21-64
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 21 Managing Zone-based Firewall Rules
Zone-based Firewall Rules Page
Field Reference
Protocol Selector Dialog Box
Use the Protocol Selector dialog box to specify one or more communication protocols as part of the
definition of traffic for a zone-based firewall rule.
The Protocol Selector dialog box also provides access to the Configure Protocol dialog box, which you
can use to create custom protocols and edit Port Application Mapping (PAM) parameters for existing
protocols. The Configure Protocol dialog box is also where you select Deep Inspection policy maps, and
Protocol Info parameter maps, for certain protocols. See Configure Protocol Dialog Box, page 21-65 for
more information.
Navigation Path
The Protocol Selector dialog box can be accessed from the Add and Edit Zone-based Firewall Rule dialog
boxes (described in Adding and Editing Zone-based Firewall Rules, page 21-59). In either dialog box,
choose any Action except Content Filter and then click the Select button next to the Protocol table.
You can also open the Protocol Selector dialog box by right-clicking the Inspected Protocol column for
any entry in the Zone Based Firewall Rules table, and then choosing Edit Protocols.
Related Topics
Understanding the Zone-based Firewall Rules, page 21-3
Adding and Editing Zone-based Firewall Rules, page 21-59
Table 21-24 Advanced Options Dialog Box
Element Description
Time Range This feature lets you define time periods during which this zone-based firewall rule is active. If you do not specify a time range, the rule is immediately and always active.
Enter the name of a time-range object, or click Select to choose one from a list in the Time Ranges Selector dialog box. You can create and edit time-range objects from this dialog box. For more information, see Configuring Time Range Objects, page 6-66.
Options This feature lets you apply an initial-packet-fragment or an established-connection restriction to this zone-based firewall rule. Choose one of the following options:
None – No packet-fragment or established-connection restrictions are applied.
Fragment – If chosen, the rule is applied to non-initial packet fragments; the fragment is either permitted or denied accordingly. The white paper, “Access Control Lists and IP Fragments,” provides additional information that is also relevant to zone-based firewall rules.
Established – For the TCP protocol only; requires an established connection. A match occurs if the TCP datagram has the ACK or RST control bits set. The non-matching case is that of the initial TCP datagram to form a connection.
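How the Fragment and Established options decide a match, as an added example that is not part of the Cisco guide: a minimal IPv4/TCP header decoder run over constructed packets, which also shows why a non-initial fragment (the case the fragments white paper discusses) can never satisfy Established: it carries no TCP header, so there are no ACK/RST bits to test. The packet builder, the RFC 5737 addresses and the helper names are assumptions made for this example.

```python
import struct

ACK, RST, SYN = 0x10, 0x04, 0x02          # TCP flag bits (RFC 793)
IP_PROTO_TCP = 6


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode only the fields the Fragment/Established options consult.

    Minimal decoder written for this example: the IPv4 header, then the TCP
    flags byte only when this is the initial fragment (fragment offset 0).
    """
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"proto": proto, "frag_offset": flags_frag & 0x1FFF,
            "more_fragments": bool(flags_frag & 0x2000), "tcp_flags": None}
    if proto == IP_PROTO_TCP and info["frag_offset"] == 0 and len(pkt) >= ihl + 20:
        info["tcp_flags"] = pkt[ihl + 13]   # 14th byte of the TCP header: CWR..FIN flags
    return info


def matches(info: dict, option: str) -> bool:
    """Apply one Advanced Options restriction (None / Fragment / Established)."""
    if option == "None":
        return True                              # no extra restriction
    if option == "Fragment":
        return info["frag_offset"] != 0          # non-initial fragments only
    if option == "Established":
        # A non-initial fragment has no TCP header, so tcp_flags is None and the
        # rule cannot match it even though the fragment belongs to TCP traffic.
        flags = info["tcp_flags"]
        return info["proto"] == IP_PROTO_TCP and flags is not None and bool(flags & (ACK | RST))
    raise ValueError(option)


def build_packet(frag_offset: int = 0, more_fragments: bool = False, tcp_flags=None) -> bytes:
    """Constructed IPv4/TCP packet for this example (RFC 5737 addresses, zero checksums)."""
    if tcp_flags is None:
        l4 = b"\x00" * 8                         # non-initial fragment: payload only, no TCP header
    else:
        l4 = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, 5 << 4, tcp_flags, 65535, 0, 0)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, flags_frag, 64,
                     IP_PROTO_TCP, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + l4


if __name__ == "__main__":
    for name, pkt in [("initial SYN", build_packet(tcp_flags=SYN)),
                      ("mid-connection ACK", build_packet(tcp_flags=ACK)),
                      ("non-initial fragment", build_packet(frag_offset=185))]:
        info = parse_ipv4_tcp(pkt)
        print(name, {o: matches(info, o) for o in ("None", "Fragment", "Established")})
```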