56-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
IPS, QoS, and Connection Rules Page
Related Topics
Step 2. Configure the traffic class, page 56-7
Step 3. Configure the MPC actions, page 56-8
Step 2. Configure the traffic class
The second step in using the Insert/Edit Service Policy (MPC) Rule Wizard to configure an IPS, QoS
and Connection Rule involves specifying the traffic class to which the rule is applied.
Specify the class to use to match traffic for this rule:
• Use class-default As The Traffic Class—Select this option to use the traffic class class-default for this service policy. The class-default traffic class matches all traffic.
• Traffic Class—Select this option to apply this rule to a specific traffic class. Enter the name of the previously defined traffic class, or click Select to select it from the Traffic Flows Selector.
  You can also define or edit a traffic flow “on the fly” by clicking either the Create or Edit button in the Traffic Flows Selector. (Traffic flows are also created and edited on the Traffic Flows page of the Policy Object Manager.) See Configuring Traffic Flow Objects, page 56-16 for more information.
Related Topics
Step 1. Configure a Service Policy, page 56-6
Table 56-2 Insert/Edit Service Policy (MPC) Rule Wizard—Step 1. Configure a Service Policy

Element                             Description
Enable The Current MPC Rule         Check this box to enable this service policy rule. You can deselect this option if you want to define the rule now, but not deploy it to the device until later.
Category                            To assign the rule to a category, choose the category from the list. Categories can help you organize and identify rules and objects. For more information, see Using Category Objects, page 6-12.
Description                         Optionally, enter a description for the service policy rule.
Global - Applies to All Interfaces  Select this option to apply the rule globally to all interfaces. This option is not compatible with matching traffic based on the source or destination IP address using an access list.
Interfaces                          Select this option to apply the rule to a specific interface or group of interfaces (or interface roles), and then enter or Select the name of an interface or interface object.
                                    This selection is required if you want to match traffic based on the source or destination IP address using an access list.
                                    Note: Interface-specific rules take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP connection limits, then both FTP inspection and TCP connection limits are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.
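
The precedence rule in the Note above, modeled as an added example (not Cisco code or Security Manager output). The Rule fields, feature names, and rule names are hypothetical, and the model assumes one rule per feature per scope; it reports which rule is effective on an interface, which global rules an interface rule overrides, and which global rules use access-list matching.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:                   # hypothetical model of one service policy rule
    name: str
    scope: str                # "global" or an interface name
    feature: str              # e.g. "ftp-inspection", "tcp-conn-limits"
    enabled: bool = True      # the "Enable The Current MPC Rule" check box
    acl_match: bool = False   # matches source/destination IP via an access list


def validate(rules):
    """Names of global rules that use access-list matching, which the
    Global option does not support according to Table 56-2."""
    return [r.name for r in rules if r.scope == "global" and r.acl_match]


def effective_policy(rules, interface):
    """Map each feature to the name of the rule applied on `interface`."""
    active = [r for r in rules if r.enabled]
    result = {r.feature: r.name for r in active if r.scope == "global"}
    # An interface rule replaces the global rule for the same feature only;
    # global rules for other features still apply.
    result.update({r.feature: r.name for r in active if r.scope == interface})
    return result


def shadowed_global_rules(rules, interface):
    """Enabled global rules that never take effect on `interface` because
    an interface rule covers the same feature."""
    active = [r for r in rules if r.enabled]
    local = {r.feature for r in active if r.scope == interface}
    return [r.name for r in active if r.scope == "global" and r.feature in local]


# Constructed sample rule set mirroring the two scenarios in the Note.
RULES = [
    Rule("global-ftp", "global", "ftp-inspection"),
    Rule("outside-conn", "outside", "tcp-conn-limits", acl_match=True),
    Rule("dmz-ftp", "dmz", "ftp-inspection"),
    Rule("global-acl", "global", "tcp-conn-limits", enabled=False, acl_match=True),
]

if __name__ == "__main__":
    for ifc in ("outside", "dmz"):
        print(ifc, effective_policy(RULES, ifc), shadowed_global_rules(RULES, ifc))
    print("global rules using access-list matching:", validate(RULES))
```

Reviewing the shadowed list per interface shows where a global inspection or limit is not the one actually enforced.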