User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Protocols and Maps for Inspection
Navigation Path
Click the Filtering tab on the Add and Edit DNS Map dialog boxes. See Configuring DNS Maps,
page 17-28.
Related Topics
Understanding Map Objects, page 6-72
Configuring Protocols and Maps for Inspection, page 17-21
Field Reference
DNS Class and Policy Maps Add or Edit Match Condition (and Action) Dialog Boxes
Use the Add or Edit DNS Match Criterion (for DNS class maps) or Match Condition and Action (for
DNS policy maps) dialog boxes to do the following:
• Define the match criterion and value for a DNS class map.
• Select a DNS class map when creating a DNS policy map.
• Define the match criterion, value, and action directly in a DNS policy map.
The fields on this dialog box change based on the criterion you select and whether you are creating a
class map or policy map.
Navigation Path
When creating a DNS class map, in the Policy Object Manager, from the Add or Edit Class Maps dialog
boxes for DNS, right-click inside the table, then select Add Row or right-click a row, then select Edit
Row. See Configuring Class Maps for Inspection Policies, page 17-26.
Table 17-15 DNS Map Filtering Tab

Element: Drop Packets that Exceed Specified Length; Maximum Packet Length
Description: Whether to drop packets that exceed the maximum length in bytes that you specify. This is a global setting.

Element: Drop Packets Sent to Server that Exceed Specified Maximum Length; Maximum Length
Description: Whether to drop packets sent to the server that exceed the maximum length in bytes that you specify.

Element: Drop Packets Sent to Server that Exceed Length Indicated by Resource Record
Description: Whether to drop packets sent to the server that exceed the length indicated by the resource record.

Element: Drop Packets Sent to Client that Exceed Specified Length; Maximum Length
Description: Whether to drop packets sent to a client that exceed the maximum length in bytes that you specify.

Element: Drop Packets Sent to Client that Exceed Length Indicated by Resource Record
Description: Whether to drop packets sent to the client that exceed the length indicated by the resource record.
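
The global and client-side length checks from Table 17-15, as an added example that is not part of the Cisco guide and is not the device's own logic. It assumes that the "length indicated by the resource record" is the UDP payload size a client advertises in an EDNS0 OPT record (RFC 6891), with 512 bytes applying when no OPT record is present; the function and parameter names are hypothetical and the packets are constructed samples.

```python
import struct

def edns_udp_size(msg: bytes):
    """Return the UDP payload size from an EDNS0 OPT record (RFC 6891), else None."""
    def skip_name(p):
        while msg[p] != 0:
            if msg[p] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
                return p + 2
            p += 1 + msg[p]                # length byte plus label
        return p + 1
    try:
        qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
        pos = 12
        for _ in range(qd):
            pos = skip_name(pos) + 4       # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            pos = skip_name(pos)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            if rtype == 41:                # OPT: the CLASS field holds the payload size
                return rclass
            pos += 10 + rdlen
    except (IndexError, struct.error):
        pass                               # truncated or malformed message
    return None

def drop_reply_to_client(query: bytes, reply: bytes, global_max=None, client_max=None):
    """client_max: None (no check), an int byte limit, or "auto" (size from the query's OPT)."""
    if global_max is not None and len(reply) > global_max:
        return True                        # global maximum packet length exceeded
    if client_max == "auto":               # assumption: limit comes from the client's OPT record
        client_max = max(edns_udp_size(query) or 0, 512)
    return client_max is not None and len(reply) > client_max

def make_query(opt_size=None):
    # Constructed sample: an A query for example.com, optionally carrying an OPT record
    hdr = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if opt_size else 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, opt_size, 0, 0) if opt_size else b""
    return hdr + question + opt

QUERY_PLAIN = make_query()                 # no EDNS0: 512-byte limit applies
QUERY_EDNS = make_query(1232)              # client advertises 1232 bytes
REPLY_900 = QUERY_PLAIN.ljust(900, b"\x00")  # constructed: only its length matters here
```

With the record-indicated limit, the same 900-byte reply is dropped for the client that sent no OPT record and passed for the client that advertised 1232 bytes, whereas a fixed 512-byte client limit drops it for both.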