21-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Table 21-1 Relationship Between Permit/Deny and Action in Zone-based Rules (Continued)

| Permit / Deny | Service | Rule Action | Protocol | Result |
| --- | --- | --- | --- | --- |
| Permit | TCP | Content Filter | HTTP | Allow and inspect HTTP traffic, and apply URL filtering maps to selectively permit or deny Web connections based on the Web sites requested. If you specify a policy map for deep inspection, the action from the policy map is applied to any packets that match deep inspection parameters (for example, reset the connection for protocol violations). Thus, traffic can be dropped either because the Web site is blacklisted, or because the HTTP packets violate your deep inspection rules. |
| Deny | TCP | Content Filter | HTTP | Skip the rule for HTTP traffic and evaluate the next class map. Either a subsequent class map with a Permit rule is applied, or the class default rule is applied. The Content Filter action is ignored. Tip: This type of rule can exempt the specified source/destination from content filtering if no subsequent class maps drop the traffic or apply content filtering. However, if you want to allow HTTP connections for this traffic, you must create a Permit/Inspect rule for the traffic. |

Understanding the Relationship Between Services and Protocols in Zone-based Firewall Rules

When you create a zone-based firewall rule, there are two seemingly similar parameters that help identify the characteristics of the target traffic: Services and Protocols. The entries in these fields can provide very similar information, but that information is used differently when constructing zone-based firewall policies in the device configuration. This section describes the recommended uses of these fields.

Services – The Services field is used to define the traffic protocol(s) in an access control list (ACL) entry. Along with the Sources and Destinations specified, this ACL entry is used by a class map to define the traffic to which you want to apply a policy. However, unlike in standard access rules, the Services information is not the primary means of identifying the traffic protocol. It is required only because ACLs must have a service designation for each entry.
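The following IOS zone-based firewall configuration is an added illustration, not text from this guide and not the exact output Security Manager generates. It shows how the Permit / TCP / Content Filter / HTTP row of Table 21-1 and the Services field described above map onto device configuration: the Services value (TCP) together with the source and destination becomes an ACL entry, the Protocol value (HTTP) becomes a "match protocol" line, and a match-all class map requires both before the inspect and URL-filter actions apply. The object names (CSM_ZBF_*, CSM_URLF_1), the zone names, the 10.1.1.0/24 network and the example domains are constructed for this illustration; the local "parameter-map type urlfilter" form is one way IOS expresses content filtering, and the Trend Micro based form uses different commands.

```cisco
! Constructed example: two security zones and the zone pair the policy attaches to
zone security inside
zone security outside
!
! Services field (TCP) plus Sources/Destinations become the ACL entry.
! The service here only satisfies the ACL syntax; it does not identify HTTP by itself.
ip access-list extended CSM_ZBF_CLASS_MAP_ACL_1
 permit tcp 10.1.1.0 0.0.0.255 any
!
! Protocol field (HTTP) becomes the "match protocol" line. With match-all, traffic must
! match BOTH the ACL entry and the application protocol to enter this class.
class-map type inspect match-all CSM_ZBF_CLASS_MAP_1
 match access-group name CSM_ZBF_CLASS_MAP_ACL_1
 match protocol http
!
! Local URL filtering list used by the Content Filter action (domains are constructed).
parameter-map type urlfilter CSM_URLF_1
 exclusive-domain deny .blocked.example
 exclusive-domain permit .allowed.example
!
! Permit + Content Filter: inspect the HTTP session and apply the URL filter to it.
! Traffic can therefore be dropped either because the site is denied by the
! filter list or because inspection detects a protocol violation.
policy-map type inspect CSM_ZBF_POLICY_MAP_1
 class type inspect CSM_ZBF_CLASS_MAP_1
  inspect
  urlfilter CSM_URLF_1
 ! Anything not matched by an earlier class lands here (the "class default rule"
 ! referred to in the Deny row of the table).
 class class-default
  drop log
!
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect CSM_ZBF_POLICY_MAP_1
```

Note that a Deny rule in this model does not produce a class that drops traffic: as the Deny row of the table states, matching traffic simply skips that class and is evaluated against the next class map, ending at class-default if nothing else matches. Checking with "show policy-map type inspect zone-pair inside-to-outside" on the device confirms which class each session actually landed in.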