Modular Policy Framework Features
Modular Policy Framework supports the following features, listed in the order in which the ASA applies their actions to a matching flow (independent of the order in which they appear in the policy map):
•QoS input policing
•TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number randomization
•CSC
•Application inspection
•IPS
•QoS output policing
•QoS standard priority queue
•QoS traffic shaping, hierarchical priority queue
Modular Policy Framework Configuration Overview
- Identify the traffic on which you want to perform Modular Policy Framework actions by creating Layer 3/4 class maps
- If one of the actions you want to perform is application inspection, and you want to perform additional actions on some inspection traffic, then create an inspection policy map
- If you want to match text with a regular expression within inspected packets, you can create a regular expression or a group of regular expressions (a regular expression class map).
- Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy map.
- Determine on which interfaces you want to apply the policy map using a service policy.
- Creating a Layer 3/4 Class Map
ASA1(config)# class-map TEST
ASA1(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748
dns-------udp--53
ftp-------tcp--21
gtp-------udp--2123,3386
h323-h225-tcp--1720
h323-ras--udp--1718-1719
http------tcp--80
icmp------icmp
ils-------tcp--389
ip-options-----rsvp
mgcp------udp--2427,2727
netbios---udp--137-138
radius-acct----udp--1646
rpc-------udp--111
rsh-------tcp--514
rtsp------tcp--554
sip-------tcp--5060
sip-------udp--5060
skinny----tcp--2000
smtp------tcp--25
sqlnet----tcp--1521
tftp------udp--69
waas------tcp--1-65535
xdmcp-----udp--177
dscp Match IP DSCP (DiffServ CodePoints)
flow Flow based Policy
port Match TCP/UDP port(s)
precedence Match IP precedence
rtp Match RTP port numbers
tunnel-group Match a Tunnel Group
A Layer 3/4 class map normally contains only one match command. The exceptions are match default-inspection-traffic, which can be narrowed with an additional match access-list, and match tunnel-group, which can be combined with match flow ip destination-address (used for per-tunnel QoS policing).
- Creating a Layer 3/4 Policy Map
ASA1(config)# policy-map TEST
ASA1(config-pmap)# class TEST
ASA1(config-pmap-c)# ?
MPF policy-map class configuration commands:
exit Exit from MPF class action configuration mode
help Help for MPF policy-map class/match submode commands
no Negate or set default values of a command
police Rate limit traffic for this class
priority Strict scheduling priority for this class
quit Exit from MPF class action configuration mode
service-policy Configure QoS Service Policy
set Set connection values
shape Traffic Shaping
user-statistics configure user statistics for identity firewall
csc Content Security and Control service module
flow-export Configure filters for NetFlow events
inspect Protocol inspection services
ips Intrusion prevention services
- Creating an Inspection Policy Map
Modular Policy Framework lets you configure special actions for many application inspections. An inspection policy map is used to tune the inspection engine parameters and to apply actions to specific traffic matched inside the inspected protocol (for example, an HTTP request URI or header).
ASA1(config)# policy-map type inspect ?
configure mode commands/options:
dcerpc Configure a policy-map of type DCERPC
dns Configure a policy-map of type DNS
esmtp Configure a policy-map of type ESMTP
ftp Configure a policy-map of type FTP
gtp Configure a policy-map of type GTP
h323 Configure a policy-map of type H.323
http Configure a policy-map of type HTTP
im Configure a policy-map of type IM
ip-options Configure a policy-map of type IP-OPTIONS
ipsec-pass-thru Configure a policy-map of type IPSEC-PASS-THRU
ipv6 Configure a policy-map of type IPv6
mgcp Configure a policy-map of type MGCP
netbios Configure a policy-map of type NETBIOS
radius-accounting Configure a policy-map of type Radius Accounting
rtsp Configure a policy-map of type RTSP
sip Configure a policy-map of type SIP
skinny Configure a policy-map of type Skinny
An inspection policy map consists of one or more of the following elements:
-Traffic matching command
-Inspection class map
-Parameters
ASA1(config)# policy-map type inspect http TEST_HTTP
ASA1(config-pmap)# ?
MPF policy-map configuration commands
class Policy criteria
match Specify policy criteria via inline match
parameters Specify this keyword to enter policy parameters.
The actions that can be applied to a match or class in an inspection policy map (log can be combined with the other two):
drop-connection Drop connection
log Generate a log message
reset Close connection with a TCP reset message
When you enable an inspection engine in the Layer 3/4 policy map, you can optionally reference an inspection policy map so that its actions and parameters are applied to that traffic.
ASA1(config)# policy-map TEST
ASA1(config-pmap)# class TEST
ASA1(config-pmap-c)# inspect http TEST_HTTP
You can specify multiple class or match commands in an inspection policy map.
- Applying Actions to an Interface
To activate the Layer 3/4 policy map, create a service policy and apply it to one or more interfaces, or apply it globally to all interfaces. Only one global service policy is allowed, and each interface can have only one service policy.
ASA1(config)# service-policy TEST interface inside
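The steps above (regular expressions, an inspection policy map, a Layer 3/4 class map, a Layer 3/4 policy map, and a service policy) combined into one complete configuration. This is an added example, not configuration from the original post; the names EXE_URI, UA_CURL, UA_PYTHON, BLOCKED_AGENTS, NON_BROWSER, HTTP_POLICY, WEB_CLIENTS, WEB_TRAFFIC, INSIDE_POLICY, the 10.1.1.0/24 client subnet and the chosen limits are assumptions made for the example.

```cisco
! Added example, not from the original post. All names and addresses are assumed.

! Regular expressions and a regex class map, for matching text inside inspected packets
regex EXE_URI \.exe$
regex UA_CURL ^curl/
regex UA_PYTHON ^python-requests/
class-map type regex match-any BLOCKED_AGENTS
 match regex UA_CURL
 match regex UA_PYTHON

! Inspection class map: matches HTTP requests whose User-Agent hits the regex class
class-map type inspect http match-all NON_BROWSER
 match request header user-agent regex class BLOCKED_AGENTS

! Inspection policy map: parameters, an inline match, and the inspection class map
policy-map type inspect http HTTP_POLICY
 parameters
  protocol-violation action drop-connection log
 match request uri regex EXE_URI
  drop-connection log
 class NON_BROWSER
  reset log

! Layer 3/4 class map: narrow the traffic with an access list (web traffic from one subnet)
access-list WEB_CLIENTS extended permit tcp 10.1.1.0 255.255.255.0 any eq www
class-map WEB_TRAFFIC
 match access-list WEB_CLIENTS

! Layer 3/4 policy map: HTTP inspection using the inspection policy map,
! plus connection limits and an embryonic (half-open) timeout for the same class
policy-map INSIDE_POLICY
 class WEB_TRAFFIC
  inspect http HTTP_POLICY
  set connection embryonic-conn-max 20 per-client-max 50
  set connection timeout embryonic 0:00:30

! Activate the policy on the inside interface
service-policy INSIDE_POLICY interface inside
```

After applying it, `show service-policy interface inside` shows the class, the inspection engine and the packet counters, and `show conn` confirms that per-client limits are enforced. Because the access list matches only the direction listed in it (clients to any on port 80), the policy is applied when the connection is first seen on the inside interface; return traffic for that connection is handled by the same flow and is not matched again against other policies for the same feature.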
- Default Layer 3/4 Class Maps
class-map inspection_default
match default-inspection-traffic
class-map class-default
match any
- Default Layer 3/4 Policy Map
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
- Default Inspection Policy Map
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
- Default service-policy (global service-policy)
service-policy global_policy global
- Order of application inspections
When a packet matches class maps for more than one application inspection, the ASA applies the inspections in the following order (earlier entries first); most inspection types are mutually exclusive for the same flow, so the earlier one takes effect.
- CTIQBE
- DNS
- FTP
- GTP
- H323
- HTTP
- ICMP
- ICMP error
- ILS
- MGCP
- NetBIOS
- PPTP
- Sun RPC
- RSH
- RTSP
- SIP
- Skinny
- SMTP
- SNMP
- SQL*Net
- TFTP
- XDMCP
- DCERPC
- Instant Messaging
Conflict cases:
- A packet/flow matches multiple classes within the same policy map
-For a given feature type, the flow can match only one class; the first matching class, in the order the classes are configured in the policy map, is used and later classes for that feature are not checked.
-For different feature types, the actions from all matching classes are combined.
- A packet/flow matches classes in multiple policy maps (interface and global)
-For different feature types, the actions from all matching classes (configured at interface level and at global level) are combined.
-For the same feature type, the interface policy takes precedence over the global policy; the global action for that feature is not applied on that interface.
-If traffic matches classes on both the ingress and the egress interface, the result depends on the traffic type (stateful vs. stateless): for TCP, UDP and stateful ICMP the service policy applies to the flow, so a flow that matched a feature on one interface cannot match the same feature on another interface and only the first policy is used; for stateless traffic (for example ICMP without stateful ICMP inspection) the return packets can match a different policy on the returning interface.
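The interface-versus-global precedence described above, shown as an added example configuration that is not from the original post. The names HTTP_STRICT, WEB_SERVERS, WEB_SERVER_TRAFFIC and OUTSIDE_POLICY and the server address 203.0.113.10 are assumptions made for the example.

```cisco
! Added example, not from the original post. Names and the server address are assumed.

! Global policy: plain HTTP and FTP inspection on the default inspection traffic,
! and a connection limit (a different feature type) on all traffic
policy-map global_policy
 class inspection_default
  inspect http
  inspect ftp
 class class-default
  set connection conn-max 10000
service-policy global_policy global

! Stricter HTTP inspection policy map used only by the outside interface policy
policy-map type inspect http HTTP_STRICT
 parameters
  protocol-violation action reset log

! Interface policy on "outside": HTTP inspection for traffic to one web server
access-list WEB_SERVERS extended permit tcp any host 203.0.113.10 eq www
class-map WEB_SERVER_TRAFFIC
 match access-list WEB_SERVERS
policy-map OUTSIDE_POLICY
 class WEB_SERVER_TRAFFIC
  inspect http HTTP_STRICT
service-policy OUTSIDE_POLICY interface outside
```

For an HTTP connection arriving on outside to 203.0.113.10, both policies match: the HTTP inspection from OUTSIDE_POLICY is applied and the global `inspect http` is not (same feature type, interface policy wins), while the global `set connection conn-max 10000` still applies (different feature type, actions combined). FTP to the same server is inspected only by the global policy because the interface policy has no FTP action. `show service-policy interface outside` and `show service-policy global` show which classes and inspections are counting packets.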