21-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 21 Using Modular Policy Framework
Defining Actions Using a Layer 3/4 Policy Map
For features that are applied unidirectionally, for example QoS priority queue, only traffic that exits the
interface to which you apply the policy map is affected. See Table 21-2 for the directionality of each
feature.
The order in which different types of actions in a policy map are performed is independent of the order
in which the actions appear in the policy map. Actions are performed in the following order:
• TCP normalization, TCP and UDP connection limits and timeouts, and TCP sequence number
randomization
Note When the security appliance performs a proxy service (such as AAA or CSC) or it modifies
the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is
applied before and after the proxy or payload-modifying service.
• CSC
• Application inspection
• IPS
• QoS input policing
• QoS output policing
• QoS priority queue
You can only assign one policy map per interface, but you can apply the same policy map to multiple
interfaces.
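The following configuration is an added illustration of the points above and is not taken from the guide; the class-map, policy-map and interface names (dns-servers, voice-ef, edge-policy, outside, dmz) are assumed. It places a connection limit after an inspect action inside one class to show that configured order does not change execution order, and applies the one policy map to two interfaces.

```cisco
! Added example, not from the guide. Names are constructed.
class-map dns-servers
 match port udp eq domain
class-map voice-ef
 match dscp ef
!
policy-map edge-policy
 class dns-servers
! "set connection" is listed after "inspect dns", but connection limits
! (with TCP normalization) are always applied before application inspection.
  inspect dns
  set connection conn-max 200
 class voice-ef
! Priority queuing is egress-only: only traffic leaving the interface is affected.
  priority
!
! One policy map per interface, but the same policy map may be reused on several.
service-policy edge-policy interface outside
service-policy edge-policy interface dmz
```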
Default Layer 3/4 Policy Map
The configuration includes a default Layer 3/4 policy map that the security appliance uses in the default
global policy. It is called global_policy and performs inspection on the default inspection traffic. You
can only apply one global policy, so if you want to alter the global policy, you need to either reconfigure
the default policy or disable it and apply a new one.
The default policy map configuration includes the following commands:
policy-map global_policy
class inspection_default
Table 21-2 Feature Directionality

Feature                                                Single Interface Direction   Global Direction
TCP normalization, TCP and UDP connection limits and   Bidirectional                Ingress
timeouts, and TCP sequence number randomization
CSC                                                    Bidirectional                Ingress
Application inspection                                 Bidirectional                Ingress
IPS                                                    Bidirectional                Ingress
QoS input policing                                     Ingress                      Ingress
QoS output policing                                    Egress                       Egress
QoS priority queue                                     Egress                       Egress