Feature Matching Within A Service Policy - Cisco ASA Series Configuration Manual
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 11
Service Policy Using the Modular Policy Framework
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or
exits, depending on the feature) the interface to which you apply the policy map is affected. See the
following table for the directionality of each feature.
Table 11-2
Feature
Application inspection (multiple types)
ASA CSC
ASA CX
ASA CX authentication proxy
ASA FirePOWER (ASA SFR)
ASA IPS
NetFlow Secure Event Logging filtering
QoS input policing
QoS output policing
QoS standard priority queue
TCP and UDP connection limits and timeouts,
and TCP sequence number randomization
TCP normalization
TCP state bypass
User statistics for Identity Firewall
Feature Matching Within a Service Policy
A packet matches class maps in a policy map for a given interface according to the following rules:
1.
2.
3.
Examples of Packet Matching
For example:
•
•
Feature Directionality
A packet can match only one class map in the policy map for each feature type.
When the packet matches a class map for a feature type, the ASA does not attempt to match it to any
subsequent class maps for that feature type.
If the packet matches a subsequent class map for a different feature type, however, then the ASA
also applies the actions for the subsequent class map, if supported. See
Feature Actions, page 11-6
Application inspection includes multiple inspection types, and most are mutually exclusive.
Note
For inspections that can be combined, each inspection is considered to be a separate feature.
If a packet matches a class map for connection limits, and also matches a class map for an
application inspection, then both actions are applied.
If a packet matches a class map for HTTP inspection, but also matches another class map that
includes HTTP inspection, then the second class map actions are not applied.
Single Interface Direction Global Direction
Bidirectional
Bidirectional
Bidirectional
Ingress
Bidirectional
Bidirectional
N/A
Ingress
Egress
Egress
Bidirectional
Bidirectional
Bidirectional
Bidirectional
for more information about unsupported combinations.
Cisco ASA Series Firewall CLI Configuration Guide
About Service Policies
Ingress
Ingress
Ingress
Ingress
Ingress
Ingress
Ingress
Ingress
Egress
Egress
Ingress
Ingress
Ingress
Ingress
Incompatibility of Certain
11-5
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
