Cisco PIX 500 Series Configuration Manual page 675

Security appliance command line
Chapter 30
Configuring Connection Profiles, Group Policies, and Users
sending it periodic "are you there?" messages; if no reply comes, the VPN client knows the firewall is
down and terminates its connection to the security appliance.) The network administrator might
configure these PC firewalls originally, but with this approach, each user can customize his or her own
configuration.
In the second scenario, you might prefer to enforce a centralized firewall policy for personal firewalls
on VPN client PCs. A common example would be to block Internet traffic to remote PCs in a group using
split tunneling. This approach protects the PCs, and therefore the central site, from intrusions from the
Internet while tunnels are established. This firewall scenario is called push policy or Central Protection
Policy (CPP). On the security appliance, you create a set of traffic management rules to enforce on the
VPN client, associate those rules with a filter, and designate that filter as the firewall policy. The security
appliance pushes this policy down to the VPN client. The VPN client then in turn passes the policy to
the local firewall, which enforces it.
Enter the following commands to set the appropriate client firewall parameters. You can configure only
one instance of this command.
Cisco Integrated Firewall
hostname(config-group-policy)# client-firewall {opt | req} cisco-integrated acl-in ACL acl-out ACL
Cisco Security Agent
hostname(config-group-policy)# client-firewall {opt | req} cisco-security-agent
No Firewall
hostname(config-group-policy)# client-firewall none
Custom Firewall
hostname(config-group-policy)# client-firewall {opt | req} custom vendor-id num product-id num policy {AYT | CPP acl-in ACL acl-out ACL} [description string]
Zone Labs Firewalls
hostname(config-group-policy)# client-firewall {opt | req} zonelabs-integrity
Note: When the firewall type is zonelabs-integrity, do not include arguments. The Zone Labs Integrity Server
determines the policies.
hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarm policy {AYT | CPP acl-in ACL acl-out ACL}
hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarmorpro policy {AYT | CPP acl-in ACL acl-out ACL}
hostname(config-group-policy)# client-firewall {opt | req} zonelabs-zonealarmpro policy {AYT | CPP acl-in ACL acl-out ACL}
Table 30-2, following this set of commands, explains the syntax elements of these commands.

Cisco Security Appliance Command Line Configuration Guide (OL-12172-03), Group Policies, page 30-59
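
An added example, not part of the Cisco guide: a Python check over a saved configuration that parses the client-firewall forms listed above and reports group policies that use split tunneling without a required (req) client firewall. The sample configuration is constructed, split-tunnel-policy is the group-policy command assumed to select split tunneling, flagging opt is this example's own policy choice, and settings inherited from a default group policy are not resolved.

```python
import re

# Constructed running-config excerpt; group and ACL names are made up.
SAMPLE_CONFIG = """\
group-policy SALES attributes
 split-tunnel-policy tunnelspecified
 client-firewall opt zonelabs-zonealarmpro policy AYT
group-policy ENGINEERING attributes
 split-tunnel-policy tunnelspecified
 client-firewall req zonelabs-zonealarmpro policy CPP acl-in FW_IN acl-out FW_OUT
group-policy CONTRACTORS attributes
 split-tunnel-policy excludespecified
 client-firewall none
group-policy KIOSK attributes
 split-tunnel-policy tunnelall
"""

def parse_client_firewall(line):
    """Split one client-firewall command into its syntax elements."""
    tok = line.split()
    if tok[:2] == ["client-firewall", "none"]:
        return {"mode": "none"}
    if len(tok) < 3 or tok[0] != "client-firewall" or tok[1] not in ("opt", "req"):
        raise ValueError(f"not a client-firewall command: {line!r}")
    fw = {"mode": tok[1], "type": tok[2]}
    for key in ("policy", "acl-in", "acl-out"):
        if key in tok[3:-1]:  # first occurrence wins; a value must follow it
            fw[key] = tok[tok.index(key, 3) + 1]
    return fw

def audit(config):
    """Map group name -> finding for split-tunnel groups without a required firewall."""
    groups, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            current = groups.setdefault(m.group(1), {"split": False, "fw": None})
        elif current is not None and line.startswith("split-tunnel-policy "):
            current["split"] = line.split()[1] != "tunnelall"
        elif current is not None and line.startswith("client-firewall "):
            current["fw"] = parse_client_firewall(line)
    findings = {}
    for name, g in groups.items():
        mode = g["fw"]["mode"] if g["fw"] else "none"
        if g["split"] and mode == "none":
            findings[name] = "split tunneling with no client firewall"
        elif g["split"] and mode == "opt":
            findings[name] = "client firewall is optional (opt), not required (req)"
    return findings
```

Calling audit(SAMPLE_CONFIG) reports SALES and CONTRACTORS; ENGINEERING (req with a CPP policy) and KIOSK (tunnelall) pass.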
