56-18
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 56 Configuring Service Policy Rules on Firewall Devices
Configuring Traffic Flow Objects
Table 56-5 Add and Edit Traffic Flow Dialog Boxes (Continued)

| Element | Description |
|---|---|
| Available ACLs | A list of the access control list (ACL) objects that you can select for the map. Select the ACL that defines the target traffic, or click the Create button to add a new object. You can also select an object and click Edit to change its definition. If the list of objects is large, use the Filter field to limit the display (see Filtering Items in Selectors, page 1-42). |
| TCP or UDP; TCP/UDP Port or Port Range | Radio buttons used to specify a protocol (either TCP or UDP), and a text field used to specify a destination port number or range of numbers to use when matching traffic based on the specified protocol/ports. You can specify a single port value, or a range of port numbers (for example, 0-2000). Valid port numbers are 0 to 65535. |
| RTP Port Range | The range of RTP destination ports associated with the traffic flow. You must enter a port range within the valid range of 2000 to 65535. Note: When you close the dialog box, the port range you entered is converted to port-span values by subtracting the start value from the end value. For example, if you enter the range 2001-3000 in the dialog box, "RTP port 2001 range 999" appears in the Match Value column of the Traffic Flows policy object table. Port-span values are expected by the device. |
| Tunnel group name; Match Flow IP Destination Address | Lists available VPN tunnel groups. Choose one or enter the name of a group. You can also select Match Flow IP Destination Address to recognize the destination address as the match type. Tip: You can use FlexConfig objects and policies to define a VPN tunnel group on a PIX 7.0+ device. For more information, see Understanding FlexConfig Policies and Policy Objects, page 7-2. |
| Available IP Precedence; Match on IP Precedence | The IP precedence numbers. Select the values you want to match and click >> to add them to the Match table. Ctrl-click to select multiple values. You can select a maximum of four values. To remove a value from the Match table, select it and click <<. |
| Available DSCP Values; Match on DSCP | The IP DiffServ Code Point (DSCP) numbers. Select the values you want to match and click >> to add them to the Match table. Ctrl-click to select multiple values. You can select a maximum of eight values. To remove a value from the Match table, select it and click <<. |
| Category | The category assigned to the traffic-flow object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12. |

Default Inspection Traffic

When you create a Traffic Flow policy object, you can choose to match the default inspection traffic. For more information, see Configuring Traffic Flow Objects, page 56-16. The following table lists the types of traffic included in the Default Inspection Traffic category.
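The following is an added example, not code from the Cisco Security Manager guide or from the product. It applies the field constraints that Table 56-5 states for the Add and Edit Traffic Flow dialog boxes (port values 0 to 65535, RTP ports 2000 to 65535 with the start-from-end port-span conversion, at most four IP precedence values, at most eight DSCP values) and renders each field as the class-map `match` line it corresponds to. The CLI rendering (`match access-list`, `match port`, `match rtp`, `match tunnel-group`, `match flow ip destination-address`, `match precedence`, `match dscp`) is an assumption based on ASA/PIX class-map syntax; the page itself describes only the dialog fields, and the function names and sample values are constructed for the example.

```python
# Added example (not from the Cisco Security Manager guide): validate the
# Traffic Flow dialog fields from Table 56-5 and render the class-map match
# lines they correspond to. CLI syntax is assumed from ASA class-map commands.
from __future__ import annotations

MAX_PRECEDENCE_VALUES = 4   # the dialog allows at most four IP precedence values
MAX_DSCP_VALUES = 8         # the dialog allows at most eight DSCP values
RTP_MIN, RTP_MAX = 2000, 65535
PORT_MIN, PORT_MAX = 0, 65535


def parse_port_spec(spec: str) -> tuple[int, int]:
    """Parse a single port ('80') or a range ('0-2000') into (low, high)."""
    parts = spec.strip().split("-")
    if len(parts) == 1:
        low = high = int(parts[0])
    elif len(parts) == 2:
        low, high = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port specification: {spec!r}")
    if not (PORT_MIN <= low <= high <= PORT_MAX):
        raise ValueError(f"ports must lie in {PORT_MIN}-{PORT_MAX} with low <= high: {spec!r}")
    return low, high


def rtp_port_span(start: int, end: int) -> tuple[int, int]:
    """Convert an RTP destination-port range into the (start, span) form the
    device expects: span = end - start, so 2001-3000 becomes (2001, 999)."""
    if not (RTP_MIN <= start <= end <= RTP_MAX):
        raise ValueError(f"RTP ports must lie in {RTP_MIN}-{RTP_MAX} with start <= end")
    return start, end - start


def match_access_list(acl_name: str) -> str:
    """Available ACLs field -> 'match access-list <name>' (assumed syntax)."""
    if not acl_name:
        raise ValueError("an ACL object must be selected")
    return f"match access-list {acl_name}"


def match_port(proto: str, spec: str) -> str:
    """TCP/UDP Port or Port Range field -> 'match port' line (assumed syntax)."""
    if proto not in ("tcp", "udp"):
        raise ValueError("protocol must be 'tcp' or 'udp'")
    low, high = parse_port_spec(spec)
    if low == high:
        return f"match port {proto} eq {low}"
    return f"match port {proto} range {low} {high}"


def match_rtp(start: int, end: int) -> str:
    """RTP Port Range field -> 'match rtp <start> <span>' line."""
    first, span = rtp_port_span(start, end)
    return f"match rtp {first} {span}"


def match_tunnel_group(name: str, by_destination: bool = False) -> list[str]:
    """Tunnel group name field, optionally with Match Flow IP Destination Address."""
    if not name:
        raise ValueError("tunnel group name is required")
    lines = [f"match tunnel-group {name}"]
    if by_destination:
        lines.append("match flow ip destination-address")
    return lines


def match_precedence(values: list[int]) -> str:
    """Match on IP Precedence: one to four values, each 0-7."""
    if not 1 <= len(values) <= MAX_PRECEDENCE_VALUES:
        raise ValueError(f"select 1 to {MAX_PRECEDENCE_VALUES} precedence values")
    if any(not 0 <= v <= 7 for v in values):
        raise ValueError("IP precedence values are 0-7")
    return "match precedence " + " ".join(map(str, values))


def match_dscp(values: list[int]) -> str:
    """Match on DSCP: one to eight values, numeric codepoints 0-63 only here."""
    if not 1 <= len(values) <= MAX_DSCP_VALUES:
        raise ValueError(f"select 1 to {MAX_DSCP_VALUES} DSCP values")
    if any(not 0 <= v <= 63 for v in values):
        raise ValueError("DSCP values are 0-63")
    return "match dscp " + " ".join(map(str, values))


def render_class_map(name: str, match_lines: list[str]) -> list[str]:
    """Assemble the class-map block a Traffic Flow object would correspond to."""
    return [f"class-map {name}"] + [f" {line}" for line in match_lines]


if __name__ == "__main__":
    # Constructed values; the RTP range mirrors the guide's 2001-3000 example.
    for line in render_class_map("voice-rtp", [match_rtp(2001, 3000)]):
        print(line)
    for line in render_class_map("web-ports", [match_port("tcp", "0-2000")]):
        print(line)
    for line in render_class_map("vpn-users", match_tunnel_group("remote", True)):
        print(line)
```

The RTP conversion is the one field where the value shown in the policy object table differs from what you typed, so `rtp_port_span` is the function to check when a match value in the Traffic Flows table looks smaller than the range you entered.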