Intrusion Prevention tab

Enable IPS for this Traffic

Enables or disables intrusion prevention for this traffic flow. When this box is checked, the other parameters on this panel are available.

IPS Mode

Select the operating mode for intrusion prevention:
- Inline—This mode places the IPS module directly in the traffic flow. No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the IPS module. This mode is the most secure because every packet identified for inspection is analyzed before being allowed through. Also, the IPS module can implement a blocking policy on a packet-by-packet basis. However, this mode can affect throughput.
- Promiscuous—This mode sends a duplicate stream of traffic to the IPS module. This is less secure than Inline mode, but has little impact on traffic throughput. Unlike Inline mode, in Promiscuous mode the IPS module cannot drop the original packets; it can only block traffic by instructing the ASA to shun the traffic, or by resetting the connection on the appliance. Also, while the IPS module is analyzing the traffic, a small amount of traffic may pass through the ASA before the IPS module can shun it.

On IPS Card Failure

Specify the action to be taken if the IPS module becomes inoperable. Select either:

Virtual Sensor

Text box in which you can view, edit, or remove the virtual sensor in the service policy that you are adding or editing.

CXSC tab

Note: Security Manager uses “CXSC” in places to refer to an ASA CX Security Services Processor (SSP).

Enable CXSC For This Traffic

Check this box to enable redirection of this traffic flow to an ASA CX installed in the ASA. When this box is checked, the other parameters on this panel are available.

Note: These parameters are applicable only on ASA 5585-X devices running version 8.4(4)+ and ASA 55xx-X devices running version 9.1(1)+ that have an ASA CX SSP installed.

On Context Security Card Failure

Specify the action to be taken if the ASA CX becomes inoperable. Select either:
- Open – If the ASA CX fails for any reason, the ASA will continue to pass traffic that would otherwise be redirected to the ASA CX.
- Close – If the ASA CX fails, the ASA will drop any traffic that would otherwise be redirected to the ASA CX.

Enable Auth Proxy

Check this box to enable the authentication proxy, which is required if you want to use active authentication in the identity policies on the ASA CX. If not checked, no authentication is performed.

FirePOWER tab

Enable FirePOWER Card For This Traffic

Check this box to enable redirection of this traffic flow to an ASA FirePOWER module installed in the ASA. When this box is checked, the other parameters on this panel are available.

Note: These parameters are applicable only on ASA 55xx-X devices running version 9.2(1)+.

On FirePOWER Card Failure

Specify the action to be taken if the ASA FirePOWER module becomes inoperable. Select either:
- Open – If the ASA FirePOWER module fails for any reason, the ASA will continue to pass traffic that would otherwise be redirected to the ASA FirePOWER module.
- Close – If the ASA FirePOWER module fails, the ASA will drop any traffic that would otherwise be redirected to the ASA FirePOWER module.

Enable Monitor Only

Sets the module to monitor-only mode. In monitor-only mode, the module can process traffic for demonstration purposes, but then drops the traffic. You cannot use the traffic-forwarding interface or the device for production purposes.

Connection Settings tab

Enable Connection Settings For This Traffic

Enables or disables connection settings for this traffic flow. When this box is checked, the other parameters on this panel become active. From the Connection Settings tab you can configure maximum connections, embryonic connections, timeouts, and TCP parameters.

Maximum Connections

You can specify the maximum number of TCP and UDP connections, and the maximum number of embryonic connections for this traffic flow:
- Maximum TCP & UDP Connections – Specify the maximum number of simultaneous TCP and UDP connections for the entire subnet, up to 65,535, for ASA versions earlier than 8.4(5); for ASA 8.4(5) and later, the maximum number is 2,000,000. The default is zero for both protocols, which means the maximum possible connections are allowed.
- Maximum TCP & UDP Connections Per Client – For ASA/PIX 7.1+ only; specify the maximum number of simultaneous TCP and UDP connections on a per-client basis. For ASA 8.4(5) and later, the maximum number is 2,000,000.
- Maximum Embryonic Connections – For ASA/PIX 7.0+ only; specify the maximum number of embryonic connections per host, up to 65,535, for ASA versions earlier than 8.4(5); for ASA 8.4(5) and later, the maximum number is 2,000,000. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. The default is zero, which means the maximum possible embryonic connections are allowed. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP Intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server. This feature is not applicable if TCP State Bypass is enabled.
- Maximum Embryonic Connections Per Client – For ASA/PIX 7.1+ only; specify the maximum number of embryonic connections on a per-client basis. For ASA 8.4(5) and later, the maximum number is 2,000,000. This feature is not applicable if TCP State Bypass is enabled.

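To make the interaction of the four limits above concrete, the following is an added model (not Cisco or Security Manager code) of how a connection table behaves under them: the class and function names are hypothetical, and "intercept" stands in for TCP Intercept answering a SYN with a SYN cookie once an embryonic limit is reached, so that no half-open slot is consumed on the firewall.

```python
"""Model of the limits described under Maximum Connections (an added example, not
Cisco or Security Manager code). Once an embryonic limit is reached, a new SYN is
classified 'intercept', standing in for TCP Intercept answering with a SYN cookie."""
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class ConnLimits:
    conn_max: int = 0                   # 0 means unlimited, as on the page
    embryonic_max: int = 0
    per_client_max: int = 0
    per_client_embryonic_max: int = 0
    asa_8_4_5_or_later: bool = True     # raises the upper bound to 2,000,000

    def __post_init__(self):
        cap = 2_000_000 if self.asa_8_4_5_or_later else 65_535
        for name, value in vars(self).items():
            if name != "asa_8_4_5_or_later" and not 0 <= value <= cap:
                raise ValueError(f"{name}={value} is outside 0..{cap}")

@dataclass
class ConnTable:
    limits: ConnLimits
    established: Counter = field(default_factory=Counter)  # client -> count
    embryonic: Counter = field(default_factory=Counter)    # half-open, per client

    def syn(self, client: str) -> str:  # returns 'allow', 'intercept' or 'drop'
        lim = self.limits
        half_open = sum(self.embryonic.values())
        total = sum(self.established.values()) + half_open
        if lim.conn_max and total >= lim.conn_max:
            return "drop"               # hard cap on simultaneous connections
        if lim.per_client_max and self.established[client] + self.embryonic[client] >= lim.per_client_max:
            return "drop"
        # An embryonic limit does not drop the SYN: the firewall proxies the handshake.
        if lim.embryonic_max and half_open >= lim.embryonic_max:
            return "intercept"
        if lim.per_client_embryonic_max and self.embryonic[client] >= lim.per_client_embryonic_max:
            return "intercept"
        self.embryonic[client] += 1     # half-open until the handshake completes
        return "allow"
    def handshake_done(self, client: str) -> None:
        self.embryonic[client] -= 1     # handshake finished: slot becomes established
        self.established[client] += 1

def simulate_syn_flood(n_syns: int, limits: ConnLimits) -> dict:
    table = ConnTable(limits)           # constructed scenario: distinct spoofed clients
    verdicts = Counter(table.syn(f"client{i}") for i in range(n_syns))
    verdicts["half_open"] = sum(table.embryonic.values())
    return dict(verdicts)
```

With an embryonic limit of 50, a flood of 120 SYNs that never complete leaves only 50 half-open entries on the firewall; the remaining 70 are handled by the intercept path and never reach the server.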
Connection Timeouts

You can specify the following connection timeout settings for this traffic flow:
- Embryonic Connection Timeout – Specify the idle time until an embryonic connection slot is freed. Enter 0:00:00 to disable timeout for the connection. The default is 20 seconds for FWSMs, and 30 seconds for ASA/PIX devices.
- Half Closed Connection Timeout – Specify the idle time until a half-closed connection slot is freed. Enter 0:00:00 to disable timeout for the connection. For FWSMs, the default value is 20 seconds; the maximum value is 255 seconds (four minutes, 15 seconds). For ASA 9.1.2 and later devices, the minimum is 30 seconds. For all other ASA/PIX devices, the minimum is 5 minutes. The default is 10 minutes for all ASA/PIX devices.

Reset Connection Upon Timeout

If selected, connections are reset after a timeout occurs. Available for ASA/PIX 7.0(4)+ only.

Detect Dead Connections

Enables the Dead Connection Detection feature; available for ASA/PIX 7.2+ devices. Selecting this option enables these two fields:
- Dead Connection Detection Timeout – Specify the period of time between retries when a dead connection is detected. The default is 15 seconds.
- Dead Connection Detection Retries – Specify the number of retries to be performed after a dead connection is detected. The default is five.

Traffic Flow Idle Timeout

Specify the period of time between a traffic flow becoming idle and the flow’s disconnection. Applicable to FWSM 3.2+ only. The default is 1 hour.

Enable TCP Normalization

Enables TCP normalization, and activates the TCP Map selection option. Applies to ASA/PIX 7.0+ only; not applicable if TCP State Bypass is enabled.

TCP map

Specify the TCP map to use for TCP normalization: enter or select the name of a TCP map. For more information, see Configuring TCP Maps.

Randomize TCP Sequence Number

Enables the Randomize Sequence Number feature. Disable this feature only if another inline security appliance is also randomizing sequence numbers and the result is scrambling the data. Each TCP connection has two Initial Sequence Numbers: one generated by the client and one generated by the server. The security appliance randomizes the ISN that is generated by the host/server on the higher security interface. At least one ISN must be randomly generated so that attackers cannot predict the next ISN and potentially hijack the session. Not applicable if TCP State Bypass is enabled.

Enable TCP State Bypass

Enables TCP state bypass for this traffic flow. This allows specific traffic flows in asymmetric routing environments, where the outbound and inbound flows of a connection do not pass through the same device. Applicable to FWSM 3.2+ and ASA 8.2+ only. See About TCP State Bypass for more information.

Enable SCTP State Bypass (ASA 9.5.2+ only)

You can bypass Stream Control Transmission Protocol (SCTP) stateful inspection if you do not want SCTP protocol validation.

Enable Decrement TTL

Select this option to turn on decrementing of the time-to-live (TTL) value in packets passed by the security appliance. Applicable to PIX/ASA 7.2.2+ only.

Configure Flow Offload (For Firepower 9000/4000 series ASA 9.6(1) and above)

Note: You must enable flow offload manually on the ASA and restart the device before configuring flow offload in the Service Policy Wizard in Cisco Security Manager. Flow offload and flow offload statistics are supported on the ASA only in the single context and system context modes; they are not supported in the admin or user context. ASA supports flow offload starting from version 9.5.2(1); however, Cisco Security Manager supports flow offload from ASA 9.6(1).

Select this option to offload specific traffic to a super-fast path; traffic is switched and processed in the NIC instead of the ASA. Offloading can help you improve performance for data-intensive applications such as large file transfers.

Tip: You can configure flow offload only when TCP State Bypass and SCTP State Bypass are not enabled on your device.

QoS tab

Enable QoS For This Traffic

Enables Quality of Service (QoS) options for this traffic flow. When selected, the Enable Priority For This Flow and the Traffic Policing options become active.

Note: The options on this tab are applicable to PIX/ASA 7.0+ devices only.

Enable Priority For This Flow

Enables strict scheduling priority for this flow. The priority queues must be defined on the Priority Queues Page.

Traffic Policing

Enables output and input traffic policing. Traffic policing lets you control the maximum rate of traffic transmitted or received on an interface.

Output (Traffic Policing)

Enables policing of traffic flowing out of the device. If you enable policing, you can specify the following values:
- Committed Rate – The rate limit for this traffic flow; this is a value in the range 8,000 to 2,000,000,000, specifying the maximum speed (bits per second) allowed.
- Burst Rate – A value in the range 1,000 to 512,000,000 that specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.
- Conform Action – The action to take when the rate is less than the conform-burst value. Choices are Transmit or Drop.
- Exceed Action – Take this action when the rate is between the conform-rate value and the conform-burst value. Choices are Transmit or Drop.

Input (Traffic Policing)

Enables policing of traffic flowing into the device; these options apply to ASA/PIX 7.2+ devices only. If you enable policing, you can specify the following values:
- Committed Rate – The rate limit for this traffic flow; this is a value in the range 8,000 to 2,000,000,000, specifying the maximum speed (bits per second) allowed.
- Burst Rate – A value in the range 1,000 to 512,000,000 that specifies the maximum number of instantaneous bytes allowed in a sustained burst before throttling to the conforming rate value.
- Conform Action – The action to take when the rate is less than the conform-burst value. Choices are Transmit or Drop.
- Exceed Action – Take this action when the rate is between the conform-rate value and the conform-burst value. Choices are Transmit or Drop.

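The Output and Input policing parameters above (Committed Rate, Burst Rate, Conform Action, Exceed Action) describe a single-rate token-bucket policer. The following is an added model of that behaviour, not ASA code: the names are hypothetical, it validates the value ranges listed on this tab, and it assumes a bucket whose depth is the Burst Rate in bytes and whose refill is the Committed Rate in bits per second, with integer millisecond timestamps.

```python
"""Token-bucket model of the Output and Input traffic policer configured on the
QoS tab (an added example, not ASA code). Committed Rate is bits per second,
Burst Rate is the bucket depth in bytes; a packet that fits in the bucket gets
the conform action, otherwise the exceed action. Timestamps are integer ms."""
from dataclasses import dataclass
RATE_RANGE = (8_000, 2_000_000_000)     # Committed Rate, bits per second
BURST_RANGE = (1_000, 512_000_000)      # Burst Rate, bytes
ACTIONS = ("transmit", "drop")

@dataclass
class Policer:
    committed_rate_bps: int
    burst_bytes: int
    conform_action: str = "transmit"
    exceed_action: str = "drop"

    def __post_init__(self):
        if not RATE_RANGE[0] <= self.committed_rate_bps <= RATE_RANGE[1]:
            raise ValueError("Committed Rate outside 8,000..2,000,000,000 bps")
        if not BURST_RANGE[0] <= self.burst_bytes <= BURST_RANGE[1]:
            raise ValueError("Burst Rate outside 1,000..512,000,000 bytes")
        if self.conform_action not in ACTIONS or self.exceed_action not in ACTIONS:
            raise ValueError("actions must be transmit or drop")
        self.tokens_bits = self.burst_bytes * 8     # bucket starts full
        self.last_ms = 0

    def police(self, ts_ms: int, size_bytes: int) -> str:
        """Action applied to one packet seen at ts_ms (integer math: no float drift)."""
        elapsed = max(0, ts_ms - self.last_ms)
        self.last_ms = ts_ms
        # Refill at the committed rate, never above the configured burst depth.
        refill = elapsed * self.committed_rate_bps // 1000
        self.tokens_bits = min(self.burst_bytes * 8, self.tokens_bits + refill)
        if self.tokens_bits >= size_bytes * 8:
            self.tokens_bits -= size_bytes * 8
            return self.conform_action
        return self.exceed_action                   # burst exhausted: rate exceeded

def police_stream(policer: Policer, packets) -> dict:
    """packets: iterable of (ts_ms, size_bytes); returns a count per action."""
    counts = {"transmit": 0, "drop": 0}
    for ts_ms, size in packets:
        counts[policer.police(ts_ms, size)] += 1
    return counts

# Constructed sample: 20 x 1500-byte packets back to back at t=0 exhaust a
# 10,000-byte burst; then one packet per ms at 1 Mbit/s passes one every 12 ms.
SAMPLE = [(0, 1500)] * 20 + [(ms, 1500) for ms in range(1, 21)]
```

Running `police_stream(Policer(1_000_000, 10_000), SAMPLE)` shows why Burst Rate matters as much as Committed Rate: the first six packets fit the burst, and afterwards only one 1500-byte packet conforms per 12 ms of refill.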
CSC tab

Enable Content Security Control For This Traffic

Enables or disables the use of the Cisco CSC SSM (Content Security and Control Security Services Module) for this traffic flow. When this box is checked, the On CSC SSM Failure options become available. These options are applicable on ASA 7.1+ devices only; they are not applicable if TCP State Bypass is enabled.
The CSC SSM provides protection against viruses, spyware, spam, and other unwanted traffic by scanning the FTP, HTTP, POP3, and SMTP packets.

On CSC SSM Failure

Specifies the action to take if the CSC SSM becomes inoperable:

User Statistics tab

Enable user statistics accounting (ASA 8.4(2)+ only)

Whether to collect user statistics accounting information for identity-based firewall policies. These statistics are kept for users to which a firewall policy is applied based on user name or user group membership. Select the type of information you want to collect:

Protocol Inspection tab

Enable Scansafe Web Security for this traffic (ASA 9.0+ only)

Enables or disables the use of ScanSafe Web Security for this traffic flow. When this box is checked, two options become available:
These options are applicable on ASA 9.0+ devices only.

Enable SCTP for this traffic (ASA 9.5.2+ only)

Enables or disables the use of SCTP for this traffic flow.

Enable Diameter Inspection for this traffic (ASA 9.5.2+ only)

Enables or disables the use of Diameter inspection for this traffic flow.
When Diameter Inspection is enabled, you can further enable inspection of encrypted traffic by selecting the Enable encrypted traffic inspection check box. You must select the TLS Proxy to be used for this inspection.

Enable LISP for this traffic (ASA 9.5.2+ only)

Enables or disables the use of LISP Inspection for this traffic flow.

Enable Flow LISP mobility for devices (ASA 9.5.2+ only)

Enables flow mobility in clustering.

Enable STUN Inspection support for devices (ASA 9.6.2+ only)

Enables or disables the use of STUN inspection for this traffic flow. It is supported on ASA 9.6.2 and above in the single and multi-context mode.

Note: When you enable STUN inspection on the default inspection class, TCP/UDP port 3478 is watched for STUN traffic. The inspection supports IPv4 addresses and TCP/UDP only. STUN inspection is supported in failover and cluster modes, as pinholes are replicated. However, as the transaction ID is not replicated among units, when a unit fails after receiving a STUN Request and another unit received the STUN Response, the STUN Response will be dropped.

Enable M3UA for this traffic (ASA 9.6.2+ only)

Enables or disables the use of M3UA for this traffic flow.

NetFlow tab

Enable NetFlow for this traffic

Enables or disables the use of NetFlow for this traffic flow. When this box is checked, the NetFlow options become available.

Collectors

Specify the collectors that should be used when sending NetFlow events of a specific event type:

Note: Only use collectors that have been configured on the NetFlow page at Platform > Logging > NetFlow.

- Flow Create Event
- Flow Deny Event
- Flow Tear Event
- All Event Types

Note: Cisco Security Manager does not allow duplicate NetFlow collectors for ASA 9.6(4) to 9.7.0, and 9.8(2) and above devices. Ensure that you remove the duplicate collectors.