The default policy map is named global_policy. It references only the inspection_default class map. It also has a set of predefined actions, which invoke the inspection engines as shown in Figure 7-4.

The default service policy references policy map global_policy and applies it "global," that is, to every active firewall interface. The net effect of the default configuration is as follows:

• All traffic is matched against the default inspection engine settings.

• Only the 22 predefined inspection engines are active, and only traffic matching the default protocols and ports of those engines is inspected. All other traffic passes through without application-layer inspection unless other nondefault policies are configured. Note that inspection is not a permit/deny decision: whether a connection is allowed at all is decided by the interface access lists and security levels, not by the inspection policy.

• Traffic matching the default inspection engines is inspected on every interface, because the default service policy is applied globally rather than to a specific interface.

You can add your own modular policies to the default policies in two ways:

• You can edit the existing default class map and policy map to add matches and actions.

Although this simplifies the configuration because you do not have to create new class maps and policy maps, any change you make to the default policies is applied to all the firewall interfaces. In other words, you lose some ability to customize the security policy per interface, because the global_policy policy map is applied globally by default.

• You can configure new class maps and new policy maps and apply those to one or more interfaces with a service policy. This approach offers the most scalability and granularity.

You can apply only one policy map to an interface with a service policy, and only one policy map globally. The two coexist, however: you can apply your own policy map to an interface even though the default policy map is already applied to every interface by the default service policy. An interface service policy overlays the global one, and where both match the same traffic for the same feature (for example, both configure inspect http), the interface policy's action is the one applied; features present in only one of the two policies are applied from wherever they are configured.
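The following configuration is an added example and is not taken from the original page. The first part is the default MPF configuration as it appears in an ASA running configuration (abbreviated: only a few of the predefined inspect statements are shown). The second part shows the two approaches described above: extending global_policy, which affects every interface, versus defining a new class map and policy map that are applied only to the outside interface. The access list name, class map and policy map names, the HTTP inspect map name, the interface name outside, and the connection-limit values are assumptions chosen for the example.

```cisco
! --- Part 1: default MPF configuration (abbreviated) ---
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect esmtp
  inspect sip
  inspect tftp
  inspect ip-options
  ! ... remaining predefined inspect statements omitted here
!
service-policy global_policy global

! --- Part 2a: extend the default policy (applies to ALL interfaces) ---
! Adding icmp inspection to the existing class in global_policy means
! every interface now inspects ICMP; there is no per-interface control.
policy-map global_policy
 class inspection_default
  inspect icmp

! --- Part 2b: new class map and policy map bound to one interface ---
! (names below are assumed for the example)
access-list OUTSIDE_HTTP extended permit tcp any any eq www
!
class-map OUTSIDE_HTTP_CLASS
 match access-list OUTSIDE_HTTP
!
! Stricter HTTP inspect map: drop and log connections that violate
! the HTTP protocol instead of merely logging them.
policy-map type inspect http HTTP_STRICT_MAP
 parameters
  protocol-violation action drop-connection log
!
policy-map OUTSIDE_POLICY
 class OUTSIDE_HTTP_CLASS
  inspect http HTTP_STRICT_MAP
  ! connection limits only apply to HTTP arriving on this interface
  set connection conn-max 1000 embryonic-conn-max 200
!
! One interface policy may coexist with the global policy. For traffic
! matched by both, the interface policy wins for any feature both define.
service-policy OUTSIDE_POLICY interface outside
```

To confirm what is actually being enforced, use show service-policy global and show service-policy interface outside. The per-interface output lists the interface policy's classes and actions with packet counters, which is the quickest way to verify that traffic is hitting the custom class rather than falling through to inspection_default in the global policy. Note that a second service-policy ... interface outside command is rejected because only one policy map may be bound per interface; edit OUTSIDE_POLICY instead.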
