12-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 12 Introduction to Firewall Services
Overview of Firewall Services
Zone-based firewall rules—These rules replace access rules, inspection rules, and web filter rules
on IOS devices if you want to configure your rules based on zones instead of interfaces. A zone is
a defined group of interfaces that perform the same security role (such as Inside or Outside). By
using zone rules, you can create more compact device configurations than you can by using the other
types of rules. For more information, see Understanding the Zone-based Firewall Rules, page 21-3.
Botnet Traffic Filter Rules—These rules help you to spot botnet traffic when it is sent to known bad
addresses. Botnets install malware on unsuspecting computers and use those computers as proxies
to perform malicious actions. For more information, see Chapter 19, “Managing Firewall Botnet
Traffic Filter Rules”.
Transparent rules—These are Ethertype access control rules that apply to non-IP layer-2 traffic on
transparent or bridged interfaces. For more information, see Configuring Transparent Firewall
Rules, page 22-1.
Most firewall rules policies are configured in rules tables. These tables allow in-line editing for most
cells, rule organization using sections, and the ability to change the order of rules. If you create shared
rules policies, you can apply them to a number of devices, even to devices running different operating
systems, and Security Manager automatically creates the appropriate device commands to configure the
policies based on the characteristics of each individual device, filtering out settings that do not apply to
a device. For more information on using rule tables, see Managing Your Rules Tables, page 12-7.
Another powerful feature used by most firewall rules policies is the idea of inheritance. When you create
shared policies, one of your options is to have a device inherit the policy rather than be assigned the
policy. This allows you to have a set of shared rules that apply to all devices, while having unique rules
that apply to only those devices that require them. For more information about inheritance, see the
following topics:
Understanding Rule Inheritance, page 5-4
Working with Shared Policies in Device View or the Site-to-Site VPN Manager, page 5-34.
The following topics provide additional overview information about firewall services policies:
Understanding the Processing Order of Firewall Rules, page 12-2
Understanding How NAT Affects Firewall Rules, page 12-3
ACL Names Preserved by Security Manager, page 12-4
Understanding the Processing Order of Firewall Rules
When you configure firewall rules policies, you should keep in mind the logical order in which the rules
are processed. For example, if you plan to drop all traffic of a certain type in an access rule, there is no
reason to create rules in other firewall policies that apply to that type of traffic, because they will never
be triggered. Conversely, if you want to apply certain types of inspection or web filtering on traffic, you
must ensure that your access rules first allow that traffic to enter the device.
Following is the general logical processing order of firewall rules:
AAA rules—If you require authentication, with or without authorization, the user must successfully
pass the test or the traffic is dropped.
Access rules (In direction)—The traffic must then get through your access rules. If you used AAA
rules, you might have allowed temporary per-user access rules to be configured for the user’s
session. These per-user rules are configured in your AAA server, not in Security Manager.
On ASA 8.3+ devices, global access rules are then processed after any interface-specific access
rules. For more information, see Understanding Global Access Rules, page 16-3.
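To make the processing order above concrete, here is an added example (not Cisco's code and not part of the user guide) that models the stages as a small Python evaluator: AAA first, then the interface access rules, then the global access rules (ASA 8.3+), then the implicit deny, with inspection reached only by traffic the access rules permitted. The packet layout, the `Rule`/`Policy` classes and the sample policy are assumptions constructed for the example; the point it demonstrates is that a permit in a later stage (the global ACL) cannot rescue traffic already denied by an earlier one, and that traffic dropped by access rules never reaches inspection.

```python
# Added example (not Cisco Security Manager code): a toy model of the rule
# processing order described in the guide. Assumes a simplified packet dict
# (src, dst, proto, dport) and first-match access rule tables.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    proto: str = "ip"            # "ip" matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("ip", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


def first_match(rules: List[Rule], pkt: dict) -> Optional[str]:
    """Rules tables are ordered: the first matching rule decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


@dataclass
class Policy:
    aaa_required: bool = False
    interface_acl: List[Rule] = field(default_factory=list)
    global_acl: List[Rule] = field(default_factory=list)  # ASA 8.3+ only
    inspected: List[str] = field(default_factory=list)    # protocols with inspection rules


def process(policy: Policy, pkt: dict, authenticated: bool = False) -> Tuple[str, str]:
    """Return (verdict, stage) following the order on the page:
    AAA -> interface access rules -> global access rules -> implicit deny.
    Inspection is only reached by traffic the access rules permitted."""
    if policy.aaa_required and not authenticated:
        return "drop", "aaa"                  # user failed (or skipped) AAA
    verdict = first_match(policy.interface_acl, pkt)
    stage = "interface-acl"
    if verdict is None:                       # no interface rule matched
        verdict = first_match(policy.global_acl, pkt)
        stage = "global-acl"
    if verdict is None:                       # nothing matched at all
        return "drop", "implicit-deny"
    if verdict == "deny":
        return "drop", stage                  # inspection is never consulted
    if pkt["proto"] in policy.inspected:
        return "permit", "inspect"
    return "permit", stage


# Constructed sample policy: the interface ACL denies telnet and permits HTTP
# from the inside network; the global ACL permits everything else.
POLICY = Policy(
    interface_acl=[
        Rule("deny", "10.1.0.0/16", "0.0.0.0/0", "tcp", 23),
        Rule("permit", "10.1.0.0/16", "0.0.0.0/0", "tcp", 80),
    ],
    global_acl=[Rule("permit", "0.0.0.0/0", "0.0.0.0/0")],
    inspected=["tcp"],
)

# Constructed sample packets (documentation-range addresses).
TELNET = {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}
HTTP = {"src": "10.1.2.3", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
DNS = {"src": "10.1.2.3", "dst": "192.0.2.53", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    for name, pkt in (("telnet", TELNET), ("http", HTTP), ("dns", DNS)):
        print(name, process(POLICY, pkt))
```

Running it shows telnet dropped at the interface ACL even though the global ACL would permit it, HTTP permitted and handed to inspection, and DNS (which matches no interface rule) permitted only by the global ACL. With `aaa_required=True`, an unauthenticated packet is dropped at the AAA stage before any access rule is evaluated.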