Each application has an implicit set of ports over which it communicates. In phase 1, when an application ACE is hit, traffic matching that application's implicit ports is allowed, as governed by the application ACE, so that the DPI engine can inspect the exchange on those ports and identify the application. Until that identification happens, the decision rests on the implicit-port match alone. Once the application has been identified, phase 2 re-evaluates the session to determine its final outcome.
Example
This example shows DPI (application) rules alongside L3/L4 rules with forwarding actions in the same ACL. Both ACL policies can be applied to a single user role.
ACL Policy "AppRules", Policy Type: Session

- Rule 1:
  - source: any
  - destination: any
  - service/application: application facebook
  - action: permit
  - TOS: 45
- Rule 2:
  - source: any
  - destination: any
  - service/application: application YouTube
  - action: deny
- Rule 3:
  - source: any
  - destination: any
  - service/application: application category peer-to-peer
  - action: deny
- Rule 4:
  - source: any
  - destination: any
  - service/application: TCP 23
  - action: permit
- Rule 5:
  - source: network 40.1.0.0/16
  - destination: any
  - service/application: TCP 80
  - action: permit
  - TOS: 60
- Rule 6:
  - source: network 20.1.0.0/16
  - destination: any
  - service/application: TCP 80
  - action: source-nat
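The following is an added model of the two-phase evaluation described above, run over the six "AppRules" entries; it is illustrative code written for this page, not AOS-W code or its actual matching engine. The implicit-port table and the sample flows are constructed assumptions (the real implicit ports are internal to the DPI engine). The model follows the text literally: a phase-1 hit on an application ACE lets the flow proceed on the implicit port, and the list is walked again once the application is known, with first match winning in both passes and an implicit deny at the end.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed implicit-port table for this model only; the page does not give the real one.
IMPLICIT_PORTS = {
    "facebook": {("tcp", 80), ("tcp", 443)},
    "youtube": {("tcp", 80), ("tcp", 443)},
    "category:peer-to-peer": {("tcp", 6881), ("udp", 6881)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "permit", "deny" or "source-nat"
    src: str = "any"             # "any" or a CIDR network
    proto: Optional[str] = None  # set on L3/L4 ACEs
    port: Optional[int] = None   # set on L3/L4 ACEs
    app: Optional[str] = None    # set on application / application-category ACEs
    tos: Optional[int] = None


@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str
    dst_port: int


# The "AppRules" policy from the page, expressed as data.
APP_RULES = [
    Rule("Rule 1", "permit", app="facebook", tos=45),
    Rule("Rule 2", "deny", app="youtube"),
    Rule("Rule 3", "deny", app="category:peer-to-peer"),
    Rule("Rule 4", "permit", proto="tcp", port=23),
    Rule("Rule 5", "permit", src="40.1.0.0/16", proto="tcp", port=80, tos=60),
    Rule("Rule 6", "source-nat", src="20.1.0.0/16", proto="tcp", port=80),
]


def _src_matches(rule: Rule, flow: Flow) -> bool:
    return rule.src == "any" or ip_address(flow.src_ip) in ip_network(rule.src)


def _service_matches(rule: Rule, flow: Flow, app: Optional[str]) -> bool:
    if rule.app is None:                                   # plain L3/L4 ACE
        return (rule.proto, rule.port) == (flow.proto, flow.dst_port)
    if app is None:                                        # phase 1: application unknown,
        return (flow.proto, flow.dst_port) in IMPLICIT_PORTS[rule.app]  # match implicit ports
    return rule.app == app                                 # phase 2: match identified app


def first_match(rules, flow: Flow, app: Optional[str] = None) -> Optional[Rule]:
    """First-match walk of the list; None stands for the implicit deny at the end."""
    for rule in rules:
        if _src_matches(rule, flow) and _service_matches(rule, flow, app):
            return rule
    return None


def evaluate(rules, flow: Flow, dpi_app: Optional[str] = None) -> dict:
    """Run both phases. dpi_app is the application the DPI engine identified (None = nothing)."""
    hit = first_match(rules, flow)
    if hit is None:
        return {"phase": 1, "rule": None, "action": "deny", "tos": None}
    if hit.app is None:  # decided by an L3/L4 ACE; DPI plays no part
        return {"phase": 1, "rule": hit.name, "action": hit.action, "tos": hit.tos}
    # An application ACE was hit on an implicit port: the flow proceeds so DPI can classify
    # it, then the list is walked again with the application known ("unknown" if DPI found none).
    final = first_match(rules, flow, app=dpi_app or "unknown")
    if final is None:
        return {"phase": 2, "rule": None, "action": "deny", "tos": None}
    return {"phase": 2, "rule": final.name, "action": final.action, "tos": final.tos}


if __name__ == "__main__":
    # Constructed sample flows, not taken from the page.
    cases = [
        (Flow("10.0.0.5", "tcp", 443), "facebook"),
        (Flow("10.0.0.5", "tcp", 443), "youtube"),
        (Flow("40.1.2.3", "tcp", 80), None),
        (Flow("20.1.9.9", "tcp", 80), None),
        (Flow("10.0.0.5", "tcp", 80), None),
        (Flow("10.0.0.5", "tcp", 23), None),
        (Flow("10.0.0.5", "tcp", 6881), "category:peer-to-peer"),
    ]
    for flow, app in cases:
        print(flow, app, evaluate(APP_RULES, flow, app))
```

Two outcomes are worth noting. Any TCP 80 or 443 flow hits Rule 1 in phase 1 because those are Facebook's implicit ports in this model, so a flow from a host outside 40.1.0.0/16 and 20.1.0.0/16 is let through on the implicit port and only falls to the implicit deny in phase 2; the L3/L4 entries lower in the list cannot stop it before classification. Conversely, a TCP 23 flow never reaches DPI at all: Rule 4 is an L3/L4 ACE and settles it in phase 1.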
ACL Policy "NetRules", Policy Type: Session

- Rule 1:
AOS-W 6.5.3.x | User Guide Roles and Policies | 399