11-6
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 11 Service Policy Using the Modular Policy Framework
About Service Policies
• If a packet matches a class map for HTTP inspection, but also matches another class map that
includes FTP inspection, then the second class map actions are not applied because HTTP and FTP
inspections cannot be combined.
• If a packet matches a class map for HTTP inspection, but also matches another class map that
includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined
with any other type of inspection.
Order in Which Multiple Feature Actions are Applied
The order in which different types of actions in a policy map are performed is independent of the order
in which the actions appear in the policy map.
Actions are performed in the following order:
1. QoS input policing
2. TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number
randomization, and TCP state bypass.
Note When a the ASA performs a proxy service (such as AAA or CSC) or it modifies the TCP
payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied
before and after the proxy or payload modifying service.
3. ASA CSC
4. Application inspections that can be combined with other inspections:
a. IPv6
b. IP options
c. WAAS
5. Application inspections that cannot be combined with other inspections. See Incompatibility of
Certain Feature Actions, page 11-6 for more information.
6. ASA IPS
7. ASA CX
8. ASA FirePOWER (ASA SFR)
9. QoS output policing
10. QoS standard priority queue
Note NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list might not
include all incompatibilities; for information about compatibility of each feature, see the chapter or
section for the feature:
• You cannot configure QoS priority queuing and QoS policing for the same set of traffic.
To Next Page
Loading...
Need help?
General
