Cisco FirePOWER ASA 5500 series Configuration Manual page 441
Chapter 25
Configuring Application Layer Protocol Inspection
To configure parameters that affect the inspection engine, perform the following steps:
Step 7
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. To randomize the DNS identifier for a DNS query, enter the following command:
hostname(config-pmap-p)# id-randomization
c. To enable logging for excessive DNS ID mismatches, enter the following command:
hostname(config-pmap-p)# id-mismatch [count number duration seconds] action log
The count number argument specifies the maximum number of mismatch instances before a system log message is sent, and the duration seconds argument specifies the period, in seconds, over which mismatches are counted.
d. To require a TSIG resource record to be present, enter the following command:
hostname(config-pmap-p)# tsig enforced action {drop [log] | log}
The following example shows how to define a DNS inspection policy map.
hostname(config)# regex domain_example "example\.com"
hostname(config)# regex domain_foo "foo\.com"
hostname(config)# ! define the domain names that the server serves
hostname(config)# class-map type inspect regex match-any my_domains
hostname(config-cmap)# match regex domain_example
hostname(config-cmap)# match regex domain_foo
hostname(config)# ! Define a DNS map for query only
hostname(config)# class-map type inspect dns match-all pub_server_map
hostname(config-cmap)# match not header-flag QR
hostname(config-cmap)# match question
hostname(config-cmap)# match not domain-name regex class my_domains
hostname(config)# policy-map type inspect dns serv_prot
hostname(config-pmap)# class pub_server_map
hostname(config-pmap-c)# drop log
hostname(config-pmap-c)# match header-flag RD
hostname(config-pmap-c)# mask log
hostname(config)# class-map dns_serv_map
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# policy-map pub_policy
hostname(config-pmap)# class dns_serv_map
hostname(config-pmap-c)# inspect dns serv_prot
hostname(config)# service-policy pub_policy interface dmz
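The following is an added illustration, not Cisco code: a small Python model of what the configuration above asks the inspection engine to do, parsing the DNS header flags (QR, RD) and question name from constructed messages, applying the serv_prot policy (drop queries for domains outside my_domains, otherwise mask RD), and counting ID mismatches the way the id-mismatch count/duration threshold is described. The message builder, the regex list and the exact mismatch-window semantics are assumptions for the example.

```python
import re
import struct

# Constructed stand-in for "class-map type inspect regex match-any my_domains"
MY_DOMAINS = [re.compile(r"example\.com"), re.compile(r"foo\.com")]

def build_dns(ident, qname, qr=False, rd=True):
    """Construct a minimal DNS message (one A/IN question, no name compression) for testing."""
    flags = (0x8000 if qr else 0) | (0x0100 if rd else 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0) + name + struct.pack("!HH", 1, 1)

def parse_dns(msg):
    """Return (id, QR, RD, qname) from the header and first question of a raw DNS message."""
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    qr, rd, qname, pos, labels = bool(flags & 0x8000), bool(flags & 0x0100), None, 12, []
    if qdcount:
        while msg[pos]:                       # labels end at a zero-length label
            labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode())
            pos += 1 + msg[pos]
        qname = ".".join(labels)
    return ident, qr, rd, qname

def serv_prot(msg):
    """Model of policy-map serv_prot: drop queries (QR=0) whose question names a domain
    the server does not serve; otherwise mask a set RD flag."""
    _, qr, rd, qname = parse_dns(msg)
    if not qr and qname is not None and not any(p.search(qname) for p in MY_DOMAINS):
        return "drop"          # class pub_server_map -> drop log
    if rd:
        return "mask"          # match header-flag RD -> mask log
    return "pass"

class IdMismatchMonitor:
    """Assumed model of 'id-mismatch count N duration S action log': a response whose ID
    matches no outstanding query is a mismatch; N mismatches within S seconds raise a log."""
    def __init__(self, count, duration):
        self.count, self.duration, self.outstanding, self.events = count, duration, set(), []
    def observe(self, msg, now):
        ident, qr, _, _ = parse_dns(msg)
        if not qr:
            self.outstanding.add(ident)       # remember the query ID we expect back
            return None
        if ident in self.outstanding:
            self.outstanding.discard(ident)   # matching response, not a mismatch
            return None
        self.events = [t for t in self.events if now - t <= self.duration] + [now]
        if len(self.events) >= self.count:
            self.events.clear()               # report once, then start a new window
            return "log"
        return None
```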
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, DNS Inspection, 25-23