Configuring Application Inspection

By default, PIX 6.3 enables only the CU-SeeMe, DNS, FTP, H.323, HTTP, ILS/LDAP, NetBIOS, RSH, RTSP, SIP, SKINNY/SCCP, SMTP, SQL*Net, SunRPC, TFTP, VDO Live, Windows Media, and XDMCP fixups. If the fixup command is configured for an application protocol, then the firewall inspects that traffic with an inspection engine.

On an ASA or FWSM platform, application inspection occurs only on traffic that has been classified and applied to a policy. When you use the inspect command, as in the following command syntax, only the inspection engine that you specify examines traffic identified by the class map:

Firewall(config-pmap-c)# inspect inspect_name [options]

As you might imagine, application layer inspection depends heavily on the MPF structure that is described in Section "7-2: Defining Security Policies in a Modular Policy Framework." Within a single policy map, you can configure Layer 3/4 traffic policies, as well as application layer inspection engine definitions.

As soon as an inspection policy is configured, you can monitor its activity with the following command:

Firewall# show service-policy

This command displays each active service policy, along with the class map and action breakdown. If inspect commands are configured as part of a service policy, each one is listed, along with counters for packets inspected and dropped and connections reset. The inspection engines configured in the default global policy global_policy are shown in the following example:

Firewall# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns maximum-length 512, packet 10, drop 0, reset-drop 0
      Inspect: ftp, packet 39, drop 0, reset-drop 0
      Inspect: h323 h225, packet 0, drop 0, reset-drop 0
      Inspect: h323 ras, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
      Inspect: esmtp, packet 28, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny, packet 0, drop 0, reset-drop 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip, packet 0, drop 0, reset-drop 0
      Inspect: netbios, packet 27, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: icmp error, packet 0, drop 0, reset-drop 0
      Inspect: icmp, packet 76800, drop 13628, reset-drop 0
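The MPF configuration that produces a global policy like the one shown above, as an added example rather than text from the book. It assumes ASA 7.0-era syntax (the dns maximum-length form seen in the output), the hostname Firewall, and a constructed second class (http_alt_port, TCP port 8080) to show that an inspection engine only examines traffic its own class map identifies:

```cisco
! Default inspection class: matches each engine's standard port (for example, TCP/21 for FTP)
class-map inspection_default
 match default-inspection-traffic
!
! Constructed class: HTTP on a non-standard port, which the default class does not cover
class-map http_alt_port
 match port tcp eq 8080
!
policy-map global_policy
 class inspection_default
  ! Only the engines listed here inspect default-port traffic; nothing else is inspected
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp error
  inspect icmp
 class http_alt_port
  ! HTTP engine bound to the alternate-port class; port 8080 would otherwise pass uninspected
  inspect http
!
! Apply the policy map to every interface
service-policy global_policy global
!
! Verify per-engine counters; a rising drop count (as with icmp above) is what to investigate
show service-policy
show service-policy inspect http
```

The class-to-engine binding is the control point: traffic that matches no class, or a class with no inspect statement, is passed on Layer 3/4 rules alone.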

You can configure any of the supported application layer inspection engines by using the configuration command syntax listed in Table 7-7.

Table 7-7. Configuring Application Layer Inspection Engines

Application for Inspection

Command
