11-5
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Service Policy Using the Modular Policy Framework
About Service Policies
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or
exits, depending on the feature) the interface to which you apply the policy map is affected. See the
following table for the directionality of each feature.
Feature Matching Within a Service Policy
A packet matches class maps in a policy map for a given interface according to the following rules:
1. A packet can match only one class map in the policy map for each feature type.
2. When the packet matches a class map for a feature type, the ASA does not attempt to match it to any
subsequent class maps for that feature type.
3. If the packet matches a subsequent class map for a different feature type, however, then the ASA
also applies the actions for the subsequent class map, if supported. See Incompatibility of Certain
Feature Actions, page 11-6 for more information about unsupported combinations.
Note Application inspection includes multiple inspection types, and most are mutually exclusive.
For inspections that can be combined, each inspection is considered to be a separate feature.
Examples of Packet Matching
For example:
• If a packet matches a class map for connection limits, and also matches a class map for an
application inspection, then both actions are applied.
• If a packet matches a class map for HTTP inspection, but also matches another class map that
includes HTTP inspection, then the second class map actions are not applied.
Table 11-2 Feature Directionality
Feature Single Interface Direction Global Direction
Application inspection (multiple types) Bidirectional Ingress
ASA CSC Bidirectional Ingress
ASA CX Bidirectional Ingress
ASA CX authentication proxy Ingress Ingress
ASA FirePOWER (ASA SFR) Bidirectional Ingress
ASA IPS Bidirectional Ingress
NetFlow Secure Event Logging filtering N/A Ingress
QoS input policing Ingress Ingress
QoS output policing Egress Egress
QoS standard priority queue Egress Egress
TCP and UDP connection limits and timeouts,
and TCP sequence number randomization
Bidirectional Ingress
TCP normalization Bidirectional Ingress
TCP state bypass Bidirectional Ingress
User statistics for Identity Firewall Bidirectional Ingress
To Next Page
Loading...
Need help?
General
