56-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
IPS, QoS, and Connection Rules Page
Step 3. Configure the MPC actions
The third step in the Insert/Edit Service Policy (MPC) Rule Wizard involves specifying IPS, CXSC,
Connection Setting, QoS, CSC, User Statistics, and ScanSafe Web Security parameters for the rule; each
set of parameters is presented on a separate tabbed panel.
Related Topics
Step 1. Configure a Service Policy, page 56-6
Step 2. Configure the traffic class, page 56-7
Field Reference
Table 56-3 Insert/Edit Service Policy (MPC) Rule Wizard—Step 3. Configure the actions.
Intrusion Prevention tab

Enable IPS for this Traffic
Enables or disables intrusion prevention for this traffic flow. When this box is checked, the other parameters on this panel are available.
Note: These parameters are applicable only on ASA 7.0+ devices that have an IPS module installed. See About IPS Modules on ASA Devices, page 56-14 for more information.

IPS Mode
Select the operating mode for intrusion prevention:
Inline—This mode places the IPS module directly in the traffic flow. No traffic that you identified for IPS inspection can continue through the ASA without first passing through, and being inspected by, the IPS module. This mode is the most secure because every packet identified for inspection is analyzed before being allowed through. Also, the IPS module can implement a blocking policy on a packet-by-packet basis. However, this mode can affect throughput.
Promiscuous—This mode sends a duplicate stream of traffic to the IPS module. This is less secure than Inline mode, but has little impact on traffic throughput. Unlike Inline mode, in Promiscuous mode the IPS module cannot drop the original packets; it can only block traffic by instructing the ASA to shun the traffic, or by resetting the connection on the appliance. Also, while the IPS module is analyzing the traffic, a small amount of traffic may pass through the ASA before the IPS module can shun it.

On IPS Card Failure
Specify the action to be taken if the IPS module becomes inoperable. Select either:
Open—Permits traffic if the module or card fails.
Close—Blocks traffic if the module or card fails.

Virtual Sensor
Text box in which you can view, edit, or remove the virtual sensor in the service policy that you are adding or editing
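As an added illustration that is not part of this guide, the following shows the ASA CLI form of the Intrusion Prevention tab choices above as they are deployed to the device, with the more secure Inline/Close combination active and the Promiscuous/Open combination shown commented out for comparison. The access-list name IPS_TRAFFIC, the class-map name ips_class, the policy-map name global_policy and the virtual sensor name vs0 are assumptions.

```text
! Added illustration, not from the Cisco Security Manager guide.
! Names are assumptions: IPS_TRAFFIC (ACL), ips_class (class-map),
! global_policy (policy-map), vs0 (virtual sensor on the IPS module).
access-list IPS_TRAFFIC extended permit ip any any
class-map ips_class
 match access-list IPS_TRAFFIC
!
! IPS Mode = Inline, On IPS Card Failure = Close:
! every matching packet is inspected before it is forwarded, and
! matching traffic is blocked if the IPS module becomes inoperable.
policy-map global_policy
 class ips_class
  ips inline fail-close sensor vs0
!
! IPS Mode = Promiscuous, On IPS Card Failure = Open (for comparison):
! the module receives a copy of the traffic, cannot drop the original
! packets, and traffic is permitted if the module fails.
! policy-map global_policy
!  class ips_class
!   ips promiscuous fail-open sensor vs0
!
service-policy global_policy global
```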