17-71
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 17 Managing Firewall Inspection Rules
Configuring Protocols and Maps for Inspection
Field Reference
IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes
Use the Add or Edit Match Condition and Action dialog boxes to define an Extension Header match
criterion and action for an IPv6 policy map. The contents of the Extension Headers are not processed;
an action is applied based solely on the presence of a specified EH type.
The fields in these dialog boxes change based on the criterion you select.
Note: You can apply multiple match definitions to one IPv6 policy map.
Table 17-41 Add and Edit IPv6 Map Dialog Boxes

Element: Description

Name: The name of the policy object. A maximum of 40 characters is allowed.

Description: A description of the policy object. A maximum of 200 characters is allowed.

Parameters tab

Permit only known Extension Headers: Whether the ASA should verify the IPv6 extension header. When selected and an unknown IPv6 extension header is encountered, the ASA drops the packet and logs the action. This option is selected by default.

Enforce Extension Header Order: Whether the ASA should enforce extension header order as defined in the RFC 2460 specification. When selected and an error is detected, the ASA drops the packet and logs the action. This option is selected by default.

Match Condition and Action Tab

The Match All table lists the criteria included in the policy map. Each row indicates whether the inspection is looking for traffic that matches or does not match each criterion, the criterion and value that is inspected, and the action to be taken for traffic that satisfies the conditions.
These criteria entries are created and edited in the IPv6 Policy Maps Add or Edit Match Condition and Action Dialog Boxes, page 17-71.

Category: The category assigned to the object. Categories help you organize and identify rules and objects. See Using Category Objects, page 6-12.

Allow Value Override per Device, Overrides, Edit button: Whether to allow the object definition to be changed at the device level. For more information, see Allowing a Policy Object to Be Overridden, page 6-18 and Understanding Policy Object Overrides for Individual Devices, page 6-17.
If you allow device overrides, you can click the Edit button to create, edit, and view the overrides in the Policy Object Overrides Window, page 6-20. The Overrides field indicates the number of devices that have overrides for this object.
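The following Python example is added here to show what the Permit only known Extension Headers and Enforce Extension Header Order checks in Table 17-41 amount to on a raw packet; it is not Cisco code and does not claim to reproduce the ASA's internal logic. Assumptions: the "known" set is the six RFC 2460 extension headers, the chain ends at TCP, UDP, ICMPv6 or No Next Header, and the names walk_chain, verdict and build are hypothetical.

```python
import struct

# Protocol numbers of the RFC 2460 extension headers (assumed "known" set).
HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPT = 0, 43, 44, 50, 51, 60
# Recommended-order rank; Destination Options is ranked in walk_chain (1 or 6).
RANK = {HOPOPT: 0, ROUTING: 2, FRAGMENT: 3, AH: 4, ESP: 5}
# Assumption: next-header values that end the chain.
UPPER_LAYER = {6, 17, 58, 59}  # TCP, UDP, ICMPv6, No Next Header

def walk_chain(packet: bytes):
    """Walk one raw IPv6 packet; return (chain, findings)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, last, chain, findings = packet[6], 40, -1, [], []
    while nxt not in UPPER_LAYER:
        if nxt not in RANK and nxt != DSTOPT:
            findings.append(("unknown", nxt))
            break  # length encoding unknown, so the walk stops here
        if off + 8 > len(packet):
            raise ValueError("truncated extension header chain")
        # Destination Options may come before Routing (1) and again last (6).
        rank = RANK.get(nxt, 1 if last < 1 else 6)
        if rank <= last:
            findings.append(("order", nxt))  # out of order or repeated
        last = max(last, rank)
        chain.append(nxt)
        if nxt == ESP:
            break  # everything after ESP is encrypted
        if nxt == FRAGMENT:
            size = 8
        elif nxt == AH:
            size = (packet[off + 1] + 2) * 4  # AH length: 4-octet units
        else:
            size = (packet[off + 1] + 1) * 8  # others: 8-octet units
        nxt, off = packet[off], off + size
    return chain, findings

def verdict(packet, permit_only_known=True, enforce_order=True):
    """Apply the two Parameters tab checks; both default to selected."""
    kinds = {kind for kind, _ in walk_chain(packet)[1]}
    drop = (permit_only_known and "unknown" in kinds) or (
        enforce_order and "order" in kinds)
    return "drop" if drop else "permit"

def build(types, upper=59):
    """Constructed sample packet: fixed header plus empty 8-byte headers."""
    seq = list(types) + [upper]
    body = b"".join(bytes([n]) + bytes(7) for n in seq[1:])
    hdr = struct.pack("!IHBB", 6 << 28, len(body), seq[0], 64)
    return hdr + bytes(32) + body
```

For instance, `verdict(build([43, 0]))` returns "drop" because Hop-by-Hop Options follows a Routing header, while the same packet is permitted with `enforce_order=False`.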