Cisco FirePOWER ASA 5500 series Configuration Manual page 447

Chapter 25 Configuring Application Layer Protocol Inspection
Table 25-3
request-command deny Option
site
stou
(Optional) To match an FTP server, enter the following command:
f.
hostname(config-cmap)# match [not] server regex [regex_name | class regex_class_name]
Where the regex_name is the regular expression you created in
is the regular expression class map you created in
(Optional) To match an FTP username, enter the following command:
g.
hostname(config-cmap)# match [not] username regex [regex_name |
class regex_class_name]
Where the regex_name is the regular expression you created in
is the regular expression class map you created in
Create an FTP inspection policy map, enter the following command:
Step 4
hostname(config)# policy-map type inspect ftp policy_map_name
hostname(config-pmap)#
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration
mode.
(Optional) To add a description to the policy map, enter the following command:
Step 5
hostname(config-pmap)# description string
Step 6 To apply actions to matching traffic, perform the following steps.
Specify the traffic on which you want to perform actions using one of the following methods:
a.
•
•
Specify the action you want to perform on the matching traffic by entering the following command:
b.
hostname(config-pmap-c)# {[drop [send-protocol-error] |
drop-connection [send-protocol-error]| mask | reset] [log] | rate-limit message_rate}
Not all options are available for each match or class command. See the CLI help or the Cisco
Security Appliance Command Reference for the exact options available.
The drop keyword drops all packets that match.
The send-protocol-error keyword sends a protocol error message.
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet.
OL-10088-01
FTP Map request-command deny Options (continued)
Specify the FTP class map that you created in
hostname(config-pmap)# class class_map_name
hostname(config-pmap-c)#
Specify traffic directly in the policy map using one of the match commands described in
If you use a match not command, then any traffic that does not match the criterion in the match
not command has the action applied.
Purpose
Disallows the command that are specific to the server system.
Usually used for remote administration.
Disallows the command that stores a file using a unique file name.
Step 2.
Step 2.
Step 3
Cisco Security Appliance Command Line Configuration Guide
FTP Inspection
Step 1. The class regex_class_name
Step 1. The class regex_class_name
by entering the following command:
Step 3.
25-29