User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
c. When the chosen Action is Content Filter, configure the URL filtering:
1. Click Configure next to the Protocol field to customize the HTTP PAM settings, and to apply an
HTTP deep-inspection policy map. See the Configure Protocol Dialog Box, page 21-65 for more
information.
2. Select either WebFilter Parameter Map, or WebFilter Policy Map, and enter or Select the name of
the appropriate WebFilter map. See Configuring Content Filtering Maps for Zone-based Firewall
Policies, page 21-35 for more information.
d. When the chosen Action is Inspect or Content Filter, you can enter or Select the name of an Inspect
Parameter map to apply a customized set of connection, timeout, and other settings. See Configuring
Inspect Parameter Maps, page 21-29 for more information.
Step 5 (Optional) Enter a description to help you identify the rule.
Step 6 (Optional) Under Category, select a category to help you identify this rule in the rules table. See Using
Category Objects, page 6-12.
Step 7 Click OK to close the Add Zone Based Firewall Rule dialog box and return to the Zone Based Firewall
Rules table.
The new rule is listed in the table.
Configuring Inspection Maps for Zone-based Firewall Policies
When you configure zone-based firewall policies for a router, you can define rules to inspect traffic by
choosing Inspect as the Action for the rule. You can then select the specific protocols to inspect.
For some protocols, you can select policy maps to perform deep inspection on packets that match your
criteria. You can configure these maps from the policy object selector dialog box while defining the rule,
or at any time in the Policy Object Manager window (select Manage > Policy Objects). In addition to
policy maps, there are some parameter maps you can configure for inspection.
For protocols that allow deep inspection, you can select a related policy map, which in turn
incorporates class maps that define match conditions for the targeted traffic. To create these policy
maps in the Policy Object Manager, select one of the available map types (which are listed in the
following table) from the Maps > Policy Maps > Inspect folder, and review the detailed usage
information in Configuring Policy Maps for Zone-Based Firewall Policies, page 21-33.
For information on creating class maps for use in your deep-inspection policy maps, see the
references to the match criterion dialog boxes in the following table, as well as the topic Configuring
Class Maps for Zone-Based Firewall Policies, page 21-17. These class maps are found in the Maps
> Class Maps > Inspect folder in the Policy Object Manager.
When Inspect (or Content Filter) is the chosen Action, you can also apply an Inspect Parameters map
when adding or editing a rule (see Adding and Editing Zone-based Firewall Rules). Zone-based firewall inspection includes
several general settings, all of which have default values that are appropriate for most networks. If
you want to adjust any of these settings, you must create an Inspect Parameters map. In the Policy
Object Manager, select Maps > Parameter Maps > Inspect > Inspect Parameters and review the
detailed usage information in Configuring Inspect Parameter Maps, page 21-29.
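The following hand-written Cisco IOS configuration is an added illustration, not taken from this guide and not Security Manager output. It shows how the objects described above relate on the router: an Inspect Parameters map, an HTTP deep-inspection class map and policy map, and the Inspect rule that references them. All object names, zone names, and timer values are hypothetical.

```ios
! Inspect Parameters map: overrides selected inspection defaults
! (values are examples only)
parameter-map type inspect EXAMPLE-INSPECT-PARAMS
 audit-trail on
 tcp idle-time 1800
 udp idle-time 60
 max-incomplete low 400
 max-incomplete high 500
!
! Deep-inspection class map (Maps > Class Maps > Inspect):
! match conditions evaluated inside inspected HTTP traffic
class-map type inspect http match-any EXAMPLE-HTTP-VIOLATIONS
 match req-resp protocol-violation
 match request port-misuse any
!
! Deep-inspection policy map (Maps > Policy Maps > Inspect):
! incorporates the class map and sets the action for matching traffic
policy-map type inspect http EXAMPLE-HTTP-DEEP
 class type inspect http EXAMPLE-HTTP-VIOLATIONS
  log
  reset
!
! Layer 3/4 class map: the protocol selected for the rule
class-map type inspect match-any EXAMPLE-WEB
 match protocol http
!
! The zone-based rule: Action is Inspect, with the Inspect Parameters
! map and the HTTP deep-inspection policy map attached
policy-map type inspect EXAMPLE-INSIDE-TO-OUTSIDE
 class type inspect EXAMPLE-WEB
  inspect EXAMPLE-INSPECT-PARAMS
  service-policy http EXAMPLE-HTTP-DEEP
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
!
! Bind the policy to the traffic direction between the two zones
zone-pair security EXAMPLE-IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect EXAMPLE-INSIDE-TO-OUTSIDE
```

Comparing a device's previewed or deployed configuration against this structure is a quick way to confirm that a deep-inspection policy map and parameter map are actually attached to the intended class, rather than defined but unreferenced.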