global_policy on all other FWSM interfaces:
hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global
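The following Python model is an added example, not Cisco code and not part of this guide. It parses class-map, policy-map and service-policy lines written in the CLI syntax shown in this chapter and then answers two questions the text describes: which class wins for a given connection under the first-match-per-feature-type rule, and which policy map an interface uses (an interface-specific service policy if one is bound, otherwise the global one). The sample configuration is the telnet/ftp/tcp/udp example above, extended with a constructed class http_traffic carrying inspect http (so that a connection-limit class and an inspection class can both apply) and a constructed inbound_policy bound to the outside interface. Only match port, set connection and inspect are understood, and treating a class as "for a feature type" when it carries an action of that type is this example's reading of the text.

```python
"""Model of FWSM Modular Policy Framework (MPF) matching, added as an example
for this chapter (not Cisco code). Parses class-map / policy-map / service-policy
lines in the guide's CLI syntax and resolves which class wins per feature type
(first match per feature type) and which policy map an interface uses."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config: the guide's telnet/ftp/tcp/udp example plus a
# constructed class 'http_traffic' with 'inspect http' (to show two feature
# types combining) and a constructed 'inbound_policy' bound to 'outside'.
SAMPLE_CONFIG = """
class-map telnet_traffic
 match port tcp eq 23
class-map ftp_traffic
 match port tcp eq 21
class-map http_traffic
 match port tcp eq 80
class-map tcp_traffic
 match port tcp range 1 65535
class-map udp_traffic
 match port udp range 0 65535
policy-map global_policy
 class telnet_traffic
  set connection timeout tcp 0:0:0
  set connection conn-max 100
 class ftp_traffic
  set connection timeout tcp 0:5:0
  set connection conn-max 50
 class tcp_traffic
  set connection timeout tcp 2:0:0
  set connection conn-max 2000
 class http_traffic
  inspect http
policy-map inbound_policy
 class http_traffic
  set connection conn-max 256
service-policy global_policy global
service-policy inbound_policy interface outside
"""

@dataclass
class ClassMap:
    name: str
    proto: Optional[str] = None   # 'tcp' or 'udp'; None matches nothing
    lo: int = 0
    hi: int = -1                  # empty range until a match command is seen

    def matches(self, proto: str, dport: int) -> bool:
        return proto == self.proto and self.lo <= dport <= self.hi

def parse_config(text: str):
    classmaps: Dict[str, ClassMap] = {}
    policies: Dict[str, List[Tuple[str, List[str]]]] = {}  # name -> ordered (class, actions)
    bindings = {"global": None, "interfaces": {}}
    cmap = policy = entry = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "class-map":
            cmap = classmaps[tok[1]] = ClassMap(tok[1])
            policy = entry = None
        elif tok[:2] == ["match", "port"] and cmap is not None:
            cmap.proto = tok[2]
            if tok[3] == "eq":
                cmap.lo = cmap.hi = int(tok[4])
            else:                       # range low high
                cmap.lo, cmap.hi = int(tok[4]), int(tok[5])
        elif tok[0] == "policy-map":
            policy = policies.setdefault(tok[1], [])
            cmap = entry = None
        elif tok[0] == "class" and policy is not None:
            entry = (tok[1], [])
            policy.append(entry)
        elif tok[0] in ("set", "inspect") and entry is not None:
            entry[1].append(" ".join(tok))
        elif tok[0] == "service-policy":
            if tok[2] == "global":
                bindings["global"] = tok[1]
            else:                       # service-policy <name> interface <if>
                bindings["interfaces"][tok[3]] = tok[1]
    return classmaps, policies, bindings

CLASSMAPS, POLICIES, BINDINGS = parse_config(SAMPLE_CONFIG)

def feature_of(action: str) -> str:
    """Feature type of an action line (only the two this chapter covers)."""
    return "inspection" if action.startswith("inspect ") else "connection"

def classify(policy_name: str, proto: str, dport: int) -> Dict[str, Tuple[str, List[str]]]:
    """Walk the policy map in order; for each feature type the first matching
    class that carries an action of that type wins and later ones are skipped."""
    chosen: Dict[str, Tuple[str, List[str]]] = {}
    for cname, actions in POLICIES[policy_name]:
        if not CLASSMAPS[cname].matches(proto, dport):
            continue
        for action in actions:
            feat = feature_of(action)
            if feat in chosen and chosen[feat][0] != cname:
                continue            # an earlier class already won this feature
            chosen.setdefault(feat, (cname, []))[1].append(action)
    return chosen

def policy_for_interface(ifname: str) -> Optional[str]:
    """Interface-specific service policy if one is bound, else the global one."""
    return BINDINGS["interfaces"].get(ifname, BINDINGS["global"])
```

Calling classify(policy_for_interface("inside"), "tcp", 80) shows a Telnet or FTP connection stopping at its own class for the connection-limit feature type while an HTTP connection takes its connection limits from tcp_traffic and its inspection from http_traffic; calling it with the outside interface resolves to inbound_policy instead of the global policy.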
Applying Inspection to HTTP Traffic Globally, page 18-7
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers, page 18-8
Applying Inspection to HTTP Traffic with NAT, page 18-9
[Figure labels only, from the example topology diagrams: FWSM, outside interface, port 80, Host B 192.168.1.1, Server B 10.1.1.2, Server 209.165.200.250.]